
The Czechs were the first ones to notice the network of infected devices that became known as the Chuck Norris bot-net. What makes this bot-net noteworthy for us networking types is not the number of devices infected (although the number is astonishing) but rather which devices are being targeted, compromised, and used for nefarious purposes: chiefly routers, firewalls, and gateway devices.
And that is unique: Most bot-nets attack workstations, compromise them, and use them to send spam, conduct DDoS attacks, or commit other crimes, and that’s about the extent of it. Chuck Norris uses network devices not only to commit crimes, but to compromise workstations on your private network and prime them for infection with other malware.
That’s right folks, Chuck Norris has gone berserk: he’s no longer just a butt-kicking Texas Ranger who beats up the bad guys, makes the ladies swoon, and wears a very expensive hat. Now he’s after your firewall!
Details of the Chuck Norris Bot-Net
You might be vulnerable if…
As details of “Chuck Norris” are still emerging, an exhaustive, accurate list of “infectable” devices isn’t really available to us yet. In general, though, we have a very accurate profile of what a target device might look like, and how to protect devices against infection.
In general, you’re a prime target for infection if:
- You’re using a firewall, gateway, or router product exposed to the Internet and still using the default password, and,
- Your device has remote administration capabilities turned on.
Potential for Damage
What makes Chuck Norris insidious is that the attack seems benign to neophyte admins, who see the problem as being as simple as rebooting the device and changing the password.
For today’s “Pretend Time,” let’s imagine that Chuck finds his way into your Internet gateway. Chuck can do a number of things with your gateway:
- Chuck can prevent access to the infected device altogether. (i.e. “The Internet is down!”)
- Chuck can scan your private network for other vulnerable hardware.
- Chuck can assist his other friends (also named Chuck) in distributed denial of service attacks.
- Chuck could launch password dictionary attacks on local computers to enable infection with other malware.
- Chuck could change the gateway’s DNS settings so your workstations are surfing the web using Chuck’s DNS servers.
This last one is very troubling in its implications: In the hands of a smart person, this could enable a seamless man-in-the-middle attack that gets your employees to reveal critical business secrets to what appears to be a legitimate web-site with a valid certificate. Organizations that have been infected (and haven’t noticed) need to worry about what passwords and critical data Chuck may have been used to extract from them.
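The DNS-tampering scenario above is the one a defender can actually check for from inside the network. The script below is an added example, not code from the original post: it parses the resolver list a gateway hands out over DHCP, flags any resolver outside an allowlist, and compares answers for a few pinned names against what a trusted resolver is known to return. The lease text, allowlist, pinned answers and all addresses (RFC 5737 documentation ranges) are constructed for the example and are assumptions, not real data.

```python
"""Added example (not from the original post): spot gateway DNS tampering.

Two checks a defender can run from a workstation or a monitoring host:
 1. The resolvers the gateway hands out via DHCP must be on an allowlist.
 2. Answers for a few pinned, rarely-changing names must match what the
    organisation expects (compared as sets, so round-robin order is ignored).
All addresses below are RFC 5737 documentation ranges, constructed for the
example; the allowlist and pinned answers are assumptions, not real data.
"""
import ipaddress
import re

# Constructed DHCP lease text in dhclient's lease-file style (assumption).
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.0.2.50;
  option routers 192.0.2.1;
  option domain-name-servers 192.0.2.1,203.0.113.7;
}
"""

# Resolvers we expect the gateway to announce (assumed: the gateway itself
# plus the ISP's resolver network).
RESOLVER_ALLOWLIST = ["192.0.2.1", "198.51.100.0/24"]

_DNS_OPTION = re.compile(r"option\s+domain-name-servers\s+([0-9.,\s]+);")


def parse_lease_resolvers(lease_text):
    """Return the resolver addresses announced in a DHCP lease, in order."""
    match = _DNS_OPTION.search(lease_text)
    if not match:
        return []
    return [addr.strip() for addr in match.group(1).split(",") if addr.strip()]


def rogue_resolvers(resolvers, allowlist=RESOLVER_ALLOWLIST):
    """Resolvers not covered by any allowlisted address or network."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    return [r for r in resolvers
            if not any(ipaddress.ip_address(r) in net for net in nets)]


def mismatched_answers(expected, observed):
    """Names whose observed A records differ from the pinned expectation.

    Both arguments map hostname -> iterable of IPv4 strings; the comparison
    is set-based so round-robin ordering does not trigger a false alarm.
    """
    return sorted(name for name, addrs in expected.items()
                  if set(addrs) != set(observed.get(name, [])))


# Constructed pinned answers (assumption: an admin recorded them from a
# trusted resolver) and the answers observed through the gateway's resolver.
PINNED_ANSWERS = {
    "bank.example": ["198.51.100.10", "198.51.100.11"],
    "mail.example": ["198.51.100.20"],
}
OBSERVED_ANSWERS = {
    "bank.example": ["203.0.113.99"],   # redirected elsewhere
    "mail.example": ["198.51.100.20"],  # unchanged
}


def audit(lease_text=SAMPLE_LEASE, expected=PINNED_ANSWERS,
          observed=OBSERVED_ANSWERS):
    """Combine both checks into one report dictionary."""
    resolvers = parse_lease_resolvers(lease_text)
    return {
        "resolvers": resolvers,
        "rogue_resolvers": rogue_resolvers(resolvers),
        "mismatched_names": mismatched_answers(expected, observed),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

In a real deployment the lease text would come from the workstation's DHCP client and the observed answers from a query sent through the gateway's announced resolver; the point of the pinned comparison is that a redirected resolver still has to answer with its own addresses, and that difference is what gets flagged.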
Protecting Yourself from Chuck
Luckily, defending against Chuck isn’t that hard. His success to date hinges on the large number of “security” devices being operated with insecure, default passwords still in place. As is typical of most big “holy-crap my hair’s on fire!” security alerts, most of us can protect ourselves by following good security practices on our network devices:
- Disable remote administration on public-facing network devices unless you absolutely have to use it. Make sure you follow best-practices for this.
- Severely restrict remote administration on internal devices: require a complex password, require SSL/SSH connections, and define which specific IP addresses or ranges are allowed to manage the device.
- Change default passwords for all network devices everywhere. Do it now.
- Use two-factor authentication, ALWAYS. Cisco devices used to rely on one-factor authentication, and even though new devices use two-factor by default, many environments still have “legacy” equipment in production (or in lab environments) using the antiquated single-factor method.
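The first three items in the list above (no plaintext remote administration, SSH/SSL only, source-address restrictions, no default passwords) can be turned into an automated check over a saved device configuration. The script below is an added example, not code from the original post or from any vendor: it holds a weak config beside a hardened one, both constructed here in Cisco IOS style, and audits them with plain line matching. It assumes the standard meaning of the IOS commands `line vty`, `transport input`, `access-class`, `ip http server`, `ip http secure-server`, `ip http access-class` and `enable secret`; the `KNOWN_DEFAULT_PASSWORDS` set and the `EXAMPLE-PLACEHOLDER-SECRET` value are constructed placeholders.

```python
"""Added example (not from the original post): audit a saved router config for
the remote-administration weaknesses the post lists. Both configs below are
constructed in Cisco IOS style (assumption: standard IOS command semantics);
the checker is plain line matching and talks to no device.
"""

# Constructed sample of a default-ish configuration exposed to the Internet.
WEAK_CONFIG = """\
enable password cisco
ip http server
line vty 0 4
 transport input telnet ssh
 password cisco
 login
"""

# Constructed hardened counterpart: hashed enable secret, HTTPS only and
# restricted by ACL, SSH-only vty lines restricted to one management subnet.
HARDENED_CONFIG = """\
enable secret EXAMPLE-PLACEHOLDER-SECRET
no ip http server
ip http secure-server
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class 10 in
 login local
"""

# Constructed sample list of vendor-default style passwords (assumption).
KNOWN_DEFAULT_PASSWORDS = {"cisco", "admin", "password"}


def parse_vty_blocks(config):
    """Map each `line vty ...` header to its indented child commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the stanza
    return blocks


def audit_config(config):
    """Return a list of human-readable findings; empty means all checks passed."""
    findings = []
    lines = [line.rstrip() for line in config.splitlines()]

    if any(line.startswith("enable password ") for line in lines):
        findings.append("enable password is reversible; use 'enable secret'")
    if "ip http server" in lines:
        findings.append("plaintext HTTP administration enabled; use "
                        "'no ip http server' and 'ip http secure-server'")
    if "ip http secure-server" in lines and not any(
            line.startswith("ip http access-class ") for line in lines):
        findings.append("HTTPS administration not restricted by an access list")

    for header, children in parse_vty_blocks(config).items():
        transport = next((c for c in children
                          if c.startswith("transport input ")), None)
        # No transport line means the platform default applies, which may
        # include telnet; treat it the same as an explicit telnet/all.
        if transport is None or any(t in ("telnet", "all")
                                    for t in transport.split()[2:]):
            findings.append(f"{header}: allows telnet or unrestricted "
                            "transports; use 'transport input ssh'")
        if not any(c.startswith("access-class ") and c.endswith(" in")
                   for c in children):
            findings.append(f"{header}: no inbound access-class restricting "
                            "management source addresses")
        for c in children:
            if c.startswith("password ") and \
                    c.split(None, 1)[1] in KNOWN_DEFAULT_PASSWORDS:
                findings.append(f"{header}: known default line password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or 'no findings'}")
```

The checker is deliberately conservative: a vty stanza with no `transport input` line is reported, because the platform default is not visible in the saved config and may permit telnet. Feeding it the output of a periodic config backup is enough to catch a device that was reset to defaults or re-exposed after a reboot.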
What if Chuck’s Already in Charge?
The first thing to do is clean up the infection, which is thankfully as simple as rebooting the compromised device and changing the password; then immediately take all of the precautions outlined above. After that comes the really ugly part: figuring out what the real damage is.
- Change all of your passwords to outside resources; they may be compromised.
- Contact financial institutions to check for unusual/unexpected activity from your online banking accounts.
- Verify with financial institutions not only that no unauthorized transactions have taken place, but also that no extra “authorized users” have been added to your accounts, lying dormant to be used later.
While the steps needed to combat Chuck Norris aren’t hard to take, they do need to be taken immediately to avoid getting swept up in the next wave of companies that lose money (or worse) due to security problems.