I just learned about a newly discovered router malware nicknamed Slingshot thanks to the alert writers at engadget. So far it’s only been identified on MikroTik routers (presumably running factory firmware). Please see link below. I just wanted to check if anyone knows whether routers running the latest version of OpenWRT/LEDE firmware are protected?
First read is "unlikely", as there is no Windows-based management tool for OpenWRT/LEDE.
The exact method used by Slingshot to exploit the routers in the first instance is not yet clear. When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.
So you do it manually, not automatically at connect. So you have to know what to download and run on the Windows box. As you could read, Slingshot works on Windows boxes, and routers are only compromised for 'poisoning' workstations.
How exactly does infection happen?
The exact method used by Slingshot to exploit the routers in the first instance is not yet clear. When the target user runs Winbox Loader software (a utility used for Mikrotik router configuration), this connects to the router and downloads some DLLs (dynamic link libraries) from the router’s file system.
So the targets are Windows boxes; routers are only a tool for infecting. But "the clue" is: how were Mikrotik's routers compromised?
And the second question: is only RouterOS vulnerable, or other embedded systems as well?
Are Mikrotik the only affected routers?
Some victims may have been infected through other routes. During our research we also found a component called KPWS that turned out to be another downloader for Slingshot components.
The devil is in the detail, and there is not really much detail other than that the attack vector is the Winbox component, which injects a malicious military-grade Windows service preloaded in the router.
Kaspersky: While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.
Advice to users: snap in half the CD that comes with the router and stick to using the web interface. Better, replace the router's firmware with OpenWrt/LEDE and use SSH.
@lleachii - The trojan seems more like a spooks' toolkit that farms local environment variables and traffic activity. It's certainly too heavyweight to just be some banking bot released by teenagers. Likely it's some cyber weapon in the war on terror.
@bimmerguy and everyone else, some interesting thoughts on the exploits of Mikrotik routers... on GitHub.