An examination of the Asus WL-HDD 2.5 as a Nepenthes malware collector


Trends in router technology are permitting consumers to use a single device as a gateway for Internet connectivity, a resource sharing point and a wireless access point. As routing devices become increasingly powerful, with faster processors and significant increases in memory, developers are opting to use routers for a variety of applications. One router which received immense publicity was the Linksys WRT54g, due to its highly customisable firmware and easily configured nature. Literature demonstrating the flexibility and ease of use of the Linksys WRT54g for both researchers and hobbyists (Asadoorian & Pesce 2007) is still being publicly released years after the initial product release.

Hackers and security enthusiasts may customise the Linksys WRT54g firmware (Al-Zarouni 2005) dependent on the place and purpose of use. Numerous pre-compiled firmware images are available specifically for the Linksys WRT54g and for many other embedded system architectures. Innes (2005) discussed the application of some of the publicly available, pre-compiled software packages for the Linksys WRT54g operating on the OpenWRT firmware. The paper demonstrated how a Small Office Home Office (SOHO) router may be transformed to undertake various 802.11 wireless monitoring, intrusion detection and network forensic tasks. However, as time progresses the Linksys WRT54g, a device which once accommodated a wide range of software, is slowly becoming obsolete. One significant aspect in which the Linksys WRT54g is now insufficient is its memory and storage availability, which prevents it from being used for various network analysis and forensic activities.

Linksys released numerous versions of the Linksys WRT54g (versions 1 through to 8) with processors ranging from MIPS 125 MHz through to 240 MHz (OpenWRT 2006). However, as processor performance increased on the high-end routers, the availability of flash and random access memory (RAM) decreased. Hence system performance was balanced across all the Linksys WRT54g routers. Whilst the device specifications are sound for the router's own requirements, any intensive third-party software will halt the device and require a manual power cycle. In contrast, certain network analysis and forensic software not only consumes excessive resources but also requires a medium on which to store the data it collects. One specific setup which is not feasible is operating a Snort intrusion detection system (Snort 2007) coupled with a local database server to log events. As the Linksys router has minimal non-volatile storage available, the only feasible option is to utilise a remote database server to which the Snort intrusion detection system may connect and store its log data.
