Starting from yesterday, many DSL customers in Germany were reporting problems with their routers, which weren’t able to connect to their ISP anymore or that the internet connection was very weak. Today we saw news, that a malicious attack could be the reason for this widespread problem.
Fortunately we got some more technical details from users reporting the specific behaviour. With this information, were able to get hands on some samples and were able to reconstruct some details. Let’s have a quick look:
Exploiting the remote management protocol
As mentioned, users were seeing suspicious network activity. They saw this request incoming on TCP port 7547:
A vulnerability in affected routers causes the device to download the binary with file name “1” from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to IPs anymore (“NXDOMAIN”).
Mirai related binary
During a quick analysis of the ELF 32-bit MIPS-MSB (big endian) variant used in todays attacks on German customers, we saw this Mirai-related sample perfoming this behaviour:
- Delete itself from filesystem (resides only in memory)
- Close vulnerable port using iptables: “iptables -A INPUT -p tcp –destination-port 7547 -DROP“
- Resolve command and control servers using DNS 220.127.116.11
- Scan the internet for open TCP 7547 and infect other devices using the same malicious request as seen above.
Since the malware is not able to write itself to the router’s persistent filesystem, the infection will not survive a reboot.
Our products detect the corresponding binaries as HEUR:Backdoor.Linux.Mirai.b/c
Update (2016-11-28 19:50 CET)
At the moment the C2 servers timeserver[.]host and securityupdates[.]us are both pointing to US military related IPs in the 18.104.22.168/8 range. Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again. For sure, this is some kind of trolling from the criminals who conducted the attack.
Update (2016-11-29 15:16 CET)
The C2 hosts timeserver[.]host and securityupdates[.]us cannot be resolved to IPs anymore (“No answer”).
Update (2016-11-29 15:25 CET)
We still see worldwide attempts to exploit this vulnerability, now using a different server to download the malware binaries. IOCs updated.
Update (2016-11-30 19:13 CET)
We still see worldwide attempts to exploit this vulnerability, now using a different domain to host the malware: srrys[.]pw. This new variant of the malware is also sending out valid requests to set a specific IP as NTP Server – subsequently to the malicious requests. With this approach, the attackers try to avoid an early detection due to wrong timeserver settings, since the current NTP Server entry will be overwritten by the previous malicious requests. On non-vulnerable devices, this particular request will just set a new NTP Server :