Starting from yesterday, many DSL customers in Germany were reporting problems with their routers, which weren’t able to connect to their ISP anymore or that the internet connection was very weak. Today we saw news, that a malicious attack could be the reason for this widespread problem.
Fortunately we got some more technical details from users reporting the specific behaviour. With this information, were able to get hands on some samples and were able to reconstruct some details. Let’s have a quick look:
Exploiting the remote management protocol
As mentioned, users were seeing suspicious network activity. They saw this request incoming on TCP port 7547:
This request is part of the TR-069 specification, that defines an application layer protocol for remote management of end-user devices. This particular request is defined in the TR-098 data model for TR-069.
A vulnerability in affected routers causes the device to download the binary with file name “1” from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to domains anymore (“NXDOMAIN”).
Mirai related binary
During a quick analysis of the ELF 32-bit MIPS-MSB (big endian) variant used in todays attacks on German customers, we saw this Mirai-related sample perfoming this behaviour:
- Delete itself from filesystem (resides only in memory)
- Close vulnerable port using iptables: “iptables -A INPUT -p tcp –destination-port 7547 -DROP“
- Resolve command and control servers using DNS 220.127.116.11
- Scan the internet for open TCP 7547 and infect other devices using the same malicious request as seen above.
Since the malware is not able to write itself to the router’s persistent filesystem, the infection will not survive a reboot.
Our products detect the corresponding binaries as HEUR:Backdoor.Linux.Mirai.b
Update (2016-11-28 19:50 CET)
At the moment the C2 servers timeserver[.]host and securityupdates[.]us are both pointing to US military related IPs in the 18.104.22.168/8 range. Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again.