no-image

Background

Starting from yesterday, many DSL customers in Germany were reporting problems with their routers, which weren’t able to connect to their ISP anymore or that the internet connection was very weak. Today we saw news, that a malicious attack could be the reason for this widespread problem.

Fortunately we got some more technical details from users reporting the specific behaviour. With this information, were able to get hands on some samples and were able to reconstruct some details. Let’s have a quick look:

Exploiting the remote management protocol

As mentioned, users were seeing suspicious network activity. They saw this request incoming on TCP port 7547:

tr069-request-mirai

This request is part of the TR-069 specification, that defines an application layer protocol for remote management of end-user devices. This particular request is defined in the TR-098 data model for TR-069.

A vulnerability in affected routers causes the device to download the binary with file name “1” from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to domains anymore (“NXDOMAIN”).

Mirai related binary

During a quick analysis of the ELF 32-bit MIPS-MSB (big endian) variant used in todays attacks on German customers, we saw this Mirai-related sample perfoming this behaviour:

  • Delete itself from filesystem (resides only in memory)
  • Close vulnerable port using iptables: “iptables -A INPUT -p tcp –destination-port 7547 -DROP
  • Resolve command and control servers using DNS 8.8.8.8
    • timeserver[.]host
    • securityupdates[.]us
  • Scan the internet for open TCP 7547 and infect other devices using the same malicious request as seen above.

Since the malware is not able to write itself to the router’s persistent filesystem, the infection will not survive a reboot.

Our products detect the corresponding binaries as HEUR:Backdoor.Linux.Mirai.b

IOCs

Samples

ff47ff97021c27c058bbbdc9d327b9926e02e48145a4c6ea2abfdb036d992557
ff6e949c7d1cd82ffc4a1b27e488b84e07959472ed05755548efec90df82701e
ace9c1fe40f308a2871114da0d0d2f46965add1bda9c4bad62de5320b77e8a73

Hosts

timeserver[.]host
securityupdates[.]us
93.174.93[.]50
188.209.49[.]64
188.209.49[.]86
188.209.49[.]60
188.209.49[.]168
5.8.65[.]1
5.188.232[.]1
5.188.232[.]2
5.188.232[.]3
5.188.232[.]4
212.92.127[.]146
5.188.232[.]71

Source: Secure List

RELATED ARTICLESMORE FROM AUTHOR