[email protected] +603-2181 3666
New wave of Mirai attacking home routers
November 28, 2016
0

Background
Starting from yesterday, many DSL customers in Germany were reporting problems with their routers, which weren’t able to connect to their ISP anymore or that the internet connection was very weak. Today we saw news, that a malicious attack could be the reason for this widespread problem.
Fortunately we got some more technical details from users reporting the specific behaviour. With this information, were able to get hands on some samples and were able to reconstruct some details. Let’s have a quick look:

Exploiting the remote management protocol
As mentioned, users were seeing suspicious network activity. They saw this request incoming on TCP port 7547:

This request is described in the TR-064 specification of methods for configuring DSL CPE (customer-premises equipment).
A vulnerability in affected routers causes the device to download the binary with file name “1” from http://l.ocalhost[.]host to the /tmp/-directory and executes it. The IP addresses of this host changed a few times during the day. Starting from 28th November 2016, 16:36 CET the domains cannot be resolved to domains anymore (“NXDOMAIN”).
Mirai related binary
During a quick analysis of the ELF 32-bit MIPS-MSB (big endian) variant used in todays attacks on German customers, we saw this Mirai-related sample perfoming this behaviour:

Delete itself from filesystem (resides only in memory)
Close vulnerable port using iptables: “iptables -A INPUT -p tcp –destination-port 7547 -DROP“
Resolve command and control servers using DNS 8.8.8.8

timeserver[.]host
securityupdates[.]us

Scan the internet for open TCP 7547 and infect other devices using the same malicious request as seen above.

Since the malware is not able to write itself to the router’s persistent filesystem, the infection will not survive a reboot.
Our products detect the corresponding binaries as HEUR:Backdoor.Linux.Mirai.b
Update (2016-11-28 19:50 CET)
At the moment the C2 servers timeserver[.]host and securityupdates[.]us are both pointing to US military related IPs in the 6.0.0.0/8 range. Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again. For sure, this is some kind of trolling from the criminals who conducted the attack.
IOCs
Samples
ff47ff97021c27c058bbbdc9d327b9926e02e48145a4c6ea2abfdb036d992557
ff6e949c7d1cd82ffc4a1b27e488b84e07959472ed05755548efec90df82701e
ace9c1fe40f308a2871114da0d0d2f46965add1bda9c4bad62de5320b77e8a73
Hosts
timeserver[.]host
securityupdates[.]us
l.ocalhost[.]host
93.174.93[.]50
188.209.49[.]64
188.209.49[.]86
188.209.49[.]60
188.209.49[.]168
5.8.65[.]1
5.188.232[.]1
5.188.232[.]2
5.188.232[.]3
5.188.232[.]4
212.92.127[.]146
5.188.232[.]71
Source: Kaspersky