New piece of malicious code infecting routers and IPTVs
19, Feb, 2012
We stumbled on a new breed of malware called LightAidra a few weeks back. Normally, a malicious binary can function only on a single type of platform because of OS and processor-architecture restrictions. LightAidra is a different breed: it supports several architectures, including MIPS, MIPSEL, ARM, PPC and SuperH.
LightAidra is capable of infecting a wide range of products such as routers, IPTVs and so on. Basically, anything that runs on one of the five architectures above and has an embedded Linux-based OS is a potential host for it. Naturally, a network connection is also needed :)
So how does it spread? One way is through the firmware-update screen of the HTTP control panel, most commonly seen on D-Link and NetGear boxes:

Another, perhaps more efficient, way is the telnet port (TCP/23). It relies on the fact that some manufacturers have left the telnet daemon (telnetd) running on the devices. By itself that wouldn't be an issue, but besides leaving the daemon running and reachable from the internet, some manufacturers also use static root passwords or no passwords at all!
Once LightAidra wiggles its way into the device, it installs itself on the system and tries to log on to the C&C server to listen for commands. At the moment, the only things it supports are launching a DDoS attack against a target and scanning for and exploiting other devices.
So, how to detect it? This is the tricky part. You might get a report from your ISP about it. You might try to scan the device yourself, but there is a catch: when LightAidra installs itself, it runs a small script that modifies the firewall rules:
# iptables -A INPUT -p tcp -d 10.0.0.0/8 --dport 23 -j ACCEPT
# iptables -A INPUT -p tcp -d 10.0.0.0/8 --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -d 127.0.0.0/8 --dport 23 -j ACCEPT
# iptables -A INPUT -p tcp -d 127.0.0.0/8 --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -d 192.168.0.0/16 --dport 23 -j ACCEPT
# iptables -A INPUT -p tcp -d 192.168.0.0/16 --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 23 -j DROP
# iptables -A INPUT -p tcp --dport 80 -j DROP
With the rules above, LightAidra makes the firewall drop connections coming from the internet towards the infected device's telnet (23) or HTTP (80) port, while the ACCEPT rules for the private and loopback destination ranges keep those ports reachable from the local network. A scan from the internet side therefore sees the ports closed.
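Checking for this rule shape from inside the device is one practical way to spot the modification. The following is an added example (not the blog's or the malware's code): it parses the INPUT chain in the form `iptables -S INPUT` prints it and flags a port that is ACCEPTed only for private or loopback destination ranges and DROPped for everyone else. `SAMPLE_RULES` is constructed to mirror the rules quoted above, and `BENIGN_RULES` is a constructed ordinary ruleset for comparison; the port list and all function names are this example's own assumptions.

```python
"""Spot the INPUT-chain shape LightAidra's install script leaves behind:
telnet/HTTP accepted only when addressed to private or loopback ranges, then
dropped for everyone else.  Added example, not the blog's or the malware's
code; SAMPLE_RULES is constructed to mirror the rules quoted in the post, in
the form `iptables -S INPUT` prints them."""
import ipaddress
import shlex

# Constructed sample: what `iptables -S INPUT` would print after the script ran.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -d 10.0.0.0/8 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -d 10.0.0.0/8 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 127.0.0.0/8 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -d 127.0.0.0/8 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.0.0/16 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -d 192.168.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Constructed sample of an ordinary ruleset, for comparison.
BENIGN_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
"""

WATCHED_PORTS = (23, 80)   # the two services the post says the script walls off


def parse_rule(line):
    """Reduce one `-A CHAIN ...` line to the fields the check needs.
    Returns None for policy lines and anything else that is not an append."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "proto": None, "dport": None,
            "dst": None, "src": None, "target": None}
    i = 2
    while i < len(toks) - 1:
        flag, val = toks[i], toks[i + 1]
        if flag == "-p":
            rule["proto"] = val
        elif flag == "--dport":
            rule["dport"] = int(val.split(":")[0])   # first port of a range
        elif flag == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif flag == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif flag == "-j":
            rule["target"] = val
        else:
            i += 1          # flag we do not model (-m, -i, --state, ...)
            continue
        i += 2
    return rule


def is_local_only(net):
    """True for destination networks that only the LAN/loopback side can reach."""
    return net.is_private or net.is_loopback


def walled_off_ports(rules_text, ports=WATCHED_PORTS):
    """Return the ports that are DROPped for any destination but ACCEPTed only
    when the destination is a private/loopback range, i.e. reachable from the
    LAN but closed to the internet side."""
    rules = [r for r in (parse_rule(ln) for ln in rules_text.splitlines()) if r]
    flagged = []
    for port in ports:
        same_port = [r for r in rules if r["chain"] == "INPUT"
                     and r["proto"] == "tcp" and r["dport"] == port]
        accepts = [r for r in same_port if r["target"] == "ACCEPT"]
        drops = [r for r in same_port if r["target"] == "DROP"
                 and r["dst"] is None and r["src"] is None]
        if accepts and drops and all(r["dst"] is not None and is_local_only(r["dst"])
                                     for r in accepts):
            flagged.append(port)
    return flagged


if __name__ == "__main__":
    print("suspicious ports:", walled_off_ports(SAMPLE_RULES))   # [23, 80]
    print("benign ruleset:  ", walled_off_ports(BENIGN_RULES))   # []
```

Feeding real `iptables -S INPUT` output into `walled_off_ports` is the intended use; it has to run on the device (or over its own shell), since the whole point of the rules is that a scan from the internet side cannot see the open ports. The check looks only at TCP rules with a single `--dport`, which is all the quoted script uses.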
How to remove it? Simple and easy: just power-cycle the device. Turn it off (from the power button, the reset button, or just pull the plug), turn it back on and you're done. There's a catch, though: nothing prevents the device from getting infected again. There are ways to get some protection against the malware, however:
* Check the manufacturer's home page for firmware updates for your device, and install any update.
* Most devices have a web-based control panel. On some devices you can choose whether the control panel is accessible from the internet. If it is, toggle the setting off and save the changes.
* Place the device behind a firewall or NAT product (a bit trickier to do if the device IS the firewall or NAT product).
* Turn off the device when you don't need it.
LightAidra is not the harbinger of doom. It's just another piece of malware that has evolved a bit differently. Even if you don't remember the actual malware or what it does in a few weeks, try to at least remember the four tricks above, as they will help you protect your devices, most likely even after LightAidra is gone and newer malware has replaced it.
- Posted by admin in General Information Security
Write once, cash everywhere
12, Sep, 2011
We happened to bump into a fancy piece of malware which is probably targeted at Russian mobile subscribers.
While malware running on the Android platform has rapidly become the most common malware threat for mobile, Java ME is still going strong too. The malware in question has a VirusTotal score of 6/42.
- Posted by admin in General Information Security
Tool Release: A Banking Trojan Detection Tool
15, Aug, 2011
As many of our readers know, banking trojans have become extremely widespread over the course of the last few years. There are hundreds of thousands, if not millions, of computers on the internet that are infected by these malicious programs.
We created an experimental tool that can detect almost all variants of the top five banking trojan families (Zeus, SpyEye, Carberp, Gozi and Patcher) if they are active and running on the infected computer. The tool works by scanning the memory of each running process, looking for telltale signs of these malware families. If any signs are detected, the tool reports the malware name and the affected process name.
The advantage of the tool is that it doesn't use a conventional signature database, where detection can usually be avoided by re-packing the malware with a new obfuscation layer. Instead, it looks for pieces of code that belong to the actual malware itself.
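To make the difference between the two approaches concrete, here is an added example (not DeBank's code, and not derived from any real family): a masked byte-pattern scan over a process memory image, beside a file-hash lookup. The "code fragment", the one-byte XOR "packer" standing in for an obfuscation layer, and the memory images are all constructed for the illustration; the wildcard positions in the pattern are an assumption about where a builder would vary immediates.

```python
"""Why scanning process memory for code fragments survives re-packing while a
file signature does not.  Added example illustrating the approach the post
describes; it is not the DeBank tool's code.  The code pattern, the XOR
"packer" and the memory images are all constructed for illustration."""
import hashlib
import re

# Constructed, hypothetical code fragment with wildcard bytes (None) where a
# builder would typically vary immediates; not taken from any real family.
CODE_PATTERNS = {
    "example-family": [0x55, 0x8B, 0xEC, 0x83, 0xEC, None,
                       0x53, 0x56, 0x57, 0xE8, None, None, None, None],
}

# The concrete bytes one build of that fragment is assumed to contain.
FRAGMENT = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
                  0x53, 0x56, 0x57, 0xE8, 0x12, 0x34, 0x56, 0x78])


def compile_pattern(pat):
    """Turn a byte/wildcard list into a bytes regex; '.' with DOTALL matches any byte."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in pat]
    return re.compile(b"".join(parts), re.DOTALL)


def scan_image(image, patterns=CODE_PATTERNS):
    """Return (family, offset) for every pattern found in a memory image."""
    hits = []
    for name, pat in patterns.items():
        m = compile_pattern(pat).search(image)
        if m:
            hits.append((name, m.start()))
    return hits


def pack(blob, key):
    """Constructed stand-in for a packer's obfuscation layer: one-byte XOR.
    Applying it twice with the same key restores the original."""
    return bytes(b ^ key for b in blob)


def build_process_image(code, pad_before=0x200, pad_after=0x100):
    """Constructed stand-in for a region of a running process: the unpacked
    code surrounded by filler bytes."""
    return b"\x90" * pad_before + code + b"\x00" * pad_after


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def demo():
    # Build 1 is the sample a file-hash signature was written for.
    build1_on_disk = pack(FRAGMENT, 0x3C)
    known_hashes = {sha256(build1_on_disk)}
    # Build 2 is the same code re-packed with a new layer (new key): the file
    # hash no longer matches, and neither does the code pattern on disk.
    build2_on_disk = pack(FRAGMENT, 0x5A)
    # Once build 2 runs, the packer has undone its layer, so the code is back.
    build2_in_memory = build_process_image(pack(build2_on_disk, 0x5A))
    return {
        "hash_matches_repacked_file": sha256(build2_on_disk) in known_hashes,
        "pattern_hits_on_disk": scan_image(build2_on_disk),
        "pattern_hits_in_memory": scan_image(build2_in_memory),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check fails on the re-packed file and the pattern finds nothing on disk either; only the in-memory image, where the packer has already undone its layer, yields a hit. A real scanner reads each process's memory regions instead of the constructed buffer used here, but the matching step is the same.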
We'd love to hear any improvement suggestions and comments; feel free to contact us at info(at)fitsec.com
The tool can be downloaded here: http://www.fitsec.com/tools/DeBank.exe
By downloading and/or using the tool you agree to the license terms that are described here: http://www.fitsec.com/tools/license.txt
- Posted by admin in General Information Security
Palevo Tracker has been launched
1, Mar, 2011
Roman Huessy, the owner and maintainer of Zeus Tracker, has launched a new project called Palevo Tracker.
Palevo is a highly polymorphic bot that has been around for a few years, usually with low AV detection rates.
Below are a few AV engines and their detection names for this threat:
F-Secure: W32/Palevo
McAfee: W32/Palevo
Microsoft: Win32/Rimecud
Symantec: W32.Pilleuz
We warmly suggest visiting abuse.ch, either their blog or the AMaDa project, where you can access the blocklist service abuse.ch produces.
- Posted by admin in General Information Security
Interesting news about Stuxnet
15, Feb, 2011
We noticed that Symantec had updated their whitepaper on Stuxnet. Stuxnet is a completely new breed of malware, designed to be used as a cyber-warfare weapon.
It appears that Stuxnet was a targeted attack against 5 institutions, all of which have a presence in Iran. You can read more about it in the Symantec blog entry.
- Posted by admin in General Information Security