New piece of malicious code infecting routers and IPTV's

New piece of malicious code infecting routers and IPTV’s

19, Feb, 2012

We stumbled on a new breed of malware called LightAidra a few weeks back. Now, normally when you see a malicious binary it can function only on a single type of platform due to OS and processor architecture restrictions. LightAidra is a bit of a different breed. LightAidra supports several different architectures, including MIPS, MIPSEL, ARM, PPC and SuperH.

LightAidra is capable of infecting a wide range of different produts like routers, IPTV’s and so on. Basically anything that runs on one of the above five architectures and has an embedded linux-based OS can be a potential host for it. Naturally, a network connection is also needed :)

So how does it spread? One way is the HTTP control panel firmware update screen, most commonly seen in D-Link and NetGear boxes:

Another, perhaps a bit more efficient way is the telnet port (TCP/23). It relies on the fact that some manufacturers have left the telnet daemon (telnetd) running on the devices. By itself, it wouldn’t be an issue, but while leaving the daemon running and reachable from the internet, some manufacturers also use static root passwords or no passwords at all! .

Once LightAidra wiggles it’s way into the device it will install itself to the system and tries to log on to the C&C server to listen for more commands. At the moment, the only things it supports are to launch an DDOS attack against someone or to scan and exploit other devices.

So, how to detect it? This is the part that is a bit tricky. You might get a report from your ISP about it. You might try to scan the device yourself, but there is a catch. When LightAidra installs itself it runs a small script that modifies the firewall rules:

#iptables -A INPUT -p tcp -d 10.0.0.0/8 –dport 23 -j ACCEPT
#iptables -A INPUT -p tcp -d 10.0.0.0/8 –dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -d 127.0.0.0/8 –dport 23 -j ACCEPT
#iptables -A INPUT -p tcp -d 127.0.0.0/8 –dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -d 192.168.0.0/16 –dport 23 -j ACCEPT
#iptables -A INPUT -p tcp -d 192.168.0.0/16 –dport 80 -j ACCEPT
#iptables -A INPUT -p tcp –dport 23 -j DROP
#iptables -A INPUT -p tcp –dport 80 -j DROP

In the above, LightAidra modifies the firewall to block connections that are coming from the internet towards the infected device’s telnet or http port.

How to remove it? Simple and easy, just power-cycle the device. Turn it off (from the power button, reset button or just pull the plug), turn it back on and you’re done. There’s a catch though: Nothing prevents the device from getting infected again. There are ways though to get some protection against the malware though:

* Check the manufacturer’s home page whether there has been any firmware updates for your device, and install the update.
* Most devices have an web based control panel. In some of the devices, you can actually choose whether the control panel is accessible from the internet. If it is, toggle off the setting and save changes.
* Place the device behind a firewall or NAT product (A bit trickier to do if the device IS the firewall or NAT product)
* Turn off the device when you don’t need it

LightAidra is not the harbringer of doom. It’s just another piece of malware that has evolved a bit differently. Even if you don’t remember the actual malware or what it does in a few weeks, try to atleast remember the four tricks above as they will help you protect your devices, most likely even after LightAidra is gone and newer malwares have replaced it.

Posted by admin in in General Information Security

Fitsec Blog

Entries on Information Security