35,000 ARRIS cable modems at risk from firmware dumper bot
Backdoor-within-a-backdoor enables significant naughtiness
Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues.
ARRIS makes cable modems and associated home networking kit. It recently shipped a patch to address 2015 zero day which at the time of disclosure impacted 600,000 ARRIS modems.
The remaining as-yet-un-patched modems are located across the United States, Mexico, and Brazil, but the number of infected devices could be much higher, according to Rodrigues, since the Luabot malware used in the attacks shutters external access to lock out rival attackers and researchers.
Rodrigues identified the vulnerability which involved twin flaws, essentially a backdoor in a backdoor. His bug took the form of a shell within a hidden administrator feature that used a hardcoded password based on a known seed.
Hackers could enter the default SSH root user password of 'arris' and then punch in the password of the day in the subsequent spawned mini_cli shell.
The second-tier backdoor was based on the modem's serial number and was initially hosed-down by Arris as a low-risk flaw.
Professional box-popper Rodrigues cooked up a keygen, complete with a chiptune, which would generate passwords for the backdoor-backdoor.
He now says VXers have been exploiting the vulnerability using the LuaBot malware, first detailed earlier this month by "unixfreaxjp", author of industry blog Malware Must Die.
"I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates," Rodrigues says.
"Some users also reported that those certificates are being sold for Bitcoin to modem cloners all around the world.
"The report from [unixfreaxjp] also points that the LuaBot is being used for flooding and Distributed denial of service attacks."
Luabot has a detection rating on Virus Total of three from 55 anti virus engines.
The Luabot author told known French security researcher x0rz he was a programmer not affiliated with any hacking group.
He says he does not like the attention on his malware and says reverse engineers often bork analysis due to cross-pollination with other infections on routers.
The hacker has included comments of "happy reversing" in his binaries as a note to security researchers, and claims he is not attempting to cause harm to router owners.
"Internet-of-things botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices and firmware, and the final user has to keep his home devices patched and secured," Rodrigues says. ®