Security

35,000 ARRIS cable modems at risk from firmware dumper bot

Backdoor-within-a-backdoor enables significant naughtiness

By Darren Pauli

15 SHARE

Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues.

ARRIS makes cable modems and associated home networking kit. It recently shipped a patch to address 2015 zero day which at the time of disclosure impacted 600,000 ARRIS modems.

The remaining as-yet-un-patched modems are located across the United States, Mexico, and Brazil, but the number of infected devices could be much higher, according to Rodrigues, since the Luabot malware used in the attacks shutters external access to lock out rival attackers and researchers.

Rodrigues identified the vulnerability which involved twin flaws, essentially a backdoor in a backdoor. His bug took the form of a shell within a hidden administrator feature that used a hardcoded password based on a known seed.

Hackers could enter the default SSH root user password of 'arris' and then punch in the password of the day in the subsequent spawned mini_cli shell.

The second-tier backdoor was based on the modem's serial number and was initially hosed-down by Arris as a low-risk flaw.

Professional box-popper Rodrigues cooked up a keygen, complete with a chiptune, which would generate passwords for the backdoor-backdoor.

He now says VXers have been exploiting the vulnerability using the LuaBot malware, first detailed earlier this month by "unixfreaxjp", author of industry blog Malware Must Die.

"I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates," Rodrigues says.

"Some users also reported that those certificates are being sold for Bitcoin to modem cloners all around the world.

"The report from [unixfreaxjp] also points that the LuaBot is being used for flooding and Distributed denial of service attacks."

Luabot has a detection rating on Virus Total of three from 55 anti virus engines.

The Luabot author told known French security researcher x0rz he was a programmer not affiliated with any hacking group.

He says he does not like the attention on his malware and says reverse engineers often bork analysis due to cross-pollination with other infections on routers.

The hacker has included comments of "happy reversing" in his binaries as a note to security researchers, and claims he is not attempting to cause harm to router owners.

"Internet-of-things botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices and firmware, and the final user has to keep his home devices patched and secured," Rodrigues says. ®

Sign up to our NewsletterGet IT in your inbox daily

15 Comments

More from The Register

Cisco can now sniff out malware inside encrypted traffic

This is Switchzilla’s kit-plus-cloud plan in action

The weekend starts here... right after you've installed these critical Cisco bug patches

Coding screwups for Prime Infrastructure and DNA Center admins to slurp up

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Cisco waves swatter at ten new vulnerabilities

It's 2017, and UPnP is still a critical attack vector

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data

M-M-M-MONSTER KILL: Cisco's bug-wranglers swat 29 in single week

Replace those end-of-life VPN devices, they won't be patched

Fancy Bear still Putin out new modules for VPNFilter malware

Talos turns up obfuscation, lateral attacks, and proxies

Cisco patches yet another Data Centre Network Manager vuln

Good news is that it was just a proof of concept... we hope

Who needs custom malware? 'Govt-backed' Gallmaker spy crew uses off-the-shelf wares

Likely state hackers make do with 'living off the land' and going after tardy Office patchers