
35,000 ARRIS cable modems at risk from firmware dumper bot

Backdoor-within-a-backdoor enables significant naughtiness

By Darren Pauli


Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues.

ARRIS makes cable modems and associated home networking kit. It recently shipped a patch to address a 2015 zero-day which, at the time of disclosure, impacted 600,000 ARRIS modems.

The remaining as-yet-unpatched modems are located across the United States, Mexico, and Brazil, but the number of infected devices could be much higher, according to Rodrigues, since the Luabot malware used in the attacks shutters external access to lock out rival attackers and researchers.

Rodrigues identified the vulnerability, which involved twin flaws: essentially a backdoor within a backdoor. His bug took the form of a shell within a hidden administrator feature that used a hardcoded password derived from a known seed.

Hackers could enter the default SSH root user password of 'arris' and then punch in the password of the day in the subsequent spawned mini_cli shell.

The second-tier backdoor password was derived from the modem's serial number, and the flaw was initially hosed down by ARRIS as low-risk.
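To make the design point behind both flaws concrete, here is an added illustration (not ARRIS code, and not Rodrigues' keygen): a hypothetical credential derived from a fleet-wide seed and the public serial number, beside the per-unit random secret a vendor should provision instead. The seed value, serial format, hash construction and entropy figures are all constructed for the example; the real ARRIS scheme is not reproduced.

```python
"""Weak vs. sound per-device credentials.

Added illustration, not ARRIS code: the derivation below is a constructed
stand-in for "a hardcoded password based on a known seed" and "a password
derived from the serial number". The real scheme is not reproduced here.
"""
import hashlib
import hmac
import secrets

# Constructed seed. The weak point is that it is identical in every firmware
# image, so once extracted from one unit it is "known" for the whole fleet.
FIRMWARE_SEED = b"constructed-seed-baked-into-firmware"


def weak_serial_password(serial: str, seed: bytes = FIRMWARE_SEED) -> str:
    """Hypothetical weak scheme: password = SHA-256(seed || serial), truncated.

    Every input is either public (the serial is printed on the label and
    appears in any config dump) or fleet-wide (the seed), so the output
    carries no secret at all: anyone holding seed and serial computes it.
    """
    return hashlib.sha256(seed + serial.encode()).hexdigest()[:12]


def provision_device_secret() -> bytes:
    """Sound scheme: a fresh 256-bit secret generated per unit at manufacture,
    stored only on that unit and in the vendor's provisioning database."""
    return secrets.token_bytes(32)


def verify_device_secret(stored: bytes, presented: bytes) -> bool:
    """Constant-time comparison so response timing does not leak the secret."""
    return hmac.compare_digest(stored, presented)


def secret_entropy_bits(inputs: dict) -> int:
    """Audit helper: entropy an attacker still has to guess.

    inputs maps a name to (bits, attacker_knows). Anything the attacker can
    learn (public serial, seed lifted from a firmware dump) contributes nothing.
    """
    return sum(bits for bits, known in inputs.values() if not known)


def audit_weak_scheme() -> int:
    # Serial: public. Seed: recovered from a single firmware image, hence known.
    return secret_entropy_bits({"serial": (20, True), "seed": (256, True)})


def audit_sound_scheme() -> int:
    # Per-unit random secret: never leaves the device and the vendor database.
    return secret_entropy_bits({"device_secret": (256, False)})


if __name__ == "__main__":
    unit = "CONSTRUCTED-SERIAL-0001"
    # Two parties holding the same seed and serial compute the same password:
    # that is the whole problem with the weak scheme.
    assert weak_serial_password(unit) == weak_serial_password(unit)
    a, b = provision_device_secret(), provision_device_secret()
    print("weak scheme guessing effort (bits):", audit_weak_scheme())
    print("sound scheme guessing effort (bits):", audit_sound_scheme())
    print("two units share a secret:", verify_device_secret(a, b))
```

The audit helper is the part worth reusing: when reviewing a vendor's "password of the day" or support-shell credential, list each input to the derivation and ask whether an attacker with one dumped firmware image and a device label can obtain it. If every input ends up marked known, the effective secret is zero bits regardless of how strong the hash in the middle is.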

Professional box-popper Rodrigues cooked up a keygen, complete with a chiptune, which would generate passwords for the backdoor-backdoor.

He now says VXers have been exploiting the vulnerability using the LuaBot malware, first detailed earlier this month by "unixfreaxjp", author of industry blog Malware Must Die.

"I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates," Rodrigues says.

"Some users also reported that those certificates are being sold for Bitcoin to modem cloners all around the world.

"The report from [unixfreaxjp] also points out that the LuaBot is being used for flooding and distributed denial-of-service attacks."

Luabot is detected by three out of 55 antivirus engines on VirusTotal.

The Luabot author told known French security researcher x0rz he was a programmer not affiliated with any hacking group.

He says he does not like the attention on his malware and says reverse engineers often bork analysis due to cross-pollination with other infections on routers.

The hacker has included comments of "happy reversing" in his binaries as a note to security researchers, and claims he is not attempting to cause harm to router owners.

"Internet-of-things botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices and firmware, and the final user has to keep his home devices patched and secured," Rodrigues says. ®
