Security

35,000 ARRIS cable modems at risk from firmware dumper bot

Backdoor-within-a-backdoor enables significant naughtiness

By Darren Pauli

15 SHARE

Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues.

ARRIS makes cable modems and associated home networking kit. It recently shipped a patch to address 2015 zero day which at the time of disclosure impacted 600,000 ARRIS modems.

The remaining as-yet-un-patched modems are located across the United States, Mexico, and Brazil, but the number of infected devices could be much higher, according to Rodrigues, since the Luabot malware used in the attacks shutters external access to lock out rival attackers and researchers.

Rodrigues identified the vulnerability which involved twin flaws, essentially a backdoor in a backdoor. His bug took the form of a shell within a hidden administrator feature that used a hardcoded password based on a known seed.

Hackers could enter the default SSH root user password of 'arris' and then punch in the password of the day in the subsequent spawned mini_cli shell.

The second-tier backdoor was based on the modem's serial number and was initially hosed-down by Arris as a low-risk flaw.

Professional box-popper Rodrigues cooked up a keygen, complete with a chiptune, which would generate passwords for the backdoor-backdoor.

He now says VXers have been exploiting the vulnerability using the LuaBot malware, first detailed earlier this month by "unixfreaxjp", author of industry blog Malware Must Die.

"I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates," Rodrigues says.

"Some users also reported that those certificates are being sold for Bitcoin to modem cloners all around the world.

"The report from [unixfreaxjp] also points that the LuaBot is being used for flooding and Distributed denial of service attacks."

Luabot has a detection rating on Virus Total of three from 55 anti virus engines.

The Luabot author told known French security researcher x0rz he was a programmer not affiliated with any hacking group.

He says he does not like the attention on his malware and says reverse engineers often bork analysis due to cross-pollination with other infections on routers.

The hacker has included comments of "happy reversing" in his binaries as a note to security researchers, and claims he is not attempting to cause harm to router owners.

"Internet-of-things botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices and firmware, and the final user has to keep his home devices patched and secured," Rodrigues says. ®

Sign up to our NewsletterGet IT in your inbox daily

15 Comments

More from The Register

Cisco can now sniff out malware inside encrypted traffic

This is Switchzilla’s kit-plus-cloud plan in action

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Cisco waves swatter at ten new vulnerabilities

It's 2017, and UPnP is still a critical attack vector

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

Advanced VPNFilter malware menacing routers worldwide

Cisco's Talos team says 500k already pwned and leaking data

Telco IT admins on red alert as Cisco flings out patches for security holes in policy toolkit

Twenty-five bugs writhing on the netops floor this week

Cisco to release patches for Meltdown, Spectre CPU vulns, just in case

Switchzilla is investigating a whole bunch of products

Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

Get patching after team gets under the skin of OpenEMR

Ever seen printer malware in action? Install this HP Ink patch – or you may find out

Firmware update tackles remote code bugs in InkJet machines

Four-year switch: Two Cisco veeps pack bags and go for a wander

Service Provider gros fromage and marketer leave biz