Fresh botnet recruiting routers with weak credentials

With a special HNAP exploit just for D-Link kit

By Richard Chirgwin

Posted in Security, 24th January 2018 04:29 GMT

Security researchers believe the author of the Satori botnet is at it again, this time attacking routers to craft a botnet dubbed "Masuta".

The early-January Satori botnet attacked a Huawei router zero-day. Masuta also hits routers.

According to NewSky's analysis, the attack comes in two flavours. There's Masuta, which takes the standard IoT approach of trying default credentials against devices (its credential list is hidden by XOR-ing each byte with 0x22, a trick inspired by Mirai); and there's the more sophisticated "PureMasuta", which exploits an old network administration bug.
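As an added analysis helper (not code from the article or from NewSky), the Python below recovers a Mirai-style single-byte-XOR-obfuscated credential table from a bot binary. It assumes each entry is stored with its terminating NUL also XOR-ed, uses a constructed sample blob rather than real malware bytes, and goes beyond the 0x22 case by trying every key and keeping the one that yields the most NUL-terminated printable runs, so it still works when a variant swaps the key.

```python
"""Recover single-byte-XOR-obfuscated credential strings from a bot binary.

Assumption (Mirai-style table layout): every byte of each entry, the
terminating NUL included, is XOR-ed with one key byte.  Masuta uses 0x22.
"""

MIN_LEN = 4  # shortest run worth reporting, as with the `strings` utility


def decoded_entries(blob: bytes, key: int, min_len: int = MIN_LEN) -> list[str]:
    """Decode `blob` with `key`; return printable runs that end in a decoded NUL."""
    found, run = [], bytearray()
    for raw in blob:
        c = raw ^ key
        if 0x20 <= c < 0x7F:
            run.append(c)
            continue
        if c == 0 and len(run) >= min_len:  # encoded terminator -> real entry
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def guess_xor_key(blob: bytes) -> int:
    """Return the key byte that produces the most NUL-terminated printable runs."""
    return max(range(256), key=lambda k: len(decoded_entries(blob, k)))


def recover_credentials(blob: bytes) -> tuple[int, list[str]]:
    """Guess the key, then return (key, decoded credential entries)."""
    key = guess_xor_key(blob)
    return key, decoded_entries(blob, key)


# --- constructed sample, NOT bytes taken from a real Masuta binary -----------
_TABLE = [b"admin", b"1234", b"root", b"xc3511", b"support"]


def build_sample_blob(key: int = 0x22) -> bytes:
    """Fake binary: ELF-ish header, some ASCII noise, the encoded table, padding."""
    blob = bytearray(b"\x7fELF\x01\x01\x01\x00" + bytes(range(40, 60)))
    for word in _TABLE:
        blob += bytes(b ^ key for b in word + b"\x00")
    return bytes(blob + b"\xff\xfe\xfd" * 5)


if __name__ == "__main__":
    k, creds = recover_credentials(build_sample_blob())
    print(f"key=0x{k:02x} entries={creds}")
```

The decoded list is what a defender checks against the credentials configured on their own devices, since a default that appears in the table is a default the bot will try.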

That bug dates back to 2015, when Craig Heffner identified a flaw in D-Link's Home Network Administration Protocol (HNAP). That is what PureMasuta tries to exploit.

NewSky wrote:

It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.

Since the bug lets an attacker make the router run arbitrary commands via GetDeviceSettings, PureMasuta's bot-herders use it to issue a wget that fetches and runs a shell script, recruiting the device into the botnet.

If you have a vulnerable device – D-Link's AC300, for example – make sure you've got firmware newer than 2015.

NewSky's attribution of the botnet to an entity they dub "Nexus Zeta" rests on the C&C URL nexusiotsolutions(dot)net, the same URL the Satori botnet used. ®
