Fresh botnet recruiting routers with weak credentials

With a special HNAP exploit just for D-Link kit

By Richard Chirgwin

Security researchers believe the author of the Satori botnet is at it again, this time attacking routers to craft a botnet dubbed "Masuta".

The early-January Satori botnet exploited a Huawei router zero-day; Masuta also goes after routers.

According to NewSky's analysis, the attack comes in two flavours. There's Masuta, which takes the standard IoT approach of tapping devices for default credentials (hidden by a single XOR by 0x22, inspired by Mirai); and there's the more sophisticated “PureMasuta” which exploits an old network administration bug.

That bug dates back to 2015, when Craig Heffner identified a flaw in D-Link's Home Network Administration Protocol (HNAP). That is what PureMasuta tries to exploit.

NewSky wrote:

It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.

Since the bug lets an attacker run arbitrary commands on the router once GetDeviceSettings has been used to bypass authentication, what PureMasuta's bot-herders do is run wget to fetch and execute a shell script, recruiting the device into their botnet.

If you have a vulnerable device – D-Link's AC300, for example – make sure you've got firmware newer than 2015.

NewSky's attribution of the botnet to an entity it dubs "Nexus Zeta" rests on the C&C URL nexusiotsolutions(dot)net, which is the same URL the Satori botnet used. ®
