Security News 35,000 ARRIS cable modems at risk from firmware dumper bot

Solarquest

Backdoor-within-a-backdoor enables significant naughtiness
Hackers have exploited a back door in more than 35,000 ARRIS modems, making off with firmware and certificates, according to security researcher Bernardo Rodrigues.

ARRIS makes cable modems and associated home networking kit. It recently shipped a patch to address a 2015 zero day which at the time of disclosure impacted 600,000 ARRIS modems.

The remaining as-yet-unpatched modems are located across the United States, Mexico, and Brazil, but the number of infected devices could be much higher, according to Rodrigues, since the Luabot malware used in the attacks shutters external access to lock out rival attackers and researchers.

Rodrigues identified the vulnerability which involved twin flaws, essentially a backdoor in a backdoor. His bug took the form of a shell within a hidden administrator feature that used a hardcoded password based on a known seed.

Hackers could enter the default SSH root user password of 'arris' and then punch in the password of the day in the subsequent spawned mini_cli shell.

The second-tier backdoor was based on the modem's serial number and was initially hosed-down by Arris as a low-risk flaw.


Professional box-popper Rodrigues cooked up a keygen, complete with a chiptune, which would generate passwords for the backdoor-backdoor.

He now says VXers have been exploiting the vulnerability using the LuaBot malware, first detailed earlier this month by Hendrik Adrian, author of industry blog Malware Must Die.

"I received some reports that malware creators are remotely exploiting those devices in order to dump the modem's configuration and steal private certificates," Rodrigues says.

"Some users also reported that those certificates are being sold for Bitcoin to modem cloners all around the world.

"The report from [Adrian] also points out that the LuaBot is being used for flooding and distributed denial of service attacks."

Luabot has a detection rating on VirusTotal of three from 55 anti-virus engines.

The Luabot author told known French security researcher x0rz he was a programmer not affiliated with any hacking group.

He says he does not like the attention on his malware and says reverse engineers often bork analysis due to cross-pollination with other infections on routers.

The hacker has included comments of "happy reversing" in his binaries as a note to security researchers, and claims he is not attempting to cause harm to router owners.

"Internet-of-things botnets are becoming a thing: manufacturers have to start building secure and reliable products, ISPs need to start shipping updated devices and firmware, and the final user has to keep his home devices patched and secured," Rodrigues says. ®

Again... Rodrigues couldn't have said it better!
...and again I add, manufacturers and ISPs that don't do it have to be FINED.

Solarquest

I would suggest you log in to your modem/router and change the password. Then I would check for updates.
Apparently it is better not to allow remote administration/access.
Check also that your Wi-Fi uses WPA2.
If you want, you can also check the router log to see if someone already changed something; if yes, reset, set a new password, update, and deny remote access.

On VT still low detection, 9/54.

https://www.virustotal.com/en/file/...24367db0d9e49f16cf68740a50218fb4428/analysis/
 

_CyberGhosT_

Awesome heads-up Solar, thank you!
Thought I was already following you :(