Malware Snoops Through Your Home Network

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
From: http://blog.trendmicro.com/trendlabs-security-intelligence/malware-snoops-through-your-home-network/
In recent years, Trend Micro has seen a lot of reports about home routers being vulnerable to attacks. Our research as early as 2008 shows malware rigging routers to redirect users to different sites. Other attacks we have seen include backdoors and possible DNS rebinding attacks. In these scenarios, the intent and goal of the attacks are pretty straightforward.

Snooping Around Your Network

We recently came across one malware, detected as TROJ_VICEPASS.A, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it will send the information to a command-and-control (C&C) server and delete itself from the computer.


Figure 1. Infection chain

A Closer Look at its Routines

Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update. Users are encouraged to download this update and install it in their computers.


Figure 2. Site hosting fake Adobe Flash update


Figure 3. Fake Flash update

Once the malware is executed, it attempts to connect to the connected router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices.


Figure 4. Scanning for connected devices

The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, which are IP addresses typically assigned by home routers. The target range is hard-coded. A look at the internal log format reveals the following:

Find router IP address – start

Searching in 192.168.0.0 – 192.168.0.11

[0] connect to 192.168. 0.0

URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’

…. (skip)

Find router IP address – end

We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices cannot have an HTTP open panel. However, it should be noted that the strings focus more on routers. We found that the malware uses the following strings in its search:

  • dlink
  • d-link
  • laserjet
  • apache
  • cisco
  • gigaset
  • asus
  • apple
  • iphone
  • ipad
  • logitech
  • samsung
  • xbox

Figure 5. The search for Apple devices

Once the malware finishes scanning, the results of the search are encrypted using base64 and a self-made encryption method. Base64 is only an encoding technique so the scan results still require an encryption method. The encrypted result will be sent to a C&C server via HTTP protocol.

Read more: http://blog.trendmicro.com/trendlabs-security-intelligence/malware-snoops-through-your-home-network/
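The scanning behaviour described above (HTTP probes against the hard-coded 192.168.[0-6].0-11 range) is easy to spot from the network side, because a normal client talks to one gateway, not to a dozen consecutive low addresses including the .0 network address. The following Python is an added detection example written for this thread; it is not code from Trend Micro or from the sample itself, and the log line format, the sample log lines and the threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# The target range the post says is hard-coded in the sample:
# 192.168.[0-6].0 through 192.168.[0-6].11 (7 x 12 = 84 addresses).
HARDCODED_RANGE = frozenset(
    ipaddress.IPv4Address(f"192.168.{third}.{fourth}")
    for third in range(0, 7)
    for fourth in range(0, 12)
)

# Assumed log format (a simplified proxy/firewall record, not the malware's own log):
# "<hh:mm:ss> <src_ip> -> <dst_ip> <HTTP method> <result>"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+(?P<result>\S+)$"
)

# Constructed sample log: one host sweeping 192.168.0.0-11 the way the post
# describes, one host behaving normally, and one malformed line to skip.
SAMPLE_LOG = "\n".join(
    [f"10:00:{i:02d} 192.168.1.20 -> 192.168.0.{i} GET {'200' if i == 1 else 'fail'}"
     for i in range(12)]
    + [
        "10:00:20 192.168.1.30 -> 192.168.1.1 GET 200",
        "10:00:21 192.168.1.30 -> 192.168.1.1 POST 200",
        "10:00:22 192.168.1.30 -> 192.168.1.2 GET 200",
        "10:00:23 192.168.1.30 -> 203.0.113.10 GET 200",
        "garbage line that the parser must skip",
    ]
)


def parse_line(line):
    """Return (src, dst) as IPv4Address objects, or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m["src"]), ipaddress.IPv4Address(m["dst"])
    except ValueError:
        return None


def find_scanners(log_text, threshold=8):
    """Map each source that touched at least `threshold` distinct addresses inside
    HARDCODED_RANGE to the sorted list of addresses it probed.

    Destinations outside the range (the internet, higher LAN addresses) are
    ignored, so a host that only talks to its gateway is never reported."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        if dst in HARDCODED_RANGE:
            touched[src].add(dst)
    return {
        str(src): [str(ip) for ip in sorted(dsts)]
        for src, dsts in touched.items()
        if len(dsts) >= threshold
    }


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(targets)} addresses in the hard-coded range: "
              f"{targets[0]} .. {targets[-1]}")
```

The threshold of eight distinct addresses is arbitrary; tune it against your own traffic, and remember the sample also enumerates 192.168.1 through 192.168.6, so a second subnet appearing from one host is a stronger signal than any single sweep.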

Tony Cole

Level 27
Verified
May 11, 2014
1,639
No Jack, it must stop! LOL. All this is very scary, you never know who is watching you. I have covered my webcam over! I really do not know what's happening to this world, especially the internet.
