Damballa researchers have spotted an active campaign aimed at infecting as many home routers as possible with a worm.
A variant of the TheMoon worm, it works by taking advantage of a weakness in HNAP (Home Network Administration Protocol), and is delivered to visitors of one of five one-night stand dating sites seemingly controlled by the same person (possibly a victim of identity theft).
If all of this seems familiar, it is because a similar campaign using the same malware was detected in early 2014 by SANS ISC.
Now, as then, the worm spreads but has no functional C&C server to control it, so the infected routers cannot really be said to form a botnet – though they could be roped into one at a later date.
The malware prevents users from using some of the router’s ports and opens others so that it can spread to other routers, and currently goes undetected by popular AV solutions.
The initial infection is triggered when a user visits one of the aforementioned dating sites.
“The page loads an additional php file called remot.php from an iframe to run in the background. The file remot.php probes and accesses the router and other information. If criteria is met, the attack moves to Stage 2,” the researchers explained.
The criteria are that the router is vulnerable to the aforementioned weakness and that its login page sits at a default IP address (192.168.0.1 or 192.168.1.1).
Stage 2 includes a call for another URL, which launches a script and downloads the worm (a Linux executable ELF file).
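A defender-side check for the two stages just described, added here as an example and not part of Damballa's report: it scans fetched HTML for an iframe that pulls in remot.php, and correlates constructed proxy log lines so that a client which fetched remot.php and then pulled down an ELF-typed binary shortly afterwards is flagged. The log format, hostnames, timestamps and the 300-second window are assumptions made for the example.

```python
import re

# Constructed proxy log lines: "<epoch> <client_ip> <url> <status> <content_type>".
# Hostnames, paths and timestamps are made up for this example; "nttpd" is the
# component name quoted in the report, not a real download location.
SAMPLE_LOG = """\
1000 10.0.0.5 http://dating-site.example/index.html 200 text/html
1001 10.0.0.5 http://dating-site.example/remot.php 200 text/html
1005 10.0.0.5 http://dl.example/x/nttpd 200 application/x-executable
1010 10.0.0.9 http://news.example/ 200 text/html
1012 10.0.0.9 http://dating-site.example/remot.php 200 text/html
2000 10.0.0.9 http://cdn.example/app.bin 200 application/x-executable
"""

# Content types a proxy commonly records for a raw Linux ELF download.
# octet-stream is generic, so on its own it is only meaningful inside the window.
ELF_TYPES = {"application/x-executable", "application/octet-stream"}


def find_remot_iframes(html: str) -> list[str]:
    """Return iframe src values that load remot.php (Stage 1 on the landing page)."""
    return re.findall(r'<iframe\b[^>]*\bsrc=["\']([^"\']*remot\.php[^"\']*)', html, re.I)


def flag_staged_chain(log_text: str, window: int = 300) -> dict[str, str]:
    """Map client -> binary download URL for clients that fetched remot.php and then
    received an ELF-typed response within `window` seconds (Stage 1 then Stage 2)."""
    last_remot: dict[str, int] = {}   # client -> epoch of most recent remot.php fetch
    flagged: dict[str, str] = {}
    for line in log_text.splitlines():
        ts_str, client, url, _status, ctype = line.split()
        ts = int(ts_str)
        if url.lower().endswith("remot.php"):
            last_remot[client] = ts
        elif ctype in ELF_TYPES and client in last_remot and client not in flagged:
            if 0 <= ts - last_remot[client] <= window:
                flagged[client] = url
    return flagged


if __name__ == "__main__":
    for client, url in flag_staged_chain(SAMPLE_LOG).items():
        print(f"{client}: remot.php followed by binary download {url}")
```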
“The criminals moved from scanning IP ranges for potential vulnerable home routers to embedding the attack on a website,” noted Loucif Kharouni, senior threat researcher at Damballa. “In 2015 they released 3 versions of the file nttpd which is a main component of the attack. It feels like this conversion to a web-based attack is new and under construction. We are still looking for more information about the attack and the criminals.”