A recently reported attack delivers a worm to visitors of certain websites. Rather than infecting the visitor's computer, the worm infects the visitor's home router and adds it to a botnet.
Details about the attack:
- Researchers report that at least five dating websites are involved in delivering the attack described above.
- The worm is a variant of TheMoon, a threat first analyzed by the SANS Internet Storm Center in February 2014 and since tracked by Damballa researchers, who reported the current web-based campaign. TheMoon exploits weaknesses in the Home Network Administration Protocol (HNAP), the SOAP-over-HTTP management interface built into many consumer routers.
Description of the Attack
TheMoon was analyzed by the SANS Institute's Internet Storm Center; the description below draws on that analysis.
The worm is currently being deployed through dating sites. Infection is a two-stage process that begins with a malicious iframe embedded in the page.
The iframe loads a series of URLs from the visitor's browser to determine whether the router answers HNAP requests, and whether the router sits at 192.168.1.1, the default management and gateway address of many home routers. Because these requests originate from the victim's browser, they reach the LAN side of the router, an interface the attacker could not address directly from the Internet.
What Is 192.168.1.1?
192.168.1.1 is a private IPv4 address (RFC 1918) that many consumer modems and routers, including ADSL (Asymmetric Digital Subscriber Line) modems, use by default both as the LAN gateway and as the address of their web management panel. Manufacturers ship the device with a web interface at that address so that users can change settings themselves, for instance when troubleshooting an Internet connection problem. Because so many devices share this default, an attacker's web page can target the address without knowing anything about the victim's network.
Once the 192.168.1.1 checks complete, the iframe 'calls home' and reports whatever it discovered to the attacker's server. The second stage then begins: a second URL is loaded in the iframe, and the payload, TheMoon itself, is delivered to the router as a Linux ELF binary.
Once installed, the worm blocks some of the router's inbound ports, so the router no longer accepts certain connections, and opens outbound connections that it uses to scan for and spread to other routers.
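The iframe described above relies on two preconditions: a router at the default address 192.168.1.1, and an HNAP endpoint that answers without credentials. The script below checks a router on your own LAN for both. It is an added example written for this page, not code from the article, from SANS or from Damballa. It assumes that the router's HNAP discovery endpoint is GET /HNAP1/ (the unauthenticated GetDeviceSettings call of the HNAP specification) and that the reply is a SOAP document in the http://purenetworks.com/HNAP1/ namespace; the sample response embedded for offline testing is constructed, not captured from a device.

```python
"""Check a home router for the two preconditions the malicious iframe looks for:
the default address 192.168.1.1 and an HNAP endpoint that answers unauthenticated.

Added example, not the article's, SANS's or Damballa's code. Assumes the HNAP
discovery endpoint is GET /HNAP1/ and the reply uses the purenetworks.com namespace.
"""
import ipaddress
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

DEFAULT_ROUTER_IP = "192.168.1.1"  # the address the malicious iframe checks for
HNAP_NS = "{http://purenetworks.com/HNAP1/}"
MAX_BODY = 64 * 1024  # cap what we parse; a real GetDeviceSettings reply is a few KB

# Constructed sample response for offline testing. Field names follow the HNAP
# schema; the values are invented, nothing here was captured from a real device.
SAMPLE_HNAP_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <Type>GatewayWithWiFi</Type>
      <DeviceName>Example Router</DeviceName>
      <VendorName>ExampleVendor</VendorName>
      <ModelName>EX1000</ModelName>
      <FirmwareVersion>1.0.00</FirmwareVersion>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
"""


def is_lan_address(host: str) -> bool:
    """True only for private (RFC 1918 / ULA) IP literals, so the probe cannot be
    pointed at an arbitrary Internet host. Hostnames are deliberately rejected."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def parse_hnap_device_settings(body: bytes) -> Optional[dict]:
    """Extract the device fields from a GetDeviceSettingsResponse.

    Returns None when the body is not XML or not an HNAP response, for example
    the HTML login page a non-HNAP router returns for /HNAP1/."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    resp = root.find(".//" + HNAP_NS + "GetDeviceSettingsResponse")
    if resp is None:
        return None
    fields = {}
    for tag in ("VendorName", "ModelName", "FirmwareVersion", "DeviceName"):
        el = resp.find(HNAP_NS + tag)
        if el is not None and el.text:
            fields[tag] = el.text.strip()
    return fields


def probe_hnap(host: str = DEFAULT_ROUTER_IP, timeout: float = 3.0) -> Optional[dict]:
    """GET http://<host>/HNAP1/ and parse the reply.

    Returns the device fields if the router answers HNAP without credentials,
    None if nothing answers, the server returns an error, or the reply is not HNAP."""
    if not is_lan_address(host):
        raise ValueError("refusing to probe a non-private address: %s" % host)
    req = urllib.request.Request("http://%s/HNAP1/" % host,
                                 headers={"User-Agent": "hnap-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(MAX_BODY)
    except (urllib.error.URLError, OSError):  # refused, timed out, HTTP error
        return None
    return parse_hnap_device_settings(body)


def findings(host: str, info: Optional[dict]) -> list:
    """Turn a probe result into the findings a practitioner cares about."""
    out = []
    if host == DEFAULT_ROUTER_IP:
        out.append("router uses the default address %s that the iframe probes" % host)
    if info is not None:
        out.append("HNAP answers unauthenticated at /HNAP1/: %s" % info)
    return out


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROUTER_IP
    result = probe_hnap(target)
    for line in findings(target, result) or ["%s: no HNAP response" % target]:
        print(line)
```

Run it from a machine on the LAN (`python3 hnap_check.py`, or pass the router's address as the first argument). Moving the router off 192.168.1.1 defeats only the specific address check this iframe performs; if `/HNAP1/` still answers, the HNAP exposure remains, and the fix is a firmware update or disabling HNAP where the vendor allows it. Vendors that do not implement HNAP at `/HNAP1/` will simply report no response, so a negative result from this script is not proof that the router is unaffected.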
The Botnet Infrastructure
What about the botnet mentioned at the start? When the worm was first discovered in 2014, no command-and-control infrastructure was reported. The current botnet appears to be in a development or testing stage, but it clearly represents an effort to build a broader infrastructure.
Damballa researchers, who reported this campaign, believe that:
There are different scenarios for how the criminals could bring their victims to visit an affected website: via malvertising, exploit kits or phishing email. The criminals moved from scanning IP ranges for potentially vulnerable home routers to embedding the attack in a website. It feels like this conversion to a web-based attack is new and under construction.
Researchers also identified the registered owner of the dating sites used to spread the worm, but they believe his identity was stolen and that he is not the operator of the botnet. During the first campaigns in 2014, the devices most affected by the worm were Linksys and D-Link home router models.
At the time of writing, experts report that the latest version of TheMoon is not detected by antivirus products. This is not surprising: the binary runs on the router itself, where no endpoint antivirus is installed, so a clean scan of the PC says nothing about whether the router is infected.