ac66u infected with LuaBot - help please

[crpt0]

I just discovered that my router is infected with LuaBot

Information about this ARM specifc malware can be found here : https://w00tsec.blogspot.it/2016_09_01_archive.html

Indicators of Compromise (IOCs)
LuaBot ARMEB Binaries:

• drop (5deb17c660de9d449675ab32048756ed)
• .nttpd (c867d00e4ed65a4ae91ee65ee00271c7)
• .sox (4b8c0ec8b36c6bf679b3afcc6f54442a)
• .sox.rslv (889100a188a42369fd93e7010f7c654b)
• .arm_puma5 (061b03f8911c41ad18f417223840bce0)

In my process list i can see two of these binaries (.sox and .nttpd) and the file .sox.rslv in /tmp/ .... meaning that my router are certainly infected!

any tips on how to safely remove malware but especially on how to prevent a new infection ?

my fw version is 374.43 (I know a bit old) but updating to the latest version has to be the last chance because I have to reconfigure it all over again

thanks in advance for any help
crpt0

 

[thelonelycoder]

my fw version is 374.43 (I know a bit old) but updating to the latest version has to be the last chance because I have to reconfigure it all over again

I have this version in my 'Merlin Firmware' folder with a download date from June 11 2014.
You dug your own grave. There's no excuse for not updating regularily.
Now you have a lot more on your hands than keeping up with the releases.
Isolate that router, do a reset before updating. Clear the /jffs/ directories as well for good measure.
Then update to the latest version, and resetting again.
Then manually reconfigure.

 

[crpt0]

thank you for your reply, you're absolutely right, but a 3 year old daughter can be an attenuating

I just found out in the forum the existence of the merlin fork for the 374.43. LATEST RELEASE: Merlin fork 374.43_2-19E3j9527

can i use it ?

 

[RMerlin]

my fw version is 374.43 (I know a bit old) but updating to the latest version has to be the last chance because I have to reconfigure it all over again

Since your router was compromised, you really should reconfigure everything from scratch anyway. There are a number of locations in nvram that could store malicious content.

You can go with either John's fork or my latest 380.62_1 release. Both are equally secure.

And make sure to use a new password and WPA key, just in case.

 

[TerminX]

Wait, you have an RT-AC66U? You got hit by an exploit in the various file sharing services in your firmware revision, but the CPU in that router is MIPS and therefore not capable of executing the final stage of the payload. You still need to clean this stuff up, but at least your router can't execute the really nasty bits that let the attacker actually control things.

 

[dieter]

I have read that Arris Cable Modems were targeted with LuaBot.
How did this get into your rt-ac66u? Just curious...

 

[joegreat]

my fw version is 374.43 (I know a bit old) but updating to the latest version has to be the last chance because I have to reconfigure it all over again

Any reason not to use John's NVRAM Save/Restore tool? This tool takes away our burden of re-configure manually...

 

[thelonelycoder]

Any reason not to use John's NVRAM Save/Restore tool? This tool takes away our burden of re-configure manually...

Hmm. That's a really smart way of migrating the infection to the new install.
Unless @john9527 is way ahead of the hackers, I would not recommend it.

 

[akb]

How did you find the processes which were bad? Were they eating up a ton of CPU and/or eating your network, or where you just bored and looking through the list and searching for the results.?

 

[joegreat]

Hmm. That's a really smart way of migrating the infection to the new install.
Unless @john9527 is way ahead of the hackers, I would not recommend it.

The smart part is/would be to regularly update the firmware and use John's tool to avoid being vulnerable...

 

[crpt0]

thank you for all reply ... this weekend i was too busy but now it's time to finally solve this problem

at the moment I only have provided to remove all malicious file and executables. Everything seems to go well from 2 days but, i know, i can not feel comfortable and i must take urgent action.

I have read that Arris Cable Modems were targeted with LuaBot.
How did this get into your rt-ac66u? Just curious...

i have no idea, i'm curios too. It could be useful to prevent future infections

How did you find the processes which were bad? Were they eating up a ton of CPU and/or eating your network, or where you just bored and looking through the list and searching for the results.?

few days ago I accidentally discovered that my ip was listed in many "black" list because it was sending a lot of spam. Everyone can check their own ip here : http://www.anti-abuse.org/multi-rbl-check/
After that i checked all my network devices but did not find anything. Finally decided to take a look at the routers and, to my surprise, I found several processes with strange names (.sox , . nttpd, etc) ..... you know the rest of the story .

Now I'm thinking about if it's better to install the latest original merlin version or the fork

What would you recommend me?
have a good day and thank you again for your help !

PS

Any reason not to use John's NVRAM Save/Restore tool? This tool takes away our burden of re-configure manually...

seems to be a very useful tool, i will take a look at it, but just like @thelonelycoder sayd, i'm afraid that i could migrate the infection

 

[Nullity]

Are your LuaBot files identical (same md5 hashes) to the files you quote in your first post?

If not, can you share them?

 

[crpt0]

Are your LuaBot files identical (same md5 hashes) to the files you quote in your first post?

If not, can you share them?

a small clarification, I found the 2 executables (.sox and .nttpd) in the process list only but not in my entire dir.
the only files found are .sox.rslv .sox.pid and .nttpd.pid under my /tmp dir and i deleted it but i have a copy in my weekly backup. Here you can see the result :

admin@RT-AC66U:/tmp/home/root# find / -name *sox*
/tmp/mnt/touro1/rsnapshot/weekly.1/router_state/tmp/.sox.rslv
/tmp/mnt/touro1/rsnapshot/weekly.1/router_state/tmp/.sox.pid

admin@RT-AC66U:/tmp/home/root# md5sum /tmp/mnt/touro1/rsnapshot/weekly.1/router_state/tmp/.sox.rslv
21f7eed3c4346b55ed659286b91ca051  /tmp/mnt/touro1/rsnapshot/weekly.1/router_state/tmp/.sox.rslv

admin@RT-AC66U:/tmp/home/root# find / -name *nttpd*
/tmp/mnt/touro1/rsnapshot/weekly.1/router_state/tmp/.nttpd.pid

admin@RT-AC66U:/tmp/home/root# find / -name *drop*
none!

admin@RT-AC66U:/tmp/home/root# find / -name *puma5*
none!

the md5sum is different. I will try to copy them and share with us in some way

 

[crpt0]

If you're Entware-ng user, install lsof and try:

$ lsof|grep 'sox\|nttpd'

no result

 

[IngoPan]

Please share the files. Curious here tool.

 

[kvic]

the md5sum is different. I will try to copy them and share with us in some way

My bad...didn't read carefully enough. You actually found the binaries and can calculate the checksum. Perhaps you shall share what you figured since you gather enough attention rather than seeking help.

 

[crpt0]

here are the 3 file :
.sox.rslv (md5sum 21f7eed3c4346b55ed659286b91ca051)
.sox.pid
.nttpd.pid

http://www.filedropper.com/luabot (it was the first sharig file site i've found)

i removed the 'x' attribute on the .sox.rslv file before copy

now i'm saving all the info i need to restore my router and i will format it soon. If someone wants more information about this malware, ask me before it's too late

 

[bmaia]

Hey there I wrote the blog post reversing the Luabot =)

I had a quick look at your binary and it seems to be some auxiliary tool for the dropper that downloads the phase2 binaries.

It simply "converts" a standard domain/IPv4 address to the hex notation, for example:

w00t@splinter:~/RT-AC66U_3.0.0.4_380_4005-ge00c831$ sudo chroot . ./qemu-mipsel-static ./sox.rslv
1.2.3.4
04030201

w00t@splinter:~/RT-AC66U_3.0.0.4_380_4005-ge00c831$ sudo chroot . ./qemu-mipsel-static ./sox.rslv
www.google.com
441DD9AC
​

It seems to be loading /lib/ld-uClibc.so.0 and there's no networking functions besides gethostbyname:

$ readelf -s sox.rslv

Symbol table '.dynsym' contains 24 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
1: 00410b10 0 NOTYPE GLOBAL DEFAULT 16 _fdata
2: 00000001 0 SECTION GLOBAL DEFAULT ABS _DYNAMIC_LINKING
3: 00418b20 0 NOTYPE GLOBAL DEFAULT ABS _gp
4: 0040056c 28 FUNC GLOBAL DEFAULT 7 _init
5: 004005f0 0 NOTYPE GLOBAL DEFAULT 8 _ftext
6: 00410b20 0 OBJECT GLOBAL DEFAULT 17 __RLD_MAP
7: 00410b7c 0 NOTYPE GLOBAL DEFAULT ABS __bss_start
8: 00400850 388 FUNC GLOBAL HIDDEN 8 main
9: 00400a80 28 FUNC GLOBAL DEFAULT 10 _fini
10: 00410b7c 0 NOTYPE GLOBAL DEFAULT ABS _edata
11: 00410b30 0 OBJECT GLOBAL DEFAULT ABS _GLOBAL_OFFSET_TABLE_
12: 00410ba0 0 NOTYPE GLOBAL DEFAULT ABS _end
13: 00410b7c 0 NOTYPE GLOBAL DEFAULT ABS _fbss
14: 00000000 0 FUNC WEAK DEFAULT UND __register_frame_info
15: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
16: 00400a60 0 FUNC GLOBAL DEFAULT UND gethostbyname
17: 00400a50 0 FUNC GLOBAL DEFAULT UND __uClibc_main
18: 00000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
19: 00000000 0 OBJECT GLOBAL DEFAULT UND stdin
20: 00000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
21: 00000000 0 FUNC WEAK DEFAULT UND __deregister_frame_info
22: 00400a40 0 FUNC GLOBAL DEFAULT UND fscanf
23: 00400a30 0 FUNC GLOBAL DEFAULT UND printf​

The buildroot seems suspicious and may be linked to some router malware, just google for Buildroot 2014.08-git-00867-g07ce780:

$ readelf -p .comment sox.rslv

String dump of section '.comment':
[ 0] GCC: (GNU) 3.3.2
[ 11] GCC: (Buildroot 2014.08-git-00867-g07ce780) 4.8.3​

There may be a hidden process running on the Router associated with .nttpd.pid and .sox.pid, a common (yet effective) technique used by malware is to run and remove itself from the system so common tools like "ps" won't find them.

It's very likely that ".sox.rslv" is used as an auxiliary tool to create a dropper using a series of "echo" commands just like the armeb luabot:

I would be glad to help you if you manage to find the second-stage from the malware. It would also be interesting to know some additional info:

• Is the router accessible from the Internet?
• Are you running additional services like AiCloud/DLNA/FTPs/SMBs?
• Are you using weak credentials?
• What are the timestamps from those files (when were they created)?

 

[crpt0]

I would be glad to help you if you manage to find the second-stage from the malware. It would also be interesting to know some additional info:

• Is the router accessible from the Internet?
• Are you running additional services like AiCloud/DLNA/FTPs/SMBs?
• Are you using weak credentials?
• What are the timestamps from those files (when were they created)?

tnks, great job ! I'd be happy to help you too

1 - yes , i have some open ports (443 for sshd, sip port for my gigasetA510 and another port for my ipcam) and "respond to ping requests from wan" set to yes
2 - yes only DLNA, SMB and itunes (no upnp, aicloud, nfs, ftp, http, mail, etc)
3 - don't think so, router and wifi passwords are 13-20 chars passphrases with uppercase, lowercase, number and special char
4 - sorry, i no longer have the original files. I can assume that they were created in June this year

let me know if you need something else

 

[L&LD]

crptO, on your point 3; Asus passwords (for router login) can only be 16 characters long (preferably Alpha numeric only; no special characters).