White Team malware killing router malware


White Team hackers are infecting thousands of routers with Linux.Wifatch malware to remove SYNful Knock malware.

Here at IT Security Thing we have made it something of a policy not to chase the news, but rather sit back a little and reflect upon it. That said, you may be thinking that news that first broke back in November 2014 is pushing the boundaries a little in terms of time to absorb. You’d be right, of course, if nothing had happened between self-proclaimed malware hunter ‘l00t’ discovering the existence of some unusual malware called ifwatch in his router a year back and now. Actually, rather a lot has happened and ifwatch has infected a lot of routers; the reasons why are what interests us here at Thing.

OK, let’s get the obvious stuff out of the way to begin with: routers are amongst the most attacked things out there, and not only because they handle all the data that passes between your network and whatever they are connected to. That whatever is quite likely to be t’internet, or at least Internet facing. A router is also a target of probing because chances are those probes will hit paydirt in the form of old firmware (most civilians never update their routers, not least because they can be a bitch to update) and default admin passwords (most civilians never change their default admin password, not least because that change isn’t forced upon them when setting up the device). Those two things are a win-win for the bad guys, and you can throw another win into the mix as malware scanning of routers isn’t exactly commonplace either.

Having physical access to a router with a default admin password is one thing, and who hasn’t played around with the settings of such a thing when bored at a relative’s house, but exploiting this weakness to install malware that provides what is essentially a router backdoor is quite another. If you have a backdoor, you have access to not just the router but potentially other hosts and critical data beyond it. If you have a backdoor that is built into the firmware, the modified firmware that your malware has replaced the original with, then you have this access without the owner having any visibility into the fact. So when researchers at the FireEye incident response arm, Mandiant Consulting, discovered just such a thing the entire IT security industry very quickly paid attention.

The SYNful Knock malware was just that, malware, and not a vulnerability in Cisco routers as was misreported with alarming frequency in the weeks that followed the disclosure in September 2015. It was found to be active on 14 Cisco routers across just four countries (India, Mexico, the Philippines and Ukraine) and gets in simply by exploiting those routers with factory default admin passwords. Of course, it could just as easily exploit a compromised non-default admin password, although, as far as the SYNful Knock infections seen so far are concerned, that seems less likely to have been the case.


It also seems pretty obvious that whoever is behind SYNful Knock is pretty professional and well resourced, as the modified firmware it replaces the original with appears thoroughly well developed, fully featured and not just knocked together quickly. It’s likely that the team behind this malware, whether it turns out to be a state-sponsored or a criminal organisation doesn’t really matter at this point, spent some considerable time acquiring and reverse-engineering a variety of router firmware in order to be able to pull this off. Script-kiddies they most certainly ain’t.

Here’s how the researchers describe SYNful Knock in summary; for the full technical breakdown we advise you go read the original report:

“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password. Each of the modules is enabled via the HTTP protocol (not HTTPS), using specially crafted TCP packets sent to the router’s interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the router’s IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.”
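The one network-visible detail in that summary is that the trigger packets carry sequence and acknowledgment numbers that do not follow a normal TCP handshake. The script below is an added example written for this article, not code from Mandiant, FireEye or the report; it runs a generic RFC 793 sanity check over constructed tcpdump-style lines (the addresses, ports and numbers are made up, and the line format is a simplified version of tcpdump’s `-S` absolute-sequence output). It flags any SYN-ACK whose acknowledgment number is not the client’s SYN sequence number plus one. That is a general handshake anomaly check a defender can run over a capture, not the implant’s exact signature, which the report rather than this page documents.

```python
import re

# Simplified tcpdump-like lines (constructed sample data, not a real capture).
# Absolute sequence numbers, as tcpdump prints with -S.
SAMPLE_LINES = [
    "IP 10.0.0.5.51000 > 192.0.2.1.80: Flags [S], seq 1000",
    "IP 192.0.2.1.80 > 10.0.0.5.51000: Flags [S.], seq 5000, ack 1001",   # normal
    "IP 10.0.0.9.51001 > 192.0.2.1.80: Flags [S], seq 2000",
    "IP 192.0.2.1.80 > 10.0.0.9.51001: Flags [S.], seq 6000, ack 777",    # anomalous
    "IP 10.0.0.7.51002 > 192.0.2.1.80: Flags [S], seq 4294967295",
    "IP 192.0.2.1.80 > 10.0.0.7.51002: Flags [S.], seq 9, ack 0",         # wraps, still normal
    "IP 10.0.0.5.51000 > 192.0.2.1.80: Flags [.], seq 1001, ack 5001",    # not a handshake start
]

# Matches "IP <src> > <dst>: Flags [<flags>], seq <n>[, ack <n>]".
LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\], "
    r"seq (?P<seq>\d+)(?:, ack (?P<ack>\d+))?"
)

TCP_SEQ_MOD = 2 ** 32  # sequence space wraps at 32 bits


def expected_synack_ack(syn_seq):
    """RFC 793: the SYN-ACK must acknowledge the client's ISN + 1 (mod 2^32)."""
    return (syn_seq + 1) % TCP_SEQ_MOD


def find_nonstandard_handshakes(lines):
    """Return a list of findings for SYN-ACKs whose ack number is not SYN seq + 1.

    Pairs each SYN with the SYN-ACK flowing in the reverse direction, keyed by
    (client endpoint, server endpoint). Lines that are not handshake packets,
    or SYN-ACKs with no matching SYN, are ignored.
    """
    pending = {}   # (client, server) -> client's SYN sequence number
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        flags, seq = m["flags"], int(m["seq"])
        if flags == "S":
            pending[(m["src"], m["dst"])] = seq
        elif flags == "S." and m["ack"] is not None:
            key = (m["dst"], m["src"])          # reverse direction of the SYN
            if key not in pending:
                continue
            syn_seq = pending.pop(key)
            ack = int(m["ack"])
            expected = expected_synack_ack(syn_seq)
            if ack != expected:
                findings.append({
                    "client": key[0],
                    "server": key[1],
                    "syn_seq": syn_seq,
                    "synack_ack": ack,
                    "expected_ack": expected,
                })
    return findings


if __name__ == "__main__":
    for f in find_nonstandard_handshakes(SAMPLE_LINES):
        print("nonstandard handshake: client %(client)s server %(server)s "
              "ack %(synack_ack)d (expected %(expected_ack)d)" % f)
```

Run it against a real capture by feeding `tcpdump -n -S 'tcp[tcpflags] & (tcp-syn) != 0'` output into `find_nonstandard_handshakes`; a hit on a router management interface is worth a firmware integrity check, though ordinary middleboxes and scanners can also produce odd handshakes, so treat it as a lead rather than a verdict.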

Rewind a year to that original discovery of the ifwatch malware, and then fast forward to the last few weeks, and we discover it has re-emerged as Linux.Wifatch (or ‘Reincarnia’ according to some sources), infecting more than 10,000 routers so far.

Here’s the thing, though: after Symantec identified the new router infection campaign and dissected the code it didn’t find any obvious malicious intent. Instead, it appeared that Linux.Wifatch was acting in a kind of router vigilante capacity by scanning for and deleting any known malware infections, disconnecting the channels used by other malware to attack the router, and advising the user to change their default passwords and update the firmware. Symantec has not yet, in two months of monitoring the malware, found any evidence of it doing anything malicious. Apart from accessing the router without permission in the first place, and installing itself there, of course.

So is this hardware hardening malware actually a force for good? The White Team, which claims to be the group responsible for developing the code, certainly wants us to accept that it is. The group has published the source code, minus the infection code, build scripts, the private key and parts of the command and control code that would enable others to easily abuse it. You can take a look yourself at the code repository on GitHub.

The White Team has also posted a Q&A to explain their motives a little further, some of which includes the following:

Why did you write this and let it go?

“First, for learning. Second, for understanding. Third, for fun, and fourth, for your (and our) security. Apart from the learning experience, this is a truly altruistic project, and no malicious actions are planned (and it is nice touch that Symantec watch over this).”

Why not release (the source code) earlier?

“To avoid unwanted attention, especially by other malware authors who want to avoid detection. The plan failed, unwanted attention has been attracted, so there are no reasons not to release anymore.”

Who are you?

“We are nobody important. Really.”

Do you feel bad about abusing resources by others?

“Yes, although the amount of saved bandwidth by taking down other scanning malware, the amount of energy saved by killing illegal bitcoin miners, the number of reboots and service interruptions prevented by not overheating these devices, the number of credentials and money not stolen should all outweigh this. We co-opted your devices to help the general public (in a small way).”

Can I trust you to not do evil things with my devices?

“As a matter of fact, yes, but that is of no practical help – somebody could steal the botnet key, no matter how well I protect it. And software is never perfect – chances are there is a bug in the code that allows access to anybody (even though multiple researchers tried but failed to find one). And in the end, it’s a common trick by fraudsters to assure people that they are trustworthy.”

Should I trust you?

“No. This does not mean that we don’t promise to screw you (we herewith do promise to not screw you intentionally), it means you should not rely on us to keep you safe, because we might not be able to. Instead, you should reassert control of your device and close the obvious security holes and look for firmware updates regularly. If you do that, then you don’t have to worry whether to trust us or not.”

Here at IT Security Thing we have to say that the last question is the one you should focus on, and the answer given is 100% correct. No, you should not trust these guys, any more than you would trust anyone who installed code on your hardware without your permission. Linux.Wifatch is malware whichever way you spin it, and rather than rely on the goodwill of apparently white hat hackers to secure your kit you should be securing it yourself. That the various backdoors built into Wifatch are cryptographically protected is by the by; they are still capable of malicious exploitation, and if those keys ever get compromised then the code could be effectively weaponised by less well-intentioned actors. Our advice is to reboot your router (which would remove Wifatch) and then update the firmware and change your default passwords. It’s not rocket science, it’s router science and that, dear reader, is pretty damn simple stuff.