Security researchers have discovered a new variant of the Muhstik botnet that, for the first time, adds a scanner that attacks Tomato routers by brute-forcing their web authentication.
According to a blog post, the finding was made early last month. Tomato is a popular open source firmware for routers; it is shipped by multiple router vendors and is also installed manually by end users. Around 4,600 Tomato routers are exposed on the internet, according to a Shodan search.
The botnet has been around since March 2018 and propagates itself to Linux servers and IoT devices using multiple vulnerability exploits against Linux services such as WebLogic, WordPress and Drupal. It also compromises IoT routers such as the GPON home router and DD-WRT routers. This new variant expands the botnet by infecting Tomato routers, researchers said.
"We have not found further malicious activities in Tomato routers after the Muhstik botnet harvests vulnerable routers, but from our understanding of the Muhstik botnet, Muhstik mainly launches cryptocurrency mining and DDoS attacks in IoT bots to earn profit," said researchers.
The new variant scans Tomato routers on TCP port 8080 and bypasses the admin web authentication by brute-forcing default credentials. In Tomato routers, the default credentials are "admin:admin" and "root:admin". It also scans for Linux servers running WordPress and Webuzo, and it includes modules to compromise WebLogic servers and Wi-Fi routers running Tomato firmware.
The payload of the malware is a malicious binary called tty0. Since tty0 targets Tomato routers, it includes bash commands that can be executed on those systems (and on other systems, such as DD-WRT).
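The behaviour described above (a burst of failed logins against the admin interface on port 8080, cycling through the "admin" and "root" accounts) is straightforward to spot in web server access logs. The following Python is an added example written for this article, not code from the researchers or from the Tomato project. It assumes a constructed, combined-style log line format with a trailing `port=` field (the real Tomato httpd log format is not given on the page, so the regular expression and the sample lines are assumptions to be adapted); it flags any source address that produces at least `threshold` HTTP 401 responses on the admin port within a sliding time window, and records whether the attempted usernames match the default accounts named in the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default account names taken from the article; these are what the scanner cycles through.
DEFAULT_USERS = {"admin", "root"}

# Assumed log line shape (constructed for this example, not Tomato's real format):
#   <src_ip> - <user> [<dd/Mon/yyyy:HH:MM:SS>] "<method> <path> <proto>" <status> <bytes> port=<port>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) port=(?P<port>\d+)$'
)

# Constructed sample log: one source hammering the admin port with default
# account names, one legitimate user who mistypes once, one hit on port 80
# that must be ignored, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - admin [01/Jan/2020:10:00:01] "GET / HTTP/1.1" 401 0 port=8080',
    '203.0.113.7 - root [01/Jan/2020:10:00:02] "GET / HTTP/1.1" 401 0 port=8080',
    '203.0.113.7 - admin [01/Jan/2020:10:00:03] "GET / HTTP/1.1" 401 0 port=8080',
    '203.0.113.7 - root [01/Jan/2020:10:00:04] "GET / HTTP/1.1" 401 0 port=8080',
    '203.0.113.7 - admin [01/Jan/2020:10:00:05] "GET / HTTP/1.1" 401 0 port=8080',
    '203.0.113.7 - admin [01/Jan/2020:10:00:06] "GET / HTTP/1.1" 401 0 port=8080',
    '198.51.100.4 - - [01/Jan/2020:10:05:00] "GET / HTTP/1.1" 401 0 port=8080',
    '198.51.100.4 - alice [01/Jan/2020:10:05:08] "GET / HTTP/1.1" 200 1523 port=8080',
    '203.0.113.7 - admin [01/Jan/2020:10:06:00] "GET / HTTP/1.1" 401 0 port=80',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    rec["status"] = int(rec["status"])
    rec["port"] = int(rec["port"])
    return rec


def detect_bruteforce(lines, port=8080, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: summary} for sources with >= threshold 401s on `port` within `window`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] != port or rec["status"] != 401:
            continue
        failures[rec["ip"]].append((rec["ts"], rec["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        # Two-pointer sliding window over the time-ordered failure events.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events if u != "-"})
                alerts[ip] = {
                    "count": len(events),
                    "users": users,
                    "default_creds_tried": bool(DEFAULT_USERS & set(users)),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {summary['count']} failed admin logins, users tried {summary['users']}, "
              f"default accounts tried: {summary['default_creds_tried']}")
```

The single failed login from 198.51.100.4 stays below the threshold and is not reported, while the six failures from 203.0.113.7 inside a few seconds are, together with the fact that both default account names from the article were attempted. In practice the stronger mitigation is the one the researchers imply: do not expose the admin interface to the internet at all, and change the default credentials before the device goes online.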
The first command is used to download a binary called nvr, said researchers.
"The nvr binary contains commands to download four additional binaries. These four binaries are IRC botnet variants, which work on ARM and MIPS architectures. We focused our analysis on binary Pty5, since it drops a binary called daymon, which is a scanner containing the new module targeting Tomato routers," said researchers.
Once a device is compromised, it will send a connect command to an IRC server. The connect command includes a nickname (NICK) for the device in order to join the channel.
Researchers said that the new Muhstik variant demonstrates that IoT botnets keep growing by adding new scanners and exploits to harvest new IoT devices.
"Botnet developers are increasingly compromising IoT devices installed with the open source firmware, which often lack the security updates and maintenance patches necessary to keep devices safeguarded," researchers added.
John Stock, product manager at Outpost24, told SC Media UK that default username/password combinations, combined with remote management, are certainly not new on routers, and are something that has been talked about at numerous security conventions to outline the risks involved, "so the fact malware is now starting to take advantage of this is not unexpected, although disappointing that it still happens."
"Whilst it’s unlikely that an organisation would be running Tomato, it has the potential to be used in remote offices or sites where a full-sized router/firewall solution is less of an option, so the risk is still there," he said.
Paul Ducklin, principal research scientist at Sophos, told SC Media UK that whatever device you have online, it’s not a question of *if* the crooks might scan you, looking to see whether you’re vulnerable to already-known holes.
"It’s not even a question of when, because scanning all the internet is going on all the time, and if you have a detectable, public-facing security hole, you can and will be found, if not today at best tonight," he said. "So get the basics right: don’t open services to the internet unless you absolutely mean to do so, and please pick proper passwords! Don’t be the low-hanging fruit because you will get plucked."