TR-064 worm. It’s not Mirai and the outages are interesting

Andrew Tierney 02 Dec 2016


We’ve been looking at the code behind the worm that’s exploiting TalkTalk, PostOffice and many other Zyxel routers using the Allegro RomPager HTTP server.

What’s odd is that we can’t currently see why it’s causing outages, other than perhaps collapsing under the congestion of scanning for more vulnerable routers.

The vulnerability is fairly simple, and relies on a series of mistakes.

Port 7547 is open on these routers to listen for a “knock” to tell them to connect back to a provisioning server. It’s meant to be exposed to the WAN side of the router. This is part of TR-069, which has been discussed a lot in the past.

Curiously, it appears that TR-064 is also available on port 7547. TR-064 is called “LAN-Side DSL CPE Configuration” and, unsurprisingly, is only meant to be exposed on the LAN side of the router.

The TR-064 specification requires authentication, but this seems to be missing.

Finally, there is a command injection vulnerability in some routers, allowing a command to be injected into the SetNTPServer field.

It’s a perfect storm of vulnerabilities resulting in a takeover of the device.
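The chain above (TR-064 answering on the WAN-facing TR-069 port, no authentication, and shell metacharacters accepted in the NTP server field) is something a honeypot or an ISP-side proxy can flag from the request alone. The following is an added example, not code from the post or from Pen Test Partners: it classifies a handful of constructed request records. The `urn:dslforum-org:service:Time:1#SetNTPServers` SOAPAction and the `NewNTPServer1` element name follow TR-064's Time service naming and are assumptions for the example; the post itself only names the SetNTPServer field. The sample requests, addresses and the `PLACEHOLDER_CMD` value are constructed.

```python
import re
from typing import Dict, List

# Constructed request records, shaped like what a TR-064 honeypot or WAN-side
# proxy might log (src, destination port, method, SOAPAction header, body).
# None of these are captures from the post.
SAMPLE_REQUESTS = [
    {   # TR-069 "knock": a bare GET on 7547 with no SOAP body, expected on the WAN side
        "src": "203.0.113.10", "port": 7547, "method": "GET",
        "soapaction": "", "body": "",
    },
    {   # TR-064 SetNTPServers with a plain hostname: wrong side of the router, no injection
        "src": "198.51.100.7", "port": 7547, "method": "POST",
        "soapaction": "urn:dslforum-org:service:Time:1#SetNTPServers",   # assumed action name
        "body": "<NewNTPServer1>pool.ntp.org</NewNTPServer1>",
    },
    {   # TR-064 SetNTPServers whose value carries shell metacharacters: the post's injection pattern
        "src": "192.0.2.55", "port": 7547, "method": "POST",
        "soapaction": "urn:dslforum-org:service:Time:1#SetNTPServers",
        "body": "<NewNTPServer1>`PLACEHOLDER_CMD`</NewNTPServer1>",   # constructed placeholder, not a real payload
    },
]

TR069_PORT = 7547
# Characters that have no business in an NTP server hostname or address.
SHELL_META = re.compile(r"[`;|&$<>(){}\n]")
# Permissive hostname / IPv4 / IPv6 literal check; anything else is suspicious.
HOSTNAME = re.compile(r"^[A-Za-z0-9.\-:\[\]]+$")
NTP_VALUE = re.compile(r"<NewNTPServer\d>(.*?)</NewNTPServer\d>", re.S)


def classify(req: Dict) -> List[str]:
    """Return the list of findings for one request record (empty if nothing is wrong)."""
    findings: List[str] = []

    # TR-064 is LAN-side only: any SOAP call to a dslforum service on the TR-069
    # port is already a misconfiguration, regardless of the argument values.
    if (req["port"] == TR069_PORT and req["method"] == "POST"
            and "dslforum-org" in req["soapaction"]):
        findings.append("tr064-on-wan-port")

    # The injection the post describes lives in the SetNTPServer argument:
    # flag any value that is not a plausible hostname/address.
    if "SetNTPServer" in req["soapaction"]:
        for value in NTP_VALUE.findall(req["body"]):
            if SHELL_META.search(value) or not HOSTNAME.match(value):
                findings.append("ntp-command-injection")
                break

    return findings


def scan(requests: List[Dict]) -> Dict[str, List[str]]:
    """Map each source address to its findings."""
    return {r["src"]: classify(r) for r in requests}


if __name__ == "__main__":
    for src, findings in scan(SAMPLE_REQUESTS).items():
        print(f"{src}: {', '.join(findings) if findings else 'ok'}")
```

The first rule fires on the misconfiguration alone, which is the point worth alerting on: a router that answers TR-064 on port 7547 from the WAN is exposed whether or not this particular worm's payload ever arrives, and the second rule only narrows down which requests carried the injection.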

Once it has a shell, it then closes port 7547 behind it using iptables:

[image: routerworm1]

[image: routerworm2]

Finally, it attempts to propagate. Here are the connections from our infected honeypot (don’t worry, all of the outbound traffic is being sent to a local server so we don’t annoy anyone):

[image: routerworm3]

Yes, we’re only running the binary in QEMU, not the entire firmware, so we could be missing something there. We have two TalkTalk routers on the way, so they may be more revealing.

But we can’t see what is causing the claimed ISP outages for TalkTalk and the Post Office reported in the press. It shouldn’t stop the router routing, and as yet the bots haven’t taken part in any attacks.

This doesn’t appear to be the same as with the Deutsche Telekom Speedport routers – they were put into a DoS condition by sending three requests on port 7547 (https://comsecuris.com/blog/posts/were_900k_deutsche_telekom_routers_compromised_by_mirai/). The TalkTalk and Post Office routers appear to be joining the botnet absolutely fine judging by the action from our honeypots.

Whilst the spread and purpose of the botnet are similar to Mirai, there are enough differences with this variant that it should really get a new name.

On another note, we’ve noticed a number of Mirai-infected DVRs attempting to hit our TR-064 honeypot. A case of identity crisis? Or are we looking at an infected router port-forwarding to a DVR?

[image: routerworm4]

[image: routerworm5]