TrendLabs is currently analyzing an interesting .ELF file that is actually an IRC backdoor program. We initially found code suggesting that it performs brute-force attacks on router username/password pairs.
This malware is predominantly found in Latin America, but we are also checking the extent of infection in other regions. The attack also works against D-Link routers, though we are still verifying whether it works on others.
An infected system also connects to a botnet on IRC servers and is capable of receiving and executing commands. Trend Micro detects the offending code as ELF_TSUNAMI.R. Analysis is ongoing and we will post updates as new information is found.
There was an old attack in 2008 that targeted routers in Mexico, which we blogged about in the entry “Targeted Attack in Mexico: DNS Poisoning via Modems.”
Update as of March 11, 2011, 6:08 AM Pacific Time
- ELF_TSUNAMI.R is built for MIPS (Microprocessor without Interlocked Pipeline Stages), a processor architecture typically used in small devices such as routers. How an attacker would get the file onto a router is not yet determined, but it is possible that the .ELF file is only one component of a much bigger threat.
- It exploits a vulnerability that affects certain D-Link routers. Successful exploitation of the said vulnerability grants a remote attacker complete administrative access to the affected router.
- It is also capable of disabling the affected router's firewall by executing the command /etc/firewall_stop.
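A first triage step for a suspicious ELF like the one above is to read its header and confirm the target architecture: a MIPS binary found on a desktop share, or any ELF found on a router's writable storage, is out of place and worth a closer look. The following Python script is an added example written for this post, not code from Trend Micro or from the sample; it parses the standard ELF identification and header fields (class, data encoding, e_type, e_machine) and flags MIPS builds. The sample headers it checks against are constructed inline for testing and are not bytes from ELF_TSUNAMI.R.

```python
import struct
import sys

# e_machine values from the ELF specification (subset relevant to embedded triage)
EM_NAMES = {
    3: "x86",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "SuperH",
    62: "x86-64",
    183: "AArch64",
}
EM_MIPS = 8

# e_type values from the ELF specification
ET_NAMES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def parse_elf_header(data: bytes) -> dict:
    """Decode the fields of an ELF header that matter for triage.

    Only the first 20 bytes are needed: the 16-byte e_ident block, then
    e_type and e_machine (2 bytes each, in the file's own byte order).
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]        # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    # EI_DATA tells us how to read every multi-byte field that follows
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ET_NAMES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
        "e_machine": e_machine,
    }


def is_mips_elf(data: bytes) -> bool:
    """True if the bytes are an ELF built for MIPS (either endianness)."""
    try:
        return parse_elf_header(data)["e_machine"] == EM_MIPS
    except ValueError:
        return False


def make_elf_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a minimal, constructed ELF header for testing (not real malware)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(endian + "HHI", e_type, e_machine, 1)


# Constructed samples: a 32-bit big-endian MIPS executable, as many
# consumer routers run, and a 64-bit little-endian x86-64 executable.
SAMPLE_MIPS_BE = make_elf_header(1, 2, 2, EM_MIPS)
SAMPLE_X86_64 = make_elf_header(2, 1, 2, 62)


def describe(path: str) -> str:
    """Human-readable one-line summary of the ELF at `path`."""
    with open(path, "rb") as fh:
        info = parse_elf_header(fh.read(64))
    flag = "  <-- MIPS build (embedded/router target)" if info["e_machine"] == EM_MIPS else ""
    return f"{path}: {info['bits']}-bit {info['endian']}-endian {info['machine']} {info['type']}{flag}"


if __name__ == "__main__":
    for p in sys.argv[1:]:
        try:
            print(describe(p))
        except (OSError, ValueError) as exc:
            print(f"{p}: {exc}")
```

Run it as `python3 elf_triage.py suspicious.bin` to print the architecture line. The endianness is reported deliberately: router firmware ships in both big-endian (mips) and little-endian (mipsel) variants, and matching the binary to the target device's byte order is the first thing an analyst checks before attempting emulation or disassembly.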