
Netis Router Backdoor Update

  • Posted on: November 21, 2016
  • Posted in: DVLabs, Network, Security
  • Posted by: Steve Povolny
Malware continues to evolve.

Remember this blog circa 2014?

http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/

The article highlights a backdoor coded into the Netis router family that has been heavily abused. Here is an update on the continued use of the backdoor and on one of the TippingPoint Digital Vaccine (DV) filters you may have seen firing in large numbers as of late.

DV filter 32391, which detects attempts to scan for this backdoor, continues to fire in massive numbers. It has essentially no false-positive potential and, according to our ThreatLinQ reporting dashboard, has fired approximately 2.9 million times since the filter was released in August 2016. Because these statistics are based on only about 5% of customer filter hits, that number extrapolates to more than 57 million events across our customer base.


We have analyzed a number of these pcaps from the TippingPoint devices, and, as expected, all are true positives to date. The following is a lookup on the domain associated with one of the highest-frequency malicious scanning IPs observed in our Lighthouse deployment:


Next follows a screenshot from one of the scan attempts as viewed in Wireshark:


Of interest is the fact that, of the nearly 50,000 events we saw on a single IPS in the last week, the large majority originated from the UK at 40,000 hits, with China and North Korea accounting for most of the remainder. This data can be retrieved directly from the SMS dashboard.


After digging a bit on the Internet, we found a number of public exploit or scanning tools that leverage this backdoor functionality. One such example is shown here:

http://pastebin.com/R7Fqh6B9


What this highlights is an active campaign of worldwide scanning across the IPv4 space for Internet-accessible routers that respond to the backdoor probe. Given the length of this campaign and its sheer volume, not to mention the ease of exploitation, it is very likely that a large number of these routers have been compromised and are being used for nefarious purposes such as man-in-the-middle attacks. While Netis did issue a patch some time back, there are still flaws in the implementation, and the backdoor code itself has not been removed.

Regardless of whether the device itself has been patched, TippingPoint users are protected from the backdoor communication attempts by DV filter 32391, which is enabled by default in a block/notify setting. We will continue to monitor the frequency and location of these scans going forward.

http://blog.trendmicro.com/trendlabs-security-intelligence/netis-router-backdoor-patched-but-not-really/
