Analysis by Kenney Lu
In recent years, we have seen a lot of reports about home routers being vulnerable to attacks. Our research as early as 2008 shows malware rigging routers to redirect users to different sites. Other attacks we have seen include backdoors and possible DNS rebinding attacks. In these scenarios, the intent and goal of the attacks are pretty straight-forward.
Snooping Around Your Network
We recently came across one malware, detected as TROJ_VICEPASS.A, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it will send the information to a command-and-control (C&C) server and deletes itself from the computer.
Figure 1. Infection chain
A Closer Look at its Routines
Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update. Users are encouraged to download this update and install it in their computers.
Figure 2. Site hosting fake Adobe Flash update
Figure 3. Fake Flash update
Once the malware is executed, it attempts to connect to the connected router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices.
Figure 4. Scanning for connected devices
The malware scans for devices using HTTP, with a target IP range of 192.168.[0-6].0-192.168.[0-6].11, which are IP addresses which are assigned by home routers. The target range is hard-coded. A look at the internal log format reveals such:
Find router IP address – start
Searching in 192.168.0.0 – 192.168.0.11
 connect to 192.168. 0.0
URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’
Find router IP address – end
We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices cannot have an HTTP open panel. However, it should be noted that the strings focus more on routers. We found that the malware uses the following strings in its search:
Figure 5. The search for Apple devices
Once the malware finishes scanning, the results of the search are encrypted using base64 and a self-made encryption method. Base64 is only an encoding technique so the scan results still require an encryption method. The encrypted result will be sent to a C&C server via HTTP protocol.
Figure 6. Encryption of scan results
Figure 7. Sending results to the C&C server
After it has sent the results, it will delete itself from the victim’s computer, removing any trace of it. It uses the following command to do so:
- exe /C ping 220.127.116.11 -n 1 -w 3000 > Nul & Del “%s”
Based on its routines, the malware might be used by cybercriminals as a “scout” for bigger campaigns. The intelligence gathering could be the first step in more severe attacks. The information could be stored and used for future cross-site request forgery (CSRF) attacks similar to the one discussed here. If they have previous log in credentials for specific IPs, the attack would be easier to perform. Of course, we cannot be truly certain but this seems to be the likeliest scenario for malware with this type of routine.
Protecting Routers and Other Devices
Whatever its ultimate goal, this malware shows the importance of securing devices—even those that might not seem like likely targets. Users should always change their routers’ default login credentials; strong passwords or passphrases are a must. Users can also opt for password management software to help them with all their passwords.
Aside from good password habits, users should always remember other security practices. For example, they should avoid clicking links on emails as much as they can. If they need to go to a site, typing the address or using a bookmark is preferred. If their software requires updates, users can directly visit the official site for downloads. They can also opt for their applications to automatically install updates once they are available. Lastly, users should always protect their devices with security solutions. For example, they can use Trend Micro security for their computers and Trend Micro Mobile for Android and iOs for their smartphones.
User names and passwords
This malware uses the following list of possible user names:
It uses the following list of passwords:
Hash of related file: