Analysis by Kenney Lu

In recent years, we have seen a lot of reports about home routers being vulnerable to attacks. Our research as early as 2008 shows malware rigging routers to redirect users to different sites. Other attacks we have seen include backdoors and possible DNS rebinding attacks. In these scenarios, the intent and goal of the attacks are pretty straightforward.

Snooping Around Your Network

We recently came across one malware, detected as TROJ_VICEPASS.A, which pretends to be an Adobe Flash update. Once executed, it attempts to connect to the home router to search for connected devices. It then tries to log in to the devices to get information. Should it be successful, it will send the information to a command-and-control (C&C) server and delete itself from the computer.



Figure 1. Infection chain

A Closer Look at its Routines

Users may encounter this malware when visiting suspicious or malicious sites hosting a supposed Flash update. Users are encouraged to download this update and install it on their computers.



Figure 2. Site hosting fake Adobe Flash update



Figure 3. Fake Flash update

Once the malware is executed, it attempts to connect to the router through its admin console, using a predefined list of user names and passwords. If successful, the malware will attempt to scan the network to look for connected devices.



Figure 4. Scanning for connected devices

The malware scans for devices over HTTP, with a target IP range of 192.168.[0-6].0 to 192.168.[0-6].11, addresses typically assigned by home routers. The target range is hard-coded. A look at the internal log format reveals the following:

Find router IP address – start
Searching in 192.168.0.0 – 192.168.0.11
[0] connect to 192.168. 0.0
URL: ‘192.168.0.0’, METHOD: ‘1’, DEVICE: ‘Apple’
…. (skip)
Find router IP address – end

We noticed that the malware checks for Apple devices such as iPhones and iPads, even though those devices do not expose an open HTTP admin panel. However, it should be noted that the strings focus more on routers. We found that the malware uses the following strings in its search:

dlink
d-link
laserjet
apache
cisco
gigaset
asus
apple
iphone
ipad
logitech
samsung
xbox



Figure 5. The search for Apple devices
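
The sweep and login behavior described above leaves a recognizable footprint in a router's web access log. The following is an added detection example, not code from the original post or from the malware; it runs over constructed log lines in an assumed "src dst method path status user" format and flags one LAN host touching many addresses inside the hard-coded 192.168.[0-6].0-11 range and the same host cycling through user names against the admin console.

```python
import re
from collections import defaultdict
# Constructed router web access log, not from the original post.
# Assumed format: "<src_ip> <dst_ip> <method> <path> <status> <user>".
SAMPLE_LOG = """\
192.168.0.5 192.168.0.1 GET / 200 -
192.168.0.5 192.168.0.2 GET / 200 -
192.168.0.5 192.168.0.3 GET / 200 -
192.168.0.5 192.168.0.4 GET / 200 -
192.168.0.5 192.168.1.0 GET / 200 -
192.168.0.5 192.168.0.1 POST /login.cgi 401 admin
192.168.0.5 192.168.0.1 POST /login.cgi 401 Admin
192.168.0.5 192.168.0.1 POST /login.cgi 401 root
192.168.0.5 192.168.0.1 POST /login.cgi 401 supervisor
192.168.0.5 192.168.0.1 POST /login.cgi 200 admin
192.168.0.7 192.168.0.1 GET /status.html 200 admin
"""

# The hard-coded sweep range from the post: 192.168.[0-6].0 through 192.168.[0-6].11.
SWEEP_RANGE = re.compile(r"^192\.168\.[0-6]\.(?:[0-9]|1[01])$")
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse(log_text):
    """Parse log lines into (src, dst, method, path, status, user) tuples."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            src, dst, method, path, status, user = m.groups()
            rows.append((src, dst, method, path, int(status), user))
    return rows

def detect_sweep(rows, min_hosts=5):
    """Sources that contacted at least min_hosts distinct hosts inside the sweep range."""
    hosts = defaultdict(set)
    for src, dst, *_ in rows:
        if SWEEP_RANGE.match(dst):
            hosts[src].add(dst)
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}

def detect_login_spray(rows, min_users=3):
    """(src, dst) pairs with failed logins under >= min_users names, plus whether a success followed."""
    failed, succeeded = defaultdict(set), set()
    for src, dst, method, path, status, user in rows:
        if method == "POST" and status == 401:
            failed[(src, dst)].add(user)
        elif method == "POST" and status == 200 and (src, dst) in failed:
            succeeded.add((src, dst))
    return {k: (len(v), k in succeeded) for k, v in failed.items() if len(v) >= min_users}
```

The thresholds are deliberately low because a home network rarely has a legitimate host probing five or more neighbors within the same short window.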

Once the malware finishes scanning, the search results are encoded with base64 and encrypted with a self-made encryption method. Base64 is only an encoding technique, so the scan results still require the encryption step to be concealed. The encrypted result is then sent to a C&C server over HTTP.



Figure 6. Encryption of scan results



Figure 7. Sending results to the C&C server

After it has sent the results, it will delete itself from the victim’s computer, removing any trace of it. It uses the following command to do so:

exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del “%s”
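
The "ping a host, then delete the file" idiom above is a common way for malware to wait until its own process has exited before removing the binary, and the command line itself is a good hunting indicator. The following is an added example, not code from the original post; it parses constructed process command lines (assumed to come from process-creation telemetry) and extracts the pinged address, the approximate delay, and the file being removed.

```python
import re

# Pattern for the delayed self-delete idiom shown above:
#   ping <ip> -n <count> -w <ms> > Nul & Del "<file>"
# An optional "cmd.exe /C" prefix and either straight or curly quotes are tolerated.
SELF_DELETE = re.compile(
    r"""(?:cmd(?:\.exe)?\s+/c\s+)?
        ping\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+
        -n\s+(?P<count>\d+)\s+-w\s+(?P<wait>\d+)\s*
        >\s*nul\s*&\s*del\s+["“]?(?P<file>[^"”]+)["”]?
    """,
    re.IGNORECASE | re.VERBOSE,
)

def check_self_delete(cmdline):
    """Return None, or details of the delayed self-delete if the command line matches."""
    m = SELF_DELETE.search(cmdline)
    if not m:
        return None
    return {
        "target_ip": m.group("ip"),
        # rough upper bound on how long the file lingers before deletion
        "delay_ms": int(m.group("count")) * int(m.group("wait")),
        "deleted_file": m.group("file").strip(),
    }

# Constructed process command lines, not from the original post.
SAMPLES = [
    'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\\Users\\victim\\Downloads\\flash_update.exe"',
    'ping 127.0.0.1 -n 3 -w 1000 > nul & del "C:\\Temp\\dropper.exe"',
    'ping 192.168.0.1 -n 4',
]

def scan(cmdlines):
    """Return the extracted details for every command line that shows the idiom."""
    return [r for r in (check_self_delete(c) for c in cmdlines) if r]
```

Because the deletion only happens after the ping finishes, an endpoint agent that sees this command line still has a few seconds to copy the referenced file before it disappears.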

Gathering Intelligence

Based on its routines, the malware might be used by cybercriminals as a “scout” for bigger campaigns. The intelligence gathering could be the first step in more severe attacks. The information could be stored and used for future cross-site request forgery (CSRF) attacks similar to the one discussed here. If the attackers already have working login credentials for specific IPs, the attack would be easier to perform. Of course, we cannot be truly certain, but this seems to be the likeliest scenario for malware with this type of routine.

Protecting Routers and Other Devices

Whatever its ultimate goal, this malware shows the importance of securing devices—even those that might not seem like likely targets. Users should always change their routers’ default login credentials; strong passwords or passphrases are a must. Users can also opt for password management software to help them with all their passwords.

Aside from good password habits, users should always remember other security practices. For example, they should avoid clicking links in emails as much as they can. If they need to go to a site, typing the address or using a bookmark is preferred. If their software requires updates, users can directly visit the official site for downloads. They can also opt for their applications to automatically install updates once they are available. Lastly, users should always protect their devices with security solutions. For example, they can use Trend Micro security for their computers and Trend Micro Mobile for Android and iOS for their smartphones.

User names and passwords

This malware uses the following list of possible user names:

admin
Admin
administrator
Administrator
bbsd-client
blank
cmaker
d-link
D-Link
guest
hsa
netrangr
root
supervisor
user
webadmin
wlse

It uses the following list of passwords:

_Cisco
0000
000000
1000
1111
111111
1111111
11111111
111111111
112233
1212
121212
123123
123123Aa
123321
1234
12345
123456
1234567
12345678
123456789
1234567890
1234qwer
123ewq
123qwe
131313
159753
1q2w3e4r
1q2w3e4r5t
1q2w3e4r5t6y7u8i9o0p
1qaz2wsx
2000
2112
2222
222222
232323
321123
321321
3333
4444
654321
666666
6969
7777
777777
7777777
88888888
987654
987654321
999999999
abc123
abc123
abcdef
access
adm
admin
Admin
Administrator
alpine
Amd
angel
asdfgh
attack
baseball
batman
blender
career
changeme
changeme2
Cisco
cisco
cmaker
connect
default
diamond
D-Link
dragon
ewq123
ewq321
football
gfhjkm
god
hsadb
ilove
iloveyou
internet
Internet
jesus
job
killer
klaster
letmein
link
marina
master
monkey
mustang
newpass
passwd
password
password0
password1
pepper
pnadmin
private
public
qazwsx
qwaszx
qwe123
qwe321
qweasd
qweasdzxc
qweqwe
qwerty
qwerty123
qwertyuiop
ripeop
riverhead
root
secret
secur4u
sex
shadow
sky
superman
supervisor
system
target123
the
tinkle
tivonpw
user
User
wisedb
work
zaq123wsx
zaq12wsx
zaq1wsx
zxcv
zxcvb
zxcvbn
zxcvbnm

Hash of related file: