Hello, welcome to the Friday, August 5th, 2016 edition of the Sands and its Storm Center's

Stormcast.

My name is Johannes Ulrich and the day I'm recording from Boston, Massachusetts.

In 2014, Trent Labs reported about vulnerability in Nettis routers.

Now, Nettis routers are typically only sold in China, but occasionally you can find them

in the US or other parts of the world as well.

The problem here was that exploitation of this vulnerability was rather simple.

It was just a listening UDP port, and you could send any shell command to that UDP port.

You had to prefix it with the right static password that was well known and you could essentially

execute commands.

This has been laying dormant for a while. It has been abused occasionally,

mostly in China, in areas where these routers are common. But about a week ago, we saw

a huge search in scans for the port here. It's 53,413. This port has been scanned by thousands of hosts

starting about a week ago, which indicates that since the number of sources increased at about the same rate,

the number of actual targets increased, that this is likely

a worm that will infect systems and turn them into additional scanners.

Shadow Server has been looking into this problem for a while now and has been assembling lists

of infected IP addresses in order to notify owners.

At this point, we do see about 30,000 different IP addresses

and assuming that these are infected systems, scanning for more systems to infect.

The initial exploit will just download additional binaries. The little bit odd part

is that the download uses a more or less static IP address. It's not downloading it from the

...