Hello, welcome to the Tuesday, November 29, 2016 edition of the Sands and a Storm Center's

Stormcast. My name is Johannes Ulrich, and I am recording from Jacksonville, Florida.

What better way to snap out of a long weekend than a major botnet that's taking down a large

ISP? In this case, it was a variant of the Mirai botnet that's taking down a large ISP. In this case it was a variant of the Mirai

botnet that now added a new exploit at hacking certain DSL routers. Now really the story

starts on November 7th. That's when a researcher posted a new vulnerability in the D-1000 modem deployed by Irish

ISP IRE. Now, this vulnerability affected the TR-69 protocol. TR-69 is a protocol that ISPs use

to remote configure modems, and in this particular case,

it used port 7,547, a fairly odd port, so nothing that's really used by anything else,

but actually this protocol often also listens on port 5,55555.

Now, this D-1000 modem is a variant of a Syccell modem and that's

really no surprise. Most ISPs really just rebrand a more or less off-the-shelf modem and all

modems of this particular type, not just the ones that I are deployed, are vulnerable

to this exploit, which is very easy to execute.

All you have to do is insert a shell command in the SetnTP server directive in the request,

and your exploit will be executed. There is a meta-sploid module available

that was published on November 7th with the original release of this vulnerability.

So this weekend, about 900,000 customers of German ISP Deutsche Telecom did report that their modem essentially kept crashing.

It's not really clear yet whether that was an intention of the exploit or really just a side effect,

but these modems, while they're not made by Sychcel, also appear to be vulnerable to this exploit.

What we have seen so far is that Mirai did adopt this exploit and is now actively scanning for it.

So all this very intense scanning that we have seen so far from Mirai now also includes scans for this vulnerability.

...