Threat Level: green Handler on Duty: Kevin Liston

SANS ISC: Malware targets home networks - SANS Internet Storm Center

Malware targets home networks

Malware researchers at Trend Micro have analyzed a piece of malware that connects to the home router, scans the home network, sends the gathered information to a C&C server, and then deletes itself.

TROJ_VICEPASS.A pretends to be an Adobe Flash update. Once run, it attempts to log in to the home router's admin console using a predefined list of user names and passwords. If it succeeds, the malware scans the network for connected devices.

The malware scans for devices over HTTP, with a target IP range of 192.168.[0-6].0 to 192.168.[0-6].11; this IP range is hard-coded.

Once the scan is finished, it encodes the result using Base64 and encrypts it with a home-grown encryption method. The encrypted result is sent to a C&C server over HTTP.

After sending the results to the command and control (C&C) server, it deletes itself from the victim's computer using the following command:

  • `exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "%s"`
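As an added illustration (not part of the diary or of Trend Micro's analysis), the two behaviours described above can be turned into simple detection checks: one flags a host that sweeps the hard-coded 192.168.[0-6].0-11 range over HTTP, the other flags the ping-delay-then-del self-deletion command line. The log format, the sample records and the sample command line are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Hard-coded sweep range from the analysis: 192.168.[0-6].0 to 192.168.[0-6].11.
VICEPASS_NETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(7)]
VICEPASS_LAST_OCTET_MAX = 11

# Self-deletion pattern quoted in the diary: a one-packet ping with a timeout is
# used as a short delay, then "del" removes the malware's own executable.
SELF_DELETE_RE = re.compile(
    r"ping\s+\S+\s+-n\s+1\s+-w\s+\d+\s*>\s*nul\s*&\s*del\s+", re.IGNORECASE
)

def in_vicepass_range(ip: str) -> bool:
    """True if ip lies inside the hard-coded 192.168.[0-6].0-11 sweep range."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in VICEPASS_NETS):
        return False
    return int(ip.rsplit(".", 1)[1]) <= VICEPASS_LAST_OCTET_MAX

def is_self_delete_cmdline(cmdline: str) -> bool:
    """True if a process command line matches the ping-delay-then-del pattern."""
    return SELF_DELETE_RE.search(cmdline) is not None

def sweep_sources(log_lines, min_targets: int = 5):
    """Return sources that touched at least min_targets distinct in-range hosts
    on TCP/80. Lines are 'src dst dport' (a constructed format, not a product log)."""
    targets = defaultdict(set)
    for line in log_lines:
        src, dst, dport = line.split()
        if dport == "80" and in_vicepass_range(dst):
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)

# Constructed sample data: 192.168.1.20 sweeps 192.168.0.0-5 and 192.168.1.0-5,
# 192.168.1.33 only talks to its router, and one outbound web request is noise.
SAMPLE_LOG = [f"192.168.1.20 192.168.{n}.{h} 80" for n in range(2) for h in range(6)]
SAMPLE_LOG += [
    "192.168.1.33 192.168.1.1 80",
    "192.168.1.33 192.168.1.1 443",
    "192.168.1.20 203.0.113.5 80",
]
# Constructed command line in the shape the diary quotes (path is made up).
SAMPLE_CMD = 'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\\Users\\u\\flash_update.exe"'

if __name__ == "__main__":
    print(sweep_sources(SAMPLE_LOG), is_self_delete_cmdline(SAMPLE_CMD))
```

The range check also shows why Per's point below holds: a 10.0.0.0/24 home network never enters the hard-coded sweep.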

This type of malware infection can be avoided with very basic security practices, such as downloading updates and software from trusted sources only and changing the default passwords on your equipment.

Basil

56 Posts
ISC Handler
Update: Microsoft recommended that I disable certificate pinning as a workaround to the problem that was causing IE 11 to stop working. So far, this seems to be a viable workaround.
James

2 Posts
The news media claims "Off-brand modems and routers from your internet provider may be compromised" but never mentions the brands of these products. While I change everything from the default settings, my TP-Link routers have not been issued upgrades since their manufacturing date. I checked their website yesterday and there weren't any updates available. The old BBS days were safer :)
Glenn

17 Posts
Stupid hardcoded range... My home network uses 10.0.0.0/24 so it would completely miss everything there.
Per

11 Posts