r00t.cz

Page: Misc.MikrotikBackdoor - Last Modified : Thu, 23 Jan 14

Backstory

Bought the cheap WRAP router on a flea market, with two wifi cards and CF card. Was expecting to see some linux distro on it, but instead found Mikrotik 5.2 with no password. So I have replaced my original Linksys RV042 router with it and everything seemed to work as expected for some time.

After few months, I found one of DNS servers I used disappeared and ran DNSBenchmark to help me find new DNS server. It reported something weird: all DNS servers were redirecting invalid DNS requests to some IP address.

Something was clearly wrong. All requests for invalid domains were returning IP 218.93.250.18. After bit of googling, I found this is caused by cracked Mikrotik system. Sure, this DNS redirection isn't that obvious, but what if there are some other even less obvious system hooks?

Analysis

Let's find out. To access filesystem, I have dumped the CF card and mounted it under linux. First I have checked rc.d and found following script /etc/rc.d/run.d/S09PlugIn:

#!/bin/sh
# Copyright (C) 2012 OpenWrt.org

run_scripts() {
        for i in /rw/pckg/plugin/*; do
        [ -d $i ] && [ -f $i/run.sh ] && chmod +x $i/* &&  $i/run.sh & 2>&1
        done
}

#check SMP CPU
#cpu=`uname -a | busybox grep SMP`
 #[ ! -n "$cpu" ] && echo UP CPU
 #[ -n "$cpu" ] && echo SMP CPU

[ ! -d  /rw/pckg/plugin ] &&  mkdir /rw/pckg/plugin
[ -f /nova/bin/clone ] && /nova/bin/clone
run_scripts &

Interesting:

• Actual evil code is /nova/bin/clone
• Script also runs all scripts from /rw/pckg/plugin/<something>/run.sh. This directory is accessible from WinBox and can be used to run any user scripts.

Clone code

This is encrypted 77kB ELF executable with MD5 b46c48577574723f7abe8845c5417f1a. It contains string "UPX fix 5", but that's added just to mislead anyone trying to unpack it. It's not packed, just encrypted. I have used GDB to dump it from memory and analyzed it:

• It contains 6 kernel modules and initialization code that hooks kernel functions directly to load the modules. Init code also collects some system information (/proc/cpuinfo, /proc/pci, /proc/meminfo, /proc/net/route, /proc/partitions) and generates the backdoor password. Backdoor username seems to be fixed to "810113". And also some code to "seal the system".
• Module#1 monitors /dev/tty for backdoor login signature.
• Module#2 does something with LD_PRELOAD while detecting XenVMM, VMware and KVM.
• Module#3&4 are kernel modules (2.6.35 and 2.6.35-smp kernels) for actual evil stuff:
  • Monitors all traffic for DNS replies, eats the invalid ones and instead sends fake replies redirecting to 218.93.250.18.
  • Following DNS replies are always modified:
    • 1616.net
    • hao123.com
    • 114la.com
    • 265.com
    • 2345.com
    • tao123.com
    • dns.vpn2vpn.info
    • ssl.vpn2vpn.info
  • Backdoor UDP listener code. It listens for specially crafted UDP packets for commands. Commands are RC4 encrypted and allows injecting of remote kernel modules. Yes, this can be pretty bad.
• Module#5,6 are again SMP and non-SMP versions of kernel module to actually do the "hard work". It hooks the disk reading and spoofs the disk identification to VMware disk to allow using known Mikrotik key.

As you can see, almost all code is related to backdoor activities and malicious purpose...

Both packed and unpacked backdoor code can be downloaded here to satisfy your analysis needs: mkclone.zip (24KB)

DISCLAIMER: I provide this download for others to not only verify my work, but maybe find out more about this backdoor. I'm very sure it's remotely exploitable and cheap WISPs tend to use this cracked version... what could possibly go wrong?

How to know your router is backdoored?

• License key is W5EY-LHT9.
• Pinging any nonexisting domain will return 218.93.250.18. This includes pings from router itself (from console and WinBox).
• Files area on router contains directory "plugin". When deleted, it will be recreated on router restart.
• If you are connected using wireless internet provider and your DNS returns 218.93.250.18, it's time change the provider...

What to do with it?

While I'm pretty sure this is only part of system that was compromised, it may not be true. So only right way to deal with this is formatting the CF card and installing Mikrotik (and buying proper license) or some linux distro if your choice.

Bonus: How to get shell on Mikrotik

This can be very useful, be it for debugging, running your own programs or just feeling good to have the access.

• All you need to do it create empty file /nova/etc/devel-login. Easiest way is to simply mount CF card from linux. It's more tricky to do on Routerboards with internal NAND flash. In that case, LAN booting of OpenWRT linux can be used to access the flash partition.
• You can then login using SSH with username "devel" and admin user password.
• This will drop you into busybox shell. If you plan on using shell regularly, I suggest uploading full busybox executable and creating symlinks for it, as original one lacks a lot of important commands. Also many commands are supported by original busybox, but are not symlinked (like ls,rmdir,...).