Momentum Botnet Infects Linux-based Routers And Smart Devices, Uses Them For DDoS Attacks
Cloud provider and security research firm Trend Micro reports that they are seeing "notable malware activity" on "devices running Linux" from a botnet called Momentum. The actual devices in question are IoT devices, security cameras, routers, copy machines and TV top-set boxes running a variety of exploitable software on top of a Linux kernel.
Trend Micro story regarding the Momentum botnet is:
"Momentum targets the Linux platform on various CPU architectures such as ARM, MIPS, Intel, Motorola 68020, and more. The main purpose of this malware is to open a backdoor and accept commands to conduct various types of DoS attacks against a given target"
The Security Vulnerabilities "Momentum" (ab)Uses
Trend Micro was kind enough to include a list of the methods the Momentum botnet uses to spread itself towards the end of their dramatic article/product advertisement. It has many methods for infecting devices:
- A CCTV exploit from 2016 which affected a long list of CCTV camera models.
- A remote code execution flaw in Hootoo HT-05 from January 2019
- A http POST flaw in a
/cgi-bin/file_transfer.cgiscript present on large-display devices from several different vendors. They list Crestron AM, Barco wePresent WiPG, Extron ShareLink, Teq AV IT, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, InFocus LiteShow as affected. As an example, Sharp PN-L703WA is a 70-inch "interactive display system" with a 1080p resolution and 10-point multi-touch.
- MVPower DVR TV-7104HE using a flaw in its JAWS Webserver
Momentum covers most of the long-known router exploits. It supports:
- A ZyXEL router exploit disclosed in 2016
- A Remote Code Execution Vulnerability in Huawei's HG532 router, disclosed Dec 28th 2017 as CVE-2017-17215
- Flaws in D-Link's "Home Network Administration Protocol" (D-Link HNAP)
- A UPnP flaw in Realtek routers from 2014
- Many models of Dasan GPON routers including GPON80, GPON8080 and GPON443
- A WAN Side Remote Command Injection in Eir D1000 Wireless Routers
None of the listed methods take advantage of security flaws in the Linux kernel and none of them affect desktop and server distributions like RHEL, CentOS, Debian, Manjaro or free software router firmware distributions like OpenWrt.
The DDoS Modules
The Momentum botnet has a long list of modules for carrying out DDoS attacks using its infected botnet nodes. Only one stands out as particularly noteworthy: It supports a memcached amplification attack. This particularly attack is not at all unique to Momentum. Memcached is typically used for object caching on a local machine or a local network. Exposing memcached's port to the Internet will result in it being used for DDoS amplification attacks. All you have to do to see how common this is is to start a memcached service on a public IP with its default port
11211 open. It will be exploited within 10-30 minutes. System administrators should keep this in mind when configuring LAMP servers and other deployments using memcached.
Momentum has also got support for DNS amplification attacks just in case some public DNS server has not been upgraded since those attacks were made a non-issue thanks to updates nearly a decade ago.
The rest of Momentum's DDoS modules are dull and not even remotely interesting. It supports doing SYN floods, UDP floods, RTCP floods and several other similar flood attacks. They are all regular straight-forward send a lot of data attacks taking advantage of a potentially large number of botnet machines participating in the attack (amplification attacks, on the other hand, uses weaknesses in software on other hosts to make those other hosts send lots of data to a target).
Lessons Worth Learning
You should look for a firmware update you own or use any of the above listed IoT smart displays, CCTV cameras or routers. The chances that you do are fairly slim, none of those devices are very common. You should probably also check if there are firmware updates, if you have any similar Internet of Things (IoT) devices.
You should also, regardless of owning any of the above listed devices, remember one important lesson: Firmware running on devices which look more like appliances than computers can and does have security problems (even if they happen to be running a Linux kernel). Buy and use routers capable of running free software like OpenWrt instead of locked-up routers running black-box closed-source firmware. As for other IoT devices and "smart" appliances: It's mostly best to avoid them. Refrigerators have been able to keep food cold without any "smart" functionality for many decades.