Ubiquiti Networks issued a security alert on Monday, urging users to update their AirOS router firmware to the latest release in order to avoid getting compromised by a worm attack affecting all devices that have login ports open to the Internet.
The company says that the following router models are actively being targeted: AirOS 802.11G, AirMAX M (including airRouer), AirMAX AC, airGateway, airFiber, and ToughSwitch.
An unknown attacker created a self-replicating virus that uses the default credentials for Ubiquiti devices, admin user "ubnt" and password "ubnt," to log into these routers, leave a copy of itself and then spread to other devices.
Worm creates its own admin account and then leaves
Once the worm logs into the routers, it uses a vulnerability discovered last summer in the login.cgi file to upload and execute files on the device.
This exploit allows the worm to create a backdoor account on the router, with the username "mother" and the password "f u c k e r."
The worm takes additional precautions by also adding iptables (firewall) rules that prevent the admin user from accessing the administration panel via the Web interface.
Furthermore, the work also adds itself to the rc.poststart file, which governs what processes start automatically after each reboot.
After getting persistence on the device, the worm will download a copy of the open-source cURL utility and use it to spread to other routers, either on the internal network or the Internet.
Firmware updates were available for months
Ubiquiti Networks issued the alert on Monday to remind users that a new firmware version that includes a fix for the worm’s exploit had been released a few months back. The company also urged administrators to protect their routers behind a firewall.
Additionally, the company also introduced a tool for cleaning out infected routers. The user must connect the affected device to their PC and run the tool (a Java JAR file).
Symantec claims that the worm targeting Ubiquiti devices is harmless but could be a test version for something that could be easily weaponized in the future.
Last week, German researchers from OpenSource Security (OSS) created a proof-of-concept worm that targets programmable logic controllers (PLCs), crucial ICS/SCADA equipment.
It appears that self-replicating viruses (worms) are becoming popular once again, after they were extremely dangerous and successful in the ‘90s and the start of the 2000s, thanks to removal storage devices such as CDs, DVDs, and USBs, and in the early days of the Internet, when there were very few Web security products available.