A Trojan designed to brute-force the access passwords of Wi-Fi routers. It is distributed through a P2P network made up of computers infected with Win32.Sector.
Communication with the server
The communication protocol is binary and has a simple structure. Every message starts with the following header:
struct thead{
DWORD crc32;
WORD size;
};
The message body that follows the header is encrypted with RC4. The key is built from the following printf-style format string (the value substituted for %2.2u is filled in at run time):
001ls\r\n%2.2u\r\n
The Trojan also generates a string of random length (3 to 20 bytes) and adds its length to the message size (thead.size), so the declared size is larger than the structures actually carried.
Then the bot sends the server requests that look as follows:
struct OP_01_REQ{
BYTE op; //0x01
BYTE rnd[3];
};
thead head;
OP_01_REQ op_01;
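The framing described above, as an added Python example (it is not the Trojan's own code): textbook RC4, the 6-byte thead, and a random-length filler whose length is counted in thead.size. Three details the page does not state are assumptions here and are marked as such in the code: the value substituted for %2.2u in the key (a two-digit counter), what crc32 is computed over (the encrypted payload), and that the random string is appended to the body rather than only counted.

```python
"""Framing of the bot's C2 messages: thead (crc32, size) + RC4-encrypted body.
Added example, not the malware's own code. Assumptions are marked."""
import os
import random
import struct
import zlib

HEADER = struct.Struct("<IH")   # struct thead { DWORD crc32; WORD size; }, x86 little-endian


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(n: int) -> bytes:
    """Key built from the page's format string "001ls\\r\\n%2.2u\\r\\n".
    What the bot substitutes for %2.2u is not on the page; n is an assumed
    counter, rendered as two zero-padded digits as the format requires."""
    return f"001ls\r\n{n:02d}\r\n".encode("ascii")


def op01_request() -> bytes:
    """struct OP_01_REQ { BYTE op = 0x01; BYTE rnd[3]; }"""
    return b"\x01" + os.urandom(3)


def build_frame(body: bytes, key: bytes) -> bytes:
    """Wrap a message body in thead and encrypt it.

    The page says the bot adds a random-length (3..20) string to thead.size;
    here that string is appended to the body before encryption (assumption).
    The page does not say what crc32 covers; here it covers the encrypted
    payload (assumption)."""
    filler = os.urandom(random.randint(3, 20))
    payload = rc4(key, body + filler)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return HEADER.pack(crc, len(payload)) + payload


def open_frame(frame: bytes, key: bytes) -> bytes:
    """Check thead and decrypt. Returns the plaintext *including* the filler;
    the caller parses the structure and treats the tail as the random string."""
    if len(frame) < HEADER.size:
        raise ValueError("short frame")
    crc, size = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:HEADER.size + size]
    if len(payload) != size:
        raise ValueError("truncated frame: thead.size=%d, got %d" % (size, len(payload)))
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:
        raise ValueError("crc32 mismatch")
    return rc4(key, payload)


def is_valid_frame(frame: bytes, key: bytes) -> bool:
    """True if the header checks pass and the frame decrypts to an OP_01_REQ."""
    try:
        parse_op01_req(open_frame(frame, key))
        return True
    except ValueError:
        return False


def parse_op01_req(plain: bytes):
    """Split a decrypted OP_01_REQ into (op, rnd, filler_len)."""
    if len(plain) < 4 or plain[0] != 0x01:
        raise ValueError("not an OP_01_REQ")
    return plain[0], plain[1:4], len(plain) - 4


def roundtrip(n: int = 1):
    """Bot side builds the request, server side opens it; returns both views."""
    key = session_key(n)
    req = op01_request()
    frame = build_frame(req, key)
    op, rnd, filler_len = parse_op01_req(open_frame(frame, key))
    return req, frame, op, rnd, filler_len


if __name__ == "__main__":
    req, frame, op, rnd, filler_len = roundtrip(7)
    print("request %s -> frame %s (filler %d bytes)" % (req.hex(), frame.hex(), filler_len))
```

Because the filler is encrypted together with the body, a receiver cannot tell where the structure ends from thead.size alone; it has to parse the structure and discard whatever remains.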
In reply, it receives the following commands:
Scan the specified range of IP addresses
The server's reply carrying this command looks as follows:
struct OP_01{
BYTE op; //0x01
DWORD addr; //start address
BYTE count; //number of addresses to scan
};
The bot scans the range in a loop, sending a GET request to each address. The requests look as follows:
http://%s/
In the reply it looks for the following tag (the realm of the HTTP authentication challenge):
realm=\"
The value of this tag is used to identify the router model.
The Trojan can crack passwords for the following router models:
DSL-2520U
DSL-2600U
DSL router
TD-W8901G
TD-W8901G 3.0
TD-W8901GB
TD-W8951ND
TD-W8961ND
TD-8840T
TD-8840T 2.0
TD-W8961ND
TD-8816
TD-8817 2.0
TD-8817
TD-W8151N
TD-W8101G
ZXDSL 831CII
echolife
level
TP-LINK
ZXV10 W300
If the realm contains a name from this list, the bot sends the server a report that looks as follows:
struct OP_02_REQ{
BYTE op; //0x02
DWORD addr;
WORD rnd;
};
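The realm check from the scan above, as an added Python example (not the Trojan's code) run over constructed 401 responses: it pulls realm="..." out of the raw reply to GET / and matches it against the model list by substring, as the page describes, preferring the longest name so that a "TD-W8901G 3.0" realm is not reported as plain "TD-W8901G". The same check, run against your own gateway's reply, tells you whether the device would be selected.

```python
"""Router fingerprinting by HTTP authentication realm, as the bot does for
each address in an OP_01 range. Added example; the responses are constructed."""
import re

# Realm substrings the bot recognises (the model list from this page).
KNOWN_REALMS = [
    "DSL-2520U", "DSL-2600U", "DSL router", "TD-W8901G", "TD-W8901G 3.0",
    "TD-W8901GB", "TD-W8951ND", "TD-W8961ND", "TD-8840T", "TD-8840T 2.0",
    "TD-8816", "TD-8817 2.0", "TD-8817", "TD-W8151N", "TD-W8101G",
    "ZXDSL 831CII", "echolife", "level", "TP-LINK", "ZXV10 W300",
]

REALM_RE = re.compile(rb'realm="([^"]*)"')


def extract_realm(response: bytes):
    """Return the value of the first realm="..." in a raw HTTP response, or None.
    On a router this is the WWW-Authenticate header of the 401 it sends for GET /."""
    m = REALM_RE.search(response)
    return m.group(1).decode("latin-1") if m else None


def match_model(realm: str):
    """The page says the bot reports a router when the realm *contains* a
    listed name. Prefer the longest hit so "TD-W8901G 3.0" beats "TD-W8901G".
    The match is case-sensitive; the page does not say otherwise."""
    hits = [name for name in KNOWN_REALMS if name in realm]
    return max(hits, key=len) if hits else None


def fingerprint(response: bytes):
    """Model name the bot would report for this response, or None."""
    realm = extract_realm(response)
    return match_model(realm) if realm is not None else None


# Constructed responses (not captured traffic).
TPLINK_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
              b"WWW-Authenticate: Basic realm=\"TD-W8961ND\"\r\n"
              b"Content-Length: 0\r\n\r\n")
OTHER_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
             b"WWW-Authenticate: Basic realm=\"HomeGateway\"\r\n\r\n")
NO_AUTH_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for resp in (TPLINK_401, OTHER_401, NO_AUTH_200):
        print(extract_realm(resp), "->", fingerprint(resp))
```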
Crack password and change DNS
The Trojan receives the following command:
struct ITEM{
DWORD addr; //router address
BYTE len;
BYTE password[len];
};
struct OP_02{
BYTE op; //0x02
DWORD dns; //dns address
DWORD count; //number of passwords
ITEM list[count]; //list of passwords
};
The Trojan then works through the list; each ITEM pairs a router address with one candidate password. As the login, Trojan.Rbrute uses the following values:
admin
support
First, the Trojan identifies the router model. Depending on the model, it then sends POST or GET requests to the scripts that correspond to that model.
If authentication succeeds, the bot sends requests that change the device's DNS server addresses: the first (ns1) is taken from the OP_02.dns field of the command, and the second (ns2) is set to Google's 8.8.8.8.
The Trojan then reports that the password has been cracked. The report has the following fields:
BYTE op;
BYTE str[];
The str parameter has the following format:
url:login:password:type
The following command and control server address is hard coded in the Trojan's body:
142.4.213.220:48919
Operating routine
The Trojan is used to distribute Win32.Sector.
- Win32.Sector downloads Trojan.Rbrute onto a computer it has already compromised.
- Trojan.Rbrute receives a password dictionary and a command to search for Wi-Fi routers from the command and control server.
- If a router is found and its password is brute-forced, Trojan.Rbrute changes the router's DNS server settings.
- When another, so far uninfected, machine connects to the Internet through the compromised router, its user is redirected to a specially crafted web page.
- From this page, Win32.Sector is downloaded to the computer, and the infection process begins.
- Subsequently, Win32.Sector can download a copy of Trojan.Rbrute to the infected computer. The cycle is repeated.
The following example shows how google.com resolves when the query is sent to the substituted DNS server:
nslookup google.com xx.xx.xxx.186
Server: xx.xx.xxx.186
Address: xx.xx.xxx.186#53
Non-authoritative answer:
Name: google.com
Address: xxx.xxx.xxx.92
The password dictionaries and configuration data (OP_02 commands, shown here in decrypted form as found in memory) look as follows:
0012EC72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012EC82 00 00 00 00 00 00 00 00 00 00 07 D5 E1 BB 6F 00 ..............o.
0012EC92 02 7A A8 87 E3 08 00 00 00 02 BF 79 F7 05 61 64 .z.........y..ad
0012ECA2 6D 69 6E D2 38 78 F7 05 61 64 6D 69 6E 7A A9 87 min.8x..adminz..
0012ECB2 F7 06 64 72 61 67 6F 6E BB 95 7D F7 06 6D 6F 6E ..dragon..}..mon
0012ECC2 6B 65 79 02 B1 78 F7 06 61 62 63 31 32 33 D0 56 key..x..abc123.V
0012ECD2 67 F7 06 64 72 61 67 6F 6E 7D A0 65 F7 08 74 72 g..dragon}.e..tr
0012ECE2 75 73 74 6E 6F 31 59 60 86 F7 08 70 61 73 73 77 ustno1Y`...passw
0012ECF2 6F 72 64 00 00 00 00 00 00 00 00 00 00 00 00 00 ord.............

0012EC82 00 00 00 00 00 00 00 00 00 00 96 34 79 32 61 00 ...........4y2a.
0012EC92 02 1F 1C 67 BA 06 00 00 00 BB AC 20 F8 07 67 69 ...g....... ..gi
0012ECA2 7A 6D 6F 64 6F 24 47 0A F8 06 64 72 61 67 6F 6E zmodo$G...dragon
0012ECB2 BB CC 09 F8 06 64 72 61 67 6F 6E 4F 00 11 F8 08 .....dragonO....
0012ECC2 70 61 73 73 77 6F 72 64 29 20 11 F8 06 31 32 33 password) ...123
0012ECD2 34 35 36 59 BA 1C F8 07 67 69 7A 6D 6F 64 6F 00 456Y....gizmodo.
0012ECE2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0012ECF2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

0012EC82 00 00 00 00 00 00 00 00 00 00 E8 EA FD EE 38 00 ..............8.
0012EC92 02 1F 1C 67 BA 02 00 00 00 BD F5 30 F8 06 31 32 ...g.......0..12
0012ECA2 33 34 35 36 4F 81 3D F8 0D 41 64 6D 69 6E 69 73 3456O.=..Adminis
0012ECB2 74 72 61 74 6F 72 00 00 00 00 00 00 00 00 00 00 trator..........

0012EC82 00 00 00 00 00 00 00 00 00 00 5E 20 C1 C7 95 00 ..........^ ....
0012EC92 02 7A A8 87 E3 0A 00 00 00 BB 89 53 F8 08 6C 69 .z.........S..li
0012ECA2 66 65 68 61 63 6B 3C F2 6F F8 07 73 75 70 70 6F fehack<.o..suppo
0012ECB2 72 74 24 49 64 F8 05 61 64 6D 69 6E 7B 1C 56 F8 rt$Id..admin{.V.
0012ECC2 0E 73 6F 70 6F 72 74 65 45 54 42 32 30 30 36 B4 .soporteETB2006.
0012ECD2 FB 53 F8 07 67 69 7A 6D 6F 64 6F 71 A7 66 F8 06 .S..gizmodoq.f..
0012ECE2 61 62 63 31 32 33 24 4C 60 F8 08 70 61 73 73 77 abc123$L`..passw
0012ECF2 6F 72 64 75 C3 54 F8 04 72 6F 6F 74 5D 5A 57 F8 ordu.T..root]ZW.
0012ED02 04 72 6F 6F 74 1F 09 53 F8 05 61 64 6D 69 6E 00 .root..S..admin.
0012ED12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
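To check the struct definitions from the "Crack password and change DNS" section against the dumps, the following added Python example (not the malware's code) parses the first dump, transcribed from the hex above, as thead + OP_02 + ITEM[count]. The count field is clearly little-endian; the DWORD addresses are read in network byte order, as inet_addr stores them, which the page does not state but which is the reading that yields ordinary public IPv4 addresses, so that is an assumption. The 12-byte difference between thead.size (0x6F = 111) and the 99 bytes the structures occupy is the random-length string mentioned in the protocol description.

```python
"""Parser for the OP_02 command (DNS server + password list) of Trojan.Rbrute,
applied to bytes transcribed from the first memory dump above.
Added example, not the malware's code."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

HEADER = struct.Struct("<IH")      # struct thead { DWORD crc32; WORD size; }

# Transcribed from the first dump (from the crc32 at 0012EC8D to the end of
# "password" at 0012ECF4). The random-length string counted in thead.size is
# not visible in the dump (only zeros follow), so nothing is appended here.
DUMP1 = bytes.fromhex(
    "D5E1BB6F 6F00"                     # thead: crc32, size = 0x6F = 111
    "02 7AA887E3 08000000"              # OP_02: op, dns, count = 8
    "02BF79F7 05 61646D696E"            # ITEM: addr, len, "admin"
    "D23878F7 05 61646D696E"            # "admin"
    "7AA987F7 06 647261676F6E"          # "dragon"
    "BB957DF7 06 6D6F6E6B6579"          # "monkey"
    "02B178F7 06 616263313233"          # "abc123"
    "D05667F7 06 647261676F6E"          # "dragon"
    "7DA065F7 08 747275 73746E6F31"     # "trustno1"
    "596086F7 08 70617373776F7264"      # "password"
)


def parse_op02(frame: bytes) -> dict:
    """Decode thead + OP_02 + ITEM[count] from decrypted bytes.

    Addresses are read in network byte order (assumption, see lead-in).
    thead.size counts the random string too, so it normally exceeds the
    bytes the structures consume; the difference is reported as "slack"."""
    if len(frame) < HEADER.size + 9:
        raise ValueError("frame shorter than thead + OP_02")
    crc, size = HEADER.unpack_from(frame)
    body = frame[HEADER.size:]
    if body[0] != 0x02:
        raise ValueError("not an OP_02 command")
    dns = str(IPv4Address(body[1:5]))
    (count,) = struct.unpack_from("<I", body, 5)
    pos, items = 9, []
    for _ in range(count):
        if pos + 5 > len(body):
            raise ValueError("item list truncated at offset %d" % pos)
        addr, plen = IPv4Address(body[pos:pos + 4]), body[pos + 4]
        pw = body[pos + 5:pos + 5 + plen]
        if len(pw) != plen:
            raise ValueError("password truncated at offset %d" % pos)
        items.append((str(addr), pw.decode("ascii", "replace")))
        pos += 5 + plen
    return {"crc32": crc, "size": size, "dns": dns, "items": items,
            "consumed": pos, "slack": size - pos}


def per_router(items):
    """Group candidate passwords by router: the server hands out
    (router, password) pairs, so one router may appear more than once."""
    groups = defaultdict(list)
    for addr, pw in items:
        groups[addr].append(pw)
    return dict(groups)


def wordlist(items):
    """Distinct passwords in the batch: the dictionary the bot tries
    together with the logins "admin" and "support"."""
    return sorted({pw for _, pw in items})


if __name__ == "__main__":
    r = parse_op02(DUMP1)
    print("dns=%s size=%d consumed=%d slack=%d" % (r["dns"], r["size"], r["consumed"], r["slack"]))
    for addr, pw in r["items"]:
        print("  %-16s %s" % (addr, pw))
    print("wordlist:", wordlist(r["items"]))
```

The same function decodes the other three dumps once transcribed. Their declared sizes are worth noting: the second dump declares 0x61 = 97 bytes for 79 bytes of structures (18 bytes of slack), while the fourth declares 0x95 = 149 bytes for 127 bytes of structures, 22 bytes of slack, slightly outside the 3–20 range stated above. A parser should therefore treat thead.size as an upper bound and report the slack rather than assert on that range.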