Chapter Four: Mitigation and Network Detection

In a test on an Asus RT-AC66 router, the programs that QF ran did not restart themselves if the router was rebooted, and the iptables firewall modifications didn’t persist. So a reboot might be a way to get the router into a good state, but an unpatched router will still be vulnerable to exploitation through the existing unpatched vulnerabilities. Also, the QF cyber operators might modify their programs to make the programs harder to get rid of.

If an administrator logs into a compromised router using SSH secure shell or (gasp!) telnet, he might be able to identify recently created files, particularly files beginning with the hidden character “.”. This step, however, is beyond the expertise of most home and office users.

Analysts can use the tcpdump network capture program or the Snort network intrusion detection program to identify network traffic associated with the QF group.

The following BPF/tcpdump filter will identify exploitation attempts against the Asus CVE-2014-9583 vulnerability. It may also identify legitimate Asus traffic, in addition to exploitation attempts by other groups. However in my experience, false positives are minimal. udp dst port 9999 and udp[8:4] = 0x0c153300

Here is a corresponding Snort signature: alert udp any any -> any 9999 (msg:"Possible Asus CVE-2014-9583 Exploit Attempt"; reference:cve,CVE-2014-9583; reference:url,github.com/jduck/asus-cmd; sid:10000000; rev:1; classtype:attempted-admin; pkt_data; content:"|0c 15 33 00|"; nocase; rawbytes; depth:4; )

The following BPF/tcpdump filter will identify a QF-specific command directing a victim to download and execute a binary. Typically, these commands are sent more than once an hour. False positives have been non-existent. udp dst port 4143 and udp[8:4] = 0x1001008f It is easily feasible for the QF threat group to modify their command protocol to evade this detection filter.

Here is a corresponding Snort signature: alert udp any any -> any 4143 (msg:"QuantumFilament C2"; sid:10000001; rev:1; classtype:trojan-activity; pkt_data; content:"|10 01 00 8f|"; nocase; rawbytes; depth:4; )

Its time to digest the material, and perhaps take some action on your local router. At minimum, from time to time users should reboot the router and log into the web console, and then check for firmware updates. In the next post, I will comment on the state of home/office router security. Hint: Its not great.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s