Inssomniak
The Glitch
Premium Member
join:2005-04-06
Cayuga, ON
Skynet virus

UBNT forums are down.

Does anyone know exactly what the Skynet virus does?

Recently I have radios with changed passwords or services disabled (HTTP/SSH) and I don't know if it's someone with my password or the virus.
urmom
Premium Member
join:2010-10-18
Pittsburg, KS
If you have the most recent firmware on them, the virus shouldn't be an issue.

Inssomniak
The Glitch
Premium Member
join:2005-04-06
Cayuga, ON
said by urmom:

If you have the most recent firmware on them, the virus shouldn't be an issue.

Assume I don't.
Newbie
Member
join:2011-04-18

to Inssomniak
There were a couple of different things from what I read...

First off it installed a packet sniffer that would collect customer data and send it to a remote server... I'm guessing to collect passwords etc. Eventually it would use up all the memory on the UBNT device and cause it to crash/reboot every few hours when it filled up.

There was another thread where it was more malicious. I don't know if they ever figured out what happened, but every UBNT device had a redirect built into it that would send every customer to a gay porn website... apparently YMMV.

It apparently spreads like wildfire to everything on the same network... So if you can, SSH into another device on that same network, run ls -la /etc/persistent and see if you find anything that says skynet.

Inssomniak
The Glitch
Premium Member
join:2005-04-06
Cayuga, ON
said by Newbie:

There were a couple of different things from what I read...

First off it installed a packet sniffer that would collect customer data and send it to a remote server... I'm guessing to collect passwords etc. Eventually it would use up all the memory on the UBNT device and cause it to crash/reboot every few hours when it filled up.

There was another thread where it was more malicious. I don't know if they ever figured out what happened, but every UBNT device had a redirect built into it that would send every customer to a gay porn website... apparently YMMV.

It apparently spreads like wildfire to everything on the same network... So if you can, SSH into another device on that same network, run ls -la /etc/persistent and see if you find anything that says skynet.

Variation 1: I've found the HTTP port still active but can't log in.

Variation 2: no HTTP or SSH on port 22 active, but found SSH on port 23, and still can't log in. Adding to this variation, found HTTP on port 88 instead of 80.
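A small triage helper for the check Newbie describes (look for anything named skynet in /etc/persistent) and for the two port/login variations listed in this post. It is an added example, not code from the thread or from Ubiquiti; the directory listing is constructed, and the port numbers (80/22 normal, 88/23 moved) are the ones reported above.

```python
# Constructed sample of "ls -la /etc/persistent" from an AirOS radio (made-up
# names and sizes); a real listing is what you would paste in from SSH.
SAMPLE_LISTING = """\
total 24
drwxr-xr-x    3 root     root          4096 Jan  1 00:00 .
drwxr-xr-x   12 root     root          4096 Jan  1 00:00 ..
-rw-r--r--    1 root     root          1842 Jan  1 00:00 rc.poststart
-rwxr-xr-x    1 root     root         61392 Jan  1 00:00 skynet
lrwxrwxrwx    1 root     root            11 Jan  1 00:00 .ssh -> /tmp/.ssh
"""


def parse_ls_la(text):
    """Entry names from `ls -la` output (busybox or GNU), without the
    'total' line, '.' and '..'; symlink targets are dropped."""
    names = []
    for line in text.splitlines():
        fields = line.split(None, 8)  # perms links owner group size mon day time name
        if len(fields) < 9:           # 'total N' or blank line
            continue
        name = fields[8].split(" -> ")[0]
        if name not in (".", ".."):
            names.append(name)
    return names


def skynet_entries(listing_text):
    """Names in /etc/persistent that carry the worm's name."""
    return [n for n in parse_ls_la(listing_text) if "skynet" in n.lower()]


def triage(open_ports, login_ok, listing_text):
    """Classify one radio's symptoms into the patterns reported in the thread.
    open_ports: TCP ports seen open on the management interface.
    login_ok:   whether the known admin credentials still work.
    Returns a list of finding strings (empty list = nothing suspicious)."""
    ports = set(open_ports)
    findings = []
    hits = skynet_entries(listing_text)
    if hits:
        findings.append("skynet artefacts in /etc/persistent: " + ", ".join(hits))
    if not login_ok and 80 in ports:
        findings.append("variation 1: HTTP still on 80 but credentials rejected")
    if {80, 22}.isdisjoint(ports) and ports & {23, 88}:
        findings.append("variation 2: management ports moved (SSH on 23 / HTTP on 88)")
    if not login_ok and not hits:
        findings.append("credentials changed without worm artefacts: suspect a person "
                        "using the same auth bypass; regain control and update firmware")
    return findings
```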
Newbie
Member
join:2011-04-18

I did not see any reports of the virus changing management ports yet... It certainly wouldn't surprise me...

IMO, from what I saw of the virus (I'm no expert) it seemed like they were trying to stay more incognito and sniff traffic from under your nose...

To me it smells like something else is going on, but you're not going to be able to tell until you can find a way to get into the devices... If you use a universal password I would start by changing that to try and stop whatever this is.

Inssomniak
The Glitch
Premium Member
join:2005-04-06
Cayuga, ON
I need more info on how the exploit worked, like how I can use the virus to gain access myself to radios with changed passwords.

So far I've found 6, out of 500 or so. All would have been running vulnerable firmware.
Newbie
Member
join:2011-04-18

Here is the initial site reporting the virus; you'll need Chrome to translate it for you. This would be much easier if their forums weren't down :-\

Edit: Sorry, I took the URL down. I didn't know they had skynet available for download on that site, and I don't want to spread it.

Here is the gist of what it said; if you need the address PM me.
-----------------------------------------------------
"What does the virus do?

We managed to catch a few modifications, but all have in common:

- it reproduces itself naturally
- interception of login cookies to devices, and their communication to the virus author
- listening to network traffic for logins and passwords on port 80, and their communication to the virus author

Among other things, the virus causes random reboots of the device, probably from exhaustion of free memory, but in a modified and targeted form it restarts the WiFi router.

How does the virus work?

It must be said that the worm uses a combination of two errors by the creators of the device firmware. The first mistake is that in these versions of the firmware there is a page /admin.cgi, which is of course protected by the device setup password, but allows uploading files to the device or brazen command execution as root via the web interface. This page should definitely not have been in the production firmware. The second mistake is a misconfigured AirOS proprietary module for the lighttpd web server, which, by entering a couple of characters in the URL, allows displaying any configuration page without knowing the password.

The few characters can be traced in the attached file with the virus, skynet.tgz, and are deliberately not mentioned directly in the article.

With these two errors the virus has the opportunity to spread easily without breaking complex passwords, etc.; basically it tests an IP address for a few seconds and tries to cycle through more and more."

matthardy
Premium Member
join:2007-01-23
Atlanta, GA
Hi guys,
Sorry for the inconvenience. There's a major AWS outage now (also affecting Netflix, reddit, foursquare, etc.).

You can find the cached version here:
»webcache.googleuserconte ··· &ct=clnk

You can also find the removal tool in post 3.
Feel free to email me (matt@ubnt.com) for more info...

-Matt
matthardy
Premium Member

to Newbie
said by Newbie:

There was another thread where it was more malicious. I don't know if they ever figured out what happened, but every UBNT device had a redirect built into it that would send every customer to a gay porn website... apparently YMMV.

From what I remember, this wasn't actually a virus that spread around, but a personal attack against this ISP (competitor or something similar).
Mike_27
Premium Member
join:2004-05-15
Gardiner, MT

to Inssomniak
said by Inssomniak:

I need more info on how the exploit worked, like how I can use the virus to gain access myself to radios with changed passwords.

»webcache.googleuserconte ··· t=ubuntu
said by Inssomniak:

So far I've found 6, out of 500 or so. All would have been running vulnerable firmware.

»sourceforge.net/projects ··· scanner/

hth,
Mike

Inssomniak
The Glitch
Premium Member
join:2005-04-06
Cayuga, ON

to Newbie
Using the same vulnerability posted earlier and later removed, I hacked my way back into the radios with changed passwords. It doesn't appear that it was the Skynet virus, just someone who used the vulnerability to, well, just change the username and password, and the admin ports for HTTP and SSH, as far as I can tell...