Foul-mouthed worm takes control of wireless ISPs around the globe

Active attack targets Internet-connected radios from Ubiquiti Networks.

ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers and a security researcher who is following the ongoing campaign.

San Jose, California-based Ubiquiti Networks confirmed on Friday that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn’t widely installed. Many customers claimed they never received notification of the threat.

Nico Waisman, a researcher at security firm Immunity, said he knows of two Argentina-based ISPs that went dark for two days after being hit by the worm. He said he’s seen credible reports of ISPs in Spain and Brazil being infected by the same malware and that it’s likely that ISPs in the US and elsewhere were also hit, since the exploit has no geographic restrictions. Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it’s on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears. Ubiquiti officials have said there are at least two variations, so it’s possible that other strains behave differently.

Many things this worm could have done

“People were very lucky about this worm because aside from misconfiguring the device and trying to infect other devices, it doesn’t do anything at all,” Waisman wrote in an e-mail. “There are so many things that this worm could have done to this system; it could have remained permanent on the device and nobody would ever find out he got infected.”

The bug is the result of a file upload vulnerability in a Web administrator interface that allows at least one of the worm variants to replace the existing password file with one that contains the username “mother” and a corresponding password of “fucker.” From then on, attackers have persistent control over the device. The flaw resides in anything prior to the following Ubiquiti product versions:

airMAX M (Including airRouter)

    • 5.5.11 XM/TI
    • 5.5.10u2 XM
    • 5.6.2+ XM/XW/TI


    • 7.1.3+

airOS 802.11G

    • 4.0.4


    • 1.3.2


    • 1.1.5+


    • AF24/AF24HD 2.2.1+
    • AF5x
    • AF5 2.2.1+

In an advisory, Ubiquiti officials said they are aware of two different payloads that exploit the vulnerability. Although the flaw was fixed last July through a patch released through the company’s bug bounty program, officials have issued a new patch that further locks down potentially vulnerable devices.

“This is an HTTP/HTTPS exploit that doesn’t require authentication,” they wrote. “Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.”

A quick way users of these products can see if they’re infected is by trying to log in to the device over SSH with the username “mother” and the password “fucker.” If they get a shell window, that means the device was compromised. (The login credentials are left behind by the attackers after an exploit is successful.) The surest way to disinfect a device is to back up its configuration and completely wipe and rewrite its flash with a fresh copy of the firmware. Ubiquiti has a firmware recovery script that automates this process. Users can then restore the device configuration on the reflashed device.
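For operators with many radios, the same indicator can be checked offline against password files already pulled from each device. The script below is an added example, not code from the article or from Ubiquiti. It assumes standard passwd-format files, an operator admin account named `ubnt`, and a constructed three-device sample. It goes one step beyond the article by also flagging any unexpected uid-0 account, since other strains may not use the same username.

```python
# Added example: audit passwd-format files collected from radios for the
# backdoor account named in the article. All sample data is constructed.

BACKDOOR_USER = "mother"      # username reported in the article
EXPECTED_ADMINS = {"ubnt"}    # assumption: the operator's known admin accounts


def parse_passwd(text):
    """Yield (user, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # malformed line: skip rather than guess
        yield fields[0], int(fields[2]), fields[6]


def audit_device(passwd_text, expected_admins=EXPECTED_ADMINS):
    """Return a list of findings for one device's passwd file."""
    findings = []
    entries = list(parse_passwd(passwd_text))
    users = {user for user, _, _ in entries}
    if BACKDOOR_USER in users:
        findings.append("backdoor account '%s' present" % BACKDOOR_USER)
    for user, uid, _ in entries:
        # Other variants may use a different name: flag any unknown uid 0.
        if uid == 0 and user not in expected_admins and user != BACKDOOR_USER:
            findings.append("unexpected uid-0 account '%s'" % user)
    missing = sorted(set(expected_admins) - users)
    if missing:  # the worm replaces the file, so known admins disappear
        findings.append("expected admin account(s) missing: " + ", ".join(missing))
    return findings


def audit_fleet(fleet):
    """Map device name -> findings, keeping only devices with findings."""
    results = {name: audit_device(text) for name, text in fleet.items()}
    return {name: found for name, found in results.items() if found}


# Constructed sample: three radios, password hashes replaced by placeholders.
SAMPLE_FLEET = {
    "tower-a": "ubnt:<hash>:0:0:Administrator:/etc/persistent:/bin/sh\n",
    "tower-b": "mother:<hash>:0:0:Administrator:/etc/persistent:/bin/sh\n",
    "tower-c": "ubnt:<hash>:0:0:Administrator:/etc/persistent:/bin/sh\n"
               "svc:<hash>:0:0::/:/bin/sh\n",
}
```

A device with any finding should be treated as compromised and reflashed as described above, not just have the account removed.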

Ubiquiti officials have indicated that the number of customers known to be infected has been low. But outsiders say the actual number of compromises might be much higher.

“Exploits are assumed to be underway globally,” said Ben West, a networking engineer at WasabiNet, a wireless ISP located in St. Louis. “The number of affected customers is possibly in the low hundreds, based on observation of volume of traffic on [Ubiquiti] support forums and e-mail threads.”

Post updated throughout to correct the spelling of the company’s name. List of vulnerable products also updated.