[nsp-sec] UBNT airOS worm in the wild
Damian Menscher
damian at google.com
Mon May 16 15:11:44 EDT 2016
On Mon, May 16, 2016 at 7:50 AM, Smith, Donald <Donald.Smith at centurylink.com> wrote:
> TLP (the link is public but checking)?
>
Existence of the worm is TLP:WHITE (public link).
> What is the tie-in to nxdomain?
>
This part is TLP:AMBER: The worm spreads by picking a random IP, then
trying to infect it. It apparently (not entirely certain why, but I
suspect it's either ssh or curl doing it) triggers an A/AAAA DNS query on
the IP it tries to infect. As a result, this triggers an NXDOMAIN response
(.[0-9]{3} isn't a valid gTLD).
Damian
> Subject: [nsp-sec] UBNT airOS worm in the wild
>
> ----------- nsp-security Confidential --------
>
> Starting Friday, a worm started spreading affecting UBNT airOS devices:
>
>
> http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
>
> This has likely already run its course (it spread fairly quickly in the
> first hours, and appears to have reached saturation by Saturday) but I
> wanted to spread the word in case ISPs are unaware. It appears this worm
> is also responsible for an increase in NXDOMAIN queries hitting recursive
> resolvers (which may be your best indicator of infection).
>
> Damian
> --
> Damian Menscher :: Security Reliability Engineer :: Google :: AS15169
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
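One way to turn the NXDOMAIN indicator described in the thread into a resolver-side check, as an added example that is not code from the thread or from UBNT: it scans constructed query-log lines in an assumed "timestamp client qname qtype rcode" format and flags source addresses whose NXDOMAIN A/AAAA queries name several distinct bare IPv4 literals, the pattern a random-target scanner produces and a single typo'd hostname does not.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (hypothetical format: "ts client qname qtype rcode").
SAMPLE_LOG = """\
1463400001 10.0.0.5 203.0.113.77 A NXDOMAIN
1463400001 10.0.0.5 203.0.113.77 AAAA NXDOMAIN
1463400002 10.0.0.5 198.51.100.9 A NXDOMAIN
1463400002 10.0.0.5 198.51.100.9 AAAA NXDOMAIN
1463400003 10.0.0.5 192.0.2.44 A NXDOMAIN
1463400003 10.0.0.5 192.0.2.44 AAAA NXDOMAIN
1463400004 10.0.0.8 www.example.com A NOERROR
1463400005 10.0.0.8 typo.exmaple.com A NXDOMAIN
1463400006 10.0.0.9 203.0.113.5 A NXDOMAIN
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(A|AAAA)\s+(\w+)$")
DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.?$")


def looks_like_ip_qname(qname):
    """True when the query name is a bare IPv4 literal. Such a name can never
    resolve: its last label (.[0-9]{1,3}) is not a valid TLD, so the recursive
    resolver answers NXDOMAIN every time."""
    m = DOTTED_QUAD.match(qname)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def suspicious_clients(log_text, min_distinct_targets=3):
    """Return {client: distinct IP-literal targets} for clients whose NXDOMAIN
    A/AAAA queries name at least `min_distinct_targets` distinct IPv4 literals."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, qname, _qtype, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_like_ip_qname(qname):
            targets[client].add(qname.rstrip("."))
    return {c: len(t) for c, t in targets.items() if len(t) >= min_distinct_targets}


if __name__ == "__main__":
    for client, n in sorted(suspicious_clients(SAMPLE_LOG).items()):
        print(f"{client}: {n} distinct IP-literal NXDOMAIN targets")
```

On real resolver logs, tune the threshold and window to the query volume; a legitimate host rarely asks for more than one or two bare IP literals.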