[nsp-sec] UBNT airOS worm in the wild

John Brown john at citylinkfiber.com
Mon May 16 17:54:08 EDT 2016


So is the following a correct set of statements:

If the UBNT device is on a public address (non-RFC 1918) then risk is
virtually unlimited.
If the UBNT device is on a PRIVATE (RFC 1918) address then the risk is
related to a host PC with access to that RFC 1918 space?
Ergo, a WISP that runs the management address in RFC 1918 space and
doesn't NAT it to the outside.....
One of their subscriber machines would have to trigger the "infection"
on that provider's internal network..

??

On Mon, May 16, 2016 at 1:11 PM, Damian Menscher <damian at google.com> wrote:
> ----------- nsp-security Confidential --------
>
> On Mon, May 16, 2016 at 7:50 AM, Smith, Donald <Donald.Smith at centurylink.com> wrote:
>
>> TLP (the link is public but checking)?
>>
>
> Existence of worm is TLP:WHITE (public link).
>
>> What is the tie-in to nxdomain?
>
> This part is TLP:AMBER: The worm spreads by picking a random IP, then
> trying to infect it.  It apparently (not entirely certain why, but I
> suspect it's either ssh or curl doing it) triggers an A/AAAA DNS query on
> the IP it tries to infect.  As a result, this triggers an NXDOMAIN response
> (.[0-9]{3} isn't a valid gTLD).
>
> Damian
>
>> Subject: [nsp-sec] UBNT airOS worm in the wild
>> ----------- nsp-security Confidential --------
>>
>> Starting Friday, a worm started spreading affecting UBNT airOS devices:
>>
>>
>> http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
>>
>> This has likely already run its course (it spread fairly quickly in the
>> first hours, and appears to have reached saturation by Saturday) but I
>> wanted to spread the word in case ISPs are unaware.  It appears this worm
>> is also responsible for an increase in NXDOMAIN queries hitting recursive
>> resolvers (which may be your best indicator of infection).
>>
>> Damian
>> --
>> Damian Menscher :: Security Reliability Engineer :: Google :: AS15169
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security
>> counter-measures.
>> _______________________________________________
>> This communication is the property of CenturyLink and may contain
>> confidential or privileged information. Unauthorized use of this
>> communication is strictly prohibited and may be unlawful. If you have
>> received this communication in error, please immediately notify the sender
>> by reply e-mail and destroy all copies of the communication and any
>> attachments.
>>
>
>
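The NXDOMAIN indicator Damian describes (random target IP, an A/AAAA query for that dotted-quad, which can never resolve because there is no numeric TLD) can be turned into a resolver-side check. The following is an added example, not code from the thread, from UBNT or from any of the posters: it scans constructed, simplified BIND-style query-log lines (the format and every address in them are assumptions made up for the example), collects per-client the distinct dotted-quad names asked for, and flags clients that looked up several different ones. Counting distinct targets rather than raw volume separates a random-target scanner from a single stray lookup by a misconfigured application.

```python
"""Flag resolver clients that issue many A/AAAA queries for IP-literal names
(dotted-quads as qnames), the NXDOMAIN pattern described in the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified BIND-style query-log lines (assumed format,
# made-up addresses); not data from the thread.
SAMPLE_LOG = """\
16-May-2016 10:02:11.123 client 10.50.3.17#40211 (203.0.113.7): query: 203.0.113.7 IN A + (10.50.0.1)
16-May-2016 10:02:11.201 client 10.50.3.17#40211 (203.0.113.7): query: 203.0.113.7 IN AAAA + (10.50.0.1)
16-May-2016 10:02:11.455 client 10.50.3.17#40212 (198.51.100.90): query: 198.51.100.90 IN A + (10.50.0.1)
16-May-2016 10:02:11.460 client 10.50.3.17#40212 (198.51.100.90): query: 198.51.100.90 IN AAAA + (10.50.0.1)
16-May-2016 10:02:11.790 client 10.50.3.17#40213 (192.0.2.44): query: 192.0.2.44 IN A + (10.50.0.1)
16-May-2016 10:02:11.812 client 10.50.3.17#40214 (203.0.113.250): query: 203.0.113.250 IN A + (10.50.0.1)
16-May-2016 10:02:12.003 client 10.50.9.2#53311 (www.example.com): query: www.example.com IN A + (10.50.0.1)
16-May-2016 10:02:12.120 client 10.50.9.2#53312 (10.50.7.200): query: 10.50.7.200 IN A + (10.50.0.1)
16-May-2016 10:02:12.300 client 10.50.9.2#53313 (mail.example.net): query: mail.example.net IN AAAA + (10.50.0.1)
"""

# Pulls the querying client, the qname and the qtype out of one log line.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>A|AAAA)\b"
)


def is_ipv4_literal(qname):
    """True if qname is a dotted-quad such as '203.0.113.7' (trailing dot
    allowed). Such a name always ends in an all-digit label, and no numeric
    TLD exists, so the answer is NXDOMAIN every time."""
    try:
        ipaddress.IPv4Address(qname.rstrip("."))
        return True
    except ValueError:
        return False


def ip_literal_lookups(log_text):
    """Map client address -> set of distinct dotted-quad qnames it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_ipv4_literal(m.group("qname")):
            hits[m.group("client")].add(m.group("qname").rstrip("."))
    return hits


def suspect_clients(log_text, min_distinct=3):
    """Clients that asked for at least min_distinct different IP-literal
    names. A scanner picking random targets produces many distinct qnames;
    one stray lookup from a typo or misconfigured app does not."""
    hits = ip_literal_lookups(log_text)
    return sorted(c for c, names in hits.items() if len(names) >= min_distinct)


if __name__ == "__main__":
    for client, names in sorted(ip_literal_lookups(SAMPLE_LOG).items()):
        print(client, len(names), sorted(names))
    print("suspects:", suspect_clients(SAMPLE_LOG))
```

In John's RFC 1918 scenario the flagged client would be the subscriber PC on the provider's internal network rather than the airOS device itself, which is exactly the host worth looking at first; on a resolver that also serves public-facing devices, the flagged address may be the infected device directly.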
