Mēris botnet information

Many of you have asked what this Mēris botnet is that some news outlets are discussing right now, and whether there is any new vulnerability in RouterOS.

As far as we have seen, these attacks use the same routers that were compromised in 2018, when MikroTik RouterOS had a vulnerability that was quickly patched.

Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change your password, re-check that your firewall does not allow remote access to unknown parties, and look for scripts that you did not create.

We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too.

As far as we know right now, there are no new vulnerabilities in these devices. RouterOS has recently been independently audited by several contractors.

If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you, especially if this configuration APPEARED NOW, RECENTLY, WHILE RUNNING A NEW ROUTEROS RELEASE: Please contact us immediately.

More specifically, we suggest disabling SOCKS and looking in the System → Scheduler menu. Disable all rules you can’t identify. By default, there should be no Scheduler rules, and SOCKS should be off.
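The checks above (SOCKS off, no Scheduler rules or scripts you did not create, plus the L2TP configuration mentioned later in the thread) can be run over a saved `/export` dump instead of by hand. This is an added example, not MikroTik's code; the export text is constructed for illustration and the indicator list is only what this thread names.

```python
"""Triage a RouterOS '/export' dump for the indicators named in this thread."""
import re

# Constructed sample export (not from a real device): a SOCKS proxy, a
# scheduler entry, a script and an L2TP client the administrator did not create.
SAMPLE_EXPORT = """\
# sep/11/2021 10:00:00 by RouterOS 6.48.4
/interface l2tp-client
add connect-to=203.0.113.10 name=lvpn user=lvpn
/ip socks
set enabled=yes port=5678
/system scheduler
add interval=1h name=U6 on-event="/system script run x" start-time=startup
/system script
add name=x source="/ip socks set enabled=yes"
/user
add group=full name=admin
"""


def parse_export(text):
    """Group export lines under the '/path' section header that precedes them."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no configuration
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit_export(text):
    """Return findings as strings; an empty list means none of the indicators are present."""
    sections = parse_export(text)
    findings = []
    for line in sections.get("/ip socks", []):
        if re.search(r"\benabled=yes\b", line):
            findings.append("SOCKS proxy enabled: " + line)
    # A default RouterOS configuration has no scheduler entries or scripts,
    # so every 'add' line here deserves a look.
    for path, label in (("/system scheduler", "scheduler entry"), ("/system script", "script")):
        for line in sections.get(path, []):
            if line.startswith("add "):
                findings.append(f"unexpected {label}: {line}")
    for line in sections.get("/interface l2tp-client", []):
        if line.startswith("add "):
            findings.append("L2TP client tunnel present: " + line)
    return findings
```

A clean result only means these particular indicators are absent; as a later post in the thread notes, a netinstall is the only way to be sure about a device that was fully compromised.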

Is socks present in v7.1 RC3?

Since these infected users still appear to be upgrading to recent RouterOS versions, can the upgrade process look for non-Mikrotik binaries or other signs of infection and warn the administrator to netinstall? If there was a system exploit to run arbitrary code, simply removing socks and scripts and adding a firewall is not enough, as RouterOS does not allow admins to see all processes running on the router. A netinstall is the only way to be sure.

I highly doubt an open socks proxy or similar is responsible for DDOS as that means the attacker still has to generate the traffic elsewhere.

There are no non-mikrotik binaries involved, only legitimate SOCKS, L2TP and Scheduler configuration.

What was the entry point for the vulnerability - non-firewalled winbox, socks or http?

The most entry point is the same username and password on all devices after 4 years…

What native functions in RouterOS support sending pipelined HTTP requests at these kinds of rates? I find it unlikely that the attackers are simply proxying their DDoS traffic through infected Mikrotik devices - why not attack the target directly if they have that much bandwidth available? Especially as they do not know the upstream bandwidth or CPU power of the infected device, not all the proxied traffic is likely to make it out, so it would actually reduce the power of their attack. This doesn’t make sense.

Starting today I see a new flood of random GRE traffic on the internet, not sure if it is caused by this botnet or if it is just coincidence.
It appears to consist of GRE packets with random addresses both outside and inside, and with a UDP payload with random port numbers and 512 bytes of random data.
Likely they hope that some places will just unpack such GRE traffic when sent to them, and then forward the tunneled traffic. But I don’t think MikroTik routers would do that, they would only accept GRE traffic from sources that are configured as peers in a GRE tunnel, right?
But I have seen such storms before, probably during earlier botnet outbreaks.

On GRE you can omit only the local source, but you must specify the remote address…
The source can be spoofed, but I hope no one establishes a GRE link on the Internet without at least IPsec…

For the last few days/week or two, I’ve been receiving a higher than normal amount of tcp portscans and small attacks against my home network. They all seem to be coming from the same IPs, or at least the same /24, usually they seem to be either scanning huge groups of around 10k or more ports each time, or they’re continually hitting the same port over and over.
Might not be related to this botnet, but I thought I’d share some oddities I’ve been seeing.

I also have seen them.

These types of lower-level attacks and exploits are quite scary. Some equipment by default picks up ICMP, GRE, ESP/AH packets and other non-TCP/UDP packets and processes them in the kernel. Sometimes it is the default to allow IPsec IKE as well.

This shows the number of hits on my router on port 8291 (Winbox) over the last 4 months. It only counts one IP for each user a day, since all who try to access a non-open port are blocked for 24 hours. There has been no increase in traffic.

Based on my experience installing MOAB for many users .. 100% had very poor firewall security measures due to ignorance and or lack of diligence … once a router has been compromised the ONLY recourse is to netinstall and manually configure … MikroTik should make the Netinstall procedure much more transparent [much easier to use] since many get confused by the procedures needed. The DEFAULT firewall currently provided by MikroTik is an excellent starting point … unfortunately many ignore it.

One of many problems is that many routers are at remote locations and netinstall only works locally. Some are high up in towers or on roof tops etc.

Netinstall also works remotely…
If you have control of at least one device, you can netinstall the others remotely…
Obviously exceptions apply.

Yes, it would be helpful for Mikrotik to make a video that explains their default firewall and to let new users know that they should ignore 98% of the crap on youtube and go to the forum to get advice when changing the default firewall rules. I concur that the netinstall process is a tad convoluted, and any way to make it more intuitive or easier would be appreciated.

Second posting here.

[quote=edyatl post_id=879293 time=1631381800 user_id=191327]
And how to check the router against Meris malware? Are there any tips on how to check and fix? Is there an official cure release?
[/quote]

As stated in the first post:

If you do see a RouterOS device that has malicious scripts or SOCKS configuration that was not created by you

[quote=madars post_id=879316 time=1631389517 user_id=191331]
Speaking of the latter point: keeping up-to-date IP lists is harder than it needs to be. For example, MikroTik script limits file access to 4 kilobytes, and while there is a workaround to load IP lists up to 63K, it leaves little room for growth if your IP lists have comments. Is there a better way coming in new RouterOS? :slight_smile:
[/quote]

That 63K has also been resolved; see the last posting in the mentioned thread. Imports can be as large as you like until the router runs out of storage space.