Mikrotik firewall virus rules

What is even more interesting is how the router behaves when you connect to its proxy: it serves a specifically crafted "forbidden" page that runs a cryptocurrency miner before it displays the actual web content the user tried to access.

Taking a closer look at the above picture, you might have noticed that the page tries to run a script. After uncovering several levels of obfuscation, we discovered that the script launches a JavaScript cryptocurrency miner that runs in the browser. Interestingly, the originally requested web page reloads itself into an IFRAME element after 10 milliseconds, so the user sees the original content inside an iframe while the miner keeps running in the background.

This way, the user happily browses the original content without noticing that something fishy is going on in the background. How is it possible that the same URL displays the real content after 10 milliseconds, and not the miner again? To understand this, we need to dive into the configuration of MikroTik routers. We obtained the configuration script that sets up a MikroTik router for this cryptomining campaign. The infection starts by misusing CVE, a critical vulnerability that allows the attacker to read any file on the router without authorization or user interaction.

In this case, the strain targets the file containing the credential database, allowing the attacker to log into the device. While this is a serious vulnerability, it cannot be misused unless the attacker can reach the management interface. Using either the aforementioned vulnerability or weak credentials, the attacker gains access to the router and then executes a multi-stage attack. The first thing the attacker does is place a script on the router.

Once there, the script is scheduled to run once every five minutes. During this stage, a script called i is used. First, the script tries to delete any previously scheduled jobs and scripts that run on the router, including firewall rules, schedules, and more. The kill list contains quite a long list of script names, which suggests that this strain has been around for a while and has been modified as more and more jobs were added to it.

Next, it remaps the TELNET and SSH access ports to unusual ports, both to hinder easy detection and to stop others from connecting to the router's administration interface; it also opens these ports to the internet if they are not open already. As you will see in our analysis, this step was not in the original script when the campaign began.

The next step is to reset the proxy error page, which is later used for the miner payload, and to enable the web proxy itself.

It also adds a rule to ensure that any additional request to the proxy is denied, and the content of error. This redirects every plain HTTP (unsecured) request made by any computer or other device inside the network through the web proxy.

The !Ok address list is a very important detail. Keep reading. This is another key line of code for the campaign to work. The two lines of code above tell the router to check, at 15-second granularity, whether a client is connecting to an unsecured (HTTP) page and to redirect the traffic through the proxy just once: as you are redirected, the IP address of your computer is added to the !Ok list for another 15 seconds, so the subsequent reload is not redirected again. Diagram of an example of how the injection works.


When processing a chain, rules are taken from the chain in the order they are listed, from top to bottom. If a packet matches the criteria of a rule, the specified action is performed on it and no further rules in that chain are processed (the exception is the passthrough action). If a packet has not matched any rule within a built-in chain, it is accepted. Each firewall section interprets similar configuration slightly differently.

For example, with the following configuration line you will match packets whose tcp-flags do not include SYN but do include ACK. Let's say our private network is ... We will set up the firewall to allow connections to the router itself only from our local network and drop the rest. We will also allow the ICMP protocol on any interface so that anyone can ping the router from the internet.

To protect the customer's network, we should inspect all traffic that passes through the router and block unwanted traffic. For ICMP, TCP and UDP traffic we will create separate chains in which all unwanted packets are dropped.

From MikroTik Wiki. Action to take if the packet is matched by the rule: accept - accept the packet; the packet is not passed to the next firewall rule. Timeout: the time interval after which the address will be removed from the address list specified by the address-list parameter.

Specifies the chain to which the rule will be added. If the input does not match the name of an already defined chain, a new chain will be created. We have tried to reach all users of RouterOS about this, but many of them have never been in contact with MikroTik and are not actively monitoring their devices. We are working on other solutions too. There are no new vulnerabilities in these devices. RouterOS has recently been independently audited by several third parties. In collaboration with independent security researchers, we have found that there exists malware that attempts to reconfigure your MikroTik device from a Windows computer inside your network.
