byUBNT-James05-16-201611:43 AM - edited 07-21-201612:06 PM
There have been several reports of infected airOS M devices over the last week. From the samples we have seen, there are 2 different payloads that uses the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year.
This is an HTTP/HTTPS exploit that doesn't require authentication. Simply having a radio on outdated firmware and having it's http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.
Devices running the following firmware are OK, but we recommend updating to 5.6.5 unless using legitimate rc. scripts. Users using legitimate rc.scripts should run 5.6.4 for the time being.
airMAX M (Including airRouter)
NOTE: If you cannot access the devices, please try the username: moth3r and password: fuck.3r or moth3r/fucker with CureMalware.
Features: -Checks, cures, and upgrades Ubiquiti M-series devices infected by ExploitIM malware. Does not upgrade AC- series devices. -Supports parallel execution to multiple devices. -Removes old Access Controller authentication keys from infected devices. Requires re-adoption.
0.7 -> 0.8
Update: - force device reboot after cure action - check and remove the same set of files if infected - extend files to be checked for infection - use the same user and password as current connection to be stored to config - remove unused content before upgrade to have enough space for upgrade
This tool requires Java and will run on OSX/Linux and Windows. It will search for and remove both variants we have seen, and their baggage. It has the option to upgrade firmware to 5.6.5. Beware that 5.6.5 removes _all_ rc.scripts and the ability to use them. Please use check and cure only if you are using legitimate rc.scripts.
NOTE: This tool will only automatically updated airOS M devices.
Skynet/PimPamPum/ExploitIM malware removal tool v1.0 for Ubiquiti devices
Copyright 2006-2016, Ubiquiti Networks, Inc. <email@example.com>
This program is proprietary software; you can not redistribute it and/or modify
it without signed agreement with Ubiquiti Networks, Inc.
Possible formats for IP(s):
IP list <192.168.1.1, 192.168.1.2>
IP range <192.168.1.1-192.168.1.254>
Enter IP(s): 192.168.1.31
Check and Cure 
Check, Cure and Update 
Enter action <1|2|3>: 3
Enter ssh port :
Enter user name [ubnt]: ubnt
Reuse password <y|n>[y]: y
Processing firstname.lastname@example.org:22 ...
Password for email@example.com:
CRITICAL: Infected by exploitim
WARNING: User Script(s) is(are) installed:
IT IS STRONGLY RECOMMENDED TO CHANGE PASSWORD ON CURED DEVICE!
IT IS STRONGLY RECOMMENDED TO RUN CURED+UPDATE PROCEDURE!
Uploading firmware: /firmwares/XM.bin ...
Current ver: 329220
New version: 329221
No need to fix.
Writing 'u-boot ' to /dev/mtd0(u-boot ) ... [%100]
Writing 'kernel ' to /dev/mtd2(kernel ) ... [%100]
Writing 'rootfs ' to /dev/mtd3(rootfs ) ... [%100]
Make sure there is no unknown users and ssh keys in system.cfg:
grep -E "users|sshd.auth.key" /tmp/system.cfg
We recommend removing all custom scripts is you are not using them:
rm -fr /etc/persistent/rc.* /etc/persistent/profile
cfgmtd -w -p /etc/; reboot -f
If you also are not using ssh key authentication then it is recommended to clean persistent:
cfgmtd -w; reboot -f
We are releasing 5.6.5 with the following changes.
New: Disable custom scripts usage
New: Enable syslog by default
Fix: Security updates (malware scripts check and removal)