0

I recently saw this article of a version of Mirai being spread to Android based devices via ADB enabled. My question relates to how Mirai does scanning.

Lets assume I have a Android based device (like tablet or smart TV) in my home behind a router. If a Mirai bot sends a TCP SYN to some port (like 5555 for ADB) to my router's public IP, assuming there is no port forwarding already on the router for 5555 (which is possible for most people): (1) can that TCP packet even reach devices inside the house ? (2) Does this also mean people using devices behind router don't have to worry about their devices being infected with Mirai ? (3) Is there any way attacker can overcome this situation to reach the device behind the router ?

Jake
  • 1,095
  • 3
  • 12
  • 20

1 Answers1

1

If a Mirai bot sends a TCP SYN to some port ... to my router's public IP, assuming there is no port forwarding already on the router for 5555 can that TCP packet even reach devices inside the house

Provided that no port forwarding is done, no connection establishment can be done from outside. This includes SYN scanning. See also Scan a computer behind NAT.

Does this also mean people using devices behind router don't have to worry about their devices being infected with Mirai ?

There is Mirai like you describe and there are different variants of Mirai, i.e. it evolved and also changed behavior. One of the variants directly addresses vulnerabilities in the router, i.e. does not need to rely on port scanning. See 100,000-strong botnet built on router 0-day could strike at any time.

Is there any way attacker can overcome this situation to reach the device behind the router ?

Apart from vulnerabilities in the router: Even if there is no explicit port forwarding is configured there can be port forwardings caused by UPnP. And there can be tunnels to the inside created by issues like NAT slipstream. Apart from this internal devices might be attacked using CSRF or similar, which also might be used by an attacker to add explicit port forwardings to a vulnerable router.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Thank you for taking the time to answer my question. – Jake Jun 01 '21 at 22:04
  • If a vulnerability in the router is exploited, will that provide a way for the attacker to add port forwarding rules ? They could add rules for multiple internal IP addresses and use a specific internal port like 5555. – Jake Jun 01 '21 at 22:09
  • @Jake: it __might__ provide a way but there is no definite "it __will__". Details depend on the vulnerability. – Steffen Ullrich Jun 02 '21 at 04:46