Page 1 of 1

Blocking Meris botnet across the network

Posted: Tue Sep 28, 2021 11:01 pm
by Tomas
This script is based on MÄ’RIS botnet domains provided in the latest MikroTik newsletter. There are multiple possible mitigation strategies outlined in this post, each with it's own upsides and downsides. All the the RouterOS scripts here are idempotent (can be ran multiple times without negative effects), so they can be used in Mass Config Push to deploy in your network.

1) Mitigating on the DNS level

If you have a MikroTik serving as a DNS server for your network, you can deploy this script that will block resolution for Meris C&C (command and control) servers on the DNS level. This can be deployed on your DNS resolver to protect all devices using your DNS server from the botnet. Or if you wish, you can deploy this to each individual MikroTik on your network.

Code: Select all

{
# domains reported to host malicious L2TP servers
:local l2tpDomains {"eeongous.com"; "leappoach.info"; "mythtime.xyz"}

# domains reported to host malicious scripts
:local scriptDomains {"1abcnews.xyz"; "1awesome.net"; "7standby.com"; \
  "audiomain.website"; "bestony.club"; "ciskotik.com"; "cloudsond.me"; \
  "dartspeak.xyz"; "fanmusic.xyz"; "gamedate.xyz"; "globalmoby.xyz"; \
  "hitsmoby.com"; "massgames.space"; "mobstore.xyz"; "motinkon.com"; \
  "my1story.xyz"; "myfrance.xyz"; "phonemus.net"; "portgame.website"; \
  "senourth.com"; "sitestory.xyz"; "spacewb.tech"; "specialword.xyz"; \
  "spgames.site"; "strtbiz.site"; "takebad1.com"; "tryphptoday.com"; \
  "wchampmuse.pw"; "weirdgames.info"; "widechanges.bes"; "tzancetom.com"}

# malicious domains reported by the community on the internet
:local communityDomains {"bestmade.xyz"; "gamesone.xyz"; "mobigifs.xyz"; \
  "myphotos.xyz"; "onlinegt.xyz"; "picsgifs.xyz"}

/ip dns static
:foreach i in=($l2tpDomains, $scriptDomains, $communityDomains) do={
  :if ([:len [find name="$i" type="A" address="127.0.0.1"]] = 0) do={
    add name="$i" type="A" address="127.0.0.1"
  }
  :if ([:len [find regexp="^.+\\.$i\$" type="A" address="127.0.0.1"]] = 0) do={
    add regexp="^.+\\.$i\$" type="A" address="127.0.0.1"
  }
}
}
2) Mitigating in forward firewall at network edge

If you wish, you can drop traffic to the offending domains in the forward chain on your edge router, effectively blocking communication for any devices (including those NOT under your control) in your network. Please note this is not as effective as DNS-based blocking, since it only blocks direct domains and not subdomains. Please note the script places the firewall rule on the top of the firewall, adjust as needed to your firewall structure.

Code: Select all

{
# domains reported to host malicious L2TP servers
:local l2tpDomains {"eeongous.com"; "leappoach.info"; "mythtime.xyz"}

# domains reported to host malicious scripts
:local scriptDomains {"1abcnews.xyz"; "1awesome.net"; "7standby.com"; \
  "audiomain.website"; "bestony.club"; "ciskotik.com"; "cloudsond.me"; \
  "dartspeak.xyz"; "fanmusic.xyz"; "gamedate.xyz"; "globalmoby.xyz"; \
  "hitsmoby.com"; "massgames.space"; "mobstore.xyz"; "motinkon.com"; \
  "my1story.xyz"; "myfrance.xyz"; "phonemus.net"; "portgame.website"; \
  "senourth.com"; "sitestory.xyz"; "spacewb.tech"; "specialword.xyz"; \
  "spgames.site"; "strtbiz.site"; "takebad1.com"; "tryphptoday.com"; \
  "wchampmuse.pw"; "weirdgames.info"; "widechanges.bes"; "tzancetom.com"}

# malicious domains reported by the community on the internet
:local communityDomains {"bestmade.xyz"; "gamesone.xyz"; "mobigifs.xyz"; \
  "myphotos.xyz"; "onlinegt.xyz"; "picsgifs.xyz"}

/ip firewall address-list
:foreach i in=($l2tpDomains, $scriptDomains, $communityDomains) do={
  :if ([:len [find list="meris" address="$i"]] = 0) do={
    add list="meris" address="$i" comment="Meris botnet C&C server"
}

/ip firewall filter
add chain=forward action=drop src-address-list=meris place-before=0
add chain=forward action=drop dst-address-list=meris place-before=0
}
3) Mitigating in output firewall on individual devices

Alternatively, you can add a rule to drop traffic to the Meris C&C servers in the output chain of the firewall of each of your routers if you wish. As before, the firewall rule will be added on the top of the firewall, adjust as needed to your firewall structure.

Code: Select all

{
# domains reported to host malicious L2TP servers
:local l2tpDomains {"eeongous.com"; "leappoach.info"; "mythtime.xyz"}

# domains reported to host malicious scripts
:local scriptDomains {"1abcnews.xyz"; "1awesome.net"; "7standby.com"; \
  "audiomain.website"; "bestony.club"; "ciskotik.com"; "cloudsond.me"; \
  "dartspeak.xyz"; "fanmusic.xyz"; "gamedate.xyz"; "globalmoby.xyz"; \
  "hitsmoby.com"; "massgames.space"; "mobstore.xyz"; "motinkon.com"; \
  "my1story.xyz"; "myfrance.xyz"; "phonemus.net"; "portgame.website"; \
  "senourth.com"; "sitestory.xyz"; "spacewb.tech"; "specialword.xyz"; \
  "spgames.site"; "strtbiz.site"; "takebad1.com"; "tryphptoday.com"; \
  "wchampmuse.pw"; "weirdgames.info"; "widechanges.bes"; "tzancetom.com"}

# malicious domains reported by the community on the internet
:local communityDomains {"bestmade.xyz"; "gamesone.xyz"; "mobigifs.xyz"; \
  "myphotos.xyz"; "onlinegt.xyz"; "picsgifs.xyz"}

/ip firewall address-list
:foreach i in=($l2tpDomains, $scriptDomains, $communityDomains) do={
  :if ([:len [find list="meris" address="$i"]] = 0) do={
    add list="meris" address="$i" comment="Meris botnet C&C server"
}

/ip firewall filter
add chain=output action=drop dst-address-list=meris place-before=0
}