MMD-0059-2016 - Linux/IRCTelnet - New DDoS botnet aims IoT
News category: Malware / Trojans / Viruses
Source: blog.malwaremustdie.org
Summary
This post is a report on what appears to be a newly written IRC botnet ELF malware, clearly built for performing DDoS attacks via an IRC botnet. It is newly coded, partially following the Tsunami/Kaiten protocol specification, but re-coded in a different way, with additional features in its messaging and in the malicious/attack vectors used. The malware (the bot client) is designed to target IoT devices via the telnet protocol, using its own telnet scanner function, which brute-forces the known vulnerable credentials of Linux IoT boxes on command from a malicious IRC CNC server.
It is obviously a combined concept of Kaiten (for the IRC protocol used), GayFgt/Torlus/Lizkebab/Bashdoor/Bashlite (for the telnet scanner) and Mirai's leaked botnet credential list. Furthermore, it carries encoded CNC information to avoid plain-text sight, and some hard-coded Italian-language messages in the user communication interface. The botnet also supports both the IPv4 and IPv6 protocols.
I use the name Linux/IRCTelnet as the codename for this finding. Some friends are advising to name it after the language spotted, but I personally don't think it is ethical to use another country's, language's or culture's name in naming malware..
Attack vector
The spreader (a.k.a. "loader") attacks came via telnet brute-forcing from the IP sources below, with their time stamps:
Knowing the specific data used for the attack efforts, we know that the attack to infect this botnet started on October 25th, 2016.
2016-10-25 17:09:52| IP=88.250.211.251
2016-10-26 15:21:10| IP=122.54.151.163
2016-10-26 16:28:24| IP=88.250.221.78
2016-10-27 00:14:23| IP=37.233.16.70
2016-10-27 17:16:05| IP=37.233.19.216
The infection is executed via a one-liner shell command that downloads and installs the malware, with this template and example:
The malware installer script itself is as below:
So it uses a better coded shell script than the other skiddos we know of. It kills the previously running instance of the same malware, removes the previous binaries (if any), downloads the latest version from the designated CNC and runs it, and then removes the binaries and the installer script itself.
Since the loader script is actually embedded in the malware itself, the attack possibilities are limited to the already infected nodes, although this does not rule out a similar script being executed directly from the actor's own environment. Looking at the samples and the architectures targeted by this infection, every listed architecture running an OS compatible with Linux kernel 2.6.x (likely 2.6.32 or above) can be infected and take part in the attack vectors.
Below is the list of the attacker nodes in GeoIP:
[
  {
    "ip": "88.250.221.78",
    "region": "Manisa",
    "country": "TR",
    "org": "AS9121 Turk Telekomunikasyon Anonim Sirketi"
  },
  {
    "ip": "88.250.211.251",
    "region": "Yalova",
    "country": "TR",
    "org": "AS9121 Turk Telekomunikasyon Anonim Sirketi"
  },
  {
    "ip": "122.54.151.163",
    "hostname": "122.54.151.163.pldt.net",
    "country": "PH",
    "org": "AS9299 Philippine Long Distance Telephone Company"
  },
  {
    "ip": "37.233.16.70",
    "country": "MD",
    "org": "AS31252 STARNET S.R.L"
  },
  {
    "ip": "37.233.19.216",
    "country": "MD",
    "org": "AS31252 STARNET S.R.L"
  }
]
The binary analysis
I used these binaries, statically compiled & unstripped, to analyze Linux/IRCTelnet:
The ELF binaries for the embedded platforms were mostly compiled with uClibc, except for the ARM binary, which was obviously built with GCC, as this trace shows:
/home/firmware/build/temp-armv5l/gcc-core/gcc/config/arm/
Stripping out the static compiler's sources, you can see the original source files below:
So it's not a big project. And most importantly, it was not compiled by a person with much experience in making ELF malware either :) (please read between the lines)
main.c
utils.c
irc.c
scan.c
attacks.c
The interesting part is the use of the Italian language in messages hardcoded in this ELF..
Reverse engineering
Main process
After working through some assembly and reconstructing the C code, comparing each result against each generated ELF and going back and forth, the main.c of this malware's source code can be reconstructed to something like this:
The telnet scanner
The telnet scanner function is called by passing the login and password data to a function called SCAN_CONTROL(), and its logic may look something like this:
The logins and passwords themselves are hardcoded in the binary file. The usernames are as follows:
Passwords:
root ADMIN
admin access
ttnet system
Admin sysAdmin
password enter
nokia Symbol
XA1bac0MX conexant
1234 sitecom
dreambox adslolitec
public home-modem
0987654321 D-Link
1234567 user
12345 987654321
1111 12345678
changeme2 switch
default jvc
administrator extendnet
1234567890 adminttd
private microbusiness
654321 3333
87654321 6666
123456789 8888
PASSWORD 0000
camera 4444
speedxess 5555
barricade 7777
epicrouter 9999
admin1234567890 12345Admin
changeme 56789Admin
admin1234 1234Admin
123456 meinsm
4321 ikwd
54321 wbox123
1234admin visual
2222 166816
1q2w3e admin_1
qwerty smcadmin
7654321 sky
superuser
The encoded CNC can be found in the function below, together with its decoder:
*) The garbled characters were caused by my char-encoded screen; some were cut in the middle..
The logic is simple; with some effort you can recover the information needed, like below:
The CNC and Panel..
In addition to the threat landscape, we have the CNC IP address and the payload panel IP address, which are located in France:
[
  {
    "ip": "137.74.234.206",
    "country": "FR",
    "loc": "48.8582,2.3387",
    "org": "AS16276 OVH SAS"
  },
  {
    "ip": "164.132.237.180",
    "country": "FR",
    "loc": "48.8582,2.3387",
    "org": "AS16276 OVH SAS"
  }
]
Botnet protocol and more on telnet scanning detail
The main communication protocol, which is based on the IRC client protocol, is hard coded in irc.c, with several parts as coded in Kaiten or STD plus fresh new coding, as can be seen in the RE code snippet below:
As for the CNC protocol, we made a PoC with the decoded values: we logged in, and soon several commands for scanning the telnet protocol of specific targets were received. I saved the log as below:
Here we can see that UnrealIRCd was used, around 3,400 users are connected, which seems to be the herded botnet volume (if the data from the bogus server is correct), the botherder uses the nickname "R2D2", and there is more data you can read from this log.
What happened after the three scan commands were received: the bot client scanned the IP ranges given by the first two octets for the telnet service in order to infect them; you can see the saved logs from my testbed below:
Yes, of course, no PCAP no love, so here we go, the PoC in a PCAP screenshot:
//////// Scan result /////////
TCP 127.0.0.1:36040->49.204.1.60:23 (SYN_SENT)
TCP 127.0.0.1:58298->49.204.211.14:23 (SYN_SENT)
TCP 127.0.0.1:58298->49.204.211.14:23 (SYN_SENT)
:
TCP 127.0.0.1:33637->59.36.224.103:23 (SYN_SENT)
TCP 127.0.0.1:45555->59.36.158.245:23 (SYN_SENT)
:
TCP 127.0.0.1:47767->219.129.1.113:23 (SYN_SENT)
TCP 127.0.0.1:49476->219.129.110.120:23 (SYN_SENT)
:
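As an added defender-side example (not code from the post or the malware), a small Python checker that parses connection-table lines in the format quoted above, groups half-open telnet attempts by the /16 that the CNC hands out, and flags a host that behaves like the bot's scan sweep; the sample lines are constructed from the post's format, and the thresholds are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample in the connection-table format quoted in the post (not a live
# capture); one duplicated line is kept on purpose, and one unrelated HTTPS session
# to a TEST-NET address is added to show that it is ignored.
SAMPLE = """\
TCP 127.0.0.1:36040->49.204.1.60:23 (SYN_SENT)
TCP 127.0.0.1:58298->49.204.211.14:23 (SYN_SENT)
TCP 127.0.0.1:58298->49.204.211.14:23 (SYN_SENT)
TCP 127.0.0.1:33637->59.36.224.103:23 (SYN_SENT)
TCP 127.0.0.1:45555->59.36.158.245:23 (SYN_SENT)
TCP 127.0.0.1:47767->219.129.1.113:23 (SYN_SENT)
TCP 127.0.0.1:49476->219.129.110.120:23 (SYN_SENT)
TCP 127.0.0.1:40001->192.0.2.10:443 (ESTABLISHED)
"""

LINE_RE = re.compile(
    r"^TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\s+\((?P<state>\w+)\)$"
)

def parse_connections(text):
    """Return one dict per well-formed line; elision markers such as ':' are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["sport"], row["dport"] = int(row["sport"]), int(row["dport"])
            rows.append(row)
    return rows

def telnet_scan_summary(text):
    """Group half-open (SYN_SENT) telnet connections by destination /16: the CNC hands
    the bot only the first two octets, so an infected node sweeps one /16 at a time."""
    by_prefix = defaultdict(set)
    for c in parse_connections(text):
        if c["dport"] == 23 and c["state"] == "SYN_SENT":
            a, b = c["dst"].split(".")[:2]
            by_prefix[f"{a}.{b}.0.0/16"].add(c["dst"])
    return dict(by_prefix)

def looks_like_irctelnet_scanner(text, min_prefixes=2, min_targets=4):
    """Flag a host with outbound telnet SYNs spread over several distinct /16 blocks
    (assumed thresholds): that matches the scan sweep, not an admin reaching one device."""
    summary = telnet_scan_summary(text)
    targets = sum(len(v) for v in summary.values())
    return len(summary) >= min_prefixes and targets >= min_targets
```

On a real host, feed it the output of a connection listing such as `netstat -nt` reformatted to this line shape; a single hit in one /16 will not trigger it.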
The scanning, credential bruting, and Italian language messaging..
Apparently the command sent from the CNC is in the form of the first two octets of an IP address (a /16 prefix); the bot client then scans, as coded in the SCAN() function, the IP addresses in the defined segment. During the scanning itself the login brute-force is issued too, by calling the SCAN_CONTROL() function mentioned previously.
In this SCAN() function it was also PoC'ed that the Italian message is sent to the CNC via private message to inform the herder of the scanning progress.. So.. it seems we have an Italian-speaking botnet actor here. The reverse engineered code of the last part of the scanning function is as below:
I leave this for the law enforcement to follow deeper.
Attack vector & IPv6 support
The combination of DoS attack methods designed into this botnet is as per the following coded list:
Hmm.. this looks scary.. A lot of DoS attack combinations are planned.. I am not a DDoS expert so I can not say whether these attacks are as powerful as they sound, but the intention is definitely, seriously.. bad.
As you can see in the list, this botnet supports attacks over IPv4 and IPv6 through the main attack generator/sender functions called sendV4() and sendV6(). Not only the attacks but also the IP address spoofing can be done in IPv4 or IPv6 form:
push offset "%d.%d.%d.%d"
push offset spoof4
:
push offset "%x:%x:%x:%x:%x:%x:%x:%x"
push offset spoof6
The samples, epilogue and additional..
Samples are in VT with the following hashes:
6c28655b6db1e7a15b1a63cbf8c5381f52c3dd21d2f0c77ed3df493c5fee9c2d (with an antivirus detection ratio of around 3/53)
c79a27d2da7fe7abdf760a99e3981a4ff08d272a8c4a8a424f50a44073c19622
e61df7abaa0cf737360ec69eea6b213ba11859122a15fa16ca6c1f763f3932f4
3260c30a0b920483fe0d3f4236cb9eb0aa5024eeda5a649816b492ac2ae0e8e1
a1282c299c8d5c5dd81946af0374bd5688039f778c23052d3d5535889b312189
Mitigation for a Linux/IRCTelnet infection is as mentioned in the previous analysis about protecting your IoT. There is a lot of badness aimed at globally exposed telnet services: if you don't really need it, please turn the service off, or use it with access restrictions, and avoid using the known vulnerable usernames and passwords.
Stay safe and #MalwareMustDie!
Reversed, written and analyzed by @unixfreaxjp on October 29th, 2016.