Yes, I have to confess, it was hard to wait all this time, but the reward was worth it: unixfreaxjp has returned with a great new page of reverse engineering published on the MalwareMustDie blog: “MMD-0064-2019 – Linux/AirDropBot”.
And this is not only Odisseus’s opinion, offered just because I can be addressed as a member of the MalwareMustDie crew: this latest post IS a masterpiece, technically speaking, because here unixfreaxjp reveals some unique and undocumented best practices for reversing Linux malware binaries (Intel and non-Intel platforms), giving every whitehat reverser many references and how-tos for dealing with ELF Linux malware, mixing theory and practice and showing how incredibly useful Radare r2 and the Tsurugi distribution are.
I don’t know if it is because I have asked my friend unixfreaxjp many times to publicly show how Radare r2 can be used with great results, but after this post we can definitively state that, once again, Radare r2 has nothing to envy in the best commercial tools used in the many reverse engineering tutorials available on YouTube.
In fact, this time we do not have a “simple” blog post, but a rich, strong and powerful technical lesson on how stripped binaries can be reversed even though they are indeed stripped.
Step by step, unixfreaxjp leads the reader to understand how malware code is built: the methods, the secrets, the hidden techniques the coders use to hide and encrypt the C2 address as much as possible, how the operative commands coming from the C2 are parsed, and how almost everything can be reconstructed to get the source code back from any stripped binary.
The beginning of the story: another IoT malware in the wild?
But let’s go back to the beginning of the story when my very good friend @0xrb found in his
It is also possible to take a look at the malware logs that @0xrb published on Pastebin: they make a lot of information from the running phase available. One of them, for
The C2 of the botnet was: 22.214.171.124
We will skim over the technical analysis because the MalwareMustDie post is extremely clear and explanatory in every single part of its analysis.
Coming to the core topic: IoT botnet threats and their ecosystem
New malware developed for Linux and aimed at the Internet of Things appears frequently and, as previously posted in Security Affairs, it is driven by the money scheme that fuels its botnet ecosystem. This is still the main reason why freshly coded malware keeps coming up in this sector.
Many processors are targeted by the malware, but when CPUs such as ARC Cores, Renesas SH, Motorola m68000, Altera Nios II, Tensilica Xtensa and Xilinx MicroBlaze are targeted along with the other generic cross-compiled CPUs (MIPS/ARM/PPC/SPARC/Intel), the herder means serious business to “pwn” the reachable IoT devices. The binaries fall into two categories: one acts as a bot and is meant to infect small devices, while the one for bigger systems carries a worm-like vulnerability scanner that targets a CGI page on routers (in this version, HTTP port 8080 on a specific product’s CGI file), so that it can propagate in a worm-like style, along with a telnet scanning base (attacking TCP port 23 or 2323).
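When a sample set spans this many architectures, a first triage step is to read each ELF header for the target CPU, the byte order and whether the static symbol table survives. The following is an added example, not code from the MalwareMustDie post; `triage_elf`, `sample` and the sample headers are constructed for illustration.

```python
import struct

# e_machine values from elf.h for the CPU families named in the paragraph above
EM = {2: "SPARC", 3: "Intel 80386", 4: "Motorola m68k", 8: "MIPS", 20: "PowerPC",
      40: "ARM", 42: "Renesas SH", 45: "ARC", 62: "x86-64", 93: "ARC Compact",
      94: "Tensilica Xtensa", 113: "Altera Nios II", 189: "Xilinx MicroBlaze"}
SHT_SYMTAB = 2  # static symbol table, the section that strip removes


def triage_elf(data: bytes) -> dict:
    """Report word size, byte order, CPU and symbol-table presence of an ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("bad EI_CLASS or EI_DATA")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64 and len(data) < 64:
        raise ValueError("truncated ELF64 header")
    machine, = struct.unpack_from(end + "H", data, 18)
    # e_shoff, e_shentsize and e_shnum sit at different offsets in ELF32 and ELF64
    shoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 0x28 if is64 else 0x20)
    shentsize, shnum = struct.unpack_from(end + "HH", data, 0x3A if is64 else 0x2E)
    # A section table that is absent or runs past end of file is treated as no sections
    usable = bool(shoff and shnum) and shentsize >= 8 and shoff + shnum * shentsize <= len(data)
    symtab = False
    for i in range(shnum if usable else 0):
        sh_type, = struct.unpack_from(end + "I", data, shoff + i * shentsize + 4)
        symtab = symtab or sh_type == SHT_SYMTAB
    return {"bits": 64 if is64 else 32, "endian": "little" if end == "<" else "big",
            "cpu": EM.get(machine, f"unknown ({machine})"),
            "sections": shnum if usable else 0, "stripped": not symtab}


def sample(end: str, machine: int, sh_types=()) -> bytes:
    """Constructed ELF32 header plus bare section headers (demo input, not a real sample)."""
    ident = b"\x7fELF" + bytes([1, 1 if end == "<" else 2, 1]) + bytes(9)
    hdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0, 0,
                              52 if sh_types else 0, 0, 52, 32, 0, 40, len(sh_types), 0)
    return hdr + b"".join(struct.pack(end + "II", 0, t) + bytes(32) for t in sh_types)


if __name__ == "__main__":
    for blob in (sample(">", 8), sample("<", 40, (0, 1, 2)), sample(">", 189, (0, 1))):
        print(triage_elf(blob))
```

A missing `SHT_SYMTAB` only means the static symbols are gone; a dynamically linked binary can still carry a dynamic symbol table.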
The analysis in the MalwareMustDie blog’s recent post “MMD-0064-2019 – Linux/AirDropBot” shows the latest binary sets used by the adversaries behind this
Internet of things are on improvement for its
Are we on the wrong track then? I don’t think so. Yes, the process takes time and what we can do is keep on improving the detection
(SecurityAffairs – AirDropBot, malware)