Exclusive: MalwareMustDie analyzes a new IoT malware dubbed Linux/ AirDropBot

Pierluigi Paganini September 30, 2019

After 2 years of waiting, MalwareMustDie returns with an excellent page of malware analysis of a new IoT malware: Linux/AirDropBot.

Yes, I have to confess, it was hard to wait all this time, but the reward it was worth it: unixfreaxjp is return, with a new, great page of reverse engeeniring published on the MalwareMustDie blog post: “MMD-0064-2019 – Linux/AirDropBot

And this is not only “the” Odisseus’s opinion, just because I can be addressed as a member of  MalwareMustDie crew: this last post IT IS a masterpiece technically speaking, because here unixfreaxjp reveals some unique and undocumented best practices in order to reverse Linux malware binaries (Intel and not Intel platforms), providing to every whitehat reverser many references and howtos to deal with ELF Linux malware, mixing theory and practice and showing how is incredibly useful the use of Radare r2 and Tsurgi distribution.

Don’t know if is because I have asked to my friend unixfreaxjp many times to publicly show how Radare r2 can be be used with great results, but after this post we can definitively state that, once again, Radare r2 has nothing to envy of the best commercial tools used in many reverse engineering tutorials that are available on Youtube.

In fact this time we have not a “simple” blog post, but a rich, strong and powerful technical lesson on how stripped binaries can be reversed even if they are “indeed” stripped.

Unixfreaxjp step by step leads the reader to understand how a malware code is build, which are the methods, which are the secrets, with are the hidden techniques used by the coders to hide and encrypt as much as possible the C2 address, how the operative commands coming from the C2 are parsed, and how almost everything can be reconstructed to get the source code back from any stripped binary.

The beginning of the story: another IoT malware in the wild?

But let’s go back to the beginning of the story when my very good friend @0xrb found in his honeypot this new “Mirai like” Linux malware, which has important differences with the Mirai implementation. He understood immediately that there was something strange in this new “Mirai variant”, to proposing the sample to MalwareMustDie team: here it is his early tweet.

It is possible to give a look also to the logs of the malware that @0xrb published on Pastebin: here a lot of information is made available during the running phase. One of them, for example, is the C2 server.

The C2 of the botnet was: 147.135.174.119

As unixfreaxjp states in his post, @0xrb has successfully submitted the sample to MalwareMustDie team in order to better analyze it, and the result is another great page of Linux malware reversing, that every malware analyst should read and re-read.

We will overfly the technical analysis because the MalwareMustDie post is extremely clear and explanatory in every single part of its analysis.

Coming to the core topic: IoT botnet threat and their ecosystem

New Linux developed malware aiming internet of things is happening a lot, and as previously mentioned, it has been driven by the money scheme that is fueling its botnet ecosystem as per previously posted in Security Affairs, this is still the main reason why new freshly coded malware in this sector is always coming up.

First spotted in the internet on August 3rd, 2019, a new Linux/AirDropBot has been reported, is a malware that has been built to aim many embedded Linux OS platform, it is meant to propagate its botnet into several originally coded and built for aiming the IoT used platforms. It’s still not in the final stage of development judging from some uncoded functions,  but the adversary mission is clear, to get as much Linux IoT infected as possible and get rid of his competitors. It was first detected as Mirai or Gafgyt like during the detection spotted in the first series of samples, and this may make researchers in Linux malware ignored its first existence.

So many processors are aimed by the malware, but if CPU like ARC Cores, Renesas SH, Motorola m68000, Altera Nios II, Tensilica Xtensa and Xilinx MicroBlaze CPU is aimed along with other generic cross-compiled CPU (MIPS/ARM/PPC/SPARC/Intel), the herder meant serious business to “pwn” the reachable IoTs. The binary is having two categories, the one that acts as bots and meant to infect the small devices and for bigger systems it has the worm-like vulnerability scanner aims CGI page on routers (in this version is aiming HTTP port 8080 on specific product CGI file) that can infect itself in a worm-like style along with the telnet scanning basis (attacking TCP port 23 or 2323).

The analysis made in MalwareMustDie blog’s recent post “MMD-0064-2019 – Linux/AirDropBot” is showing the latest binary sets, used by the adversaries behind this botnet. Scanner function for exploiting a certain router’s vulnerability is hardcoded and this threat is also aiming at other exploit too on older samples delivery. The overall idea is a known ones but the code is newly made.

Final considerations on the behavior to take in order to face this threat.

Internet of things are on improvement for its security quality, and governments all over the globe are seriously handling this, for example in the US the “Security Feature Recommendations for IoT Devices” by NIST is a good recommended plan, in the UK a voluntary code of practice (CoP) to help manufacturers boost the security of internet-connected devices that make up the internet of things (IoT) has been published, or in Japan the Project to Survey IoT Devices and to Alert Users has been started. Yet, there are a lot of products to handle and vulnerabilities for these products which are also researched at the same time by adversaries.
This makes IoT threat is still making a lot of issues since day-by-day new exploit issue actually comes up, old issues are re-used, unpatched segments are revealed and aimed.

Are we the wrong track then? I don’t think so. Yes, the process takes time and what we can do is keep on improving the detection on a new threat, containment, and response as prevention to strengthen the defense scheme for the platform, along with the parallel legal works on stopping adversaries. If we are committing to keep on doing these steps the adversaries will find more demerits than merits to keep on hammering is with their botnets.

About the Author: 

Odisseus – Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – AirDropBot, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment