Analysis of Linux.Omni

Following our classification and analysis of the Linux and IoT threats currently active, in this article we are going to investigate a malware detected very recently in our honeypots, the Linux.Omni botnet. This botnet has particularly attracted our attention due to the numerous vulnerabilities included in its repertoire of infection (11 different in total), being able to determine, finally, that it is a new version of IoTReaper.

Analysis of the binary

The first thing that strikes us is the label given to the malware at the time of infection of the device, i.e., OMNI, because these last few weeks we were detecting OWARI, TOKYO, SORA, ECCHI… all of them versions of Gafgyt or Mirai and, which do not innovate much compared to what was reported in previous articles.

So, analyzing the method of infection, we find the following instructions:

As you can see, it is a fairly standard script and, therefore, imported from another botnet. Nothing new.

Although everything indicated that the sample would be a standard variant of Mirai or Gafgyt, we carried out the sample download. [Read more…]

Analysis of Linux.Haikai: inside the source code

A few days ago we got the source code of the Haikai malware, which corresponds to one of the many implementations carried out by the continuous recycling of source code belonging to different IoT botnets. Although we have not identified any new developments compared to previous IoT malware versions, it has allowed us to obtain a lot of information on techniques, improvements and authors.

It should also be noted that, according to different records obtained, this botnet has been in operation for most of the last month of June.

In the following lines the code will be analyzed, as well as the possible attributions and the implementations not referenced in the execution thread, which allow us to guess that the code is mutating in different lines in parallel for the same function.

So let’s start by analyzing the structure of the files. [Read more…]

Simple & crazy covert channels (I): Asciinema (en)

In the preparation of our audits, we often waste a lot of time developing tools that require a lot of work and, in many cases, do not go unnoticed by those users with a more technical profile.
However, there are other simpler (and equally effective) methods to carry out the exfiltration of information, such as through tools that were not initially designed for this purpose and which, with relatively simple adjustments, allow us to carry it out.

Thus, in the following article the analysis of the asciinema tool will be carried out, as well as the different possibilities of use and how it can be integrated with an attack vector.

Asciinema is a very nice tool that I usually use for demos whose sole function is to register the user’s session and to provide a URL that allows us to easily share the user’s activity. Very valuable information that can be used in a malicious way.

Below, we will see if we could use it as a Linux keylogger and what modifications would be necessary to apply.
[Read more…]

Analysis of Linux.Okiru

In keeping with our campaign of detection and documentation of IoT botnets, a few days ago we found another threat not classified before. It was first uploaded to the VirusTotal platform on November 3 and is only detected as malicious by 4 antiviruses.

During the article, two variants of the malware will be analyzed, which differ fundamentally in their propagation. The first one was detected in our honeypot systems (specifically for the SPARC architecture). The second one is a variant of the first, which was found under the Intel x86_64 architecture, and which the Netlab360 malware lab echoed a few days ago.

As no records of its identification were found, we decided to classify it as Linux.Okiru, due to the name of its binaries.
[Read more…]

Linux.IotReaper Analysis

A couple of days ago we learned about the existence of a new threat IoT considerably more elaborated than any of the ones detected to date (http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/), said botnet has been named by Netlab 360 as IotReaper. So, from the malware laboratory of S2 Grupo we have obtained and analyzed some of the related samples.

Infrastructure

The infrastructure of the network is quite similar to that of the Mirai botnet, which is formed by four elements:

  • Report Server: Responsible for collecting the information sent by the bots.
  • Server Downloader: Responsible for providing malware samples via HTTP. The presence of an element allows the continuous incorporation of updates without the need to leave obsolete versions of the malware.
  • Server C2: Responsible for sending denial of service orders.
  • Bot: IoT device infected by the IotReaper botnet.

[Read more…]

Analysis of Linux.Helios

For several weeks we have been detecting a new variant of malware for Linux and IoT architectures from the malware laboratory of S2 Grupo, registered for the first time on the VirusTotal platform on October 18, which we have called Linux.Helios, due to the name of certain functions present in the sample.

We emphasize that the main antivirus signatures do not unanimously classify this sample: they range from ELF.DDoS to Tsunami, through Gafgyt or Mirai.
[Read more…]

Mirai meets OpenSSL

It is not a surprise that new variants of Mirai and more come to light, being available to anyone the source code of the bot, the CnC server and the download server. However, they all had relatively similar features (except for the variant for Windows, of course).

On March 19 came a new version of Mirai that caught our attention because of its size. While the usual is to find Mirai binaries of around tens of Kbs, this new sample has 1.6 Mbs. The TELNET connection that preceded the download of the binary is exactly the same as in previous catches.
[Read more…]

Linux.Mirai: Attacking video surveillance systems

During the Olympic Games in Rio de Janeiro, one of our sensors in Brazil detected a particularly interesting intrusion into a honeypot TELNET service.

This interaction used unusual credentials since the most received were, unlike what was expected, vyzxv and xc3511.

After an initial search no reference to attacks related to these credentials were found, but it was concluded that the credentials were recurring in DVRs (Digital Video Recorder) of the Chinese brand Dahua (e.g. DH-3004). Dahua is a leading global provider of surveillance solutions, because according to the IMS 2015 report they enjoy the largest mar-ket share.

[Read more…]