IoT Malware Types Revealed
The Internet of Things (IoT) is creating a new environment where malware can be used to create powerful botnets. Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.
Linux.Darlloz
The Linux.Darlloz was discovered in late 2013. The worm exploited an old PHP vulnerability
(CVE-2012-1823) to access a system, it escalated privileges through default and common
credential lists, it propagated through the network, and it established a backdoor on the system.
While the original malware only infected computers running Intel x86 chip architectures, other
versions were designed to target ARM, PPC, MIPS and MIPSEL chip architectures commonly
used in IoT devices. The worm also scanned systems for Linux.Aidra and attempted to remove
any files related to the threat and to block any ports used by Aidra for communication [1].
Aidra
Aidra was discovered after the publication of the 2013 research paper that described the results
of the 2012 Internet Census. The malware was designed to search for open telnet ports that could
be accessed using known default credentials [2]. According to its author, Federico Fazzi, the
malware was introduced in early 2012 as an IRC-based mass scanning and exploitation tool. The
code can be compiled for MIPS, MIPSEL, ARM, PPC, x86/x86-64 and SuperH. Aidra is
designed to target IoT devices that run embedded forms of Linux with active Telnet connectivity
and default or no password. Some variants of Aidra can retrieve router passwords through the
/cgi-bin/firmwarecfg bug found on some outdated D-Link and Netgear devices.
The malware attempts to connect to a telnet port using default credentials and if it succeeds, it
downloads and executes a script called getbinaries.sh, which removes other malware binaries and
prevents the device from being compromised by other competing malware. Some variants
attempt to change the device credentials. Malware binaries are downloaded to /var/run, /var/tmp,
/var/etc. Consequently, the malware can be removed by rebooting the device because the
directories are stored in RAM. Then the infected device connects to an IRC server, joins a
channel, reads a topic, and follows the instructions. Aidra is capable of scanning, flooding, and
spoofing targets randomly or recursively. Further, its code can be easily tailored to a threat
actor’s needs [3].
Qbot/ Qakbot
Qbot is a network-aware worm capable of harvesting credentials and creating backdoors [4].
The Qbot malware, first discovered around 2009, continues to be adapted and employed by script
kiddies and cybercriminals [5]. Qbot leverages the Rig exploit kit against vulnerable websites to
gain write access on the backend and to inject malicious JavaScript onto the site. To avoid
suspicion, the malicious JavaScript may be appended onto the beginning or end of a legitimate
JavaScript. The Rig exploit kit is a two-tier model consisting of a gate and a landing page. While
a new set of domains are used for each IP address, the dense population of each IP address with
many subdomains allows for a degree of undesired visibility into the botnet structure. The
majority of the gate and landing page domains are registered through GoDaddy accounts; many
of which are believed to be exploited compromised accounts. The Rig Gate URL returns the main_color_handle variable is returned. It contains a large string of characters that are used to
determine the Rig exploit kit landing page. The string is passed through a function that replaces
all illegal characters in HEX notation (0-9 and a-f) and then translates the result to ASCII and
embeds the current page with an i frame with the landing page loaded with the exploit. Random
variable names, dynamically generated from the Rig Gate URL contained in the kit, are used in
the malicious script to obfuscate the functionality.
Users’ Windows sessions are injected with the malware via a watering-hole attack or a drive-by
download; alternately, modified Qbot derivatives deliver the malware through malicious emails.
Once installed on the system, the malware runs a network speed test and it sends an initial
beacon, containing a list of installed software, user privileges, and the infected network external
IP address, to the FTP server. The malware injects itself into a running explorer.exe process and
it infects processes as they start up. The bot injects a DLL into processes that will extract its
strings, configuration, APIs, and critical strings block into heap-allocated buffers, when run.
Qbot contains its configuration parameters, such as FTP credentials, C2 settings, and timestamps,
in an internal table. The malware places system-wide inline hooks to intercept or modify network
traffic, to modify or redirect browser queries, to infect new processes, and to hide its presence.
Qbot uses a domain generation algorithm for all C2 communications [31].
Upon installation, modern variants contact the C2 infrastructure to receive instructions, to
update, and to mutate the appearance of the malware by self-recompiling or self-re-encrypting
the malware as a server-based polymorphism, an obfuscation mechanism meant to confound
anti-malware application and research efforts. The server-based polymorphism enables Qbot to
avoid most anti-virus products because the malware updates itself to a new version every few
days, and re-encrypts itself to remain undetectable for long periods of time. The malware can
detect whether it is running in a Virtual Machine sandbox and it can alter its behavior to avoid
detection [32].
Once Qbot has infected a system, it begins harvesting credentials contained in Windows
Credential Store (Outlook, Windows Live Messenger, Remote Desktop, Gmail Messenger) and
password stored by the Internet Explorer credential manager. Further credentials are sniffed from
network traffic. The attackers can use the stolen credentials and system information to access
FTP servers or to infect vulnerable websites to further spread the malware [32]. Qbot attempts to
spread to open shares across the network through brute force password attempts or through
attempts to access the Windows Credential Store. Qbot is also capable of intercepting browser
information, such as banking information, and writing the data into named pipes and then
sending it to a remote server [31].
Over a two-week investigation, BAE Systems discovered over 54,517 machines infected in a
Qbot botnet. Most these systems (85%) were located in the United States. The explosive
popularity of Mirai and subsequent oversaturation of the IoT threat landscape has led to a decline
in Qbot botnets.
BASHLITE/ Lizkebab/ Torlus/ gafgyt
BASHLITE botnets are responsible for enslaving over 1 million devices. One security firm
estimates that of compromised devices, 95 percent were IP cameras or DVR units, 4 percent
were home routers, and less than 1 percent were Linux servers. DVRs are high value bots
because the devices are configured with open telnet and other web interfaces, often rely on
default credentials, and are able to process high bandwidth, as is required to stream video. The
majority of the infected devices were located in Taiwan, Brazil, and Columbia. Due to
compartmentalization, the size of a monitored botnets is often difficult for security researchers to
estimate. Oppositely, the C2 IPs associated with campaigns are often hardcoded into the malware
and are easier to monitor [33].
The BASHLITE source code was leaked in early 2015 and has since been adapted into over a
dozen variants. The malware conducts two scans to discover vulnerable devices to infect. The
first attack vector utilizes the bots to port scan IP ranges for telnet servers and then it instructs
them to brute force credentials in order to access and infect the device. The second attack vector
employs external scanners to detect vulnerable devices and then infects those devices by using
brute force on the credentials, by exploiting known security vulnerabilities, or by leveraging
another attack vector [8]. Once the attacker has compromised a device, the malware tools
execute the “busybox wget” and “wget” commands to retrieve the DDoS payloads. The malware
does not identify the architecture of the compromised device; instead, it attempts to run different versions that have been compiled for different architectures, until one executes. Most
BASHLITE attacks are simple UDP and TCP floods, though the malware does support a less
used feature to spoof source addresses and some variants support HTTP attacks [6].
BASHLITE is a predecessor to Mirai, and the botnets are now in direct competition for a
diminishing pool of vulnerable IoT devices
[7].
Mirai
Mirai’s (Japanese for "the future") name comes from the discovered binaries having the name “mirai.()” and was initially discovered in August. It arrives as an ELF Linux executable and focuses mainly on DVRs, routers, web IP cameras, Linux servers, and other devices that are running Busybox a common tool for IoT embedded devices.
Mirai uses the default password for the telnet or SSH accounts to gain shell access. Once it’s able to get access to this account, it installs malware on the system. This malware creates delayed processes and then deletes files that might alert antivirus software to its presence. Because of this, it’s difficult to identify an infected system without doing a memory analysis.
Mirai opens ports and creates a connection with bot masters and then starts looking for other devices it can infect. After that, it waits for more instructions. Since it has no activity while it waits and no files left on the system, it is difficult to detect.
The low detection ratio can also be explained by the Mirai feature to delete all malware files once it successfully sets the backdoor port into the system. It leaves only the delayed process where the malware is running after being executed.
Mirai is a piece of malware that infects IoT devices and is used as a launch platform for DDoS attacks. Mirai’s C&C (command and control) code is coded in Go, while its bots are coded in C.
Like most malware in this category, Mirai is built for two core purposes:
- Locate and compromise IoT devices to further grow the botnet.
- Launch DDoS attacks based on instructions received from a remote C&C.
To fulfill its recruitment function, Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices that could be remotely accessed via easily guessable login credentials—usually factory default usernames and passwords (e.g., admin/admin).
Mirai uses a brute force technique for guessing passwords a.k.a. dictionary attacks.
On September 30, 2016, a script kiddie using the moniker “Anna-senpai” posted the Mirai source
code on Hack Forums, in a claimed attempt to “retire” due to acquired wealth and due to a
dissolving botnet base resulting from ISP intervention.
Investigation of the attack uncovered 49,657 unique IPs which hosted Mirai-infected devices. these were mostly CCTV cameras—a common exploit of DDoS botnet herders. Other victimized devices included DVRs and routers.
Overall, IP addresses of Mirai-infected devices were spotted in 164 countries, appearing even in such remote locations as Montenegro, Tajikistan and Somalia
How to Prevent Infection
To prevent infection:
- Stop the telnet service and block TCP port 48101 if you’re not currently using it
- Set Busybox execution to be run only for a specific user
- Scan for open telnet connections on your network
Mitigation
In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:
- Disconnect device from the network.
- While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware.
- Ensure that the password for accessing the device has been changed from the default password to a strong password.
- You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.
Preventive Steps
In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:
- Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
- Update IoT devices with security patches as soon as patches become available.
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Purchase IoT devices from companies with a reputation for providing secure devices.
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
- Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
- Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
References :
[1] "The Internet of Things: New Threats Emerge in a Connected World," in Symantec, Symantec, 2014.
[Online]. Available: https://www.symantec.com/connect/blogs/internet-things-new-threats-emerge-
connected-world-0. Accessed: Oct. 25, 2016.
[2] M. Mimoso, C. Brook, and T. Spring, "New IoT Botnet Malware borrows from Mirai," Threatpost,
2016. [Online]. Available: https://threatpost.com/new-iot-botnet-malware-borrows-from-
mirai/121705/. Accessed: Nov. 1, 2016.
[3] "Lightaidra 0x2012," in House of Vierko, 2012. [Online]. Available: http://vierko.org/tech/lightaidra-
0x2012/. Accessed: Nov. 10, 2016.
[4] "The Return of Qbot," in BAE Systems, 2016. [Online]. Available:
https://resources.baesystems.com/pages/view.php?ref=39115&k=46713a20f9. Accessed: Oct. 26, 2016.
[5] G. Cluley, "Mutating Qbot worm Infects over 54, 000 PCs at organizations worldwide," in Tripwire,
Tripwire, 2016. [Online]. Available: https://www.tripwire.com/state-of-security/featured/qbot-
malware/. Accessed: Oct. 26, 2016.
[6] T. Spring, K. Carpenter, and M. Mimoso, "BASHLITE family of Malware Infects 1 Million IoT devices,"
in Threat Post, Threatpost, 2016. [Online]. Available: https://threatpost.com/bashlite-family-of-
malware-infects-1-million-iot-devices/120230/. Accessed: Oct. 25, 2016.
[7] B. Krebs, "Source code for IoT Botnet ‘Mirai’ released," in KrebsonSecurity, 2016. [Online]. Available:
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/. Accessed: Oct. 23,
2016.
[8] B. Krebs, "KrebsOnSecurity hit with record DDoS," in KrebsonSecurity, 2016. [Online]. Available:
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/. Accessed: Oct. 23, 2016.
Compiled Version by Author
