IoT Malware Types Revealed
The Internet of Things (IoT) is creating a new environment where malware can be used to create powerful botnets. Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.
The Linux.Darlloz was discovered in late 2013. The worm exploited an old PHP vulnerability (CVE-2012-1823) to access a system, it escalated privileges through default and common credential lists, it propagated through the network, and it established a backdoor on the system. While the original malware only infected computers running Intel x86 chip architectures, other versions were designed to target ARM, PPC, MIPS and MIPSEL chip architectures commonly used in IoT devices. The worm also scanned systems for Linux.Aidra and attempted to remove any files related to the threat and to block any ports used by Aidra for communication .
Aidra was discovered after the publication of the 2013 research paper that described the results of the 2012 Internet Census. The malware was designed to search for open telnet ports that could be accessed using known default credentials . According to its author, Federico Fazzi, the malware was introduced in early 2012 as an IRC-based mass scanning and exploitation tool. The code can be compiled for MIPS, MIPSEL, ARM, PPC, x86/x86-64 and SuperH. Aidra is designed to target IoT devices that run embedded forms of Linux with active Telnet connectivity and default or no password. Some variants of Aidra can retrieve router passwords through the /cgi-bin/firmwarecfg bug found on some outdated D-Link and Netgear devices.
The malware attempts to connect to a telnet port using default credentials and if it succeeds, it downloads and executes a script called getbinaries.sh, which removes other malware binaries and prevents the device from being compromised by other competing malware. Some variants attempt to change the device credentials. Malware binaries are downloaded to /var/run, /var/tmp, /var/etc. Consequently, the malware can be removed by rebooting the device because the directories are stored in RAM. Then the infected device connects to an IRC server, joins a channel, reads a topic, and follows the instructions. Aidra is capable of scanning, flooding, and spoofing targets randomly or recursively. Further, its code can be easily tailored to a threat actor’s needs .
Users’ Windows sessions are injected with the malware via a watering-hole attack or a drive-by download; alternately, modified Qbot derivatives deliver the malware through malicious emails. Once installed on the system, the malware runs a network speed test and it sends an initial beacon, containing a list of installed software, user privileges, and the infected network external IP address, to the FTP server. The malware injects itself into a running explorer.exe process and it infects processes as they start up. The bot injects a DLL into processes that will extract its strings, configuration, APIs, and critical strings block into heap-allocated buffers, when run. Qbot contains its configuration parameters, such as FTP credentials, C2 settings, and timestamps, in an internal table. The malware places system-wide inline hooks to intercept or modify network traffic, to modify or redirect browser queries, to infect new processes, and to hide its presence. Qbot uses a domain generation algorithm for all C2 communications .
Upon installation, modern variants contact the C2 infrastructure to receive instructions, to update, and to mutate the appearance of the malware by self-recompiling or self-re-encrypting the malware as a server-based polymorphism, an obfuscation mechanism meant to confound anti-malware application and research efforts. The server-based polymorphism enables Qbot to avoid most anti-virus products because the malware updates itself to a new version every few days, and re-encrypts itself to remain undetectable for long periods of time. The malware can detect whether it is running in a Virtual Machine sandbox and it can alter its behavior to avoid detection .
Once Qbot has infected a system, it begins harvesting credentials contained in Windows Credential Store (Outlook, Windows Live Messenger, Remote Desktop, Gmail Messenger) and password stored by the Internet Explorer credential manager. Further credentials are sniffed from network traffic. The attackers can use the stolen credentials and system information to access FTP servers or to infect vulnerable websites to further spread the malware . Qbot attempts to spread to open shares across the network through brute force password attempts or through attempts to access the Windows Credential Store. Qbot is also capable of intercepting browser information, such as banking information, and writing the data into named pipes and then sending it to a remote server .
Over a two-week investigation, BAE Systems discovered over 54,517 machines infected in a Qbot botnet. Most these systems (85%) were located in the United States. The explosive popularity of Mirai and subsequent oversaturation of the IoT threat landscape has led to a decline in Qbot botnets.
BASHLITE/ Lizkebab/ Torlus/ gafgyt
BASHLITE botnets are responsible for enslaving over 1 million devices. One security firm estimates that of compromised devices, 95 percent were IP cameras or DVR units, 4 percent were home routers, and less than 1 percent were Linux servers. DVRs are high value bots because the devices are configured with open telnet and other web interfaces, often rely on default credentials, and are able to process high bandwidth, as is required to stream video. The majority of the infected devices were located in Taiwan, Brazil, and Columbia. Due to compartmentalization, the size of a monitored botnets is often difficult for security researchers to estimate. Oppositely, the C2 IPs associated with campaigns are often hardcoded into the malware and are easier to monitor .
The BASHLITE source code was leaked in early 2015 and has since been adapted into over a dozen variants. The malware conducts two scans to discover vulnerable devices to infect. The first attack vector utilizes the bots to port scan IP ranges for telnet servers and then it instructs them to brute force credentials in order to access and infect the device. The second attack vector employs external scanners to detect vulnerable devices and then infects those devices by using brute force on the credentials, by exploiting known security vulnerabilities, or by leveraging another attack vector . Once the attacker has compromised a device, the malware tools execute the “busybox wget” and “wget” commands to retrieve the DDoS payloads. The malware does not identify the architecture of the compromised device; instead, it attempts to run different versions that have been compiled for different architectures, until one executes. Most BASHLITE attacks are simple UDP and TCP floods, though the malware does support a less used feature to spoof source addresses and some variants support HTTP attacks . BASHLITE is a predecessor to Mirai, and the botnets are now in direct competition for a diminishing pool of vulnerable IoT devices
On September 30, 2016, a script kiddie using the moniker “Anna-senpai” posted the Mirai source code on Hack Forums, in a claimed attempt to “retire” due to acquired wealth and due to a dissolving botnet base resulting from ISP intervention.
How to Prevent Infection
 "The Internet of Things: New Threats Emerge in a Connected World," in Symantec, Symantec, 2014. [Online]. Available: https://www.symantec.com/connect/blogs/internet-things-new-threats-emerge- connected-world-0. Accessed: Oct. 25, 2016.
 M. Mimoso, C. Brook, and T. Spring, "New IoT Botnet Malware borrows from Mirai," Threatpost, 2016. [Online]. Available: https://threatpost.com/new-iot-botnet-malware-borrows-from- mirai/121705/. Accessed: Nov. 1, 2016.
 "Lightaidra 0x2012," in House of Vierko, 2012. [Online]. Available: http://vierko.org/tech/lightaidra- 0x2012/. Accessed: Nov. 10, 2016.
 "The Return of Qbot," in BAE Systems, 2016. [Online]. Available: https://resources.baesystems.com/pages/view.php?ref=39115&k=46713a20f9. Accessed: Oct. 26, 2016.
 G. Cluley, "Mutating Qbot worm Infects over 54, 000 PCs at organizations worldwide," in Tripwire, Tripwire, 2016. [Online]. Available: https://www.tripwire.com/state-of-security/featured/qbot- malware/. Accessed: Oct. 26, 2016.
 T. Spring, K. Carpenter, and M. Mimoso, "BASHLITE family of Malware Infects 1 Million IoT devices," in Threat Post, Threatpost, 2016. [Online]. Available: https://threatpost.com/bashlite-family-of- malware-infects-1-million-iot-devices/120230/. Accessed: Oct. 25, 2016.
 B. Krebs, "Source code for IoT Botnet ‘Mirai’ released," in KrebsonSecurity, 2016. [Online]. Available: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/. Accessed: Oct. 23, 2016.
 B. Krebs, "KrebsOnSecurity hit with record DDoS," in KrebsonSecurity, 2016. [Online]. Available: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/. Accessed: Oct. 23, 2016.
Compiled Version by Author