LuaBot is the first Linux DDoS botnet written in Lua Language

Pierluigi Paganini September 11, 2016

The researcher MalwareMustDie discovered LuaBot, a trojan completely coded in Lua language that is targeting Linux platforms to recruit them in DDoS botnet.

Let’s continue our tour in Linux security, focusing on malicious code specifically designed to target such systems.

The popular security researcher MalwareMustDie, who recently reported the new ELF trojan backdoorLinux/Mirai, also discovered a Trojan that infects Linux systems involved in distributed denial of service (DDoS) attacks.

The malware was dubbed Linux/Luabot beacause it is written in the Lua programming language (version 5.3.0) and targets the Linux based systems.

Lua is a lightweight multi-paradigm programming language, it is cross-platform since it is written in ANSI C. It was designed primarily for embedded systems and clients.

Web servers and Internet of Things (IoT) devices are privileged targets of the Linux/Lua botnet.

“On Mon, Aug 29, 2016 at 5:07 PM I received this ELF malware sample from a person (thank you!). There wasn’t any detail or comment what so ever just one cute little ARM ELF stripped binary file with following data:” wrote the researcher in a blog post.

“This is a new ELF botnet malware, coded in Lua [link] language ( @$LuaVersion: Lua 5.3.0). It is the first time to find an lua language ELF compiled malware, specifically in ARM cpu architecture, so let’s call it as “Linux/LuaBot”.”

The analysis of the binary revealed the signature of Sample Matrix RSA-4096 Certificate, it’s a trace of the MatrixSSL certification used by the bot clients to establish secure HTTPS connections.

The binary also included the MatrixSSL’s code libraries for encryption operations and a MalwareMustDie also noticed it included a hardcoded coder’s message (“Hi. Happy reversing, you can mail me: [REDACTED .ru email address].”) reported in the following image.

LuaBot linux/lua botnet binary


The bot was controlled by a C&C server hosted in the Netherlands on the infrastructure of dedicated server hosting service WorldStream.NL.

MalwareMustDie also discovered a portion of code labeled as “penetrate_sucuri,” likely referencing the implementation of avoidance mechanism that are able to elude the popular Sucuri Web Application Firewall.

The researcher has no doubt, this is a very complex and effective botnet, the author of the Linux/Lua botnet implemented a command interface that could be exploited to run crypted remote commands.

“If you see carefully in the above description, there are the “cmdline”, and “cmdline args” spotted in several parts in ELF reversed code, forensics results and also source code trace too.” explained MalwareMustDie.

“The hacker can do a lot of things with it via a crypted remote commands pushed to his bots through this command interface, so this bot can be used to execution for the Lua script. So one of the botnet functionality is the remote execution via this interface.” states the analysis.

A rapid test on the online scanning service VirusTotal demonstrated that the binary was still fully undetected (FUD) state at the time of the analysis.

MalwareMustDie received after his first analysis the DDoS component used by the Linux/Lua botnet, it was the missing component it was searching for.  Also in this case, the module was written in Lua and has  zero-detection rate.

“This sample [link] is explaining the “missing link” of the DDoS function expected from this botnet. This module was coded in Lua and using the same static compilation environment, with zero detection ratio too. This additional ELF could be “the payload” that we are waiting for. This module is explaining a lot of detail on how the attack is performed, a simple download and execution command executed by the infected nodes from remote access via shell or internal command line interface is enough to trigger this attack.” explained the researchers.

According to MalwareMustDie the number of ELF malware that are surfacing on the Internet is rapidly growing.

“There are plenty new ELF malware coming & lurking our network recently & hitting out Linux layer IoT and services badly.” explained the researcher.

The data is confirmed also by the investigation conducted by other research teams, a joint research conducted by Level 3 Communications and Flashpoint allowed the identification of a million devices infected by the Bashlite malware.

The BASHLITE malware includes the code of the ShellShock exploit and it had been used by threat actors in the wild to run distributed denial-of-service (DDoS) attacks.

It could infect multiple Linux architectures, for this reason, crooks used it to target Internet of Things devices.

In June, experts from the security firm Sucuri spotted a botnet composed of tens of thousands of CCTV devices that had been used by crooks to launch DDoS attacks against websites.

I suggest you reading the MalwareMustDie analysis on the Luabot, it is full of interesting data.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Luabot Bot,  malware)

you might also like

leave a comment