Exclusive: MalwareMustDie spotted a new IoT Linux/IRCTelnet malware made in Italy

Pierluigi Paganini October 29, 2016

Exclusive: The security researcher MalwareMustDie has found a new Linux/IRCTelnet malware, made in Italy, that targets IoT devices and builds a botnet controlled over IRC and spread via Telnet. It is able to generate IPv6 DDoS attacks and brings new dangerous capabilities that Mirai did not have.

In a brief interview with Security Affairs, @unixfreaxjp of the MalwareMustDie group explains the main characteristics of this new malware, so that it can be fought with proper security awareness.

After the Mirai escalation it has become clear that the new, and very lucrative, landscape of DDoS attacks will be increasingly populated by IoT devices: “things” that are normally shipped without adequate quality control and are compromised through flaws that can be easily exploited.

Moreover, in recent times we have learned that IoT devices are often rooted through brute-force attacks, which succeed also because the devices are deployed, as we said elsewhere, without changing the default credentials.

This was exactly the scheme of Mirai, as we have described in past articles.

However, what we have here is something new, and it is superbly described in the latest post by the now world-famous whitehat researcher who discovered and reverse engineered the Mirai malware, @unixfreaxjp of the MalwareMustDie group.

In his post he specifies that the new IRC botnet ELF malware does follow the Tsunami/Kaiten protocol specification, but is coded “in a different way adding some more features in messaging and malicious/attack vectors used”.

An explosive mix of new and classic features in this new made-in-Italy IRC botnet ELF malware

Here is an outline of the key points of this new Linux/IRCTelnet malware (the bot client), which has the following characteristics and conceptual scheme:

1) it is designed to attack IoT devices over the Telnet protocol (by now IoT is the new El Dorado, we know);

2) it uses a Telnet scanner, as done in the past by GayFgt/Torlus/Lizkebab/Bashdoor/Bashlite, of which we report a snapshot of the reconstructed C code:


Figure 1 The telnet scanner.

3) it uses the leaked Mirai credential list: the brute-force password dictionary is hardcoded in the binary, as shown below:


Figure 2. The bruteforce password dictionary

4) it combines this with the Kaiten concept (IRC protocol) by receiving commands from a malicious IRC C&C server. Below we report the log produced by @unixfreaxjp using a PoC implemented to decode the values and behaviour of the malware.


Figure 3. The IRC C&C Server log

5) it is made in Italy: among other evidence, there are Italian strings inside the binary, containing Italian words as shown in the next figure. We know that the infection campaign that built this botnet started on October 25th, 2016.


Figure 4. The Italian messages inside the binary code of the new Linux/IRCTelnet malware.
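As an added illustration, not part of the original article or of MalwareMustDie's analysis, the following Python script shows how a defender can spot the propagation pattern of points 1 to 3 (a Telnet scanner sweeping many hosts on TCP/23 before trying the hardcoded credential list) in NetFlow-style records. The record format, window and threshold are assumptions, and the sample flows are constructed.

```python
"""Detector for the Telnet scanning/brute-force pattern described above.
Added example, not code from the article or from MalwareMustDie.
Input: constructed NetFlow-style records (src, dst, dport, epoch seconds).
A source that opens connections to many distinct destinations on TCP/23
inside a short window is reported as a probable Telnet scanner.
"""
from collections import defaultdict
from dataclasses import dataclass

TELNET_PORT = 23
WINDOW_SECONDS = 60          # assumption: a sweep hits many hosts quickly
DISTINCT_DST_THRESHOLD = 5   # assumption: tune to your own network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    ts: int  # epoch seconds


def find_telnet_scanners(flows, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: max_distinct_targets} for sources that touched at least
    `threshold` distinct destinations on TCP/23 within any `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == TELNET_PORT:
            by_src[f.src].append((f.ts, f.dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits


# Constructed sample: one host sweeping 192.0.2.0/24 on port 23 (12 targets in
# 12 seconds), one admin host reconnecting to a single device every 10 minutes.
SAMPLE_FLOWS = [Flow("10.0.0.7", f"192.0.2.{i}", 23, 1_000_000 + i) for i in range(1, 13)]
SAMPLE_FLOWS += [Flow("10.0.0.9", "192.0.2.50", 23, 1_000_000 + i * 600) for i in range(4)]
SAMPLE_FLOWS += [Flow("10.0.0.7", "192.0.2.1", 80, 1_000_050)]  # non-Telnet, ignored

if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {n} distinct Telnet targets within {WINDOW_SECONDS}s")
```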

We want to underline the noble position of the MalwareMustDie author, who publicly stated in his blog that he did not want the codename of this new malware to include anything related to Italy.

But let’s quickly analyze the new features of the malware, because some of them are utterly new and certainly scary.

The first use of IPv6 to target IoT (and IP spoofing of the bots)

During the reversing phase, a generator of “TCP6” and “UDP6” packets was discovered inside the new malware; it can be combined with the coded “spoof6” option.

It seems to be the first time that IPv6 has been used to target IoT, and it is now possible to generate spoofed DDoS attacks in which it is impossible to recognize the IP address of the infected bot.

The reconstructed code related to the flooding looks bad, and it seems that a lot of “DoS attack combination is planned”.


Figure 5. The DDoS attack sequence of the Linux/IRCTelnet malware

The comment of @unixfreaxjp of MalwareMustDie on the new IPv6 capability is that “this botnet is supported attacks(DDoS) of IPv4 and IPv6 packets through the attack generator sending functions called sendV4() and sendV6().” During the attack there is another capability, “spoofing IP address also be done in the IPv4 or IPv6 form”, which is really scary.

Below is the reconstructed flood-generating function for IPv6:


Figure 6. Reverse of the flooding generating function on IPv6

We can therefore say that the focus of this new feature is IPv6-based flooding, and the author of the MMD post asks himself, and the whole security research community: “Are we ready to dealing with IoT IPv6 DDoS now”?


Figure 7. Reddit discussion on IPv6
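The IPv6 flooding with spoofed source addresses described in this section (and again in the second interview question below) is exactly what egress filtering in the BCP 38 style defeats at the network edge. As an added example, not code from the article or from MalwareMustDie, the script parses the fixed 40-byte IPv6 header of constructed TCP6/UDP6 packets and drops any packet leaving the network with a source outside the prefix the site legitimately originates; the local prefix 2001:db8:1::/48 is a documentation prefix used as an assumption.

```python
"""Egress anti-spoofing check for the IPv6 (TCP6/UDP6) floods described above.
Added example, not code from the article or from MalwareMustDie. It parses
the fixed 40-byte IPv6 header of constructed packets and flags those leaving
the network with a source address outside the prefix this site legitimately
originates (BCP 38 style filtering). 2001:db8:1::/48 is a documentation
prefix used here as an assumption.
"""
import ipaddress
import struct

LOCAL_PREFIX = ipaddress.ip_network("2001:db8:1::/48")  # assumption
NEXT_HEADER_NAMES = {6: "TCP6", 17: "UDP6"}


def parse_ipv6_header(packet: bytes):
    """Return (next_header, src, dst) from a raw IPv6 packet."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, _payload_len, next_header, _hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return next_header, ipaddress.IPv6Address(packet[8:24]), ipaddress.IPv6Address(packet[24:40])


def classify_egress(packet: bytes, local_prefix=LOCAL_PREFIX) -> str:
    """'forward ...' for traffic this site may originate, 'drop:spoofed ...'
    for a packet whose source address the site cannot own."""
    next_header, src, dst = parse_ipv6_header(packet)
    proto = NEXT_HEADER_NAMES.get(next_header, f"proto{next_header}")
    verdict = "forward" if src in local_prefix else "drop:spoofed"
    return f"{verdict} {proto} {src} -> {dst}"


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: version 6, zero traffic class/flow label, hop limit 64."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


# Constructed samples: a legitimate UDP6 packet from inside the prefix and a
# flood packet whose source was spoofed to an address the site does not own.
LEGIT = build_ipv6("2001:db8:1::10", "2001:db8:2::1", 17, b"\x00" * 8)
SPOOFED = build_ipv6("2001:db8:ffff::1", "2001:db8:2::1", 6, b"\x00" * 20)

if __name__ == "__main__":
    for pkt in (LEGIT, SPOOFED):
        print(classify_egress(pkt))
```

The same check on the bot's own uplink (or on the ISP's customer-facing edge) is what prevents a compromised device from hiding its address, which is the point of the “spoof6” option.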

This is the big deal of the moment and the challenge of the future. But let’s move on to the interview that @unixfreaxjp of MalwareMustDie gave to Security Affairs a few hours ago.

First question:

Q. Do you think that Linux/IRCTelnet is more dangerous than Mirai?
A. Mirai is dangerous in its own way. With new DDoS attack functions, low awareness, and hard to fetch the sample. Also with AV that was not using MIRAI as the new name but sticks with an old name of malware… it is lowering the security alert response. So when it hit hard, people get surprised.

This Linux/IRCTelnet, if being ignored as per what happened in Mirai, can be a dangerous threat too. This is the first malware run in IRC cnc that is using telnet scanner to infect other IoT, and it is aiming IoT, due to the vulnerable vectors in that vector.

So, I don’t say Linux/IRCTelnet is more dangerous than Mirai. Each of them has its own dangerous vector, it will depend on us on how to respond to handle this threat.

Second Question:

Q. What are the capabilities of the “IP spoof option in IPv4 or IPv6”?
A. When an infected IoT is performing attack, in example, via UDP6 or TCP6, Linux/IRCTelnet is having an option to spoof the source IP of the attacker (its own IP) for not revealing the original IP in the generated packet used to flood the target.

And this spoofing and also the attack is supported to IPv6. This is important since there is no DDOS botnet that is coded and designed to hit services in IPv6 yet.

Third Question:

Q. How do you know that the usable bot in this new botnet is about 3500?
A. I show you a figure:

This is the log of the IRC Server, as you see 3486 “users” were connected at that time.

Fourth Question:
Q. Do you think this malware is originally coded?
A. After further analysis, comparing the overall reversed code to the historically detected ELF malware botnets, we found a very good match, which confirms that the source code used for this botnet is based on the root of the Aidra botnet. I was not so sure about this until I reversed the whole source code and compared the overall reversed code to the historically detected ELF malware botnet libraries. And I found a very good match, along with several modifications and an overhaul of the original Aidra code. Built on the old code of the legendary Aidra bot, with the new logic of Torlus/Gayfgt’s telnet scanner added and using Mirai’s leaked vulnerable IoT device login credentials, Linux/IRCTelnet is driven to a high infection speed, so it can raise almost 3,500 bot clients within only 5 days from when its loader was first detected. Indeed, the spoofing and IPv6 used were designed as a trademark of the Aidra botnet family, and making a new version of this botnet based on the recent vulnerable threat landscape is really inviting bad news. All of the reversed details stayed. I reversed the malware BEFORE I even knew this fact. It is very surprising to see a new type of Aidra botnet in this era, and this botnet is really a redesigned and modified old Aidra that becomes a brand new threat landscape that we will face now.

About the Author: Odisseus

Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing, and development.

(Security Affairs – IoT, Linux/IRCTelnet malware)


Edited by Pierluigi Paganini




