
Exclusive: MalwareMustDie spotted a new IoT Linux/IRCTelnet malware made in Italy

Exclusive: The security researchers of MalwareMustDie have found a new Linux/IRCTelnet malware, made in Italy, that targets IoT devices and builds a botnet controlled over IRC and spread over Telnet. It is able to generate IPv6 DDoS attacks and carries NEW dangerous capabilities that Mirai did not have.

In a brief interview with Security Affairs, @unixfreaxjp of the MalwareMustDie group explains its main characteristics, so that this new malware can be fought with proper security awareness.

After the Mirai escalation it has become clear that the new, very lucrative landscape of DDoS attacks will be increasingly populated in the near future by IoT devices: “things” that are normally shipped without adequate quality control and are compromised through flaws that can be easily exploited.

Moreover, in recent times we have learned that IoT devices are often rooted by brute-force attacks, which succeed also because, as we said elsewhere, the devices are deployed without changing the default credentials.

This was exactly the scheme of Mirai, as we described in past articles.

However, what we have here is something new, described in detail in the latest post by the now world-famous whitehat researcher who discovered and reverse-engineered the Mirai malware, @unixfreaxjp of the MalwareMustDie group.

In his post he specifies that the new IRC botnet ELF malware does follow the Tsunami/Kaiten protocol specification, but is implemented “in a different way adding some more features in messaging and malicious/attack vectors used”.

An explosive mix of new and classic features in this made-in-Italy IRC botnet ELF malware

Here is an outline of the key points of this new Linux/IRCTelnet malware (the bot client), which has the following characteristics and conceptual schemes:

1) it is designed to attack IoT devices over the Telnet protocol (yes, by now IoT is the new El Dorado, we know);

2) it uses a Telnet scanner, as GayFgt/Torlus/Lizkebab/Bashdoor/Bashlite did in the past; below is a snapshot of the reconstructed C code:

Figure 1. The Telnet scanner.

3) it uses the leaked Mirai credential list as a brute-force password dictionary, hardcoded in the binary as shown below:

Figure 2. The brute-force password dictionary

4) it combines this with the Kaiten concept (IRC as the control protocol), receiving commands from a malicious C&C IRC server. Below we report the log produced by @unixfreaxjp with a PoC implemented to decode the values and behavior of the malware.

Figure 3. The IRC C&C Server log

5) it is made in Italy: among other evidence, Italian strings were found inside the binary code, as shown in the next figure. We know that the infection campaign building this botnet started on October 25th, 2016.

Figure 4. The Italian messages inside the binary code of the new Linux/IRCTelnet malware.
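The Telnet brute-force infection path described in points 2) and 3) leaves a recognisable trace on the victim side: a burst of failed logins from one source address, cycling through several usernames, followed by a successful login. The following Python script, an added example that is not code from the article or from MalwareMustDie, runs that detection logic over a few constructed login-log lines in a syslog-like format; the log format, the 60-second window and the five-failure threshold are assumptions.

```python
"""Spot a Telnet brute-force login sequence in device authentication logs.

Added example; not code from the article or from MalwareMustDie. The log
format, the 60-second window and the five-failure threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like "login" format (assumption:
# a busybox/telnetd-style login program that reports the remote address).
SAMPLE_LOG = """\
Oct 25 03:14:01 cam01 login[812]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Oct 25 03:14:02 cam01 login[812]: FAILED LOGIN 2 FROM 203.0.113.7 FOR admin, Authentication failure
Oct 25 03:14:03 cam01 login[812]: FAILED LOGIN 3 FROM 203.0.113.7 FOR support, Authentication failure
Oct 25 03:14:04 cam01 login[812]: FAILED LOGIN 4 FROM 203.0.113.7 FOR root, Authentication failure
Oct 25 03:14:05 cam01 login[812]: FAILED LOGIN 5 FROM 203.0.113.7 FOR user, Authentication failure
Oct 25 03:14:06 cam01 login[812]: FAILED LOGIN 6 FROM 203.0.113.7 FOR admin, Authentication failure
Oct 25 03:14:07 cam01 login[813]: LOGIN ON pts/0 BY root FROM 203.0.113.7
Oct 25 03:20:00 cam01 login[900]: FAILED LOGIN 1 FROM 198.51.100.9 FOR root, Authentication failure
Oct 25 03:40:00 cam01 login[901]: LOGIN ON pts/1 BY admin FROM 192.0.2.5
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ login\[\d+\]: FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\w+)")
OK_RE = re.compile(TS + r" \S+ login\[\d+\]: LOGIN ON \S+ BY (?P<user>\w+) FROM (?P<src>\S+)")


def parse_ts(text, year=2016):
    """Syslog timestamps carry no year; 2016 (the campaign's year) is assumed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return per-source findings: failure count, usernames tried, whether the
    source crossed the brute-force threshold inside one window, and whether a
    successful login followed such a burst (the likely-compromise signal)."""
    recent = defaultdict(list)  # src -> timestamps of failures inside the window
    findings = defaultdict(lambda: {"failures": 0, "users": set(),
                                    "brute_force": False,
                                    "success_after_brute_force": False})
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts, src = parse_ts(m["ts"]), m["src"]
            # Slide the window forward, then record this failure.
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            f = findings[src]
            f["failures"] += 1
            f["users"].add(m["user"])
            if len(recent[src]) >= threshold:
                f["brute_force"] = True
            continue
        m = OK_RE.match(line)
        if m:
            ts, src = parse_ts(m["ts"]), m["src"]
            recent[src] = [t for t in recent[src] if ts - t <= window]
            if len(recent[src]) >= threshold:
                findings[src]["success_after_brute_force"] = True
    return {src: {**f, "users": sorted(f["users"])} for src, f in findings.items()}


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(src, f)
```

On the constructed input the script flags 203.0.113.7 both for the burst (five failures within a minute) and for the success that follows it, while the single failure from 198.51.100.9 stays below the threshold. A device that logs like this and still accepts its factory password is exactly the kind of host the dictionary in Figure 2 is built for, so the success-after-burst signal is the one worth alerting on.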

We want to underline the noble position of MalwareMustDie, who publicly stated in the blog post that he did not want to include anything related to Italy in the codename of this new malware.

But let us quickly analyze the new features of the malware, because there is something utterly new and certainly scary.

The first use of IPv6 to target IoT (and IP spoofing by the bots)

During the reversing phase, a generator of “TCP6” and “UDP6” packets was discovered inside the new malware, together with the associated “spoof6” option.

It seems to be the first time that IPv6 has been used to target IoT, and from now on it is possible to generate spoofed DDoS attacks in which it is impossible to recognize the IP of the infected bot.

The reconstructed flooding code looks bad, and it seems that a lot of “DoS attack combination is planned”.

Figure 5. The DDoS attack sequence of the Linux/IRCTelnet malware

The comment of @unixfreaxjp of MalwareMustDie on the new IPv6 capability is that “this botnet is supported attacks(DDoS) of IPv4 and IPv6 packets through the attack generator sending functions called sendV4() and sendV6().” During the attack there is another capability, “spoofing IP address also be done in the IPv4 or IPv6 form”, which is really scary.

Below is the flood-generating function for IPv6:

Figure 6. Reversed flood-generating function for IPv6

So we can say that the focus of this new feature is IPv6-based flooding, and the author of the MMD post asks himself, and the whole security research community: “Are we ready to dealing with IoT IPv6 DDoS now”?
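The sendV4()/sendV6() pair and the spoofing option quoted above mean that upstream source-address validation (BCP 38 style ingress filtering) has to cover IPv6 as well as IPv4, otherwise a spoofed IPv6 flood from a compromised device leaves the access network unchecked. The Python script below, an added example and not code from the article or from MalwareMustDie, simulates that check on an access router with two customer-facing interfaces over a few constructed flow records; the interface names, prefixes and flows are assumptions.

```python
"""Source-address validation (BCP 38 style ingress filtering) for IPv4 and IPv6.

Added example; not code from the article or from MalwareMustDie. The
interface table, prefixes and flow records below are constructed assumptions.
"""
import ipaddress
from collections import Counter

# Constructed table: source prefixes that may legitimately appear on packets
# entering each customer-facing interface of an access router.
ALLOWED_SOURCES = {
    "eth1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "eth2": ["198.51.100.0/24", "2001:db8:2::/48"],
}

# Constructed flow records: (ingress interface, source, destination, protocol).
SAMPLE_FLOWS = [
    ("eth1", "192.0.2.10", "203.0.113.80", "udp"),
    ("eth1", "2001:db8:1::10", "2001:db8:ffff::80", "udp"),
    ("eth1", "2001:db8:9999::1", "2001:db8:ffff::80", "tcp"),  # IPv6 source not in eth1's prefixes
    ("eth1", "10.9.9.9", "203.0.113.80", "tcp"),                 # IPv4 source not in eth1's prefixes
    ("eth2", "2001:db8:2::5", "2001:db8:ffff::80", "udp"),
    ("eth2", "2001:db8:1::10", "2001:db8:ffff::80", "udp"),      # eth1's prefix arriving on eth2
    ("eth3", "192.0.2.77", "203.0.113.80", "udp"),               # interface with no policy at all
]


def build_tables(allowed=ALLOWED_SOURCES):
    """Parse the prefix strings once into ip_network objects, per interface."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in allowed.items()}


def classify(iface, src, tables):
    """'pass' if src falls inside a prefix allowed on iface, 'spoofed' if it
    does not, 'unfiltered' if the interface has no policy (a gap to close)."""
    nets = tables.get(iface)
    if nets is None:
        return "unfiltered"
    addr = ipaddress.ip_address(src)
    # Version check first: an IPv4 address is never inside an IPv6 prefix.
    return "pass" if any(addr.version == n.version and addr in n for n in nets) else "spoofed"


def summarize(flows=SAMPLE_FLOWS, allowed=ALLOWED_SOURCES):
    """Count flows per (interface, address family, verdict) so the IPv6 share
    of spoofed traffic is visible, not hidden behind IPv4-only statistics."""
    tables = build_tables(allowed)
    counts = Counter()
    for iface, src, _dst, _proto in flows:
        family = f"IPv{ipaddress.ip_address(src).version}"
        counts[(iface, family, classify(iface, src, tables))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize().items()):
        print(key, n)
```

Two caveats matter in practice. A bot that picks its forged source from inside its own network's prefix passes this check, so prefix filtering has to be paired with per-destination rate monitoring and, above all, with fixing the device credentials that let the bot in. And an interface left without a policy (eth3 in the sample) is reported as "unfiltered" rather than silently passed, because an IPv6 deployment that copied only the IPv4 filters is precisely the gap this malware's sendV6() path would exploit.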

Figure 7. Reddit discussion on IPv6

This is the big deal of the moment and the challenge of the future; but let us move on to the interview that @unixfreaxjp of MalwareMustDie gave to Security Affairs a few hours ago.

First question:

Q. Do you think that Linux/IRCTelnet is more dangerous than Mirai?

A. Mirai is dangerous in its own way. With new DDoS attack functions, low awareness, and hard to fetch the sample. Also with AV that was not using MIRAI as the new name but sticks with an old name of malware… it is lowering the security alert response. So when it hit hard, people get surprised.

This Linux/IRCTelnet, if being ignored as per what happened in Mirai, can be a dangerous threat too. This is the first malware run in IRC cnc that is using telnet scanner to infect other IoT, and it is aiming IoT, due to the vulnerable vectors in that vector.

So, I don’t say Linux/IRCTelnet is more dangerous than Mirai. Each of them has its own dangerous vector; it will depend on us how to respond to handle this threat.

Second question:

Q. What are the capabilities of the “IP spoof option in IPv4 or IPv6”?

A. When an infected IoT device is performing an attack, for example via UDP6 or TCP6, Linux/IRCTelnet has an option to spoof the source IP of the attacker (its own IP) so as not to reveal the original IP in the generated packets used to flood the target.

And this spoofing, and also the attack, is supported on IPv6. This is important since there is no DDoS botnet that is coded and designed to hit services on IPv6 yet.

Third question:

Q. How do you know that the usable bots in this new botnet number about 3,500?

A. I show you a figure:

Fourth question:

Q. Do you think this malware is originally coded?

A. After further analysis comparing the overall reversed code to the historically detected ELF malware botnets, we found a very good match, which confirms that the source code used for this botnet is based on the root of the Aidra botnet. I was not so sure about this until I reversed the whole source code and compared the overall reversed code to the historically detected ELF malware botnet libraries. And I found a very good match, along with several modifications and an overhaul of the original Aidra code. Built on the old code of the legendary Aidra bot, with the new logic of Torlus/Gayfgt’s telnet scanner added and using Mirai’s leaked vulnerable IoT device login credentials, it is driving the high infection speed of Linux/IRCTelnet, so it can raise almost 3,500 bot clients within only 5 days from when its loader was first detected. Indeed, the spoofing and the IPv6 use were designed as the trademark of the Aidra botnet family, and making a new version of this botnet based on the recent vulnerable threat landscape is really inviting bad news. All of the reversed details stayed. I had reversed the malware BEFORE I even knew this fact. It is very surprising to see a new type of Aidra botnet in this era, and this botnet is really a redesigned and modified version of the old Aidra, a brand new threat landscape that we will face now.

This is the log of the IRC server; as you can see, 3486 “users” were connected at that time.

About the Author: Odisseus

Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing, and development.

(Security Affairs – IoT, Linux/IRCTelnet malware)


Edited by Pierluigi Paganini


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
