A newly observed Linux Trojan backdoor is actively targeting Internet of Things (IoT) devices and enjoying a very low detection rate, even on systems using the x86 architecture, researchers say.
As it turns out, the malware has managed to remain highly elusive because there are very few samples available for researchers to work with. The threat is targeting routers, DVRs, WebIP cameras, and other embedded Linux devices, which makes it difficult to fetch samples for analysis. Furthermore, the malware is also deleting itself from the infected devices to hinder detection and analysis.
Dubbed Linux/Mirai, the backdoor infects devices via the Linux system's SSH or Telnet accounts, because some of them use default passwords. After gaining shell access to the exposed device, the attacker would download and execute the malware, sometimes without parameters. During execution, the malware opens the /etc/watchdog file in read-write state and changes the work directory to the root directory.
The backdoor creates a PF_INET socket and opens UDP port 53 to reach the Google DNS server at 22.214.171.124 and establish a connection, MalwareMustDie! reveals. The threat also detects the outbound interface and opens a random TCP port by reusing the previously used socket. If the operation is successful, the malware closes the socket.
While analyzing the threat, researchers observed that it delays the launch of its nefarious operations to avoid early detection. Immediately after infection, the malware just waits, while making sure that the opened backdoor port is up and used. What’s more, while the malicious process is still running, the backdoor deletes itself from the infected device.
The networking process, however, continues, and the malware opens a PF_INET socket for TCP and starts listening for incoming connections. The main process exits but forks a new child process first. In some cases, the malware wouldn’t fork, meaning that the infection doesn’t take place. On devices where the forked process exists, however, the attacker can start issuing malicious commands.
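The two traits described above, a process that keeps running after its executable has been unlinked from disk and a listening TCP socket held by that process, are visible from /proc on any Linux host. The following is an added example (not code from the original article or from MalwareMustDie!) that hunts for exactly that combination: it parses the kernel's /proc/net/tcp table for sockets in LISTEN state, then reports any process whose /proc/<pid>/exe link ends in "(deleted)" and which owns one of those sockets. The /proc/net/tcp sample lines and the fake process table are constructed for illustration; `snapshot_live_procs()` reads the real /proc when run on a Linux device.

```python
"""Hunt for a running process whose binary was deleted but which still listens on TCP.

Added example; not code from the original article or from MalwareMustDie!.
SAMPLE_TCP and SAMPLE_PROCS below are constructed; snapshot_live_procs() reads the
real /proc on Linux (needs sufficient privilege to see other users' fd links)."""
import os
import re
from typing import Dict, Iterable, List, Tuple

LISTEN = "0A"  # state code the kernel uses for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(lines: Iterable[str]) -> Dict[int, Tuple[str, int]]:
    """Map socket inode -> (local IPv4, local port) for every LISTEN socket.
    /proc/net/tcp stores the address as little-endian hex, e.g. 0100007F:0016."""
    listening: Dict[int, Tuple[str, int]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 10 or parts[0] == "sl":
            continue  # header row or malformed line
        local, state, inode = parts[1], parts[3], int(parts[9])
        if state != LISTEN:
            continue
        hex_ip, hex_port = local.split(":")
        octets = [str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        listening[inode] = (".".join(octets), int(hex_port, 16))
    return listening


def find_deleted_listeners(procs: Dict[int, Dict[str, object]],
                           listening: Dict[int, Tuple[str, int]]) -> List[dict]:
    """procs: pid -> {"exe": readlink of /proc/<pid>/exe, "socket_inodes": set of inodes}.
    Flags processes whose on-disk binary is gone yet still hold a listening socket."""
    hits = []
    for pid, info in procs.items():
        exe = str(info["exe"])
        if not exe.endswith(" (deleted)"):
            continue
        for inode in info["socket_inodes"]:  # type: ignore[union-attr]
            if inode in listening:
                ip, port = listening[inode]
                hits.append({"pid": pid, "exe": exe, "listen": f"{ip}:{port}"})
    return hits


def snapshot_live_procs() -> Dict[int, Dict[str, object]]:
    """Build the procs structure from the real /proc (Linux only; unreadable pids skipped)."""
    procs: Dict[int, Dict[str, object]] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            inodes = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:
            continue  # kernel thread, exited process, or permission denied
        procs[pid] = {"exe": exe, "socket_inodes": inodes}
    return procs


# Constructed sample: telnetd on port 23, an unlinked binary listening on 46275,
# and an ESTABLISHED (not LISTEN) SSH connection that must be ignored.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:B4C3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 3003 1 0000000000000000 20 4 30 10 -1
""".splitlines()

SAMPLE_PROCS: Dict[int, Dict[str, object]] = {
    1: {"exe": "/sbin/init", "socket_inodes": set()},
    120: {"exe": "/usr/sbin/telnetd", "socket_inodes": {1001}},
    987: {"exe": "/tmp/.x (deleted)", "socket_inodes": {2002}},  # constructed suspect
}


def demo() -> List[dict]:
    return find_deleted_listeners(SAMPLE_PROCS, parse_proc_net_tcp(SAMPLE_TCP))


if __name__ == "__main__":
    print(demo())  # on a real device: find_deleted_listeners(snapshot_live_procs(), ...)
```

On a live box, pair `snapshot_live_procs()` with `parse_proc_net_tcp(open("/proc/net/tcp"))`; a hit is worth pulling `/proc/<pid>/exe` (still readable while the process lives) before the process exits, since the on-disk copy is already gone.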
The backdoor, researchers say, packs a telnet scanner function that allows it to find and infect other nodes with accessible telnetd.
The Trojan uses hardcoded usernames and passwords to brute-force discovered devices and, once it has gained shell access, it sends a “shell one-liner command to install malware.” The command, which is also hardcoded, instructs the malware to delete itself after infection, which, researchers say, fully explains why Mirai samples are so difficult to come by.
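The scanning and brute-forcing behaviour described in the two paragraphs above leaves a recognisable trace on the victim side: a burst of failed Telnet logins from one source, sometimes followed by a success. Here is an added detection example (not from the original article or MalwareMustDie!) that walks login log lines with a per-source sliding window and raises a medium alert when a source reaches the failure threshold, and a high alert if that same source then logs in successfully. The log format and the IP addresses are constructed for the example (RFC 5737 documentation ranges); adapt `LINE_RE` to whatever your telnetd or login daemon actually writes.

```python
"""Flag Telnet credential brute-forcing and brute-force-then-success from login logs.

Added example; not code from the original article or from MalwareMustDie!.
The "telnetd: login ..." line format and SAMPLE_LOG are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Iterable, List, Optional

# Constructed format: <ISO8601 UTC> telnetd: login failed|ok user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return a login event dict, or None for lines that are not login results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m["result"] == "ok", "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[dict]:
    """One medium alert per source reaching `threshold` failures inside `window_s`;
    one high alert for each later successful login from a source already flagged."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> recent failure times
    flagged = set()
    alerts: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if ev["ok"]:
            if src in flagged:
                alerts.append({"severity": "high", "src": src, "user": ev["user"],
                               "msg": "login succeeded after brute-force burst"})
            continue
        q.append(ts)
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            alerts.append({"severity": "medium", "src": src, "user": ev["user"],
                           "msg": f"{len(q)} failed logins within {window_s}s"})
    return alerts


# Constructed sample: one source bursts and then succeeds; another source only
# fails a few times, spread far enough apart that the window never fills.
SAMPLE_LOG = [
    "2016-09-01T10:00:01Z telnetd: login failed user=root src=192.0.2.10",
    "2016-09-01T10:00:02Z telnetd: login failed user=admin src=192.0.2.10",
    "2016-09-01T10:00:03Z telnetd: login failed user=root src=198.51.100.7",
    "2016-09-01T10:00:03Z telnetd: login failed user=root src=192.0.2.10",
    "2016-09-01T10:00:04Z telnetd: login failed user=admin src=192.0.2.10",
    "2016-09-01T10:00:04Z telnetd: login failed user=root src=198.51.100.7",
    "2016-09-01T10:00:05Z telnetd: login failed user=root src=192.0.2.10",
    "2016-09-01T10:00:05Z telnetd: session closed src=203.0.113.9",
    "2016-09-01T10:00:06Z telnetd: login ok user=root src=192.0.2.10",
    "2016-09-01T10:05:00Z telnetd: login failed user=root src=198.51.100.7",
]


def demo() -> List[dict]:
    return detect_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The flagged set is never aged out here, so a source stays "known bad" for the life of the run; in a long-running collector you would expire entries, and a high alert is the one that should page someone, since it matches the article's compromise sequence rather than mere noise.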
According to MalwareMustDie!, the backdoor is the next generation of BASHLITE, a botnet recently revealed to have infected millions of IoT devices. Mirai is designed to scan the Telnet service running on devices such as DVRs and WebIP cameras running BusyBox, other BusyBox-powered Linux IoT boxes, and unattended Linux servers, to recruit them into a botnet.
In fact, researchers say, the same actor using Bashlite (also known as Torlus or GayFgt) appears to be using this piece of malware too, given the same attack M.O., the involvement of hacktivism, and a similar coding style. However, they also note that the new threat might have only reused GayFgt/Torlus shared code and might not have been created by the same developer.