LuaBot Linux Botnet Is Written in Lua Language

Wednesday, September 07, 2016

Ionut Arghire


A newly discovered Linux botnet that was coded using the Lua programming language is targeting Internet of Things (IoT) devices in addition to Linux systems and servers, researchers warn.

Because it was written in Lua and because it recruits the infected machines into a botnet, the new threat is called Linux/LuaBot. Discovered by MalwareMustDie!, the botnet appears to have been created for launching distributed denial of service (DDoS) attacks, though its exact purpose is not yet known.

While analyzing the threat, the security researchers found multiple traces of the Lua language in the code, such as .lua source files, Lua runtime libraries, and some of the botnet commands used. The malware is packed as an ELF binary and targets ARM platforms, which suggests that IoT devices might be a main target. What is unknown at the moment, however, is how exactly the malware infects hosts.

During analysis, MalwareMustDie! discovered that LuaBot tries to increase the limit on open files and then forks itself into two new processes during startup. The main process is terminated after the first forked process is started. Just before forking, however, the malware sends a message and opens the file socket bound to the 203508 hard-coded mutex.

This new process will assign a PID and then fork its process one more time. This second forked process is the malware’s main process, which is bound to the file socket with the previously created mutex. This main process is responsible for the following activity: checks the active (file) sockets and network sockets, reads all processes and PIDs in /proc, checks the current user privileges, and checks the interface name and its IP.

The malware also assembles a BotID and writes it to stdout, and runs the test_domain() Lua function to load domains (google.com, facebook.com, baidu.com, amazon.com and wikipedia.org) to be looked up against specific DNS servers. The malware then connects to the command and control (C&C) server at 217.23.3.47 using port TCP/1085.

Initially, the bot sends an HTTP/1.1 GET request, to which the server replies with encrypted data. After decryption, the data was found to be a list of IPs that are “all nodes of AS4998 from 109.236.80.0/20, 217.23.0.0/20 and 93.190.140.0/22” and which belong to WorldStream.NL, a dedicated server hosting service in the Netherlands.

On the infected machines, the malware also changes the iptables (Linux firewall) settings, in addition to opening a backdoor and listening for all inbound network traffic on port TCP/11833. The analysis revealed what appears to be a botnet management protocol and some botnet monitoring functions in the code, along with another set of IP addresses, showing that the malware’s developers have been hard at work preparing the network infrastructure for the botnet.
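The two network indicators above (a listener on TCP/11833 and a connection to 217.23.3.47:1085) can be checked on a Linux host by parsing /proc/net/tcp. The following is an added example written for this article, not code from MalwareMustDie! or the report; the /proc/net/tcp excerpt in SAMPLE is constructed data, and the sshd entry in it is just an unrelated benign socket.

```python
import os
import socket
import struct
# Indicators reported in the article; the /proc/net/tcp excerpt further down is constructed sample data.
BACKDOOR_PORT = 11833            # backdoor listener on TCP/11833
C2_ADDR = ("217.23.3.47", 1085)  # C&C server on TCP/1085
TCP_ESTABLISHED, TCP_LISTEN = 0x01, 0x0A  # 'st' column values (kernel TCP_* enum)

def parse_addr(field):
    """Decode an 'AABBCCDD:PPPP' field into (dotted_ip, port). The kernel prints the
    IPv4 address in host byte order, so on little-endian hosts the bytes appear reversed."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Yield (local, remote, state, inode) per socket row, skipping the header line."""
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        yield parse_addr(f[1]), parse_addr(f[2]), int(f[3], 16), int(f[9])

def find_luabot_indicators(text):
    """Return (finding, address, socket_inode) for every socket matching an indicator."""
    findings = []
    for local, remote, state, inode in parse_proc_net_tcp(text):
        if state == TCP_LISTEN and local[1] == BACKDOOR_PORT:
            findings.append(("backdoor-listener", local, inode))
        elif state == TCP_ESTABLISHED and remote == C2_ADDR:
            findings.append(("c2-connection", remote, inode))
    return findings

def pid_for_inode(inode):
    """Map a socket inode to its owning PID via /proc/<pid>/fd (root needed for other users' processes)."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            if any(os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target
                   for fd in os.listdir("/proc/%s/fd" % pid)):
                return int(pid)
        except OSError:  # process exited or permission denied
            continue
    return None

# Constructed excerpt: an unrelated sshd listener, the backdoor listener, and a live C&C session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 1401A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18432 1 0000000000000000 100 0 0 10 0
   1: 00000000:2E39 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20193 1 0000000000000000 100 0 0 10 0
   2: 1401A8C0:B6A2 2F0317D9:043D 01 00000000:00000000 00:00000000 00000000     0        0 20201 1 0000000000000000 20 4 30 10 -1
"""
```

On a live host, pass the contents of /proc/net/tcp to find_luabot_indicators() and feed each returned inode to pid_for_inode() to identify the owning process; /proc/net/tcp6 is not covered by this parser.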

Code usually found in DNS query handling tools was also found in the malware, along with Lua resolver code for DNS queries, and the botnet appears able to send UDP packets to any desired destination, while also being capable of remote communication via an included telnet function. The malware also includes code that appears specifically targeted at Sucuri.

According to MalwareMustDie!, while there’s no solid proof that the botnet can be used for DDoS attacks, the code includes remote command line functions (cmdline and cmdline args), which suggests that attackers are able to perform various actions on the infected machines.

Related: Self-Spreading Linux Trojan Creates P2P Botnet

Related: Linux Trojan Brute Forces Routers to Install Backdoors

Related: Go-Based Linux Trojan Used for Cryptocurrency Mining

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
