Remaiten: a Linux bot targeting routers and IoT devices
ESET researchers actively detect trojans targeting embedded systems such as routers, gateways and wireless access points. Recently we discovered a new bot that combines the functionality of Tsunami (also known as Kaiten) and Gafgyt, and adds improvements and new features over both. This new threat is Linux/Remaiten. So far we have found three versions of Linux/Remaiten: 2.0, 2.1 and 2.2. According to the code, the author calls the trojan "KTN-Remastered" or "KTN-RM".
In this article we describe the unusual propagation mechanism of Linux/Remaiten, its new features, and the differences between the versions.
0x01 Improved propagation mechanism
The most prominent feature of Linux/Gafgyt is telnet scanning. During a telnet scan the trojan tries to connect to random IP addresses on TCP port 23. If the connection succeeds, it tries to guess the login credentials from a built-in username/password list. After a successful login, it issues shell commands to download bot executables for several architectures and tries to run each of them. This infection method is simple but noisy, because only the binary built for the device's own architecture will actually run.
Linux/Remaiten improves on this propagation mechanism by carrying downloaders. Each downloader is built for one CPU architecture commonly found in embedded Linux devices, such as ARM or MIPS. After logging in to a device over telnet, the trojan tries to determine the device's platform and transfers only the downloader for that platform. The downloader's task is to contact the C&C server and request the Linux/Remaiten bot binary for that platform; the bot binary is then run on the newly compromised device, creating a new bot for the attackers.
0x02 Technical analysis: the downloader
The Linux/Remaiten downloader is a small ELF executable embedded in the bot binary. When executed, it connects to the bot's C&C server and sends one of the following requests, followed by a newline:
mips
mipsel
armeabi
armebeabi
The C&C server responds with an ELF bot binary for the requested architecture. Note that the TCP port used to reach the C&C server here is different from the port the bot uses for its IRC server.
Figure 1-downloader requests a bot binary to CC
Figure 2-downloader connecting to CC
The downloader's only task is to send one of the commands above to the C&C server and write the response to stdout. In this sample, the command sent is mips.
Figure 3-downloader requests a mips-based bot to CC
0x03 Bot analysis
When executed, the bot runs in the background by default; when started with the "-d" argument it stays in the foreground. Once started, the process disguises itself under a legitimate-looking name such as "-bash" or "-sh". We observed that versions 2.0 and 2.1 use "-bash" and version 2.2 uses "-sh".
Figure 4-bot startup
Next, the create_daemon function creates a file named ".kpid" in one of a preset list of daemon directories (the first one that is writable) and writes the bot's PID to it.
Figure 5-daemon file directory
If a ".kpid" file already exists, the trojan process whose PID is stored in the file is killed. The file is then removed and a new ".kpid" is created for the current process.
Figure 6-tracking the creation of pid files
0x04 Connecting to the C&C server
A table of C&C server IP addresses is hard-coded in the bot binary. The bot randomly selects one address and connects to it on a hard-coded port; different variants use different ports.
Figure 7-bot connection to a CC Server
If the connection succeeds, the bot joins the IRC channel. The C&C responds with a welcome message and subsequent instructions, which the bot parses and executes on the infected device.
Figure 8. Welcome Message returned by CC to bot
0x05 Handling IRC commands
The bot handles a variety of generic IRC commands. The commands and their handler functions are listed in arrays.
Figure 9-IRC command
The most interesting is the "PRIVMSG" command, through which the bot is instructed to perform malicious operations such as flooding, downloading files and telnet scanning. The commands sent via "PRIVMSG" are also stored in a static array.
Figure 10-available bot commands
Most of these functions come from Linux/Tsunami and Linux/Gafgyt. The following strings in the binary relate to the malicious behaviours; their descriptions reveal what each command does.
Figure 11-flooding
Figure 12-Telnet scan, download files, and kill other bots
0x06 Built-in downloaders
As mentioned earlier, a distinguishing feature of Linux/Remaiten is that it carries several small downloaders. If one of them matches the architecture of the victim device, the trojan transfers that downloader to the device. When run, the downloader contacts the C&C to request a bot binary.
Figure 13-built-in Payload
Figure 14-payload Structure
0x07 Telnet scanner
Figure 15-guess the telnet logon credential
The Remaiten telnet scanner starts when the C&C sends the "QTELNET" command. Our analysis found that the description the trojan author gives for this command is accurate: the scanner is indeed an enhanced version of the Gafgyt telnet scanner.
The telnet scan proceeds in stages:
1. Select a random public IP address and connect to it on port 23.
2. Try username/password combinations from the built-in list.
3. Determine the architecture of the victim device.
4. Send and execute the matching downloader.
The trojan determines the device architecture by executing "cat $SHELL" and parsing the result. The SHELL environment variable holds the path of the executable currently used as the command interpreter. If that file is an ELF executable, its header is parsed to determine the architecture.
Figure 16-determine the affected platform and check whether there is a downloader suitable for the Platform
Figure 17-some functions responsible for parsing ELF Headers
The bot then selects the appropriate payload and sends it to the newly compromised device.
Figure 18-function responsible for selecting a payload Based on the device Architecture
The first step is to find a writable directory; Linux/Remaiten has a table of commonly writable paths.
Figure 19-downloader storage directory
Several empty executable files are created: ".t", "retrieve" and "binary". The "retrieve" file will hold the downloader, and "binary" the bot requested from the C&C server. The ".t" file does not appear to have been used before version 2.2.
Figure 20-Prepare to transfer and execute a payload
Linux/Remaiten uses an odd method to create an empty executable file: it copies the busybox binary (present on most embedded devices) and then truncates the copy with the "> file" shell redirection.
The downloader is transferred over telnet using the echo command, with each byte encoded as a hexadecimal "\x" escape, in order. We have seen this technique used before by trojans that spread on embedded Linux devices, such as Linux/Moose.
Figure 21-transfer hexstring with echo
Once the transfer is complete, the downloader is executed to retrieve the full Linux/Remaiten payload: it requests a bot binary from the C&C and writes it to standard output, which the deployment command redirects into the "binary" file. Finally, "binary" is executed, activating the new IRC bot.
Figure 22-run downloader and bot
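The two checks described above, reassembling a hex-escaped echo transfer and reading the ELF header the way the "cat $SHELL" step does, as an added triage example that is not ESET's code or the bot's own; the session transcript, the echo flags and the file names are constructed for illustration:

```python
import re
import struct

# Constructed telnet session in the style described above (assumed echo flags).
# The real transfer carries a whole ELF; this one only carries the first 20
# header bytes of a big-endian MIPS executable.
SESSION = [
    "cd /tmp; cp /bin/busybox retrieve; >retrieve",
    'echo -ne "\\x7f\\x45\\x4c\\x46\\x01\\x02\\x01\\x00" >> retrieve',
    'echo -ne "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" >> retrieve',
    'echo -ne "\\x00\\x02\\x00\\x08" >> retrieve',
    "./retrieve > binary; chmod +x binary; ./binary",
]

# One echo command appending a run of \xNN escapes to a target file.
ECHO_RE = re.compile(r'echo\s+(?:-\w+\s+)?"((?:\\x[0-9a-fA-F]{2})+)"\s*>>\s*(\S+)')

# e_machine plus byte order, mapped to the names the downloader sends to the C&C.
ARCH_NAMES = {(8, ">"): "mips", (8, "<"): "mipsel",
              (40, "<"): "armeabi", (40, ">"): "armebeabi"}


def reassemble(lines):
    """Concatenate the hex-escaped echo payloads per target file, in order."""
    files = {}
    for line in lines:
        m = ECHO_RE.search(line)
        if m:
            chunk = bytes.fromhex(m.group(1).replace("\\x", ""))
            files.setdefault(m.group(2), bytearray()).extend(chunk)
    return {name: bytes(buf) for name, buf in files.items()}


def elf_arch(data):
    """Return the downloader-style architecture name for an ELF image, or None."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = {1: "<", 2: ">"}.get(data[5])        # EI_DATA: 1 = LSB, 2 = MSB
    if endian is None:
        return None
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    return ARCH_NAMES.get((e_machine, endian), "unknown(%d)" % e_machine)


def transferred_elfs(lines):
    """Map each file written by echo transfers in a session to its architecture."""
    return {name: elf_arch(data) for name, data in reassemble(lines).items()}


if __name__ == "__main__":
    print(transferred_elfs(SESSION))   # {'retrieve': 'mips'}
```

Run over a real captured session the same functions recover the dropped file and tell you which architecture's downloader was pushed, which is also the information needed to pick the right bot sample for further analysis.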
0x08 Reporting status to the C&C
Before resuming the telnet scan, the bot reports its progress to the C&C server: the new device's IP address, the working username/password, and whether it managed to infect the device. Presumably this lets the botnet operator infect devices manually when the automatic infection fails, or collect data about unsupported architectures.
Figure 23-notify CC server bot deployment status
0x09 Killing other bots
Another interesting command is "KILLBOTS". When it is issued, the bot enumerates the running processes and decides whether to ignore or kill each one based on certain criteria, mainly the process name. Different versions of the bot use different process name lists.
Figure 24-name of the process to be killed
Figure 25-process name to be ignored
Linux/Remaiten only kills processes that were started from an interactive shell, judged by the process's tty device number. The trojan also reports to the C&C server which processes were killed, presumably so the process whitelist and blacklist can be refined.
Figure 26-bot killing Process
0x0A Linux/Remaiten change log
The bot client differs slightly between versions, for example in the process whitelist and blacklist and in the downloader directory. We have reason to suspect that builds can also differ without the version number changing: in the bots we analysed the downloader binary was identical, but the C&C IP address and port differed.
Like Gafgyt, v2.2 still executes wget/tftp commands to download a shell script, which in turn downloads the bot binary. The propagation code tries this method first, before transferring the downloader.
Figure 27-notify CC to deploy a bot through wget/tftp
The shell script is served by another server, which also distributes the Gafgyt bot.
Figure 28-shell script published by another server
Judging from the al.sh file, this is the first time we have seen bots for platforms such as PowerPC and SuperH. Although cross-compilation tools are available, we were surprised to see this, since the attackers may run into problems building their trojans for these platforms. We do not know which devices running PowerPC or SuperH are targeted.
Figure 29-bot downloaded by shell script
Figure 30-start of shell script
The C&C server used by version 2.0 sends an unexpected welcome message that references a MalwareMustDie blog.
Figure 31-2.0 CC references the MalwareMustDie blog
Perhaps this is retaliation for MalwareMustDie's exposure of trojans such as Gafgyt.