Malware Targeting Cable Modems

LuaBot, a malware family targeting Linux platforms, has been quite active over the last few months and is spreading across multiple attack vectors. It potentially also targets IoT devices and web servers, turning infected systems into bots within a larger botnet controlled by a perpetrator.

LuaBot Malware

According to some reports, this malware is used as part of a larger cybercrime scheme, in which remote attackers exploit target devices in order to dump device configurations and certificates.

According to Bernardo of the wootsec blog, some users have also reported the certificates being sold for bitcoins to modem ‘cloners’ all around the world. According to Malware Must Die, LuaBot is also used for multiple DDoS attacks.

Last year, in mid-2015, Bernardo disclosed vulnerabilities affecting multiple ARRIS cable modems. His blog details his cable modem research and the ARRIS nested backdoor.

According to the analysis, one of the platforms the malware targets is Puma 5 (ARM/Big Endian) cable modems, including the ARRIS TG862 family.

The infection happens in multiple phases, and the dropper is very similar to many common worms (router exploits) that target embedded devices across multiple architectures.

The final stage is an ARMEB version of the LuaBot malware, which was researched further on the Malware Must Die blog. This specific ARMEB build was unknown and undetected when reported. The detection rate is now relatively high according to VirusTotal.

History of the malware

The malware is written in the Lua programming language (version 5.3.0). Lua is a lightweight multi-paradigm programming language which is cross-platform since it is written in ANSI C. It is designed primarily for embedded systems.

Initially, no malicious behaviour was identified in LuaBot beyond adding devices to a botnet. Later, one of its modules was found to allow the Trojan to perform an L7 DDoS attack.

Research on this Trojan revealed that the bot communicates with a C2 server hosted in Europe (Netherlands). The analysis also showed that the malware allows an attacker to use routers as proxies in order to relay malicious traffic.

In a post, Malware Must Die wrote: “There is plenty new ELF malware coming & lurking our network recently & hitting out Linux layer IoT and services badly”. This calls for attention from security professionals across the globe who manage Linux-based assets.

Recently, Sucuri also disclosed vulnerabilities in home automation routers (IoT) that were exploited to launch an application-level DDoS attack. The Strider cyber-espionage group disclosed by Symantec last month also had modules written in Lua.

Exploit and Infection

As discussed above, this malware is part of a larger botnet scheme. In his analysis, Bernardo observed that most of the cable modems were compromised by a command injection in the restricted command-line interface (CLI) accessible via the ARRIS Password of the Day backdoor.

According to Bernardo, Telnet honeypots such as nothink.org have been logging these types of exploit attempts for some time. Many attempts at brute-forcing the username “system” and the password “ping : sh” have been logged, but they are in fact commands used to escape from the restricted ARRIS telnet shell.
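One way to separate such entries from ordinary password guessing in honeypot logs, added here as an example (it is not code from the researcher or from nothink.org). The log format, field names and source addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed honeypot log lines (format and addresses are assumptions for this example).
SAMPLE_LOG = """\
2016-10-03T11:02:14Z src=198.51.100.23 user="system" pass="ping : sh"
2016-10-03T11:02:19Z src=198.51.100.23 user="admin" pass="admin"
2016-10-03T11:05:41Z src=203.0.113.77 user="root" pass="12345"
2016-10-03T11:09:03Z src=192.0.2.10 user="system" pass="ping ; sh"
2016-10-03T11:09:30Z src=203.0.113.77 user="support" pass="support"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)"$')
SHELL_META = re.compile(r'[;|&`]|\$\(')          # command separators and substitution
SHELL_WORDS = {"sh", "ash", "bash", "busybox", "/bin/sh"}

def command_like(field):
    """Return the reasons a login field looks like shell input rather than a credential."""
    reasons = []
    if SHELL_META.search(field):
        reasons.append("shell metacharacter")
    # A multi-word field that names a shell is a command line, not a password guess.
    tokens = re.split(r'[\s;|&:]+', field)
    if len(tokens) > 1 and SHELL_WORDS.intersection(tokens):
        reasons.append("shell interpreter token")
    return reasons

def find_escape_attempts(log_text):
    """Group command-like login attempts by source address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        for name in ("user", "pw"):
            reasons = command_like(m[name])
            if reasons:
                hits[m["src"]].append((m["ts"], m["user"], m["pw"], reasons))
                break  # one record per log line is enough
    return dict(hits)

if __name__ == "__main__":
    for src, events in find_escape_attempts(SAMPLE_LOG).items():
        for ts, user, pw, reasons in events:
            print(f"{ts} {src} user={user!r} pass={pw!r}: {', '.join(reasons)}")
```

Sources flagged this way are attempting the restricted-shell escape rather than guessing credentials, so they are better candidates for blocklists and for correlation with the IOCs listed below than generic brute-force sources.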

The researcher carried out a detailed reverse engineering of the malware, which can be found on his blog.

The malware is not complex enough to include any persistence mechanism for surviving reboots. That is, it does not try to reflash the firmware or modify a volatile partition of the device, such as NVRAM.

In its first-stage payload, the malware restricts remote access to the device using custom iptables rules. This is an interesting approach: the attackers can quickly masscan the Internet, block external access to those smart home IoT devices, and then selectively infect them with the final-stage payload, a 716KB ARMEB ELF binary that is statically linked, stripped and compiled using the Puma5 toolchain. The malware’s final stage is also available in the researcher’s cross-utils repository.

Indicators of Compromise (IOC):

The following indicators of compromise (IOCs) were shared by the researcher:

LuaBot ARMEB Binaries:

  • drop (5deb17c660de9d449675ab32048756ed)
  • .nttpd (c867d00e4ed65a4ae91ee65ee00271c7)
  • .sox (4b8c0ec8b36c6bf679b3afcc6f54442a)
  • .sox.rslv (889100a188a42369fd93e7010f7c654b)
  • .arm_puma5 (061b03f8911c41ad18f417223840bce0)

GCC Toolchains:

  • GCC: (Buildroot 2015.02-git-00879-g9ff11e0) 4.8.4
  • GCC: (GNU) 4.2.0 TI-Puma5 20100224

Dropper and CnC IPs:

  • 148.18.122
  • 87.205.92

IP Ranges whitelisted by the Attacker:

  • 148.18.0/24
  • 56.30.0/24
  • 79.182.0/24
  • 114.135.0/24
  • 213.143.0/24
  • 53.8.0/24

Securing devices

Figure 1 Shodan results 2015

In late 2015, there were over 600,000 vulnerable ARRIS devices exposed on the Internet, and 490,000 of them had telnet services enabled (Figure 1).

Running the same query this month (October 2016) shows that the number of exposed devices has dropped to approximately 42,756 (Figure 2).

Figure 2 Shodan results 2015

Media coverage and security bulletins certainly contributed to this reduction, but a large percentage of the systems and devices are expected to be still infected, with external access restricted by some form of malware.

Proprietary backdoors, the lack of proper patch management practices and firmware updates, and the ease of crafting exploits make these Linux devices an easy target for online criminals.

Securing IoT devices is one of the most important items on the to-do list for security consultants managing Linux-based smart devices across brands. Data processing in smart appliances and devices can take place in multiple ways, ranging from locally (on the device) to remotely, with information being sent to a point of presence (such as mobiles, tablets, etc.).

Once the data is sent to another device, it can be scrutinized and replaced by either another device or a human being. Manufacturers therefore have to start building security and privacy into their devices and proactively ship firmware updates to them.

Information collected by smart device sensors which are connected to the cloud or other smart devices can yield a tremendous amount of data which further can be combined, analyzed and acted upon, all potentially without adequate accountability, transparency, security or meaningful consent.

Customers also have an important role to play by periodically patching and securing their devices.
