Malware Targeting Cable Modems

LuaBot – a malware targeting Linux platforms was quite active in last few months is trying to spread its wings transcending multiple attack vectors. It potentially also targets IoT devices and web servers turning these infected systems into bots within a larger botnet controlled by a perpetrator.

LuaBot Malware
LuaBot Malware

As per some reports this malware is used as a part of the larger cyber crime scheme. This includes remote attackers exploiting the target devices in order to dump the device configurations and certificates.

As per Bernardo from wootsec blogs, some users also have reported the certificates being sold for bitcoins to modern ‘cloners’ all around the world. As per Malware Must Die, LuaBot is also used for multiple DDoS attacks.

Last year during mid-2015 Bernardo disclosed some cyber vulnerabilities, which affected multiple ARRIS cable modems. In his blog, he has detailed his research about cable modems and the ARRIS nested backdoor.


The malware that we are discussing here targets cable modems which belong to the Puma 5 Big Endian/ARM class.

These cable modems include the famous family of ARRIS TG862 as well.

Hackers use multiple stages to infect different devices.

And the dropper that they use is extremely similar to the one that many other common worms use as well.

Most of the time the dropper takes advantage of the various router exploits.

The dropper achieves that by targeting embedded devices that come from various and usually multiple architectures.

There is also a final stage.

And this stage makes use of the ARMEB variant of the well-known LuaBot Malware.

This was further researched in a blog Malware Must Die. This specific ARMEB was unknown and undetected when reported. Now the detection rate is relatively high as per VirusTotal.

History of the related malware

Hackers use Lua(which is a programming language) to write the malware in question.

More specifically, they usually use the 5.3.0 version of Lua to write their malware.

What is Lua?

Wikipedia says that Lua is another one of those lightweight and inherently multi-paradigm computer programming languages.

It also has some useful cross-platform features because of the fact that Lua is actually written in the well-known ANSI C standard.

Lua is also designed mainly for various embedded systems.

Initially, for LuaBot there was no malicious detection besides adding devices to a botnet. Later it was identified that one of the modules allowed Trojan to perform an L7 DDoS attack.

As per the research carried on this Trojan, it was revealed that the bot communicates with a C2 server hosted in Europe (Netherlands). The analysis also revealed that this malware allows an attacker to use routers as proxies in order to relay malicious traffic.

In a post by Malware Must Die, they mentioned that they had identified a large number of ELF malware directly coming and lurking around their networks.

All of these malware tried to hit their Linux layer Internet of Things and services in a negative manner.


This calls for attention from security professionals across the globe who are managing assets with Linux as a platform.

Recently, Sucuri also disclosed vulnerabilities in home automation router (IOT) that were exploited to launch an application level DDoS attack. The strider cyber espionage group disclosed by Symantec last month also had modules written in Lua.

Exploit and Infection

As we discussed above, this malware is a part of the bigger cyber scheme botnet. As per the analysis carried by Bernardo, he observed most of the cable modems were compromised by a command injection in the restricted command line (CLI) accessible via the ARRIS Password of The Day Backdoor.

As per Bernardo, Telnet honeypots such as have been logging these type of exploit attempts from some time. Many attempts of brute forcing the username “system” and the password “ping : sh”, have been logged but they are, in fact, commands used to escape from the restricted ARRIS telnet shell.

The researcher carried detailed reverse engineering of the related malware which can be found on his blog.

It was identified that the malware isn’t that complex to have any persistence mechanisms for surviving reboots. That is, it wouldn’t try to reflash the firmware or modify a volatile partition of the device such as NVRAM for example.

The malware has multiple stages.

In the first stage, it uses a payload.

This payload restricts remote access to the devices that use custom IP tables rules.

And researchers agree that this is considered as one of the more interesting approaches which can with little or no delay mass scan the internet.

It can and does block external access to the various smart home IoT devices as well.

Then it can selectively infect these devices by utilizing its final stage payload, which is a 716KB ARMEB ELF binary, statically linked, stripped and compiled using the Puma5 toolchain. The malware’s final stage is also available at researcher’s cross-utils repository.

Securing devices

Figure 1 Shodan results 2015
Figure 1 Shodan results 2015

In late 2015, various media reports said that they had discovered more than 600,000 insecure and vulnerable ARRIS devices.

And all of these devices were operating in an exposed environment on the internet.

Moreover, about 490,000 of these exposed ARRIS devices had their telnet services features enabled by default.

We can also search for a similar query on a per this month basis (October/2016) and we should have no problems in observing that the number of devices exposed came down to around 42,756 (Figure 2).

Figure 2 Shodan results 2015
Figure 2 Shodan results from 2015

Definitely, a couple of media coverage and cyber bulletins contribute to the above list, but a large percentage of the systems and devices are expected to be still infected and have external access restricted by some form of malware.

Most of these exposed devices use proprietary Backdoors and if we couple that with the lack of proper patch management practices and the ease to craft, and firmware updates, crafting exploits make the Linux devices an easy target for all types of online hackers.

Securing IoT devices is one of the most important factors driving the to-do for security consultants managing smart devices across brands supporting Linux. Since we understand the data processing in Smart appliances and devices can take place in multiple ways ranging from locally (on the device), to, remotely, with information being sent to the point of presence (such as mobiles, tabs etc.).

Once the data is sent to another device, it can be scrutinized and replaced by either another device or a human being. Manufacturers thus, have to commence building security and privacy for the devices and proactively ship updated to the devices and firmware.

Smart device sensors can collect information because they are connected, via the internet, to the cloud.

Moreover, other smart devices can also ome in and yeild an impressive amount of user data.

All of this means that hackers, potentially, can combine, analyze and then act upon what they come up with using the collected data.

And of course, they can do so without any hint of adequate accountability.

If things go in this direction then security, transparency and any form of meaningful consent also go out of the picture.

Thus, customers also have an important role to play with keeping their devices patched and secured periodically.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.