xxd sample | head |
upx -d sample |
Deletes previous files named /usr/networkstmp and /usr/networks and writes new files with these names, these are copies of itself to persist |
The stored ELF file is chosen depending on the target architecture (determined on execution) and the different headers for the different architectures can be found embedded in the source:
Pesistence is achieved by downloading the payload using HTTP from a remote address requests and storing the output in several scripts and every script attempt to spawn the binary in /usr/networks. In this fragment it can be spotted performing an HTTP request and storing data to a file.
To ensure that the system is not easily accessible it drops connections to known ports (SSH, TELNET) and 2323 is used by some devices for TELNET as an alternative to 23:
run_bash_command((int)"iptables -I INPUT -p tcp --destination-port 22 -j DROP");
run_bash_command((int)"iptables -I INPUT -p tcp --destination-port 23 -j DROP");
run_bash_command((int)"iptables -I INPUT -p tcp --destination-port 2323 -j DROP");
run_bash_command((int)"iptables -I OUTPUT -p tcp --source-port 22 -j DROP");
run_bash_command((int)"iptables -I OUTPUT -p tcp --source-port 23 -j DROP");
run_bash_command((int)"iptables -I OUTPUT -p tcp --source-port 2323 -j DROP");
A characteristic one is the following one named S95Baby stored in /etc/init.d/S95baby.sh:
Loads the lists of users and passwords for bruteforce attacks:
Attacks against vulnerable devices using the realtek SDK
https://www.exploit-db.com/exploits/37169/
Commands:
[ss] – Bot role
[ssx] – enable/disable tag [ss]
[cpu] – CPU architecture
[cpux] – enable/disable tag [cpu]
[nd] – new DHT node
[hp] – DHT node hash prefix
[atk] – DDoS attack type
[ver] – Value in V section in DHT protocol
[sv] – Update config
[ud] – Update bot
[dr] – Download and execute payload from the specified URL
[rn] – Execute the specified command
[dip] – ip:port to download Mozi bot
[idp] – report bot
[count] – URL that used to report bot