{"id":11245,"date":"2018-01-25T20:41:20","date_gmt":"2018-01-26T04:41:20","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/01\/25\/news-5016\/"},"modified":"2018-01-25T20:41:20","modified_gmt":"2018-01-26T04:41:20","slug":"news-5016","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/01\/25\/news-5016\/","title":{"rendered":"IoT Botnet: More Targets in Okiru's Cross-hairs"},"content":{"rendered":"

Credit to Author: Rommel Joven & David Maciejak| Date: Thu, 25 Jan 2018 19:05:59 +0000<\/strong><\/p>\n

\n

\"\"<\/p>\n

Recently, security researcher @unixfreaxjp<\/a> discovered<\/a> a new variant of the Okiru botnet, which includes an ELF malware that targets the ARC CPU architecture. This was a significant discovery since ARC or Argonaut RISC Core<\/a> processors are widely used for System on a Chip (SoC) in IoT devices, and are currently being dispatched in more than 1.5 billion products per year. Arc processors are also the second most popular CPU in the world, and have been licensed by more than 190 companies<\/a>. The sheer number of potential targets makes this botnet variant more dangerous than ever, and could potentially cause the same degree of havoc as occurred with the DNS service provider Dyn.<\/p>\n

The first Okiru sample appeared around October 2017, and FortiGuard Labs<\/a> created a write up<\/a> of its development last December, which included worm capabilities and the embedding of two different exploits. As a follow up, we will now share our findings on the latest Okiru variant that targets ARC processors.<\/p>\n

Let’s get right to it.<\/p>\n

Okiru ARC<\/h1>\n

ARC sample: 2356c1d64995ee825c728957f7428543101c3271ac46e78ce2c98278a4480e4d<\/em><\/p>\n

During our analysis of the Okiru sample, we found it had ELF files embedded in its code. To dump the embedded files we created an IDA python script and searched the magic string “7F 45 4C 46” (ELF). With this we were able to uncover 11 files with different architectures.<\/p>\n

\"\"<\/p>\n

Fig 1. Ida Output Window<\/p>\n

Upon analysis of the dumped file we determined that these executables function as downloaders. This means that Okiru has the capability to infect a wide range of IOT devices as long as they’re supported by the architecture of its downloaders.<\/p>\n

So are these embedded downloaders new? Well, no.<\/p>\n

To explain, let’s take a look at another Okiru sample, which was seen October 31, 2017:<\/p>\n

Intel x86 sample: e5fc493874f2a49e1a1594f3ee2254fa30e6dd69c6f24d24a08a562f03b2fd26 <\/em><\/p>\n

This sample has the same embedded ELF downloaders as the Okiru ARC. Also, the code includes a function for checking the architecture, as shown below. The most interesting elemet is the last one, where e_machine<\/a> is compared to 93, which<\/em> is the ARC International ARCompact processor.<\/p>\n

\"\"<\/p>\n

Fig 2. Targeted Architecture<\/p>\n

 <\/p>\n

Even though the ARC Okiru was only seen recently, based on the sample from last October it is clear that Okiru has been checking for ARC devices for some time. This suggests that even though it wasn’t supported at that time, it was already on Okiru’s cross-hairs.<\/p>\n

Downloaders<\/h1>\n

Having dumped the 11 downloader files from Okiru, we focused our analysis on the Intel x86 sample. The pseudocode of the downloader is quite straight-forward, starting by connecting to its C&C 37.48.99.233 at port 5543. Interestingly, the port used is not a reserved port and could be beneficial for bypassing firewall rules if not properly configured.<\/p>\n

\"\"<\/p>\n

Fig 3. Downloader Pseudocode<\/p>\n

The data being sent to its C&C is a hardcoded_value <\/em>that corresponds to the device’s architecture (see table 1). During our analysis, the C&C was already down and had no response. But reading the code we can see that the C&C responds with some data, which we suspect is the main payload with the correct architecture, and afterwards, this data is written locally to the device.<\/p>\n

The following are the supported architectures for the payload (as of now.)<\/p>\n

\"\"
Table 1. Architecture with the hardcoded values<\/p>\n

Conclusion<\/h1>\n

By actively adding support for other architectures, Okiru has created a leverage to its other Mirai-based botnets. And with majority of IoT devices still using default and\/or predictable passwords, only time will tell on the number of botnets that Okiru will be able to control.<\/p>\n

FortiGuard Labs will continue to monitor the latest threats and developments in IoT and share interesting findings.<\/p>\n

We thank our teammates Jasper Manuel and Dario Durando for the additional analysis.<\/em><\/p>\n

 <\/p>\n

-= FortiGuard Lion Team =-<\/p>\n

 <\/p>\n

IOC<\/strong><\/p>\n

e5fc493874f2a49e1a1594f3ee2254fa30e6dd69c6f24d24a08a562f03b2fd26 – ELF\/Mirai.AO!tr<\/em><\/p>\n

2356c1d64995ee825c728957f7428543101c3271ac46e78ce2c98278a4480e4d – Linux\/Mirai.Y!tr.bdr<\/em><\/p>\n

CC<\/em><\/strong><\/p>\n

37.48.99.233<\/em><\/p>\n

Sign up for our weekly FortiGuard <\/em>intel briefs<\/em><\/a> or<\/em> to be a part of our <\/em>open beta<\/em><\/a> of Fortinet’s FortiGuard Threat Intelligence Service.<\/em><\/p>\n<\/div
https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Rommel Joven & David Maciejak| Date: Thu, 25 Jan 2018 19:05:59 +0000<\/strong><\/p>\n

The first Okiru sample appeared around October 2017 ,and FortiGuard Labs created a write up of its development last December, which included worm capabilities and the embedding of two different exploits. As a follow up, we will now share our findings on the latest Okiru variant that targets ARC processors.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-11245","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11245","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11245"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11245\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11245"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}