A newly discovered Linux botnet that was coded using the Lua programming language is targeting Internet of Things (IoT) devices in addition to Linux systems and servers, researchers warn.
Because it was written in Lua and because it recruits the infected machines in a botnet, the new threat is called Linux/LuaBot. Discovered by MalwareMustDie!, the botnet appears to be created for launching distributed denial of service (DDoS) attacks, though its exact purpose is yet unknown.
While analyzing the threat, the security researchers found multiple traces of the Lua language in the code, such as .lua source files, Lua runtime libraries, and some of the botnet commands used. The malware is packed as an ELF binary and targets ARM platforms, which suggests that IoT devices might be a main target. What is unknown at the moment, however, is how exactly the malware infects hosts.
During analysis, MalwareMustDie! discovered that LuaBot tries to raise the limit on open files and then forks itself into two new processes during startup. The main process is terminated after the first forked process is started. Just before forking, however, the malware sends a message and opens the file socket bound to the hard-coded 203508 mutex.
This new process is assigned a PID and then forks one more time. This second forked process is the malware's main process, which is bound to the file socket with the previously created mutex. This main process is responsible for the following activity: it checks the active (file) sockets and network sockets, reads all processes and PIDs in /proc, checks the current user's privileges, and checks the interface name and its IP.
The malware also assembles a BotID and writes it to stdout, and runs the test_domain() Lua function to load domains (google.com, facebook.com, baidu.com, amazon.com and wikipedia.org) to be looked up via specific DNS servers. The malware then connects to the command and control (C&C) server at 220.127.116.11 on port TCP/1085.
Initially, the bot sends an HTTP/1.1 GET command, to which the server replies with encrypted data. After decryption, the data was found to be a list of IPs that are "all nodes of AS4998 from 18.104.22.168/20, 22.214.171.124/20 and 126.96.36.199/22" and which belong to WorldStream.NL, a dedicated server hosting service in the Netherlands.
On the infected machines, the malware also changes the iptables (Linux firewall) settings, in addition to opening a backdoor and listening for all inbound network traffic on port TCP/11833. The analysis revealed what appears to be a botnet management protocol and some botnet monitoring functions in the code, along with another set of IP addresses, showing that the malware's developers have been hard at work preparing the network infrastructure for the botnet.
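Two of the network indicators reported above are easy to check for on a Linux host without any special tooling: an unexpected listener on TCP/11833 and an established connection to 220.127.116.11:1085. The script below is an added example, not code from the article or from MalwareMustDie!; it parses the kernel's /proc/net/tcp table (local and remote addresses are printed as hex words in host byte order, so the decoding assumes a little-endian host such as x86 or most ARM) and flags both indicators. The sample table embedded in the block is constructed for the example, as is the 10.0.0.10 local address, and the inode-to-PID helper is the usual way to attribute a socket to a process via /proc/<pid>/fd.

```python
import os
import socket
import struct

# Indicators taken from the article's description of Linux/LuaBot.
CNC_ADDR = ("220.127.116.11", 1085)   # C&C server and port TCP/1085
BACKDOOR_PORT = 11833                  # backdoor listener on TCP/11833

# Socket states as printed in the "st" column of /proc/net/tcp.
STATE_ESTABLISHED = "01"
STATE_LISTEN = "0A"


def parse_proc_net_tcp_addr(field):
    """Decode a '/proc/net/tcp' address field such as '0100007F:0277'
    into ('127.0.0.1', 631). The IP is a 32-bit word in host byte order;
    this assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def find_luabot_indicators(proc_net_tcp_text):
    """Return a list of (indicator, endpoint description, socket inode)
    tuples for every row of a /proc/net/tcp table that matches the
    backdoor listener or the C&C connection."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = parse_proc_net_tcp_addr(fields[1])
        remote_ip, remote_port = parse_proc_net_tcp_addr(fields[2])
        state, inode = fields[3], fields[9]
        if state == STATE_LISTEN and local_port == BACKDOOR_PORT:
            findings.append(("backdoor_listener", f"{local_ip}:{local_port}", inode))
        if state == STATE_ESTABLISHED and (remote_ip, remote_port) == CNC_ADDR:
            findings.append(("cnc_connection",
                             f"{local_ip}:{local_port}->{remote_ip}:{remote_port}", inode))
    return findings


def pids_holding_socket(inode):
    """Map a socket inode to the PIDs whose fd table references it by
    scanning /proc/<pid>/fd symlinks (needs root to see other users' fds)."""
    target = f"socket:[{inode}]"
    owners = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(f"{fd_dir}/{fd}") == target:
                    owners.append(int(pid))
                    break
        except OSError:            # process exited or permission denied
            continue
    return owners


# Constructed sample table: an SSH listener, a listener on 11833 and an
# established connection from 10.0.0.10:46018 to the reported C&C address.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18203 1 0000000000000000 100 0 0 10 0
   1: 00000000:2E39 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22114 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:B3C2 0B747FDC:043D 01 00000000:00000000 00:00000000 00000000     0        0 22131 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP      # not on Linux: fall back to the sample
    for indicator, endpoint, inode in find_luabot_indicators(table):
        print(indicator, endpoint, "inode", inode, "pids", pids_holding_socket(inode))
```

Only IPv4 is covered here; /proc/net/tcp6 uses the same layout with 128-bit hex addresses and would need a separate decoder. Because the malware also rewrites iptables rules, a listener that `find_luabot_indicators` reports should be cross-checked against `iptables-save` output rather than assumed reachable or unreachable from the network.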
Code usually found in DNS query handling tools was also found in the malware, along with Lua resolver code for DNS queries, and the botnet appears able to send UDP packets to any desired destination, while also being capable of remote communication via an included telnet function. The malware also includes code that appears specifically targeted at Sucuri.
According to MalwareMustDie!, while there’s no solid proof that the botnet can be used for DDoS attacks, the code includes remote command line functions (cmdline and cmdline args), which suggests that attackers are able to perform various actions on the infected machines.