Tuesday, September 6, 2016

LuaBot First Botnet Malware To Target Linux Platforms

LuaBot First Botnet Malware To Target Linux Platforms
View the binary’s ASCII in the last part and you’ll see the first email address | Credit: MalwareMustDie 


Researchers Finds LUA Language ELF Compiled Malware Called As Linux/LuaBot.


Trojan coded in Lua to target linux Platforms to adding into a Botnet explain by security researcher from MalwareMustDie.

The code is interacted with the udp.lua, as per its name suggesting a lua library of User Datagram Protocol function and struct, This is showing the malware has its own lua resolver code for the DNS query, and has ability to form its own UDP packet to be sent to any destination.

There’s also the telnet.lua codes compiled in this ELF, which is after being reversed it seems to be a simple telnet basic communication functions interpreted in lua language (that can be found many references in the internet) that may allow Linux/LuaBot to communicate remotely through this protocol.

What is LUA?

Lua is a powerful, efficient, lightweight, embeddable scripting language. It supports procedural programming, object-oriented programming, functional programming, data-driven programming, and data description.
Lua combines simple procedural syntax with powerful data description constructs based on associative arrays and extensible semantics. Lua is dynamically typed, runs by interpreting bytecode with a register-based virtual machine, and has automatic memory management with incremental garbage collection, making it ideal for configuration, scripting, and rapid prototyping.

According to Softpedia,

At the moment, the LuaBot trojan is packed as an ELF binary that targets ARM platforms, usually found in embedded (IoT) devices. Based on his experience, this seems to be the first Lua-based malware family packed as an ELF binary spreading to Linux platforms.

MalwareMustDie” also found penetrate_sucuri” part, a symbol (suggested a reversed function) traced to be coded in the lua source file: *cough* “checkanus_sucuranus.lua” and “checkanus.lua”, which I took only a peek for it, it forms (http) action to a defined target. 

0 comments: