This article is more than 1 year old

Linux botnet exploits Log4j flaw to hijack Arm, x86 systems

On a plus side, their code's not very good

A new Linux botnet is using the infamous Log4j vulnerability to install rootkits and steal data.

Researchers at Chinese internet security company Qihoo's 360's Network Security Research Lab discovered the botnet family, which they dubbed B1txor20, as it was infecting hosts via the Log4j vulnerability. It primarily targets Linux Arm and 64-bit x86 systems. Compromised devices are commandeered, and brought into the network as remote-control bots, hence the term botnet.

"In addition to traditional backdoor functions, B1txor20 also has functions such as opening a Socket5 proxy and remotely downloading and installing a rootkit," the threat researchers wrote this week. 

In total, 360 Netlab found four different B1txor20 samples that the team said provide 15 functions. In addition to those mentioned above, these include reading and writing files, starting and stopping proxy services, and running reverse shells on compromised machines. The software nasty is, we're told, designed primarily to receive and execute commands from its masters, and exfiltrate sensitive data.

They also noted that the malware wasn't using all of its nefarious features (such as uploading "/boot/conf- XXX" info), and that some of these have bugs. One of the buggy bits deletes the socket file after binding the domain socket, "which makes the socket unconnectable and thus the whole function is useless," 360 Netlab noted.

However, the threat researchers aren't putting it past the criminals to make use of dormant features or fix the bugs in the future.

"We presume that the author of B1txor20 will continue to improve and open different features according to different scenarios, so maybe we will meet B1txor20's siblings in the future," the security firm added.

Because the popular Apache Log4j logging library is so widely used among enterprise apps and cloud services, the remote code execution flaw made it an especially attractive security hole for criminals. Since the Log4j vulnerability was disclosed late last year, several malware groups have taken advantage of this attack vector.

The 360 Netlab researchers noted: "Elknot, Gafgyt, Mirai are all too familiar." B1txor20 is just the latest example of Log4j instances still remaining vulnerable. 

Here's how the new botnet works. The malware uses DNS tunneling to establish command-and-control (C2) communications and disguise its backdoor traffic. Then the bots wait to execute any malicious commands sent by the C2 server.

As the security shop explained:

Simply put, when B1txor20 executes, it will first disguise itself as a [netns] process, run a single instance through the PID file/var/run/, and then use /etc/machine-id, /tmp/.138171241 or /dev/urandom to generate the BotID, then decrypt the domain name used for DNS Tunnel and the RC4 secret key used to encrypt the traffic and test the connectivity of the DNS server, and finally use DNS Tunnel to send registration information to C2 and wait for the execution of the commands issued by C2. 

And finally, in what they deemed a "small note," the researchers said the domain name has been registered for six years, "which is kinda unusual?" Or maybe it points to excellent planning on the part of the miscreants. ®

More about


Send us news

Other stories you might like