Linux botnet exploits Log4j flaw to hijack Arm, x86 systems

On a plus side, their code's not very good

A new Linux botnet is using the infamous Log4j vulnerability to install rootkits and steal data.

Researchers at Chinese internet security company Qihoo's 360's Network Security Research Lab discovered the botnet family, which they dubbed B1txor20, as it was infecting hosts via the Log4j vulnerability. It primarily targets Linux Arm and 64-bit x86 systems. Compromised devices are commandeered, and brought into the network as remote-control bots, hence the term botnet.

"In addition to traditional backdoor functions, B1txor20 also has functions such as opening a Socket5 proxy and remotely downloading and installing a rootkit," the threat researchers wrote this week. 

In total, 360 Netlab found four different B1txor20 samples that the team said provide 15 functions. In addition to those mentioned above, these include reading and writing files, starting and stopping proxy services, and running reverse shells on compromised machines. The software nasty is, we're told, designed primarily to receive and execute commands from its masters, and exfiltrate sensitive data.

They also noted that the malware wasn't using all of its nefarious features (such as uploading "/boot/conf- XXX" info), and that some of these have bugs. One of the buggy bits deletes the socket file after binding the domain socket, "which makes the socket unconnectable and thus the whole function is useless," 360 Netlab noted.

However, the threat researchers aren't putting it past the criminals to make use of dormant features or fix the bugs in the future.

"We presume that the author of B1txor20 will continue to improve and open different features according to different scenarios, so maybe we will meet B1txor20's siblings in the future," the security firm added.

Because the popular Apache Log4j logging library is so widely used among enterprise apps and cloud services, the remote code execution flaw made it an especially attractive security hole for criminals. Since the Log4j vulnerability was disclosed late last year, several malware groups have taken advantage of this attack vector.

The 360 Netlab researchers noted: "Elknot, Gafgyt, Mirai are all too familiar." B1txor20 is just the latest example of Log4j instances still remaining vulnerable. 

Here's how the new botnet works. The malware uses DNS tunneling to establish command-and-control (C2) communications and disguise its backdoor traffic. Then the bots wait to execute any malicious commands sent by the C2 server.

As the security shop explained:

Simply put, when B1txor20 executes, it will first disguise itself as a [netns] process, run a single instance through the PID file/var/run/, and then use /etc/machine-id, /tmp/.138171241 or /dev/urandom to generate the BotID, then decrypt the domain name used for DNS Tunnel and the RC4 secret key used to encrypt the traffic and test the connectivity of the DNS server, and finally use DNS Tunnel to send registration information to C2 and wait for the execution of the commands issued by C2. 

And finally, in what they deemed a "small note," the researchers said the domain name has been registered for six years, "which is kinda unusual?" Or maybe it points to excellent planning on the part of the miscreants. ®

Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • Linus Torvalds says Rust is coming to the Linux kernel 'real soon now'
    Maintainer lack of familiarity won't be an issue, chief insists, citing his own bafflement when faced with Perl

    At The Linux Foundation's Open Source Summit in Austin, Texas on Tuesday, Linus Torvalds said he expects support for Rust code in the Linux kernel to be merged soon, possibly with the next release, 5.20.

    At least since last December, when a patch added support for Rust as a second language for kernel code, the Linux community has been anticipating this transition, in the hope it leads to greater stability and security.

    In a conversation with Dirk Hohndel, chief open source officer at Cardano, Torvalds said the patches to integrate Rust have not yet been merged because there's far more caution among Linux kernel maintainers than there was 30 years ago.

    Continue reading

Biting the hand that feeds IT © 1998–2022