MalwareMustDie, a security researcher, came across a new Linux Trojan two weeks ago, which he claims is the first Linux malware coded in the Lua language.
After reverse engineering the code, the researcher concluded that the Trojan targets only IoT infrastructure and also carries features that would let it launch DDoS attacks. It is also believed to contain an unconfirmed function for bypassing the DDoS protection of Sucuri, a web security vendor. In the LuaBot source code, the malware's author leaves a message that reads 'Hi. Happy reversing, you can mail me …' followed by his email address.
One French security researcher is believed to have contacted the malware's author and asked him some follow-up questions. The researcher, going by the name c0rz, published some of the answers online.
In the mini interview, the attacker said that he did not work for the info-sec community and was not affiliated with any hacking groups or organizations. He said he saw himself as a nobody and that his malware was literally not harmful, because it cannot steal router login details.
He also noted that he had been working on the malware for a long time, and that the whole endeavor had begun as fun but had since turned a profit for him. When asked what was making him money, he declined to comment. He also reiterated that he was not running any DDoS stresser service like the vDos kids, and stated that he only dealt with individuals and was not looking at banks or large organizations.
The malware author also claimed to have his own zero-days, which he used in some instances to infect devices. One Brazilian security researcher who also looked at the malware said that it was primarily affecting ARRIS routers. The same Brazilian researcher had earlier discovered the three backdoors in ARRIS routers that affected close to 600,000 modems connected to the Internet at the time.
The Brazilian researcher, Bernardo Rodrigues, said that if you ran the same query on devices again, the number of exposed devices would be down to just approximately 35,000. He also said that in the first stages of infection, LuaBot uses firewall rules to block access to the device from external connections.
This is an obvious self-protection feature of the malware. The malware does not include a boot persistence mechanism, so when a router is restarted the malware is removed from the device.
There are no known attacks by LuaBot as yet; the presence of the HTTP flooding functions is still puzzling, and the overall purpose of the malware remains, for the moment, a mystery.