Amnesia IoT Botnet Infects Devices Worldwide

Computer security researchers discovered the Amnesia IoT botnet which infects devices worldwide made by over 70 vendors.

Amnesia IoT Botnet Discovered

Researchers from Unit 42 alerted the security community about the discovery of a new threat. It is dubbed as the Amnesia IoT botnet which is a variant of Tsunami. The hackers behind it have updated the code and abuse the same unpatched remote code execution issue. The alarming fact is that the problem was disclosed back in March 2016 and it appears that a lot of devices remain unpatched.

The original Tsunami botnet attacked DVR boxes which allowed the hackers to retrieve information about the devices and infiltrate internal networks. A coordinated attack was made against CCTV systems which utilized vulnerable devices and as a consequence it was discovered that a large number of vendors sell devices that can be compromised.

The Amnesia IoT botnet takes this approach in its own wave of attacks. The hackers employ a large network of infected hosts to target network devices worldwide. However the majority of victims have been identified to be living in the United States of America. Some of its unique features include the following:

  • The specialists believe that the Amnesia malware is the first Linux virus which has adopted virtual machine evasion techniques that are able to defeat sandbox environments used by malware researchers. Such techniques are typical for advanced viruses that target Microsoft Windows and Google Android.

  • The Amnesia malware engine detects if it is running in a virtualized environment – VirtualBox, VMWare or QEMU. If they are detected the engine deletes the virtualized system. This means that the sandbox server or cloud service is also affected by the operation. Scanning is done by checking for the availability of strings in files that are used by the Linux Desktop Management Interface (DMI) for storing the hardware’s product and manufacturer data. The Linux’s root directory, user home directory and current working directory are deleted if the check is passed.

  • The remote code execution vulnerability is triggered by scanning for the relevant system and then infects them through a predefined pattern.

  • The virus contains code that allows the engine to remove restrictions for the following restrictions – File descriptors/handles amount, Local port range, TCP memory buffer, TCP send buffer and TCP receive buffer.

  • The built-in flood command can spoof 48 user agents 3 different HTTP referrer values.

  • Wide Architecture Support – The developers have developed versions for a wide range of architectures: armv4l, armv5l, i386, m68k, MIPS, MIPSEL, PowerPC, PowerPC-440fp, SPARC and x86_64.

The hackers can directly attempt the exploit on all discovered devices. A popular way of discovering possible targets is the use of fingerprints associated with the device identifiers. This is relatively easy to use via specialized search engines. The researchers from Unite 42 were able to discover over 227 000 potential targets. Communication with the C&C servers is done using the IRC protocol. The researchers were able to extract the possible commands in a list:

  • HTTP Flood

  • UDP Single Flood

  • UDP Pulse Flood

  • Server Change

  • Nick Client Change

  • KILL Client

  • Downloads a file from a remote server

  • Client Version Request

  • Kills All Current Processes

  • Help Dialog

  • Sends A Command To The Server

  • Command Execution

  • Kills Bots

  • Gets The IP address of the bots

As the Amnesia IoT botnet targets a specific type of devices the hackers included two other commands – CCTVSCANNER and CCTVPROCS which are used to scan and exploit the vulnerabilities. The infection follows a predefined routine which is comprised of the following steps:

  1. The Amnesia Iot botnet initiates the scan module which checks if the target device can be exploited.

  2. This is done by searching for a special string called “Cross Web Server” which is inserted in the HTTP response.

  3. The virus engine then proceeds to send secondary requests which contain the actual payloads compromised of shell commands. They aim to craft a shell script file which is then executed.

  4. Depending on the obtained user privileges the Amnesia malware creates a persistent environment. This is done by modifying existing files or creating new ones.

  5. All running Telnet and SSH related processes are killed.

  6. The remote C&C servers are contacted and a slave system shell is created. The discovered IRC server runs on UnrealIRCd-4.0.3.1 and its associated web server that hosts the scripts is hosted using the Nginx/1.6.2 application. The x86/64 devices are managed via the #channel router while all CCTV devices are managed over another channel which is titled #r00ter.

  7. The criminals have created three decoy addresses which are hardcoded into the malware. The virus automatically chooses one of them during the initialization phase. All of the three domains resolve to the same IP address which also hosted another IoT threat in the past – DropPerl.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

The Amnesia IoT Botnet Is Associated With The Radiation Campaign

Specialists from CyberX associate the mass infection with an attack campaign called Radiation. According to them its uniqueness can be attributed to the type of target devices and enhancements done to the core threat. The name of the campaign comes from an unknown process which was identified in one of victim devices called radioactive. It is executed with root privileges and crafts a shell script which downloads all malware versions from a site that has the radioactive name. During investigation the CyberX staff discovered that 15 000 IoT devices all over the world are managed by the Radiation administrators.

The specialists believe that the criminals behind the threat are experienced programmers as they have managed to bypass some of the commonly used sandbox environments in Gnu/Linux systems. System administrators who deploy virtual machines should use the snapshots function as it allows for quick recovery to a preset state. This is a possible workaround which can be used to remove the malicious instance. However in some cases the Amnesia IoT botnet can destroy the whole server.

By using a quality anti-malware solution computer users can protect themselves from all types of malware and can remove active infections with a few mouse clicks.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *