
Research Results

IoTPOT captures new binaries of ZORRO family!

[bin 68 to bin 83 of Table 1]
Created June 16, 2015



ZORRO Family [bin 68 to 75 of Table 1]

On June 07, 2015, IoTPOT captured new binaries of the "ZORRO family", built to run on 8 different CPU architectures. After a successful login, the attacker first checks and customizes the environment, as in previous versions of the ZORRO family, as shown in Figure 1. The attacker then appends a series of binaries to a randomly named file and builds his own shell, which is used to download malware binaries from the malware download server, as shown in Figures 2 and 3 respectively. The IP address attacking IoTPOT and the IP address of the malware download server are the same. Within 5 days [from June 07 to June 11], IoTPOT detected 14,911 such infections from 1 IP.

Figure 1 - Checking and Customizing Environment

Figure 2 - Making attacker’s own shell

Figure 3 - Downloading Malware using attacker's own shell


ZORRO Family [bin 77 to 83 of Table 1]

On June 08, 2015, IoTPOT captured another set of new "ZORRO family" binaries, again built to run on 8 different CPU architectures. The infection process is the same as for the June 07 version of the ZORRO family; only the IP address of the malware download server and the names of the downloaded binaries differ. Figure 4 shows the downloaded binaries. IoTPOT observed this infection for only 4 days. Within 4 days [from June 08 to June 11], IoTPOT detected 10,659 such infections from 1 IP. Sandbox analysis shows that these binaries scan port 23, as shown in Figure 5.


Figure 4 - Downloaded binaries
Figure 5 - Scanning on port 23
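The two observations above share the same detectable pattern from a honeypot operator's point of view: a telnet login, several binaries (one per CPU architecture) fetched from a server whose address equals the attacking address, repeated thousands of times from a single IP over a few days, and post-infection scanning of port 23. The script below is an added example, not IoTPOT project code, that applies those heuristics to a constructed session log. The log format, the IP addresses and the binary names are all assumptions made up for the example; IoTPOT's real log format is not shown on this page.

```python
"""Flag ZORRO-like telnet infection sessions in honeypot/sandbox logs.

Added example, not part of IoTPOT. The log format below is constructed:
    <ISO timestamp> <src_ip> <event> <detail>
where event is 'login' (telnet login succeeded), 'download' (URL the
attacker's shell fetched) or 'scan' (outbound scan seen when the fetched
binary was run in a sandbox, reported as proto/port).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. 203.0.113.10 hosts its own binaries (download host
# equals attacking IP), fetches per-architecture files and scans port 23.
# 198.51.100.7 is an unrelated single download from a third-party host.
SAMPLE_LOG = """\
2015-06-07T03:12:01 203.0.113.10 login telnet
2015-06-07T03:12:02 203.0.113.10 download http://203.0.113.10/bin.x86
2015-06-07T03:12:03 203.0.113.10 download http://203.0.113.10/bin.mips
2015-06-07T03:12:04 203.0.113.10 download http://203.0.113.10/bin.arm
2015-06-07T03:12:09 203.0.113.10 scan tcp/23
2015-06-08T11:40:00 203.0.113.10 login telnet
2015-06-08T11:40:01 203.0.113.10 download http://203.0.113.10/bin.x86
2015-06-09T08:00:00 198.51.100.7 login telnet
2015-06-09T08:00:01 198.51.100.7 download http://192.0.2.55/update.bin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (login|download|scan) (\S+)$")
URL_HOST_RE = re.compile(r"^https?://([^/:]+)")


def parse_log(text):
    """Parse log text into (timestamp, src_ip, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ts, src, kind, detail = m.groups()
        events.append((datetime.fromisoformat(ts), src, kind, detail))
    return events


def summarize(events):
    """Aggregate per attacking IP: sessions, fetched binaries, hosts, scans."""
    per_ip = defaultdict(lambda: {
        "sessions": 0, "binaries": set(), "download_hosts": set(),
        "scans_port23": False, "first": None, "last": None,
    })
    for ts, src, kind, detail in events:
        rec = per_ip[src]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        if kind == "login":
            rec["sessions"] += 1
        elif kind == "download":
            host = URL_HOST_RE.match(detail)
            if host:
                rec["download_hosts"].add(host.group(1))
            rec["binaries"].add(detail.rsplit("/", 1)[-1])
        elif kind == "scan" and detail == "tcp/23":
            rec["scans_port23"] = True
    return per_ip


def flag_zorro_like(per_ip):
    """Apply the heuristics from the ZORRO observations to each source IP.

    self_hosted: the malware download server is the attacking IP itself.
    multi_binary: more than one distinct binary fetched (per-architecture set).
    """
    findings = {}
    for src, rec in per_ip.items():
        self_hosted = src in rec["download_hosts"]
        multi_binary = len(rec["binaries"]) >= 2
        findings[src] = {
            "sessions": rec["sessions"],
            "days_active": (rec["last"].date() - rec["first"].date()).days + 1,
            "self_hosted": self_hosted,
            "multi_binary": multi_binary,
            "scans_port23": rec["scans_port23"],
            "zorro_like": self_hosted and multi_binary,
        }
    return findings


def analyze(text):
    """Convenience wrapper: raw log text -> per-IP findings."""
    return flag_zorro_like(summarize(parse_log(text)))


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

The `self_hosted` check is the cheapest signal to act on: a source that both attacks and serves the payload from the same address can be blocked and its download URL sinkholed with one rule, while the `sessions` and `days_active` counts reproduce the "N infections from 1 IP over D days" figures the write-up reports.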