
lightaidra 0x2012 (aidra)

Lightaidra 0x2012 was introduced at the beginning of 2012 and is described by its author (Federico Fazzi) as an IRC-based mass router scanner/exploiter. The source code is publicly available at packetstorm.
Aidra can be compiled for mips, mipsel, arm, ppc, x86/x86-64 and superh. In practice this affects home routers and AP stations, DSL/cable modems, VoIP devices, STB and IPTV devices, IP cameras, smartphones, etc. A typical victim is any embedded Linux device running telnet with a default password or no password set. In some cases aidra can retrieve the router password through the well-known /cgi-bin/firmwarecfg bug found on some D-Link and Netgear devices with old firmware.

How does it work? The malware first connects to the telnet port. If the connection succeeds, default user:pass combinations such as root:root or root:admin are tried, although the bot can be commanded to try whatever the botnet master wants. After logging in, aidra downloads a script called getbinaries.sh, which is then executed. The script is fairly simple: remove old malware binaries first to make sure ours runs; download our binaries and run them; try to change the passwd; modify startup scripts/iptables (not always); remove getbinaries.sh. Once running, aidra connects to an IRC server and joins a channel. It then reads the topic and does whatever it says (e.g. .advscan->random root admin). Your device has now become a zombie. ;-)
All malware binaries are downloaded to /var/run, /var/tmp or /var/etc on the zombie device (to /tmp in the case of an x86 device), which are cleared on reboot. Usually a reboot is enough to clean the device because of its embedded nature: filesystems are mounted read-only, and the tmp and run directories live in RAM. Unfortunately such devices are rarely rebooted, so an infection can persist for a very long time. Besides, if the password is not changed, the device can be re-infected in the future (also note that some modified getbinaries.sh scripts will try to change the default password!). As of January 2012 the infection is still spreading. There are private IRC servers with thousands of zombies; the best known of them are located in the USA, Italy, France, Austria, Germany and the Netherlands. Aidra is an advanced malware tool: its source can be customized to fit the botnet master's needs (predefined IRC servers, channels and passwords to use for joining them, custom binary names), and it can scan/flood/spoof targets randomly or recursively. Below is an example of an infected router (WRT54GC) running DD-WRT with the default user root and no password set.


login: root
Password: [Enter]
---------------------------------------------------------------
DD-WRT build #23
some code portions OpenWRT and EWRT
additional thanks to Cesar Gonzales, Toxic,
Elektik, MBChris, Nbd, TheIndividual
and all the wonderful supporters of this Project

http://www.dd-wrt.com

---------------------------------------------------------------

BusyBox v1.01 (2005.12.23-18:13+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # uname -a
Linux 2.4.32 #431 Sun Dec 25 16:58:55 UTC 2005 mips unknown
~ # ls -l /
drwxr-xr-x 1 root root 371 Dec 25 2005 bin
drwxr-xr-x 1 root root 0 Jan 1 1970 dev
drwxr-xr-x 1 root root 330 Dec 25 2005 etc
drwxr-xr-x 1 root root 0 Dec 25 2005 jffs
drwxr-xr-x 1 root root 178 Dec 25 2005 lib
drwxr-xr-x 1 root root 0 Dec 25 2005 mmc
drwxr-xr-x 1 root root 0 Dec 25 2005 mnt
dr-xr-xr-x 33 root root 0 Jan 1 2000 proc
drwxr-xr-x 1 root root 495 Dec 25 2005 sbin
drwxrwxrwx 1 root root 0 Jan 1 2000 tmp
drwxr-xr-x 1 root root 47 Dec 25 2005 usr
lrwxr-xr-x 1 root root 7 Dec 25 2005 var -> tmp/var
drwxr-xr-x 1 root root 1434 Dec 25 2005 www
~ # df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 2.8M 2.8M 0 100% /
~ # mount
/dev/root on / type squashfs (ro)
none on /dev type devfs (rw)
proc on /proc type proc (rw)
ramfs on /tmp type ramfs (rw)
~ # ps w
PID Uid VmSize Stat Command
1 root 176 S /sbin/init noinitrd
2 root SW [keventd]
3 root SWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
10 root SW [mtdblockd]
81 root 136 S resetbutton
115 root 228 S /usr/sbin/telnetd
119 root 384 S httpd
133 root 136 S /sbin/wland
187 root 184 S /tmp/ppp/redial 30
12411 root 444 S pppoecd vlan1 -u xxxxxx -p xxxxxx -r 1492 -t 1492 -i 0
12423 root 284 S udhcpd /tmp/udhcpd.conf
12429 root 336 S dnsmasq --conf-file /tmp/dnsmasq.conf
12451 root 216 S igmprt -f -i ppp0
12501 root 412 S process_monitor
12506 root 272 S /usr/sbin/cron
13628 root 176 S /var/run/mipsel <--- suspicious, right? ;-)
1114 root 1752 S /var/run/mipsel
1115 root 1752 S /var/run/mipsel
1814 root 440 S -sh
1819 root 312 R ps w
~ # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 77.234.254.x:2474 77.247.184.6:23 TIME_WAIT
tcp 0 0 77.234.254.x:2539 77.247.200.40:23 TIME_WAIT
tcp 0 0 77.234.254.x:2537 77.247.200.42:23 TIME_WAIT
tcp 0 0 77.234.254.x:2472 77.247.184.30:23 TIME_WAIT
tcp 0 0 77.234.254.x:2540 77.247.200.38:23 TIME_WAIT
tcp 0 0 77.234.254.x:2538 77.247.200.36:23 TIME_WAIT
tcp 0 0 77.234.254.x:2501 77.247.188.82:23 TIME_WAIT
tcp 0 0 77.234.254.x:2500 77.247.188.22:23 TIME_WAIT
tcp 0 0 77.234.254.x:2499 77.247.187.242:23 TIME_WAIT
tcp 0 0 77.234.254.x:2462 77.247.177.246:23 TIME_WAIT
tcp 0 0 77.234.254.x:2533 77.247.199.206:23 FIN_WAIT2
tcp 0 0 77.234.254.x:2507 77.247.188.125:23 TIME_WAIT
tcp 0 0 77.234.254.x:2506 77.247.188.121:23 TIME_WAIT
tcp 0 0 77.234.254.x:2541 77.247.200.37:23 TIME_WAIT
tcp 0 0 77.234.254.x:2546 77.247.207.x:23 ESTABLISHED <--- potential zombie
tcp 0 0 77.234.254.x:2545 77.247.207.2:23 TIME_WAIT
tcp 0 0 77.234.254.x:2531 77.247.196.1:23 TIME_WAIT
tcp 0 0 77.234.254.x:2525 77.247.190.202:23 TIME_WAIT
tcp 0 0 77.234.254.x:2544 77.247.201.151:23 TIME_WAIT
tcp 40 0 77.234.254.x:3634 109.236.84.29:5863 ESTABLISHED <--- irc server
udp 0 0 0.0.0.0:2055 0.0.0.0:*
udp 0 0 0.0.0.0:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
raw 32548 0 0.0.0.0:2 0.0.0.0:* 0
raw 32548 0 0.0.0.0:2 0.0.0.0:* 0
raw 0 0 0.0.0.0:2 0.0.0.0:* 0
raw 0 0 0.0.0.0:255 0.0.0.0:* 0
raw 0 0 0.0.0.0:255 0.0.0.0:* 0
raw 0 0 0.0.0.0:255 0.0.0.0:* 0
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 25229249
unix 3 [ ] STREAM CONNECTED 25229248
~ # ls /tmp
cron.d dnsmasq.conf hosts resolv.conf root
crontab etc ppp resolv.dnsmasq udhcpd.conf
udhcpd.leases var udhcpd.statics

~ # iptables -nvL (showed nothing special)
~ # cd /var/run
/tmp/var/run # ls -la
drwxr-xr-x 1 root root 0 Jan 1 2000 .
drwxr-xr-x 1 root root 0 Jan 1 2000 ..
-rw-r--r-- 1 root root 5 May 9 19:54 .lightpid
-rw-r--r-- 1 root root 9494 May 10 05:12 .lightscan <--- hosts running telnet
-rwxr-xr-x 1 root root 203408 May 9 19:54 arm
-rw-r--r-- 1 root root 6 May 9 14:06 crond.pid
-rw-r--r-- 1 root root 6 May 9 14:06 dnsmasq.pid
-rw-r--r-- 1 root root 3 Jan 1 1970 httpd.pid
-rwxr-xr-x 1 root root 266209 May 9 19:54 mips
-rwxr-xr-x 1 root root 266270 May 9 19:54 mipsel <--- the binary for that device
-rwxr-xr-x 1 root root 196039 May 9 19:54 ppc
-rw-r--r-- 1 root root 6 May 9 14:06 ppp0.pid
-rwxr-xr-x 1 root root 180728 May 9 19:54 sh
-rw-r--r-- 1 root root 6 May 9 14:06 udhcpd.pid
/tmp/var/run # cat .lightscan
/tmp/var/run # ls -la
drwxr-xr-x 1 root root 0 Jan 1 2000 .
drwxr-xr-x 1 root root 0 Jan 1 2000 ..
-rw-r--r-- 1 root root 5 May 9 19:54 .lightpid
-rw-r--r-- 1 root root 0 May 10 05:21 .lightscan <--- scan log just flushed :-(
-rwxr-xr-x 1 root root 203408 May 9 19:54 arm
-rw-r--r-- 1 root root 6 May 9 14:06 crond.pid
-rw-r--r-- 1 root root 6 May 9 14:06 dnsmasq.pid
-rw-r--r-- 1 root root 3 Jan 1 1970 httpd.pid
-rwxr-xr-x 1 root root 266209 May 9 19:54 mips
-rwxr-xr-x 1 root root 266270 May 9 19:54 mipsel
-rwxr-xr-x 1 root root 196039 May 9 19:54 ppc
-rw-r--r-- 1 root root 6 May 9 14:06 ppp0.pid
-rwxr-xr-x 1 root root 180728 May 9 19:54 sh
-rw-r--r-- 1 root root 6 May 9 14:06 udhcpd.pid
/tmp/var/run # cat .lightscan
/tmp/var/run # ps w
PID Uid VmSize Stat Command
1 root 176 S /sbin/init noinitrd
2 root SW [keventd]
3 root SWN [ksoftirqd_CPU0]
4 root SW [kswapd]
5 root SW [bdflush]
6 root SW [kupdated]
10 root SW [mtdblockd]
81 root 136 S resetbutton
115 root 228 S /usr/sbin/telnetd
119 root 384 S httpd
133 root 136 S /sbin/wland
187 root 184 S /tmp/ppp/redial 30
12411 root 444 S pppoecd vlan1 -u xxxxxx -p xxxxxx -r 1492 -t 1492 -i 0
12423 root 284 S udhcpd /tmp/udhcpd.conf
12429 root 336 S dnsmasq --conf-file /tmp/dnsmasq.conf
12451 root 216 S igmprt -f -i ppp0
12501 root 412 S process_monitor
12506 root 272 S /usr/sbin/cron
13628 root 176 S /var/run/mipsel
1814 root 504 S -sh
1837 root 1736 S /var/run/mipsel
1838 root 1736 S /var/run/mipsel
4791 root 1736 S /var/run/mipsel
4792 root 1736 S /var/run/mipsel
4793 root 1736 S /var/run/mipsel
4794 root 1736 S /var/run/mipsel
4795 root 1736 S /var/run/mipsel
4796 root 1736 S /var/run/mipsel
4797 root 1736 S /var/run/mipsel
4798 root 1736 S /var/run/mipsel
4799 root 1736 S /var/run/mipsel
4800 root 1736 S /var/run/mipsel
4801 root 1736 S /var/run/mipsel
4802 root 1736 S /var/run/mipsel
4803 root 1736 S /var/run/mipsel
4804 root 1736 S /var/run/mipsel
4805 root 1736 S /var/run/mipsel
4806 root 1736 S /var/run/mipsel
4807 root 1736 S /var/run/mipsel
4808 root 1736 S /var/run/mipsel
4809 root 1736 S /var/run/mipsel
4810 root 1736 S /var/run/mipsel
4811 root 1736 S /var/run/mipsel
4812 root 1736 S /var/run/mipsel
4813 root 1736 S /var/run/mipsel
4814 root 1736 S /var/run/mipsel
4815 root 1736 S /var/run/mipsel
4816 root 1736 S /var/run/mipsel
4817 root 1736 S /var/run/mipsel
4818 root 1736 S /var/run/mipsel
4819 root 1736 S /var/run/mipsel
4820 root 1736 S /var/run/mipsel
4821 root 1736 S /var/run/mipsel
4822 root 1736 S /var/run/mipsel
4823 root 1736 S /var/run/mipsel
4824 root 1736 S /var/run/mipsel
4825 root 1736 S /var/run/mipsel
4826 root 1736 S /var/run/mipsel
4827 root 1736 S /var/run/mipsel
4828 root 1736 S /var/run/mipsel
4829 root 1736 S /var/run/mipsel
4830 root 1736 S /var/run/mipsel
4831 root 1736 S /var/run/mipsel
4832 root 1736 S /var/run/mipsel
4833 root 1736 S /var/run/mipsel
4834 root 1736 S /var/run/mipsel
4835 root 1736 S /var/run/mipsel
4836 root 1736 S /var/run/mipsel
4837 root 1736 S /var/run/mipsel
4838 root 1736 S /var/run/mipsel
4839 root 1736 S /var/run/mipsel
4840 root 1736 S /var/run/mipsel
4841 root 1736 S /var/run/mipsel
4842 root 1736 S /var/run/mipsel
4843 root 1736 S /var/run/mipsel
4844 root 1736 S /var/run/mipsel
4845 root 1736 S /var/run/mipsel
4846 root 1736 S /var/run/mipsel
4847 root 1736 S /var/run/mipsel
4848 root 1736 S /var/run/mipsel
4849 root 1736 S /var/run/mipsel
4850 root 1736 S /var/run/mipsel
4851 root 1736 S /var/run/mipsel
4852 root 1736 S /var/run/mipsel
4853 root 1736 S /var/run/mipsel
4854 root 1736 S /var/run/mipsel
4855 root 1736 S /var/run/mipsel
4856 root 1736 S /var/run/mipsel
4857 root 1736 S /var/run/mipsel
4858 root 1736 S /var/run/mipsel
4859 root 1736 S /var/run/mipsel
4860 root 1736 S /var/run/mipsel
4861 root 1736 S /var/run/mipsel
4862 root 1736 S /var/run/mipsel
4863 root 1736 S /var/run/mipsel
4864 root 1736 S /var/run/mipsel
4865 root 1736 S /var/run/mipsel
4866 root 1736 S /var/run/mipsel
4867 root 1736 S /var/run/mipsel
4868 root 1736 S /var/run/mipsel
4869 root 1736 S /var/run/mipsel
4870 root 1736 S /var/run/mipsel
4871 root 1736 S /var/run/mipsel
4872 root 1736 S /var/run/mipsel
4873 root 1736 S /var/run/mipsel
4874 root 1736 S /var/run/mipsel
4875 root 1736 S /var/run/mipsel
4876 root 1736 S /var/run/mipsel
4877 root 1736 S /var/run/mipsel
4878 root 1736 S /var/run/mipsel
4879 root 1736 S /var/run/mipsel
4880 root 1736 S /var/run/mipsel
4881 root 1736 S /var/run/mipsel
4882 root 1736 S /var/run/mipsel
4883 root 1736 S /var/run/mipsel
4884 root 1736 S /var/run/mipsel
4885 root 1736 S /var/run/mipsel
4886 root 1736 S /var/run/mipsel
4887 root 1736 S /var/run/mipsel
4888 root 1736 S /var/run/mipsel
4889 root 1736 S /var/run/mipsel
4890 root 1736 S /var/run/mipsel
4891 root 1736 S /var/run/mipsel
4892 root 1736 S /var/run/mipsel
4893 root 1736 S /var/run/mipsel
4894 root 1736 S /var/run/mipsel
4895 root 1736 S /var/run/mipsel
4896 root 1736 S /var/run/mipsel
4897 root 1736 S /var/run/mipsel
4898 root 1736 S /var/run/mipsel
4899 root 1736 S /var/run/mipsel
4900 root 1736 S /var/run/mipsel
4901 root 1736 S /var/run/mipsel
4902 root 1736 S /var/run/mipsel
4903 root 1736 S /var/run/mipsel
4904 root 1736 S /var/run/mipsel
4905 root 1736 S /var/run/mipsel
4906 root 1736 S /var/run/mipsel
4907 root 1736 S /var/run/mipsel
4908 root 1736 S /var/run/mipsel
4909 root 1736 S /var/run/mipsel
4910 root 1736 S /var/run/mipsel
4911 root 1736 S /var/run/mipsel
4912 root 1736 S /var/run/mipsel
4913 root 1736 S /var/run/mipsel
4914 root 1736 S /var/run/mipsel
4915 root 1736 S /var/run/mipsel
4916 root 1736 S /var/run/mipsel
4917 root 1736 S /var/run/mipsel
4918 root 1736 S /var/run/mipsel
4919 root 312 R ps w
/tmp/var/run # reboot

The system is going down NOW !!

Sending SIGTERM to all processes.

If you suspect an infection, or have just found a device with a default or no password that was connecting to you over telnet, these are the suspicious files to look for:
/var/run/getbinaries.sh
/var/run/get.sh
/var/run/sysupd.sh
/var/run/{arm,mips,mipsel,mipsel.b,b.mipsel,ppc,sh,shv,shon.gz,x32,x64,x32_64,sys1,sys2,sys3,sys4,sys5}
/var/run/{re,mi,fa,sol,si}
/var/run/{m1,m2,m3,m4,m5}
/var/run/{mx,msx,sx,ax,px}
/var/run/{boa,app,mish,initms,inits,initsh,initar,initpc,init32,init64}
/var/run/{cron,sync,udps,usrs,wftp,ksoft,netms,udevh,ufwh,sync,rsync}
(/var/etc/) /tmp/etc/{initar,initms,initpc,inits,initsh,init32,init64}
/var/tmp/{ryn,syn}
/var/run/.lightpid
/var/run/{.lightscan, .scan.log, stat.log}
/var/etc/{httpms,httpa,httpdm,httpp,https,udha,udhm,udhms,udhp,udhs}
/var/run/{mipbox,ipbox,spbox,mpbox,apbox}

Any executable code residing in /var/run is suspicious! Binaries do not belong in /var/run! Also check established connections with netstat, and look for altered and/or stopped services in:
/etc/init.d/rcS
/etc/init.d/S002.sh
/etc/init.d/S50inetd
/etc/init.d/inet
/etc/init.d/inetd
/etc/rcS

Firewall rules may be added to accept or reject telnet connections. The wget binary is moved to -wget or simply deleted. Sometimes the script attempts to change the password and adds "nameserver 8.8.8.8" to /etc/resolv.conf. Be aware that the malicious scripts can be modified to evade suspicion or to target different devices; malware binary names can be changed too, and the files stored in different locations (if writable). Below is a list of the well-known machines which serve IRC and host malware binaries:
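As an added example (not code from the original post), the following POSIX sh helpers apply the indicators above to the output of ls -la /var/run, ps w and netstat -an: executables and the .lightpid/.lightscan artifacts in /var/run, processes started from /var/run, /var/tmp or /var/etc, outbound telnet connections (the box scanning others) and established sessions to unusual ports. The function names and the SAMPLE_* inputs are my own constructions, shaped like the session shown above; on a real device you would pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example, not code from the original post: triage helpers that apply the
# write-up's indicators to 'ls -la /var/run', 'ps w' and 'netstat -an' output.
# Each function reads that output on stdin and prints one finding per line.
# The SAMPLE_* inputs below are constructed to mirror the shapes shown above.

# Executables and aidra artifacts in /var/run ('ls -la' format, name is last field).
check_var_run_listing() {
    awk '$1 ~ /^-/ && $1 ~ /x/ { print "exec-in-var-run: " $NF }
         $NF == ".lightpid" || $NF == ".lightscan" { print "aidra-artifact: " $NF }'
}

# Processes whose binary lives in /var/run, /var/tmp or /var/etc ('ps w' format).
# Kernel threads have no VmSize column, so scan every field instead of a fixed one.
check_ps_listing() {
    awk '{ for (i = 2; i <= NF; i++)
             if ($i ~ "^/var/(run|tmp|etc)/") { seen[$i]++; break } }
         END { for (p in seen) print "process-from-var: " p " count=" seen[p] }'
}

# Outbound telnet (this box scanning others) and established sessions to odd ports
# ('netstat -an' format: proto recv-q send-q local foreign state).
check_netstat() {
    awk '$1 == "tcp" && $6 != "LISTEN" {
             n = split($5, f, ":"); port = f[n]
             if (port == "23") telnet++
             else if ($6 == "ESTABLISHED" && port != "80" && port != "443")
                 print "established-nonweb: " $5
         }
         END { if (telnet > 0) print "outbound-telnet: " telnet " connections" }'
}

# Constructed samples (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LS='-rw-r--r-- 1 root root 5 May 9 19:54 .lightpid
-rw-r--r-- 1 root root 9494 May 10 05:12 .lightscan
-rwxr-xr-x 1 root root 266270 May 9 19:54 mipsel
-rw-r--r-- 1 root root 6 May 9 14:06 dnsmasq.pid'
SAMPLE_PS='2 root SW [keventd]
115 root 228 S /usr/sbin/telnetd
13628 root 176 S /var/run/mipsel
1114 root 1752 S /var/run/mipsel'
SAMPLE_NET='tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.2:2474 192.0.2.6:23 TIME_WAIT
tcp 0 0 10.0.0.2:2546 192.0.2.7:23 ESTABLISHED
tcp 40 0 10.0.0.2:3634 198.51.100.29:5863 ESTABLISHED'

# Number of findings a check produces for a given sample text.
count_findings() { printf '%s\n' "$1" | "$2" | wc -l | tr -d ' '; }

run_triage() {
    printf '%s\n' "$SAMPLE_LS"  | check_var_run_listing
    printf '%s\n' "$SAMPLE_PS"  | check_ps_listing
    printf '%s\n' "$SAMPLE_NET" | check_netstat
}
run_triage
```

A clean DD-WRT box yields no findings from any of the three checks; the infected session above would report the mipsel binary, dozens of /var/run/mipsel processes and a burst of outbound port 23 connections.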

Servers providing compiled malware for download:

C&C servers


Article last updated on 30/09/2013.

2 Comments

  1. Prisync wrote:

    Is this the source of that botnet?

    https://github.com/eurialo/lightaidra

    Thursday, October 24, 2013 at 15:27
  2. Виерко wrote:

    It looks like it is, indeed.

    Wednesday, November 6, 2013 at 11:58

5 Trackbacks/Pingbacks

  1. [...] a list of malware hosts and C&C servers, check out the bottom of this analysis by Vierko. [...]

  2. [...] server to prevent infection or takeover by others. You can read more on the technical details here. The infected devices could also be instructed to perform a TCP/UDP flood attack against a target. [...]

  4. [...] You will need your translator on more than likely: http://vierko.org/tech/lightaidra-0×2012/ [...]

  5. Botnety na urządzeniach sieciowych on Tuesday, January 7, 2014 at 15:22

    […] 'Lightaidra 0×2012'. More about this latest mutation can be read at lightaidra 0×2012 (aidra). In the documentation included in the source code folder, the author, Federico Fazzi, wrote […]
