Finally, something new :) An IRC capable bot has been making the rounds. Now, instead of infecting PCs or servers this baby goes after DSL modems.
Terry Baume has a pretty nice PDF on his site, I suggest you check it out. I downloaded the updated bot binary from the update site and noticed that it was around 3k smaller than the one Terry wrote about. I threw the UPX command line tool towards it but it failed. Now, I can chew x86 and a few others pretty nicely but I do admit this was the first time I’ve hit a MIPS binary.
After prodding it a bit with IDA it became obvious that the new version was also packed with UPX, but apparently the guys had either read Terry’s PDF or seen that they’ve been seen, so they had manually modified the binary and made all telltale signs of UPX go away. Except for the entrypoint.
So, with a small dilemma of not having proper devices running MIPS and not being able to unpack it with the command line tool there was one thing left: grab my favourite hexeditor and repair the file. So, after a few minutes of wanking around I got the UPX command line tool to swallow and unpack the sample :)
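To make the "telltale signs" concrete, here is a small triage script I have added for this post (it is not the tool used above and not part of Terry's write-up). It parses the ELF32 header of a big-endian MIPS binary with the file's own byte order, reports the entrypoint, and scans for the two strings a stock UPX build leaves behind: the `UPX!` magic in the packer headers and the `$Info: This file is packed with the UPX executable packer` banner. It also flags a missing section header table, which UPX output normally has but which sstrip'd firmware binaries also lack, so treat that as a weak hint rather than a verdict. The two sample files are constructed inline (a plain fake header plus padding), one with the markers intact and one with them zeroed out the way a hand-edited sample would look.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EM_MIPS = 8                    # e_machine value for MIPS
UPX_MAGIC = b"UPX!"            # magic at the start of UPX's l_info/p_info headers
UPX_BANNER = b"$Info: This file is packed with the UPX executable packer"


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    offsets = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def parse_elf32_header(data: bytes) -> dict:
    """Decode the fixed 52-byte ELF32 header, honouring the file's byte order."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 1:                       # EI_CLASS: 1 = ELF32
        raise ValueError("only ELF32 is handled here")
    big_endian = data[5] == 2              # EI_DATA: 2 = MSB first (typical for DSL SoCs)
    fmt = (">" if big_endian else "<") + "HHIIIIIHHHHHH"
    (e_type, e_machine, _version, e_entry, e_phoff, e_shoff, _flags,
     _ehsize, _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = \
        struct.unpack(fmt, data[16:52])
    return {
        "big_endian": big_endian,
        "e_type": e_type,
        "e_machine": e_machine,
        "e_entry": e_entry,
        "e_phoff": e_phoff,
        "e_phnum": e_phnum,
        "e_shoff": e_shoff,
        "e_shnum": e_shnum,
    }


def triage(data: bytes) -> dict:
    """Summarise header facts plus the UPX indicators found in the file."""
    hdr = parse_elf32_header(data)
    magic_offsets = find_all(data, UPX_MAGIC)
    banner = UPX_BANNER in data
    no_sections = hdr["e_shoff"] == 0 and hdr["e_shnum"] == 0
    if magic_offsets or banner:
        verdict = "upx-markers-present"
    elif no_sections:
        # Weak signal: stripped section table is normal for UPX output but also
        # for sstrip'd embedded binaries, so this alone proves nothing.
        verdict = "no-section-headers"
    else:
        verdict = "no-upx-indicators"
    return {
        **hdr,
        "is_mips": hdr["e_machine"] == EM_MIPS,
        "upx_magic_offsets": magic_offsets,
        "upx_banner": banner,
        "verdict": verdict,
    }


def build_sample(upx_visible: bool) -> bytes:
    """Constructed stand-in for a packed big-endian MIPS ELF (not a real sample).

    Header: ET_EXEC, EM_MIPS, entry 0x00400100, two program headers at offset 52,
    no section header table. Followed by padding, the UPX magic and the banner,
    both zeroed when upx_visible is False to mimic a hand-edited binary.
    """
    ident = ELF_MAGIC + bytes([1, 2, 1, 0]) + bytes(8)          # ELF32, big-endian
    hdr = struct.pack(">HHIIIIIHHHHHH",
                      2, EM_MIPS, 1, 0x00400100, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    body = bytes(64)
    marker = UPX_MAGIC if upx_visible else bytes(4)
    banner = UPX_BANNER if upx_visible else b"$Info: " + bytes(len(UPX_BANNER) - 7)
    return ident + hdr + body + marker + bytes(16) + banner


if __name__ == "__main__":
    for visible in (True, False):
        report = triage(build_sample(visible))
        print("markers visible" if visible else "markers stripped",
              hex(report["e_entry"]), report["upx_magic_offsets"], report["verdict"])
```

Run it against a real file with `triage(open(path, "rb").read())`. The useful lesson is the second sample: with the strings gone the only header-level hint left is the missing section table, which matches the post's observation that everything but the entrypoint had been scrubbed.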
The malware can spread itself through telnet admin interfaces of the DSL modems. It also has the capability to scan for PHPMyAdmin installations _and_ Windows SMB shares.
It also seems to have the capability to perform clickfraud on clickhype.com if the author wishes so.
The version string in the sample I downloaded was 2.9L as opposed to 2.5L that Terry saw 2 months ago so it’s a pretty safe bet that this puppy is undergoing steady development. Will be really interesting to see how things develop from here. Playing in the MIPS device field gives you a lot fewer targets to swing at but on the other hand there’s no competition and the risk of the infection being noticed is somewhat smaller.
The worst thing is that it’s possible to alter the DNS settings of all clients inside the LAN through this. As well as transparently redirecting certain valuable connections into places where they shouldn’t go.
Only time will tell how this will proceed.