MalwareMustDie Juts took a crack at IoT Malware Linux/AirDropBot – Here is What He Found Out

It’s been two years, but MalwareMustDie is back with the full analysis of the net IoT malware: Linux/AirDropBot.

AirDrop Bot Linux

The long wait did a number on most of us, but it seems to be worth it. We have Unixfreaxjp back with a brand new reverse-engineering tool published on the blog of MalwareMustDie, the MMD-0064-2019 – Linux/AirDropBot is a total work of art in every regard. Technically speaking, we will find some new and improved practices that can help us reverse every single Linux malware binary in all types of environments. The WhiteHat Reversers include a lot of pointers and guidance to help us deal with ELF Linux malware. We get to witness the makings of Radare r2 and Tsurgi distribution.

The Linux Development that Will Break the Internet

Unixfreaxjp has been asked multiple times to help people use Radare r2, and he has done so with incredible levels of achievement on that end. But the amount of information he has released in this new post makes this explanation just the tip of the icing in a much larger cake. Radere r2 is posed to become one of the best reverse-engineering tools in the market, and it was created using the open code of Linux. You won’t need to pay expensive licenses if you learn how to use this tool. The information contained in this new blog post on MalwareMustDie is one of the most outstanding lessons about reversing stripped binaries while checking their authenticity.

In the post made by Unixfreaxjp we follow a complete guide to understanding the makings of malware code. The methodology used, as well as the secrets behind it. He even talks about the hidden code used by programmers to encrypt C2 addresses. He also goes over the operational commands that come from C2 and how they are parsed. He goes on explaining how every single line of code can be rebuilt to get the source code of origin back and running without stripped binaries. If we had to put this information in layman terms, this is probably the most important news about Linux software outside the realm of development.

Why Is This Happening Now? – The Backstory of These Findings

This all started back when user @0xrb came across “MiraiLike,” a piece of malware hidden in his honeypot that was created to target embedded Linux platforms. The goal for it seems to be the propagation of its code using a botnet function that targets IoT users. The real goal of it is still unclear since there are a lot of uncoded functions on it, but so far, the estimations seem to be that the purpose behind it was to target IoT developers and get rid of them. It is undoubtedly one of the most unethical ways to get ahead. Thanks to Mirai, the malware was detected as a sample, so it was a fantastic breakthrough since a fix was put in place before it disseminated among the Linux community.

When Unixfreaxjp got his hands on the sample, his skills were challenged. The final results are this new bog posts that every single IoT developer should read before continuing to work in Linux environments. The technical aspect of it will not be touched on this article since the blog posts itself is very clear and self-explanatory. It’s enough for us to know that we can count on the information from a reliable source. This is certainly not the first time that Linux IoT environments have been under attack, and it won’t be the last. Most of it has to do with the economics that fuels the botnet ecosystems that have been dealt with. The results have been posted in the Security Affairs blog. New malware is likely being scripted as you read this.

Steps Taken to Help Linux IoT Deal with Botnet Threats

A lot of processors are always hit by malware. Having new tech affected by it over generic hardware means that whoever is behind these attacks is taking his business seriously. It’s not about owning reachable IoT’s; the attack is intended to cripple Linux developers to prevent them from coding in new technologies. The binaries of the code in this latest malware have two distinctive categories. One bot to attack and infect portable devices, and a worm that infects larger systems by scanning CGI page routers to inflict themselves damage by getting infected with a single scan of TCP ports. The analysis posted on MalwareMustDie reveals the binary sets sued by the coders of the malware and offers options to deal with them.

Closing Thoughts About This Threat and How to Face It

The Internet of Things is not a fad that is goi8ng away. The integration of these systems in our daily lives is happening at a faster rate, and a very little group of people seems to be opposing progress with moves like this. Even if their intent is not to prevent technology from taking over certain aspects of our lives, they certainly seem bent on preventing people from creating alternatives to the products offered by the big license holders. Governments around the world take these attacks very seriously, with legislation being discussed and passed in Europe, Asia, and other locations. These laws, however, can’t stop malware developers from doing what they do, but it’s a step in the right direction, and that counts for something.