Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially other (IoT) devices by Afifa Abbas. A presentation given at APNIC 42's FIRST TC Security Session (2) session on Wednesday, 5 October 2016.

1. Meet Remaiten : Malware Builds Botnet on Linux
based routers and potentially other (IoT) devices
-A path from default to damage
Afifa Abbas
Security and Governance Specialist Engineer
Banglalink Digital Communications Limited

2. Malware and BOTNET
• A piece of software that is designed to
disrupt operation, gather information,
gain unauthorized access to system
resources for exploitation purpose
• A botnet is an interconnected network of
computers infected with malware
without the user‟s knowledge and
controlled by cybercriminals

3. C & C Architecture
botmaster
C & C C & C
bot bot
bot

4. Meet Remaiten, a new piece of malware
Targets Routers and Other Embedded (IoT)
Devices
The malware is popular as „Remaiten‟ that has the capabilities
of previously spotted „Tsunami‟ and Gafgyt malware and also
brought series of improvements and new features.
ESET researchers have discovered a new piece of malware is
targeting embedded systems with the mission to compromise and
make them a part of a botnet

5. How does “Remaiten” work?
• One of the capabilities “Remaiten” borrows from “Gafgyt” is telnet
scanning
• “Gafgyt” attempts to connect to random routers via 23 port
• It issues a shell command to download bot executables for multiple
architectures and tries to run them
• “Remainten” carries downloaders and tries to trigger the device‟s
platform to drop only the appropriate downloader
• When executed, the bot runs in the background and changes its process
name to look legitimate

6. How does “Remaiten” work?
• Using the “create_daemon” function, the bot creates the file name
“.kpid” in one of the predefined daemon directories and writes its PID
to the file
• The bot binaries include a hardcoded list of C&C server IP addresses,
malware chooses one randomly and connects to it on a hardcoded port
• After connecting successfully with C&C server the bot check-in on the
IRC channel and the server replies with the welcome message and
further instruction
• One IRC command “PRIVMSG” that instruct the bot to perform
nefarious operations such as flooding, downloading files etc.

7. Improved Spreading Mechanism
o Remaiten improves in spreading mechanism by carrying downloader
executables for CPU architectures such ARM and MIPS
o A downloader‟s purpose is to download additional (usually malicious)
software in an infected system and execute it.
o The downloader‟s job is to request the artitechture-appropriate bot
binary from bot‟s C&C server

8. Downloader Technical Analysis
• When a downloader is executed on victim‟s device, it determines the
device‟s architecture and connect to the bot‟s C&C server and send
commands based on the architecture
• The C&C will respond with a bot binary for the requested architecture.
Downloader requesting a bot binary from the C&C Downloader connecting to C&C

9. BOT Analysis
• When executed the BOT runs in the background
• The process changes its name to something legitimate
BOT startup

10. Connecting to C&C
• There is a list of C&C server hardcoded in bot binaries. One is chosen
at random and the bot connects to it on a hardcoded port.
BOT connecting to C&C server

11. Connecting to C&C
• If it successfully reaches the C&C server, the bot then checks-in on the
IRC channel
• The C&C should reply with a welcome message and further instructions
that will be executed by the bot on the infected device
C&C Bot welcome message

12. IRC command handling
• The bot can respond to various general IRC commands
• The command “PRIVMSG” is one of them that is used to instruct the
bot to perform its various malicious actions such as flooding,
downloading files, telnet scanning etc
IRC commands Available BOT commands

13. IRC command handling
Flooding capabilities Telnet Scanning

14. Embedded downloader
• Remaiten is unique in that it carries multiple small downloaders and can
upload them to the victim device if its architecture matches with one of
the available downloaders
• When executed the downloader will request a bot binary from C&C
server
Embedded payload

15. Embedded downloader
• The architecture is discovered by executing the command “cat $shell”
in victim device
Discover victim‟s platform List of directories where the downloader
might be saved

16. Telnet Scanner
• Remaiten‟s telnet scanner starts when the C&C server issues the
command “QTELNET”
• It is indeed an improved version of Gafgyt‟s telnet scanner
• The architecture is discovered by executing “ cat $shell” on the victim‟s
device
Guessing telnet login credentials

17. Send status to C&C
• Before resuming the telnet scanning, the bot informs the C&C server its
progress
• It sends the new victim device‟s IP address, the successful username
and password pair
Inform C&C about bot deployment status

18. “Gafgyt” is known for telnet scanning
“Tsunami” is mainly used for DDoS attack
“Remainten” carries a downloader that tries to trigger the device‟s
platform to drop only the appropriate downloader
“Remaiten” is the combination of previously spotted malware
Tsunami and Gafgyt
The downloader executes the appropriate bot binary
on the victim device and make it a part of botnet
“Remainten” enjoys new features

19. Attack Reasons!
• Weak default passwords / no password change enforcement
• Firmware vulnerabilities and service implementation errors
• Insecure default configuration
• Lack of user and vendor awareness
• Administrative service exposed in internet
There are specific issues concerning network devices

20. Why malware for network devices a
major issue?
• Installing malware on a router instead of on a PC or Mac means
that it will not be detected by contemporary desktop antivirus
solutions
Stealth
• with lots of vulnerabilities and a lack of awareness among most
users, network devices are just what the cybercriminals have been
looking forEasy Access
• routers usually run all the time and are rarely rebooted or
powered downConstant Access
• an attacker can transparently monitor all the traffic on a network
and search for packets containing sensitive information
Constant
Control

21. Malware “Remaiten” has not noticeable affect and run on
routers undetected and as legitimate process
How does malware treat routers?
1
• It compromises the router and make it a part of botnet
2
• They do not advertise their presence in the system
3
• They can surreptitiously infiltrate the system keep the
operation intact
4
• They can hide themselves in the system and secretly do their
thing

22. A device being part of a botnet!
• A devices part of botnet are no longer under the legitimate user‟s control
• Attacker easily gets login credentials of the device along with
configuration
• Attackers can use all machines in a botnet to launch DDoS to targeted
victim
• Attackers can change the DNS settings redirecting users to malicious
sites to get personal information
• Bot herders can also sell the use of „their' botnets to others who want to
perform these activities

23. What can be done!
Malware targets usually the improperly secured devices
• Ensure using strong passwords
• Check security settings and update firmware regularly
• Implement randomly generated default passwords by
vendors
• Place emphasize on firmware vulnerabilities
• Disable administrative ports like telnet, ssh in internet

24. What can be done!
• Disable hidden admin account from vendor
• Not to expose blacklisted ports from outside
• Not to rely on device‟s default settings
• Awareness among users and vendors
• Perform quarterly security audit
• Impose installing security updates
• R&D team for malware analysis
• Schedules back up and save data

25. What does future hold?
All malware evolves and multiplies. Here are
some predictions made by security experts
Attacks on proprietary
operating systems
from major vendors :
Constantly updated
malware :
as not every device runs a
Linux based OS
as cybercriminals may
create malware that
doesn‟t disappear after a
reboot

26. What does future hold?
Malware re-infects
PCs :
Hijacking software
update services :
malware containing code for
different router platforms or code
that re-infects PCs connected to a
router
so that instead of security patches
and software updates, malware is
downloaded and installed

27. Conclusion
• We do not need technology always to secure our network
• We have to learn to use our background knowledge
• Information Security awareness is a necessity
• Trust your own people
• Do not expect the usual always
• Expect the unexpected
• Stay safe and stay updated

28. Thank You