Undetected Worm - Malware Mistake

LARG*net runs an antivirus competition that relies on honeypots which automatically upload new malware to VirusTotal, so that various threat feeds learn about the attacks as they happen.

The uploaded samples tend to be new, so most antivirus products miss them the first time. It takes about a week for a sample to become well known enough that most antivirus engines detect it. Collecting and sharing these samples lets antivirus vendors analyze and detect them much more quickly than they could on their own.

Recently, multiple attacking IP addresses have been using the same malware. It was uploaded like all the others, yet months later it still bypasses every antivirus engine. That rarely happens, so it definitely warrants further investigation.

I started by reverse engineering the first stage of the malware and discovered that it tries to kill all previous variants of itself, 13 versions in total. After killing its predecessors, the malware attempts to set up persistence so that it survives reboots.

Next it downloads the actual payload from a Digital Ocean host. I downloaded that file manually and noted that my antivirus did not detect it either. I also reported the download link to Digital Ocean so they could take it down.

The payload is a UPX-packed Linux ELF. I tried to find out what it does by submitting it to a malware sandbox, but the analysis failed with an error saying the operating system was wrong. At first glance it doesn't appear to be malicious and seems to be protecting itself from detection somehow. This is the usual malware cat-and-mouse game.

Further analysis of this second-stage payload reveals that it changes operating system when you unpack it: the UPX stub is a Linux ELF, but the executable inside it is a Windows binary. The payload is therefore useless, since the authors clearly made a mistake when they built it. This mistake explains why the automated tools don't flag it: as delivered, it is benign. The only machines that could plausibly run it would be Linux hosts with Wine installed, which can execute both Linux and Windows executables.
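As an added example (this is not code from the original post or from the malware author), the check below is what I would run on a sample before and after unpacking to catch exactly this situation: the outer container is a Linux ELF, the UPX marker is present, but the unpacked payload is a Windows PE. It assumes the sample has already been unpacked with `upx -d` into a second file. The sample bytes it builds are constructed minimal headers for illustration, not the real malware.

```python
import struct

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIG = b"PE\0\0"
# UPX leaves these markers in both ELF and PE stubs ("UPX!" header tag, "UPX0"/"UPX1" section names)
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")

ELF_MACHINES = {3: "i386", 40: "ARM", 62: "x86-64", 183: "AArch64"}
PE_MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "AArch64"}


def identify_format(data: bytes) -> str:
    """Classify a file by its executable header: 'ELF32/64 (arch)', 'PE (arch)' or 'unknown'."""
    if data[:4] == ELF_MAGIC and len(data) >= 20:
        bits = {1: "32", 2: "64"}.get(data[4], "?")      # EI_CLASS
        endian = "<" if data[5] == 1 else ">"             # EI_DATA: 1 = little, 2 = big
        machine = struct.unpack(endian + "H", data[18:20])[0]
        return f"ELF{bits} ({ELF_MACHINES.get(machine, hex(machine))})"
    if data[:2] == MZ_MAGIC and len(data) >= 0x40:
        e_lfanew = struct.unpack("<I", data[0x3C:0x40])[0]  # offset of the PE signature
        if data[e_lfanew:e_lfanew + 4] == PE_SIG and len(data) >= e_lfanew + 6:
            machine = struct.unpack("<H", data[e_lfanew + 4:e_lfanew + 6])[0]
            return f"PE ({PE_MACHINES.get(machine, hex(machine))})"
    return "unknown"


def looks_upx_packed(data: bytes) -> bool:
    """Cheap heuristic: any UPX marker string present in the file."""
    return any(marker in data for marker in UPX_MARKERS)


def _family(fmt: str) -> str:
    return fmt.split()[0][:3] if fmt != "unknown" else "unknown"


def stage_report(packed: bytes, unpacked: bytes) -> dict:
    """Compare the packed container with its unpacked payload and flag an OS mismatch.

    'inner_runs_on' is the OS a sandbox would need to execute the real payload,
    which is the information the sandbox error in the post was hinting at.
    """
    outer, inner = identify_format(packed), identify_format(unpacked)
    families = (_family(outer), _family(inner))
    return {
        "outer": outer,
        "inner": inner,
        "upx": looks_upx_packed(packed),
        "os_mismatch": "unknown" not in families and families[0] != families[1],
        "inner_runs_on": {"ELF": "linux", "PE": "windows"}.get(families[1], "unknown"),
    }


# --- constructed sample headers (not real binaries) ---------------------------

def make_fake_elf(with_upx: bool) -> bytes:
    """64-bit little-endian x86-64 ET_EXEC header, optionally carrying a UPX marker."""
    hdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8      # e_ident: ELFCLASS64, LSB, version 1
    hdr += struct.pack("<HH", 2, 62)                        # e_type = ET_EXEC, e_machine = EM_X86_64
    hdr = hdr.ljust(64, b"\0")                              # remainder of the 64-byte header
    return hdr + (b"UPX!" if with_upx else b"") + b"\0" * 32


def make_fake_pe(with_upx: bool) -> bytes:
    """MZ stub pointing at a PE signature with IMAGE_FILE_MACHINE_I386."""
    dos = MZ_MAGIC.ljust(0x3C, b"\0") + struct.pack("<I", 0x80)   # e_lfanew = 0x80
    dos = dos.ljust(0x80, b"\0")
    pe = PE_SIG + struct.pack("<H", 0x14C) + b"\0" * 18            # COFF header, i386
    return dos + pe + (b"UPX0" if with_upx else b"") + b"\0" * 32


if __name__ == "__main__":
    # Reproduces the case from the post: Linux stub outside, Windows executable inside.
    print(stage_report(make_fake_elf(True), make_fake_pe(False)))
```

On a real sample you would read the two files from disk (`open(path, "rb").read()`) and pass them to `stage_report`; a report with `"upx": True` and `"os_mismatch": True` is the signature of the build mistake described above, and `inner_runs_on` tells you which sandbox platform the unpacked payload actually needs.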

I uploaded the Windows variant of the malware to VirusTotal. At first nothing detected it, but about two hours later a retrospective Firepower alert warned me that I had downloaded malware:

<*- Network Based Retrospective at Mon Jan 27 19:30:39 2020 UTC -*> 
Sha256: 3f29a6d7dcf0a291667d58801fbe8d8cf6b102c4af69fc52dcd698764c6d4278
Disposition: Malware
Threat name: Auto.3F29A6D7DC.231464.in07.Talos

I did a bit more digging to determine which malware family it originated from and found that it dates back to 2016. Back then it was known as the Linux.Lady trojan/worm and was designed to mine bitcoins. It then dropped off the radar and hasn't really been heard of since.

Malware Mistakes

The first stage of the malware kills previous versions of the malware and the second stage initiates the command and control. In this case, the second stage does not function so the authors killed their own botnet.

Curiosity got the better of me, so I looked back at 2016-2017, when the Linux.Lady Raspberry Pi bitcoin mining worm started to spread, wondering whether the same group wrote this second worm to replace that botnet.

This is one of the greatest advantages the good guys have over the bad guys. Malware authors generally lack the version control, code review, source code management, build testing, release automation, configuration management, and monitoring that legitimate software teams rely on, so they are far more likely to fall victim to their own coding and build mistakes.