Raspberry Pi Malware uses IRC Remote Access Trojan (RAT)
Вставка
- Опубліковано 25 тра 2023
- j-h.io/snyk || Try Snyk to find vulnerabilities in your own code and applications FOR FREE ➡ j-h.io/snyk
🔥 UA-cam ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
I love how this script taught me how IRC client server actually talk to one another XD
im pretty sure when elliot connected the pi to the Steel canyon thermostat i think it was also a Raspberry Pi Malware uses IRC Remote Access Trojan (RAT).
I am not an expert in the field of cyber security, but I intend to learn, and every time I lose passion in learning and watch your videos, I just go back and continue again. Thank you for everything😊😉 I feel that you are my guide in this field😌
IRC as a command&control is not unheard of. Used to be common back in the early 2000s when first botnets came to existance.
Question: who port-forwards ssh to raspberry pi with default user/pass to internet? Like putting keys into a car with windows open...
Infecting other raspberry pi on the LAN that infected pi is. Like a school.
Your explanations help me get better in Linux and malware analyses. Your videos are great value!
Great video as always, John.
Just wanted to say that I've noticed that very same malware being dropped in my SSH honeypot a couple of times some months ago, but I've got 3 different samples of it if I remember correctly.
IDK if I should send you those samples because they're almost the same IRC worm written in plain bash... And I find them funny as hell.
Sorry any typo, I'm not a native english speaker.
What is this Overflow thumbnail :D Also Pi with IRC RAT, lets go baby. Nice find
Haha we boomers used to run IRC with Telnet, so I recognize those responses immediately!
I got hacked once when I had my linux box on the net, they installed an IRC bot in my home directory. I looked at what it did and logged into the channel they were using. And seen everything. Pretty interesting.
looks like an RX Bot my brother used to play with back in the day... it comes to an IRC channel and you command it with commands beginning with a special character. i used to love IRC. :)
Would have been great to validate the credentials in the hash and then join those channels to see how many infected machines are connected.
And share the sample.
great video! Running down the code was pretty interesting
Now I feel very old. IRC as C2 was the default back in my days 😂
A few years back I was called to analyze a hacked linux box. Turns out the malware used IRC as well to talk to the C2 infrastructure. In the windows-attacks-universe we find all kinds of crazy stuff to make sure C2 communication works and is not immediately detected.
And then over on linux, where everyone's nice and peaceful, we find malware that's 20 years behind current developments. I found that cute.
@@twinklingwater Linux targets are just on average much harder targets and on average also provide a much lower return on time investment. Why bother
Ok I'll date myself a little bit here but this is not new. Sub7 server was using IRC for c2 like 25+ years ago.....lol
Good old days.. turning 40 in a few weeks and can remember sub7 but also B.O van 'the Cult of the dead cow' or the Melissa virus (still have the source code somewhere printed out)
@@lumikarhu they pwn3d my port 31337! master's paradise was another fun one when it didn't crash. opening someone's cd-rom drive was always good for a laugh
picked up a lot of background bash info thanks.
5:20 If you want to pronounce "Deutschland" as a German would pronounce it ("Deutschland" is German for "Germany"), think of it as if it was written "Doytshlund" and pronounce that the English way.
Exactly. He should've just stayed quiet instead of butchering it and saying "Dutchland".
@@taahaseois.8898
Especially since "Dutch" is the english word for "something from the Netherlands", which isn't exactly German, even though it's geographically close.
@@Lampe2020 Yeah. I can see that causing some confusion.
Could you please create some video about "Black Cat/AlphV ransomware" and how their tools work? Looks like a lot of big companies were hit recently
The thing that doesn't make sense is, it changing the password.
This would make the user take the Pi offline and reflash it, killing the RAT, in most cases
That is wild. I don't often read malicious bash scripts, interesting, enjoyed seeing how that works. I am thinking the double ampersand is only there to run if the ssh pass connection occurs, i.e. The commands after && only execute if the previous commands execute successfully (exit 0). So it's a method of skipping the rest of the commands if it fails.
Yes, that's exactly what it's for. It requires the command to complete without STD_ERR before going to the next sequence. There is also an opposite of it with ||, where it only execute the next sequence if the previous command exit with a STD_ERR.
Did you report this to the IRC provider? It would be fun to break their botnet.... :D
Bro copied liveoverflow's thumbnail as revenge for the mockery in his last video 💀
Late to the video, Kaiten was a suicide craft made by the Japanese at the end of WW2. I'm guessing by that name, it's some type of script that kills itself after it completes whatever the creator or actor wanted it to do.
Top thanks very much
Thumbnail like liveoferflow😅
John john john, how do u not know undernet is a pretty well known public irc server?
12:26 That is the IRC server looking up your reverse
The IT guy at the school I go to had the exact same thing happen to him.
between lines 9 and 10 i fail to see how the directory was created before they issued the copy command. does cp make the directory for you if it does not exist? if not, they missed a step after creating the variable on line 9.
The directory /opt is by default present on Raspbian install, and with most modern Linux distributions. They didn't miss a step. Step 9 was only to create an unique string, which is used as name for $NEWMYSELF. Line 11 to 13 could have been done in just 1 line in fact.
hello john, i was wondering if I could have this bash script. it will be really useful for my learning
Awesome video but I've got one question.. How do hackers always find these servers like basic raspberry pi servers or webservices with bad configs? Is there a way to just use google dorks and find them or what?
17:33 Infected machines are used to scan the Internet for port 22 with zmap and then login with pi raspberry, then copy and execute itself upon successful login. To get started the threat actors probably used a VPS or hacked server to do the initial infection.
Read up on portscanning with programs with nmap and zmap. IP ranges are constantly being portscanned by some scriptkiddie somewhere.
Like 10years ago i remember a friend sending me a IRC script that was kinda malware but really weak. I had to go chat with someone, make them add a script to their Irc program (there was a button on my end that was sending an explanation on how to "update" your irc with this script) and then i could open 100 calculator or make their pc make the error sound for no reason :p
It was hard to get people to accept adding those into their irc scripts but i had fun spamming calculator on some friends
what if that trojan is still active,
and we access those IRC channels and type the commands which is read by those trojans
and execute on the systems.
Don't we have a umm sort of access to the infected computers?
anyway
Great video sir John !!
You need the private key encrypt your commands. The script had the public key.
the best 👏👏👏
YEah but you still need to give sudo credentials? am i right?
Every time John does one of these files, I am blown away!
Now I know where "john the ripper" came from... c'mon... you know you created this John!!!!
wdym "john the ripper" came from? its an ancient program, it came from whoever wrote it in 1996, i don't get that comment
@@griffon2-6 you don't have to get it.
Orange Pi 5 > Raspberry Pi 4
Hehe. Though, I'll be getting the Yoga 370 instead. ^_^
clean, persist, backdoor, c2, rce, worm
can't classify that as a single type malware
Thank you sir for keeping me up to date. I JUST started a career in Cybersecurity and I will really like to be mentee
Nobody hacked you if you exposed a service on the web with default credentials. You hacked yourself.
ikr
If you have default credentials and open SSH. Well let's say they were lucky they weren't hijacked before.
@@shroomer3867 well they said it themselves: they usually have no port forwarding for 22 (ssh) in their router settings. so using defaults on a pi is "kinda" fine. the problem is that they forgot that they have an "unsecure" pi on their network before opening the port for mere 30 min for letting someone else access their pi. the second they thought of forwarding the port to their pi they should have thought "WAIT that thing is still on default credentials!" next.
the scary thing is the auto propagation of this worm. this shows that even a second of open ports with default credentials is too much because there are potentially thousands of infected pis out there scanning for these vulnerable devices at all times
@@TheScarvig That's the issue. It takes not a long time to scan the entire Internet. 30 minutes or less is probably what it takes to find your device exposed online. When you acquire such a device, even if you don't plan to open it over Internet, ALWAYS change the default credentials. Because you might get your own machine in the network infected and it may try to hijack into the Pi server from your own machine, in other words from the inside of the network. If you are handling a Raspberry Pi server in your network, don't ever leave it on default credentials. The first thing you need to do is to change the default username and password and restrict (deny) root login over SSH (that's highly insecure). Also, you have to disable password login, because password isn't encrypted while logging in (it is used to establish a secured encrypted connection, but the password itself is sent in clear). If a friend needs to momentarily access the Raspberry Pi over SSH, maybe ask them to come to your home, which may be much easier. Anyway, ask them to send you their public SSH key, so you can add it to the authorized keys manually, and if they for some reason need the access remotely, then port forward the SSH port at the ISP level (because you need to expose the port to your router, that's actually pretty easy to do, but you don't manage the ISP's router, so you have to ask them to port forward the SSH port 22 to your plug, which may cost you additional money).
Exactly it is brain dead to do so.
old heads in the comment section remember irc being the gold standard for bot c2's.. also back then it was called c&c. those were the days.
I don't really understand how the code between lines 9..15 is able to work. sudo usually asks for password before granting root privileges. Or is this script just hoping for empty password or for NOPASSWD sudo configuration?
Ok turns out the NOPASSWD is set in the default configuration of Raspberry Pi.
The script is abusing people running their Raspberry Pi with default configuration. That's why we generally call people running these scripts "scriptkiddies". The people that wrote it are the actual hackers. This script is somewhat nice, the author certainly put value in readability of it's code with proper indentation. But there are place for improvements, example line 11 - 13 could have been done with 1 sudo command and with cat to write the new /etc/rc.local file. Even better would be to only do the /etc/rc.local update if the cp of $NEWMYSELF was complete successfully.
How young is John, not to know about IRC.
exactly
My first time joining a IRC server was in 1997 using a Beta version of BitchX😂
@@PandaBero83 mIRC was the first IRC client i used. But I also used BitchX and irssi, and nnscript for QuakeNet. I'm still using IRC on daily base.
I thought you were older, John. 🤣
Not recognizing an IRC server, network and the default IRC port 6667... You know so much, but just this one time, I instantly knew something you didn't, even way before the connect message when you nc'ed the hostnames. 😁
IRC is likely one of the oldest way to control zombies / bots.
I remember hearing about this almost 25 years ago, and even then it wasn't new.
UnderNet should have given it away. One of the oldest of the irc networks around.
absolutely, it got me right at ping/pong
Did you try watching that IRC channel?
Why didnt he join that irc channel so see how many hosts were on there?
Just joined it there are no people in it
@@j_r_- I went there as well, let's register the channel and wait for the bots
This script is usefull!
Is the TLDR to change the default password?
you should already kinda know that...
@@suchtberater there hasn't been a default user/password on PI OS for years
@@An.Individual i wouldnt know, them mfs expensive asf.
God i love watching your videos lol
long time ago i found windows malware and it using facebook post comments as C2...
Ok that is cool
5:05 kaiten is another linux bot
Sweet
C nod is
Driving other works also never to confirm Li esys👀 problem my work and drive
Information please reply.
How many parkview balancing files and sell to change binck change this work headel min change blinc files open
Why do you look like the main character from beholder 3
Don’t worry everyone, you can’t buy a pi anyway 😮💨
Underrated comment
Why 🤔
LOL
Yes, you can. In the Raspberry Pi shop in London. But only as a kit, not alone as far as I know.
I bought 2x PI4B 4gb in last 2 weeks & I don't even need them. However they are out of stock again
IRC make us op
Man was clueless. Really never seen IRC before?
I find that beautiful. Malicious, but beautiful ;)
I got hacked with XMRig and LOLMiner on my Raspberry Pi after installing a package from either APT or NPM
admit it john you never used an IRC network
Raspberry pi vs rog ally 😂
It's not a good idea to leave negative comments or to give dislikes on this channel.
You might get hacked if you do that... 🤣
This dude never used irc
Early:3
I'm 67 and played on lucipher chat, and other chats back in the 80' and 90's. The whole P/H/A & \/\/ arez and all the LOD MOD CCC DPAC 4/F and all the euro virus scenes. This is the stupidest video I never paid attention to. Just typed a msg. Let me see if I can recall any of my sign-offs umm. The Cleveland PHranster! Lance Romance. Oficically recognized slayer of LOD and Chaos Computer Club.
Yes, I hand copied the entire script so I could dig in. Got the same 2.2k .7z file and can run it!! Guess I could have asked for the code, but… fun??
ha..
🍔🫕🍫🍫🏔
Stop kids please commenting shit thinking u are HaCkErs
does no one use the UFW ??? sudo ufw deny 6667