|Refrigerator Botnet? Revd. Pastor Laphroaig says Show the PoC || GTFO|
SANS handlers classified TheMoon as a Worm because of the self-replicating nature of the malware. The worm searches for a “HNAP1” URL to fingerprint and identify potentially vulnerable routers. If you check your FW and Server logs you may find lot’s of different IP’s probing this URL.
The worm was named like this because it contains images from the movie “The Moon”. It’s possible to carve a few PNG’s inside the ELF binary:
Let’s start by running the file utility and readelf to identify the architecture (MIPS R3000 / Little Endian):
OpenWRT Malta CoreLV platform is intended to be used with QEMU (in big or little endian mode). The install procedure is pretty straightforward using OpenWRT Buildroot. OpenWrt Buildroot is the buildsystem for the distribution and it works on Linux, BSD or MacOSX. In case you didn’t remember, authors from Carna Botnet used it to cross-compile its binaries.
Installing prerequisites (on your favorite Debian Derivative):
Now head to the openwrt folder and set the proper settings for your Linux Kernel, choosing “MIPS Malta CoreLV board (qemu)” for the Target System and “Little Endian” for the subtarget. Don’t forget to save the config.
Now build your image (use the -j switch to speed up if you have multiple cores, e.g “-j 3”):
If you want to connect your emulated machined to a real network, follow the steps from Aurelien’s Blog or simply run the following commands to get Internet access:
You may remember that it was not possible to run busybox-simet using the standalone qemu-mips-static. It’s possible to fix that by manually patching QEMU or you can run it inside the proper virtual machine (OpenWRT Malta MIPS/Big Endian):
In order to emulate the Linksys Environment, let’s download and unpack the Firmware from E2500v2 (v1.0.07).
Let’s copy and extract the root filesystem (e2500.tar.gz) and the malicious binary (EXr.pdf) to our test machine (Debian MIPS). Remember to copy the worm to the appropriate “/tmp” folder. Backup your QEMU image, start sniffing the connections from the bridged network (tap1 on my case) and bind the necessary pseudo-devices to the chrooted path. You can run the binary directly on your Debian MIPS environment, but using chroot and the target filesystem is highly recommended. If you try to chroot and run the worm without linking these devices, it will refuse to run and it won’t drop the second stage binary.
You can use strace to log the syscalls and start your chrooted shell to run the malicious binary. I had some issues using strace on the 2.6.32 Debian MIPS Kernel (vmlinux-2.6.32-5-4kc-malta). The 3.2.0 (vmlinux-3.2.0-4-4kc-malta) version seems to be running fine.
If you don’t want to use strace, simply start sh chrooted and run the malware:
The worm tries to remove files containing certain extensions and perform a series of system checks. After a few seconds the binary is removed from /tmp/ and three files are written on the disk: .L26 (PID), .L26.lunar (Lunar Base URL) and .L26.out (Debug log).
It’s possible to dump QEMU’s physical memory using the pmemsave command by hitting CTRL+A, C (to enter QEMU’s administrative interface) and entering:
The 256MB raw dump will be saved on your host’s local path. You can now try to use volatility or run strings against it.
The worm starts scanning for ports 80 and 8080 on a hardcoded list of networks. If the /HNAP/ URL returns a string identifying the targeted routers, the malware sends a HTTP POST trying to exploit a command injection on the vulnerable CGI.
TheMoon will also start an HTTPS server (“Lunar Base”) on the router using the random port identified on the .L26.lunar file. The certificate’s Common Name, Organization and Organizational Unit are hardcoded and other values seem to be random. Trying to find these entries on scans.io SSL certificates datasets would be really interesting.
The HTTPS server hosts three files: gerty.png, lunar.png and favicon.ico:
Rkhunter reports a few warnings on the infected system. I have upload the complete output from rkhunter to Pastebin, get it here.