Mirai malware infects Linux with Busybox

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

Mirai malware infects Linux with Busybox

#1 Post by Mike7 »

Hi, guys.

I don't understand much about these DoS attacks and the Mirai malware, but Wikipedia says that Mirai is Linux malware. Does this mean that my computer, which is running Carolite-1.2, could be infected? If so, how do I check for Mirai, and what do I do about it if I am infected?

Cheers.

Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#2 Post by greengeek »

I don't know how to answer the questions you have posed but I found one quote interesting from the link you gave:
The Department of Homeland Security said Monday that it's been working on security practices for internet-connected gadgets and will release them in the coming weeks.
And also a quote from wikipedia:
Mirai is malware that turns computer systems running Linux into remotely controlled botnets that can be used in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers
If home routers are potentially involved I suspect this could give enormous power to "Homeland Security" and all the powers that be who like to exert control.

How long before Linux powered devices become illegal to use in certain jurisdictions? I think it's heading that way.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#3 Post by Mike7 »

But are all of us Linux users infected by Mirai malware? I can't believe I'm the only one worried about it.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#4 Post by greengeek »

Not all are infected. However, the Mirai malware apparently targets machines running busybox so that means Puppy is a potential host.

See this article:
http://securityaffairs.co/wordpress/509 ... i-elf.html It says:
The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions as confirmed by the very low detection ratio in the VirusTotal online scanning service.

“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#5 Post by Mike7 »

the Mirai malware apparently targets machines running busybox so that means Puppy is a potential host.
Do all Puppies, including Carolite, use Busybox?
“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform,"
My computer uses a local wi-fi Internet connection. I don't know what the router is, but is it likely that it's using Linux software or another susceptible system?

A computer is not actually an IoT device, is it? Wouldn't the wi-fi router have to be infectable?
detection is difficult at this point in time.
Bad news.
This other article:
https://nakedsecurity.sophos.com/2016/1 ... en-source/
highlights the method Mirai uses to breach easy passwords to get control of the device and lists a bunch of username/password combos that are breachable. Sure enough root/root is one of them.
Wouldn't you know it. Is there any way around this problem? Can Puppy be re-worked so that root is no longer named root?
you should have your machine set up so that you can drop it's power immediately if you experience weird symptoms.
I'd have to remove the battery to do that, which presents other problems which may not be solvable (the EeePC was not designed to run without a battery). If you just mean powering off or shutting down, the usual Ctrl>Alt>Del works, but I still have to wait for the shutdown routine to finish.
this can have a bad effect on savefiles which is why I don't use them anymore.
How do you get around using save files? Don't you ever make changes to system files? How about bookmarks? Please explain.
Until the detection of Mirai improves I don't think there is much we can do.
Uy.

Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#6 Post by greengeek »

Mike7 wrote:Do all Puppies, including Carolite, use Busybox?
I believe so. Hopefully someone else can chime in and confirm if that's true.
My computer uses a local wi-fi Internet connection. I don't know what the router is, but is it likely that it's using Linux software or another susceptible system?
Impossible to say without knowing the brand and model. How do you connect to the router if you don't know what/where it is? Is it using encryption?
A computer is not actually an IoT device, is it?
That depends on your definition - for example things like Raspberry Pi, Banana pi and Odroid etc are physically small enough to be installed inside a fridge, router or TV as an embedded Linux device yet they are really a PC. If a PC connects to the internet and runs busybox then it certainly qualifies as an IoT device potentially affected by the malware you have highlighted.
Wouldn't the wi-fi router have to be infectable?
Yes if you are talking about Mirai - but I was referring to the overall security weakness inherent in routers (which is where your passwords pass through). What stops your router responding to hacking attempts? What stops it transferring your passwords back to its factory of origin (as some IP cameras do)? Some routers are able to be remotely reprogrammed and who knows what kind of person programmed the code in your router or where their loyalties lie? Who writes the code in any router? How secure is that code? The NSA grafted password traps into some laptops - I am sure they can graft backdoors into router code just the same way they require ISPs and companies like HP to install backdoors and monitoring software for the purposes of compliance.

But - if you do not know what your router is then the question is - how do you know that it is not just a wifi hotspot set up as a dupe ("evil twin AP")? It is easy for a hacker to set up a spoof hotspot and capture the data streams. And in any case even a home router is a common target for hackers to crack. See this:
http://null-byte.wonderhowto.com/how-to ... r-0165154/
(ok I'm sounding paranoid but all I'm saying is that there are many ways your online banking session can be compromised).
Can Puppy be re-worked so that root is no longer named root?
Sorry I really don't know how easy or how big a job that might be. I'm sure I have seen some Puppians playing with the passwording. I know it is hard to set up a true non-root environment in Puppy but maybe changing the root pw might be easier than that.
I'd have to remove the battery to do that, which presents other problems which may not be solvable (the EeePC was not designed to run without a battery). If you just mean powering off or shutting down, the usual Ctrl>Alt>Del works, but I still have to wait for the shutdown routine to finish.
I found a script that shuts the machine down within a second or two. Doing this is risky if you have drives mounted or savefiles in use but you should not have those for an online banking session anyway. I have never had any problems as a result of the immediate powerdown. As an alternative method I press the powerbutton for about 8 seconds and just let the power drop. It is slower than the script method but I had to do it once when the website I was viewing locked my machine and told me it was encrypting my hard drive. Mouse and keyboard wouldn't work so the power button method was all I had. I was very glad I was not running a save file at that time.
EDIT : Despite the PC lockup and evil message on screen my hard drives were untouched - for which I credit the structure of Puppy and the use of RAMbased activity only, with no drives mounted. That and the hasty power down.
How do you get around using save files? Don't you ever make changes to system files? How about bookmarks? Please explain.
After I have set up my system the way I want it (including bookmarks and new software etc) I make a "personal sfs" which contains the updates the same way that a savefile normally would. Being an sfs the contents are not changeable while the system is running so the system boots with the same code each time. (whereas a savefile will contain whatever has changed during the last session - which could include malware). As an alternative method some people just remaster the main puppy.sfs and then turn off the savefile feature. That way their puppy contains their necessary changes but doesn't get progressively updated during each session.

Another method is to stick with the original main puppy.sfs (not remastered) and add scripts into /root/Startup which personalise the system straight after each boot.
Last edited by greengeek on Thu 27 Oct 2016, 19:13, edited 1 time in total.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#7 Post by belham2 »

Hi Greengeek,



Curious as to what your thoughts on practicing 'digital entropy' with the systems that you own (at least, all that are in your realm of ownership). The hardware side of this is still formidable (and expensive), but the software side is becoming increasingly within reach of all of us (the wild proliferation of puppies and pup-related distros being one example).

Reading about online hackers, even some of the notorious ones who've turned to lucrative bounty programs and white-hat hacking, one of the things they keep repeating (and what they say they themselves practice) is this 'entropy' (or randomness) along with that old adage: it is hard as he## to hit a moving target.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#8 Post by greengeek »

belham2 wrote:online hackers......keep repeating (and what they say they themselves practice) is this 'entropy' (or randomness) along with that old adage: it is hard as he## to hit a moving target.
I think there is probably some truth in that. In particular some of the malware utilities are marketed and sold as "ready made" turnkey attack vectors and I would guess that such things are more likely to be focused towards specific software profiles in the targeted devices.

If we run a system that is "unusual" in its software construction we must surely be making it harder to hijack - especially if we don't retain cookies, browsing history, or any other data fragments from session to session. As far as I can tell some malware gets inserted in one session, reports back to its 'command and control' server next session, then potentially transmits data each session thereafter - or else can sit quietly for some future session where the cnc server wakes it up. If your software is "non-standard" it is harder for the attack vector to "stick" in the first place - and if the software is loaded into a pristine state each boot then anything that did "stick" in the first session is lost anyway.

However - let's assume that an online session lasts long enough for a script kiddie working at your ISP to identify an attack vector suitable to infiltrate your system - and let's say they manage to set up an ssh link - they could take control of your system during that session - despite the fact that any code they add, modify or take control of will be returned to pristine at next boot.

During that session they could use your device/PC as a DDos vector against someone else - and you may not even know about it. On the other hand I suppose they could make alterations to things like bootloader config etc, or even destroy data on a drive if it is mounted. None of this is "likely" but we know it is "possible". We know some people get their hard drives encrypted, DDos attacks do occur etc etc.

One of the things we must remember though is that whatever version of Linux we run - there are multiple files that could harbour security holes. These include libs, browsers, wget and other download utilities, ssh, ssl, etc etc. So many code fragments that could have been insecure since they were first written. And what goes on inside the kernel? I think I read somewhere recently about a kernel security issue.

In light of that collection of potential security holes I do see some value in running a "mix 'n' match" system that has unusual combinations of utilities and code. Why not run a new glibc in an old system? Why use the latest syslinux if an old one works well in your system? etc. Maybe it will be harder to penetrate if it looks like a patchwork quilt :)

I like the term "digital entropy" - did you coin that yourself?

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#9 Post by belham2 »

greengeek wrote:
I like the term "digital entropy" - did you coin that yourself?
.

Well, it's hard to claim any fame with a phrase since both words are so pervasive in the world, in many languages (not just English). But, yes, I thought of the term about a year ago and have been thinking about it ever since. This was happening at the same time I have also been trying to dig into what the next logical direction for software AI(s) is. I honestly believe their (software AI) great awakening (or, I mean, awareness) for humans will be in this realm. I still don't consider Iphone/Android personal digital assistants as anything more than jelly without the toast. But if they (AIs) start following us across our device-ownership realm, then that is another thing entirely. AI is perfectly suited to perform 'digital entropy' on the fly, and with the widespread acceptance of running things virtually (VMWare, VirtualBox, etc, etc), the two together seem like they would be a natural fit.

But, alas, until then I pretty much tax my own over-matched, aging synapses with as much randomness as I can when it comes to having an online presence------even to the point I get lost in remembering what's what a few times....haha :D

Thanks for answering.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#10 Post by greengeek »

belham2 wrote: I have also been trying to dig into what the next logical direction for software AI(s) is. I honestly believe their (software AI) great awakening (or, I mean, awareness) for humans will be in this realm.
To be honest AI scares me. I guess it would potentially be a huge productivity boost - but only if it remains within the parameters we would set for our own behaviour. What use is AI without morality or ethics?
I pretty much tax my own over-matched, aging synapses with as much randomness as I can when it comes to having an online presence
Ha, me too. I sometimes wonder if my own 'analogue entropy' is actually the onset of dementia. :-)

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#11 Post by bark_bark_bark »

greengeek wrote:To be honest AI scares me. I guess it would potentially be a huge productivity boost - but only if it remains within the parameters we would set for our own behaviour. What use is AI without morality or ethics?
I can agree, but AI would make a great alternative to human companionship here in the dystopia created by feminists. An AI can't hit you and spew misandry.
....

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#12 Post by greengeek »

Mike7 wrote:Do all Puppies, including Carolite, use Busybox?
As far as I can see busybox is a central part of all puppies. Here are some comments about modifying/replacing it:

http://www.murga-linux.com/puppy/viewtopic.php?t=76882

http://barryk.org/blog/?viewDetailed=01368

I will post more links if I find them but it doesn't look promising to try replace busybox. Seems to have been an integral part of puppy in an effort to save space.
bark_bark_bark wrote: An AI can't hit you and spew misandry.
Or can it? Imagine how bad we would feel if an AI judged we males even more harshly than our female counterparts already do...
:)

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#13 Post by bark_bark_bark »

greengeek wrote:
bark_bark_bark wrote: An AI can't hit you and spew misandry.
Or can it? Imagine how bad we would feel if an AI judged we males even more harshly than our female counterparts already do...
:)
:shock: shit man, I think you're on to something.
....

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#14 Post by Mike7 »

Greengeek-
Mike7 wrote:Do all Puppies, including Carolite, use Busybox?
I believe so.
I did a thorough check and, yes, Carolite is running Busybox. It boots with it and uses it continually. No way, really, to eliminate it.
How do you connect to the router if you don't know what/where it is? Is it using encryption?
I piggy-back on a non-encrypted strong local wi-fi signal.
If a PC connects to the internet and runs busybox then it certainly qualifies as an IoT device potentially affected by the malware you have highlighted.
That's what I was afraid of {sigh}.
Wouldn't the wi-fi router have to be infectable?
Yes if you are talking about Mirai
I am talking just about the present case, Mirai. My query was purely practical: could my computer be infected with this malware, and what should I do about it, if anything.

So, if I understand you, my computer doesn't have to be infected in order for my data to be hacked; it can be got at through the wi-fi router. Is that right?
What stops your router responding to hacking attempts? What stops it transferring your passwords back to its factory of origin (as some IP cameras do)?
I am not running a router. As I said before, I am using a wi-fi signal.
if you do not know what your router is then the question is - how do you know that it is not just a wifi hotspot set up as a dupe ("evil twin AP")?
I don't. It could be anything. Yes, what I am doing is very dangerous (using an unknown wi-fi signal coming from an unknown router). But life is fraught with danger where I am (Buenos Aires, Argentina), so trusting to an unknown wi-fi and router is just a drop in the bucket (albeit a particularly scary one).
It is easy for a hacker to set up a spoof hotspot and capture the data streams. And in any case even a home router is a common target for hackers to crack.
Using the Internet at all is a dangerous thing. But I am stuck with it, especially for online banking when I am away from the U.S. I know I should have my own internet connection and not use strange wi-fi signals, but even the local ISPs here are untrustworthy.
I'm sure I have seen some Puppians playing with the passwording. I know it is hard to set up a true non-root environment in Puppy but maybe changing the root pw might be easier than that.
Where in this forum can I get that information?
I found a script that shuts the machine down within a second or two. Doing this is risky if you have drives mounted or savefiles in use
I have Carolite set up so that there is never a "save" until shutdown, and then only as an option. I realize that using savefiles is risky, but the alternatives are simply too complicated for me. As to mounted drives, my only one is the bootable USB pendrive that Carolite is on. I don't even mount my computer's HDD.
As an alternative method I press the powerbutton for about 8 seconds
I have had to do that, too, when it seemed that there was some intrusion into my operating system. But there is some safety in using Puppy-on-a-stick, working in RAM, and not using the HDD.
After I have set up my system the way I want it (including bookmarks and new software etc) I make a "personal sfs" which contains the updates the same way that a savefile normally would. Being an sfs the contents are not changeable while the system is running so the system boots with the same code each time.
Sounds good, although kind of time-consuming if you are making changes every session. Actually, most of the time the only changes I make are to bookmarks, and the whole browser could be kept separately from the puppy files. There's a lot I still need to do to increase security.
Another method is to stick with the original main puppy.sfs (not remastered) and add scripts into /root/Startup which personalise the system straight after each boot.
I've thought about that. There could be a startup script telling puppy where to look for certain files that get changed a lot, for example in another partition of the pendrive.

Anyway, to get back to the subject, I haven't noticed any strange activity on my computer, so I am assuming it has not been infected by Mirai. That situation could change, though, so if you happen to run across a way to detect this malware, I'd appreciate a heads up.

Thanks and cheers!

Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#15 Post by Mike7 »

belham2 and bark_bark_bark-

It's very unfair to hijack someone's thread, don't you think, especially when the thread is about an urgent security issue?

Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#16 Post by rufwoof »

Just a point of note. If you run Debian you can install debsums

apt-get update
apt-get install debsums

and then validate all installed programs and/or configuration files (includes an option to automatically reinstall changed programs if that takes your fancy) ... see https://blog.sleeplessbeastie.eu/2015/0 ... -packages/

I personally try to run a pristine system - apply changes/updates and save immediately after booting ... otherwise not saving. But have more recently switched over to not using sfs's (but instead have all files fully extracted into the save space and an empty main sfs). That's just so I can boot either frugally (changes not saved, unless I run a script to save things), or boot like a full install (all changes immediately stored i.e. that I use to apply certain Debian updates that otherwise won't install under a frugal boot). Running debsums periodically helps ensure that the system still has its integrity. debsums runs to completion pretty quickly, haven't actually timed it but of the order of less than 5 minutes.

If a virus/malware changed busybox then debsums would most likely spot that change as it uses MD5 validation.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#17 Post by greengeek »

Mike7 wrote:I piggy-back on a non-encrypted strong local wi-fi signal.
I would probably not worry about the risk from Mirai as much as I would worry about the risks from using unencrypted wifi.
I am talking just about the present case, Mirai. My query was purely practical: could my computer be infected with this malware, and what should I do about it, if anything.
I could be wrong but my guess is - yes a puppy PC could be infected especially if it was online quite a bit, and also if it used a savefile that would retain the cnc interface code across boots. What should you do about it? - there is probably nothing you can do at present.
So, if I understand you, my computer doesn't have to be infected in order for my data to be hacked; it can be got at through the wi-fi router. Is that right?
Yes. In fact Mirai doesn't seem to go looking for the data on your machine - it seems to hijack a machine just to piggyback off its internet connection and cause havoc to someone else via a DDos attack. The risks to your data can occur anywhere along the data path between you and the bank. In my opinion an insecure wifi connection would be by far the weakest part of that chain.
I am not running a router. As I said before, I am using a wi-fi signal.
But that wifi signal is still running through a router - even though it is not your router it is still a router. The fact that its brand, model, and ownership is unknown to you does put your data at risk.
Yes, what I am doing is very dangerous (using an unknown wi-fi signal coming from an unknown router). But life is fraught with danger where I am (Buenos Aires, Argentina), so trusting to an unknown wi-fi and router is just a drop in the bucket (albeit a particularly scary one)
To be honest I really feel that none of us really have as much security as we believe. I know people who maintain the Southern Cross internet data cable that runs from New Zealand to the U.S via Hawaii and based on their comments I am sure every data packet is transparent to a number of individuals and agencies along the way.
I know I should have my own internet connection and not use strange wi-fi signals, but even the local ISPs here are untrustworthy.
I suppose the best advice comes back to regular changing of banking passwords in that case. At least any data that gets trapped on one day can be made irrelevant the next.
Where in this forum can I get that [puppy root password change] information?
I will post back if I can find it but it can be hard to find information sometimes. Have to get the keywords right.
I have Carolite set up so that there is never a "save" until shutdown, and then only as an option. I realize that using savefiles is risky, but the alternatives are simply too complicated for me. As to mounted drives, my only one is the bootable USB pendrive that Carolite is on. I don't even mount my computer's HDD.
That's handy having the save option then. That lets you shutdown without saving. If you wanted greater safety you could always temporarily hide the savefile and run without it, or even make another new one that you could use only for banking sessions (ie only containing the minimal changes required to get online quickly).
there is some safety in using Puppy-on-a-stick, working in RAM, and not using the HDD.
Agreed.
Actually, most of the time the only changes I make are to bookmarks, and the whole browser could be kept separately from the puppy files.
Maybe you could look at using "portable" versions of your preferred browser. That way you could even have two setups - one browser used solely for banking sessions (with tighter security settings, minimal bookmarks and no browser history or cookies) and another browser setup for general internet surfing and bookmark/cookie retention.
Anyway, to get back to the subject, I haven't noticed any strange activity on my computer, so I am assuming it has not been infected by Mirai.
I doubt you would notice it unless you were comparing router statistics between infected and non-infected sessions. And of course you don't have access to the router anyway. If your Puppy was infected with Mirai all you might see is more network icon activity.
if you happen to run across a way to detect this malware, I'd appreciate a heads up.
Sure, I will post back if I see anything. I quite like the Sophos "Naked Security" website for that sort of info:
https://nakedsecurity.sophos.com/2016/1 ... ck-on-dyn/

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#18 Post by greengeek »

I have not reviewed these threads properly but here are some links regarding the option of changing the root/root uname/password defaults in Puppy Linux:

http://www.murga-linux.com/puppy/viewto ... 3f789d0a19
http://www.murga-linux.com/puppy/viewto ... 60840a8eae
http://www.murga-linux.com/puppy/viewtopic.php?p=228821
http://www.murga-linux.com/puppy/viewto ... 8dabb6b89d
http://murga-linux.com/puppy/viewtopic.php?t=97769

EDIT : This post by Galbi appears to offer the method by which the root password can be changed:
http://www.murga-linux.com/puppy/viewto ... 300#790300
How much that actually increases security I cannot say....

EDIT : Anyone who likes the idea of a Puppy that does not have root access may be interested in this post from the beloved and well missed "nooby":
http://puppylinux.info/topic/making-a-f ... an-be-root
Quote from one of the contributors:
Nothing is more disgusting than not being able to kill the Xorg server by C+A+BS
It's an emotive discussion.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#19 Post by 8Geee »

Greengeek:

the 4th link is the one for the delta root pswd.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#20 Post by Mike7 »

Hi, rufwoof.
If you run Debian you can install debsums. . .and then validate all installed programs
Coupla questions here:
- What do you mean by "If you run Debian"? Is Carolite (and Puppy in general) related to Debian?
- Can debsums be made to validate just a specific file or program or environment like Busybox, so that it doesn't have to check the whole system?

Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
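The integrity check rufwoof describes in post #16, and the "can it check just one program like Busybox" question in post #20, both come down to the same idea: record a checksum of each file while the system is known-good, and later compare. debsums itself does this against the MD5 sums shipped inside each Debian package, and it accepts package names as arguments (for example `debsums busybox`) and `-c` to list only changed files. The script below is an added example written for this thread, not rufwoof's setup and not part of debsums; it builds its own SHA-256 baseline for a small constructed directory tree standing in for /bin and /etc, then tampers with one file and deletes another to show what a verification run reports. The directory contents, file names and the "injected" modification are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not debsums): a minimal file-integrity
# baseline and verifier in POSIX sh, using sha256sum (GNU coreutils or busybox).
# Runs entirely inside a temporary directory with constructed sample files.

set -u

# make_baseline DIR MANIFEST
# Record the SHA-256 of every regular file under DIR into MANIFEST.
# Do this while the system is known-good, and keep MANIFEST off the system
# being checked (read-only media is ideal) so malware cannot rewrite it.
make_baseline() {
    dir=$1; manifest=$2
    ( cd "$dir" && find . -type f | sort | xargs sha256sum ) > "$manifest"
}

# verify_baseline DIR MANIFEST
# Recompute each recorded file's sum and report CHANGED or MISSING entries.
# Returns 0 when every file matches, 1 when anything differs.
verify_baseline() {
    dir=$1; manifest=$2
    status=0
    while read -r expected path; do
        actual=$( (cd "$dir" && sha256sum "$path" 2>/dev/null) | cut -d' ' -f1 )
        if [ -z "$actual" ]; then
            echo "MISSING  $path"; status=1
        elif [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# demo: constructed fixture standing in for a small root filesystem.
# Takes a baseline, then simulates tampering: bytes appended to "busybox"
# (as a trojaned binary would look) and "wget" removed. Prints the findings
# and returns verify_baseline's status.
demo() {
    root=$(mktemp -d)
    manifest="$root.sums"            # kept beside, not inside, the checked tree
    mkdir -p "$root/bin" "$root/etc"
    printf 'pretend busybox binary\n' > "$root/bin/busybox"
    printf 'pretend wget binary\n'    > "$root/bin/wget"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"

    make_baseline "$root" "$manifest"

    printf 'injected\n' >> "$root/bin/busybox"   # constructed tampering
    rm "$root/bin/wget"                          # constructed deletion

    if verify_baseline "$root" "$manifest"; then rc=0; else rc=1; fi
    rm -rf "$root" "$manifest"
    return $rc
}

demo && echo "all files match baseline" || echo "differences found, see above"
```

Two findings are expected from the demo: `CHANGED ./bin/busybox` and `MISSING ./bin/wget`, while the untouched passwd file is not listed. A real deployment would point `make_baseline` at directories such as /bin, /sbin and /lib, store the manifest somewhere the running system cannot modify, and run `verify_baseline` from a clean boot; note that, like debsums, this only detects changes to files that were in the baseline, so a freshly dropped file elsewhere is not caught.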
