Raspberry Pi Malware uses IRC Remote Access Trojan (RAT)
jh.live/snyk || Try Snyk to find vulnerabilities in your own code and applications FOR FREE ➡ jh.live/snyk
🔥 KZread ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
Пікірлер: 110
I love how this script taught me how IRC client server actually talk to one another XD
im pretty sure when elliot connected the pi to the Steel canyon thermostat i think it was also a Raspberry Pi Malware uses IRC Remote Access Trojan (RAT).
Your explanations help me get better in Linux and malware analyses. Your videos are great value!
IRC as a command&control is not unheard of. Used to be common back in the early 2000s when first botnets came to existance. Question: who port-forwards ssh to raspberry pi with default user/pass to internet? Like putting keys into a car with windows open...
@NexuJin
Жыл бұрын
Infecting other raspberry pi on the LAN that infected pi is. Like a school.
I am not an expert in the field of cyber security, but I intend to learn, and every time I lose passion in learning and watch your videos, I just go back and continue again. Thank you for everything😊😉 I feel that you are my guide in this field😌
What is this Overflow thumbnail :D Also Pi with IRC RAT, lets go baby. Nice find
Great video as always, John. Just wanted to say that I've noticed that very same malware being dropped in my SSH honeypot a couple of times some months ago, but I've got 3 different samples of it if I remember correctly. IDK if I should send you those samples because they're almost the same IRC worm written in plain bash... And I find them funny as hell. Sorry any typo, I'm not a native english speaker.
great video! Running down the code was pretty interesting
looks like an RX Bot my brother used to play with back in the day... it comes to an IRC channel and you command it with commands beginning with a special character. i used to love IRC. :)
Would have been great to validate the credentials in the hash and then join those channels to see how many infected machines are connected.
@TomTom-gx1sm
Жыл бұрын
And share the sample.
Haha we boomers used to run IRC with Telnet, so I recognize those responses immediately!
I got hacked once when I had my linux box on the net, they installed an IRC bot in my home directory. I looked at what it did and logged into the channel they were using. And seen everything. Pretty interesting.
picked up a lot of background bash info thanks.
Now I feel very old. IRC as C2 was the default back in my days 😂
@twinklingwater
Жыл бұрын
A few years back I was called to analyze a hacked linux box. Turns out the malware used IRC as well to talk to the C2 infrastructure. In the windows-attacks-universe we find all kinds of crazy stuff to make sure C2 communication works and is not immediately detected. And then over on linux, where everyone's nice and peaceful, we find malware that's 20 years behind current developments. I found that cute.
@graog123
Жыл бұрын
@@twinklingwater Linux targets are just on average much harder targets and on average also provide a much lower return on time investment. Why bother
Ok I'll date myself a little bit here but this is not new. Sub7 server was using IRC for c2 like 25+ years ago.....lol
@PandaBero83
Жыл бұрын
Good old days.. turning 40 in a few weeks and can remember sub7 but also B.O van 'the Cult of the dead cow' or the Melissa virus (still have the source code somewhere printed out)
@rpf222
Жыл бұрын
@@lumikarhu they pwn3d my port 31337! master's paradise was another fun one when it didn't crash. opening someone's cd-rom drive was always good for a laugh
Could you please create some video about "Black Cat/AlphV ransomware" and how their tools work? Looks like a lot of big companies were hit recently
That is wild. I don't often read malicious bash scripts, interesting, enjoyed seeing how that works. I am thinking the double ampersand is only there to run if the ssh pass connection occurs, i.e. The commands after && only execute if the previous commands execute successfully (exit 0). So it's a method of skipping the rest of the commands if it fails.
@NexuJin
Жыл бұрын
Yes, that's exactly what it's for. It requires the command to complete without STD_ERR before going to the next sequence. There is also an opposite of it with ||, where it only execute the next sequence if the previous command exit with a STD_ERR.
Top thanks very much
5:20 If you want to pronounce "Deutschland" as a German would pronounce it ("Deutschland" is German for "Germany"), think of it as if it was written "Doytshlund" and pronounce that the English way.
@taahaseois.8898
Жыл бұрын
Exactly. He should've just stayed quiet instead of butchering it and saying "Dutchland".
@Lampe2020
Жыл бұрын
@@taahaseois.8898 Especially since "Dutch" is the english word for "something from the Netherlands", which isn't exactly German, even though it's geographically close.
@taahaseois.8898
Жыл бұрын
@@Lampe2020 Yeah. I can see that causing some confusion.
Did you report this to the IRC provider? It would be fun to break their botnet.... :D
Thumbnail like liveoferflow😅
The IT guy at the school I go to had the exact same thing happen to him.
The thing that doesn't make sense is, it changing the password. This would make the user take the Pi offline and reflash it, killing the RAT, in most cases
Late to the video, Kaiten was a suicide craft made by the Japanese at the end of WW2. I'm guessing by that name, it's some type of script that kills itself after it completes whatever the creator or actor wanted it to do.
Bro copied liveoverflow's thumbnail as revenge for the mockery in his last video 💀
what if that trojan is still active, and we access those IRC channels and type the commands which is read by those trojans and execute on the systems. Don't we have a umm sort of access to the infected computers? anyway Great video sir John !!
@tuomaskk
Жыл бұрын
You need the private key encrypt your commands. The script had the public key.
hello john, i was wondering if I could have this bash script. it will be really useful for my learning
12:26 That is the IRC server looking up your reverse
between lines 9 and 10 i fail to see how the directory was created before they issued the copy command. does cp make the directory for you if it does not exist? if not, they missed a step after creating the variable on line 9.
@NexuJin
Жыл бұрын
The directory /opt is by default present on Raspbian install, and with most modern Linux distributions. They didn't miss a step. Step 9 was only to create an unique string, which is used as name for $NEWMYSELF. Line 11 to 13 could have been done in just 1 line in fact.
Awesome video but I've got one question.. How do hackers always find these servers like basic raspberry pi servers or webservices with bad configs? Is there a way to just use google dorks and find them or what?
@user-lt2rw5nr9s
Жыл бұрын
17:33 Infected machines are used to scan the Internet for port 22 with zmap and then login with pi raspberry, then copy and execute itself upon successful login. To get started the threat actors probably used a VPS or hacked server to do the initial infection.
@NexuJin
Жыл бұрын
Read up on portscanning with programs with nmap and zmap. IP ranges are constantly being portscanned by some scriptkiddie somewhere.
John john john, how do u not know undernet is a pretty well known public irc server?
Orange Pi 5 > Raspberry Pi 4 Hehe. Though, I'll be getting the Yoga 370 instead. ^_^
Thank you sir for keeping me up to date. I JUST started a career in Cybersecurity and I will really like to be mentee
Every time John does one of these files, I am blown away! Now I know where "john the ripper" came from... c'mon... you know you created this John!!!!
@griffon2-6
Жыл бұрын
wdym "john the ripper" came from? its an ancient program, it came from whoever wrote it in 1996, i don't get that comment
@ScottPlude
Жыл бұрын
@@griffon2-6 you don't have to get it.
Did you try watching that IRC channel?
This script is usefull!
Like 10years ago i remember a friend sending me a IRC script that was kinda malware but really weak. I had to go chat with someone, make them add a script to their Irc program (there was a button on my end that was sending an explanation on how to "update" your irc with this script) and then i could open 100 calculator or make their pc make the error sound for no reason :p It was hard to get people to accept adding those into their irc scripts but i had fun spamming calculator on some friends
Why didnt he join that irc channel so see how many hosts were on there?
@j_r_-
Жыл бұрын
Just joined it there are no people in it
@abdeabdc6964
Жыл бұрын
@@j_r_- I went there as well, let's register the channel and wait for the bots
YEah but you still need to give sudo credentials? am i right?
How young is John, not to know about IRC.
@abdeabdc6964
Жыл бұрын
exactly
@PandaBero83
Жыл бұрын
My first time joining a IRC server was in 1997 using a Beta version of BitchX😂
@NexuJin
Жыл бұрын
@@PandaBero83 mIRC was the first IRC client i used. But I also used BitchX and irssi, and nnscript for QuakeNet. I'm still using IRC on daily base.
clean, persist, backdoor, c2, rce, worm can't classify that as a single type malware
old heads in the comment section remember irc being the gold standard for bot c2's.. also back then it was called c&c. those were the days.
I thought you were older, John. 🤣 Not recognizing an IRC server, network and the default IRC port 6667... You know so much, but just this one time, I instantly knew something you didn't, even way before the connect message when you nc'ed the hostnames. 😁 IRC is likely one of the oldest way to control zombies / bots. I remember hearing about this almost 25 years ago, and even then it wasn't new.
@NexuJin
Жыл бұрын
UnderNet should have given it away. One of the oldest of the irc networks around.
God i love watching your videos lol
Is the TLDR to change the default password?
@suchtberater
Жыл бұрын
you should already kinda know that...
@An.Individual
Жыл бұрын
@@suchtberater there hasn't been a default user/password on PI OS for years
@suchtberater
Жыл бұрын
@@An.Individual i wouldnt know, them mfs expensive asf.
Nobody hacked you if you exposed a service on the web with default credentials. You hacked yourself.
@MrEndzo
Жыл бұрын
ikr
@shroomer3867
Жыл бұрын
If you have default credentials and open SSH. Well let's say they were lucky they weren't hijacked before.
@TheScarvig
Жыл бұрын
@@shroomer3867 well they said it themselves: they usually have no port forwarding for 22 (ssh) in their router settings. so using defaults on a pi is "kinda" fine. the problem is that they forgot that they have an "unsecure" pi on their network before opening the port for mere 30 min for letting someone else access their pi. the second they thought of forwarding the port to their pi they should have thought "WAIT that thing is still on default credentials!" next. the scary thing is the auto propagation of this worm. this shows that even a second of open ports with default credentials is too much because there are potentially thousands of infected pis out there scanning for these vulnerable devices at all times
@CZghost
Жыл бұрын
@@TheScarvig That's the issue. It takes not a long time to scan the entire Internet. 30 minutes or less is probably what it takes to find your device exposed online. When you acquire such a device, even if you don't plan to open it over Internet, ALWAYS change the default credentials. Because you might get your own machine in the network infected and it may try to hijack into the Pi server from your own machine, in other words from the inside of the network. If you are handling a Raspberry Pi server in your network, don't ever leave it on default credentials. The first thing you need to do is to change the default username and password and restrict (deny) root login over SSH (that's highly insecure). Also, you have to disable password login, because password isn't encrypted while logging in (it is used to establish a secured encrypted connection, but the password itself is sent in clear). If a friend needs to momentarily access the Raspberry Pi over SSH, maybe ask them to come to your home, which may be much easier. Anyway, ask them to send you their public SSH key, so you can add it to the authorized keys manually, and if they for some reason need the access remotely, then port forward the SSH port at the ISP level (because you need to expose the port to your router, that's actually pretty easy to do, but you don't manage the ISP's router, so you have to ask them to port forward the SSH port 22 to your plug, which may cost you additional money).
@IMBlakeley
Жыл бұрын
Exactly it is brain dead to do so.
I find that beautiful. Malicious, but beautiful ;)
the best 👏👏👏
IRC make us op
long time ago i found windows malware and it using facebook post comments as C2...
I don't really understand how the code between lines 9..15 is able to work. sudo usually asks for password before granting root privileges. Or is this script just hoping for empty password or for NOPASSWD sudo configuration?
@Stockhlam
Жыл бұрын
Ok turns out the NOPASSWD is set in the default configuration of Raspberry Pi.
@NexuJin
Жыл бұрын
The script is abusing people running their Raspberry Pi with default configuration. That's why we generally call people running these scripts "scriptkiddies". The people that wrote it are the actual hackers. This script is somewhat nice, the author certainly put value in readability of it's code with proper indentation. But there are place for improvements, example line 11 - 13 could have been done with 1 sudo command and with cat to write the new /etc/rc.local file. Even better would be to only do the /etc/rc.local update if the cp of $NEWMYSELF was complete successfully.
Why do you look like the main character from beholder 3
Ok that is cool
Don’t worry everyone, you can’t buy a pi anyway 😮💨
@thighdude7
Жыл бұрын
Underrated comment
@adminxds
Жыл бұрын
Why 🤔
@CartoonSlug
Жыл бұрын
LOL
@Lampe2020
Жыл бұрын
Yes, you can. In the Raspberry Pi shop in London. But only as a kit, not alone as far as I know.
@An.Individual
Жыл бұрын
I bought 2x PI4B 4gb in last 2 weeks & I don't even need them. However they are out of stock again
5:05 kaiten is another linux bot
Raspberry pi vs rog ally 😂
Man was clueless. Really never seen IRC before?
C nod is Driving other works also never to confirm Li esys👀 problem my work and drive Information please reply. How many parkview balancing files and sell to change binck change this work headel min change blinc files open
I got hacked with XMRig and LOLMiner on my Raspberry Pi after installing a package from either APT or NPM
It's not a good idea to leave negative comments or to give dislikes on this channel. You might get hacked if you do that... 🤣
Sweet
admit it john you never used an IRC network
This dude never used irc
I'm 67 and played on lucipher chat, and other chats back in the 80' and 90's. The whole P/H/A & \/\/ arez and all the LOD MOD CCC DPAC 4/F and all the euro virus scenes. This is the stupidest video I never paid attention to. Just typed a msg. Let me see if I can recall any of my sign-offs umm. The Cleveland PHranster! Lance Romance. Oficically recognized slayer of LOD and Chaos Computer Club.
ha..
Yes, I hand copied the entire script so I could dig in. Got the same 2.2k .7z file and can run it!! Guess I could have asked for the code, but… fun??
Early:3
🍔🫕🍫🍫🏔
Stop kids please commenting shit thinking u are HaCkErs
does no one use the UFW ??? sudo ufw deny 6667