Raspberry Pi Malware uses IRC Remote Access Trojan (RAT)

Рет қаралды 77,749

Күн бұрын

jh.live/snyk || Try Snyk to find vulnerabilities in your own code and applications FOR FREE ➡ jh.live/snyk
🔥 KZbin ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware

Пікірлер: 111

@ShayBlez Жыл бұрын

I love how this script taught me how IRC client server actually talk to one another XD

@irobot-kh9db Жыл бұрын

im pretty sure when elliot connected the pi to the Steel canyon thermostat i think it was also a Raspberry Pi Malware uses IRC Remote Access Trojan (RAT).

@mohamedabd_elkhalk4235 Жыл бұрын

I am not an expert in the field of cyber security, but I intend to learn, and every time I lose passion in learning and watch your videos, I just go back and continue again. Thank you for everything😊😉 I feel that you are my guide in this field😌

@ivanmaglica264 Жыл бұрын

IRC as a command&control is not unheard of. Used to be common back in the early 2000s when first botnets came to existance. Question: who port-forwards ssh to raspberry pi with default user/pass to internet? Like putting keys into a car with windows open...

@NexuJin Жыл бұрын

Infecting other raspberry pi on the LAN that infected pi is. Like a school.

@TurboWindex Жыл бұрын

Nobody hacked you if you exposed a service on the web with default credentials. You hacked yourself.

@MrEndzo Жыл бұрын

ikr

@shroomer3867 Жыл бұрын

If you have default credentials and open SSH. Well let's say they were lucky they weren't hijacked before.

@TheScarvig Жыл бұрын

@@shroomer3867 well they said it themselves: they usually have no port forwarding for 22 (ssh) in their router settings. so using defaults on a pi is "kinda" fine. the problem is that they forgot that they have an "unsecure" pi on their network before opening the port for mere 30 min for letting someone else access their pi. the second they thought of forwarding the port to their pi they should have thought "WAIT that thing is still on default credentials!" next. the scary thing is the auto propagation of this worm. this shows that even a second of open ports with default credentials is too much because there are potentially thousands of infected pis out there scanning for these vulnerable devices at all times

@CZghost Жыл бұрын

@@TheScarvig That's the issue. It takes not a long time to scan the entire Internet. 30 minutes or less is probably what it takes to find your device exposed online. When you acquire such a device, even if you don't plan to open it over Internet, ALWAYS change the default credentials. Because you might get your own machine in the network infected and it may try to hijack into the Pi server from your own machine, in other words from the inside of the network. If you are handling a Raspberry Pi server in your network, don't ever leave it on default credentials. The first thing you need to do is to change the default username and password and restrict (deny) root login over SSH (that's highly insecure). Also, you have to disable password login, because password isn't encrypted while logging in (it is used to establish a secured encrypted connection, but the password itself is sent in clear). If a friend needs to momentarily access the Raspberry Pi over SSH, maybe ask them to come to your home, which may be much easier. Anyway, ask them to send you their public SSH key, so you can add it to the authorized keys manually, and if they for some reason need the access remotely, then port forward the SSH port at the ISP level (because you need to expose the port to your router, that's actually pretty easy to do, but you don't manage the ISP's router, so you have to ask them to port forward the SSH port 22 to your plug, which may cost you additional money).

@IMBlakeley Жыл бұрын

Exactly it is brain dead to do so.

@PwnySlaystation01 Жыл бұрын

Haha we boomers used to run IRC with Telnet, so I recognize those responses immediately!

@SnakerDLK Жыл бұрын

Would have been great to validate the credentials in the hash and then join those channels to see how many infected machines are connected.

@TomTom-gx1sm Жыл бұрын

And share the sample.

@OverNine9ousend Жыл бұрын

What is this Overflow thumbnail :D Also Pi with IRC RAT, lets go baby. Nice find

@Bitsniper Жыл бұрын

Your explanations help me get better in Linux and malware analyses. Your videos are great value!

@dbdcheese Жыл бұрын

Bro copied liveoverflow's thumbnail as revenge for the mockery in his last video 💀

@nathanwolf7858 Жыл бұрын

Ok I'll date myself a little bit here but this is not new. Sub7 server was using IRC for c2 like 25+ years ago.....lol

@PandaBero83 Жыл бұрын

Good old days.. turning 40 in a few weeks and can remember sub7 but also B.O van 'the Cult of the dead cow' or the Melissa virus (still have the source code somewhere printed out)

@rpf222 Жыл бұрын

@@lumikarhu they pwn3d my port 31337! master's paradise was another fun one when it didn't crash. opening someone's cd-rom drive was always good for a laugh

@alcaeo Жыл бұрын

I thought you were older, John. 🤣 Not recognizing an IRC server, network and the default IRC port 6667... You know so much, but just this one time, I instantly knew something you didn't, even way before the connect message when you nc'ed the hostnames. 😁 IRC is likely one of the oldest way to control zombies / bots. I remember hearing about this almost 25 years ago, and even then it wasn't new.

@NexuJin Жыл бұрын

UnderNet should have given it away. One of the oldest of the irc networks around.

@mikehensley78 Жыл бұрын

looks like an RX Bot my brother used to play with back in the day... it comes to an IRC channel and you command it with commands beginning with a special character. i used to love IRC. :)

@OppieT30 Жыл бұрын

I got hacked once when I had my linux box on the net, they installed an IRC bot in my home directory. I looked at what it did and logged into the channel they were using. And seen everything. Pretty interesting.

@Lampe2020 Жыл бұрын

5:20 If you want to pronounce "Deutschland" as a German would pronounce it ("Deutschland" is German for "Germany"), think of it as if it was written "Doytshlund" and pronounce that the English way.

@taahaseois.8898 Жыл бұрын

Exactly. He should've just stayed quiet instead of butchering it and saying "Dutchland".

@Lampe2020 Жыл бұрын

@@taahaseois.8898 Especially since "Dutch" is the english word for "something from the Netherlands", which isn't exactly German, even though it's geographically close.

@taahaseois.8898 Жыл бұрын

@@Lampe2020 Yeah. I can see that causing some confusion.

@jagdtigger Жыл бұрын

Did you report this to the IRC provider? It would be fun to break their botnet.... :D

@dguerri Жыл бұрын

Now I feel very old. IRC as C2 was the default back in my days 😂

@twinklingwater Жыл бұрын

A few years back I was called to analyze a hacked linux box. Turns out the malware used IRC as well to talk to the C2 infrastructure. In the windows-attacks-universe we find all kinds of crazy stuff to make sure C2 communication works and is not immediately detected. And then over on linux, where everyone's nice and peaceful, we find malware that's 20 years behind current developments. I found that cute.

@graog123 Жыл бұрын

@@twinklingwater Linux targets are just on average much harder targets and on average also provide a much lower return on time investment. Why bother

@x窓付 Жыл бұрын

Great video as always, John. Just wanted to say that I've noticed that very same malware being dropped in my SSH honeypot a couple of times some months ago, but I've got 3 different samples of it if I remember correctly. IDK if I should send you those samples because they're almost the same IRC worm written in plain bash... And I find them funny as hell. Sorry any typo, I'm not a native english speaker.

@ScottPlude Жыл бұрын

Every time John does one of these files, I am blown away! Now I know where "john the ripper" came from... c'mon... you know you created this John!!!!

@griffon2-6 Жыл бұрын

wdym "john the ripper" came from? its an ancient program, it came from whoever wrote it in 1996, i don't get that comment

@ScottPlude Жыл бұрын

@@griffon2-6 you don't have to get it.

@user-zd7oo3vf5c Жыл бұрын

Could you please create some video about "Black Cat/AlphV ransomware" and how their tools work? Looks like a lot of big companies were hit recently

@GandhiTheDerg Жыл бұрын

The thing that doesn't make sense is, it changing the password. This would make the user take the Pi offline and reflash it, killing the RAT, in most cases

@mcmann7149 Жыл бұрын

Late to the video, Kaiten was a suicide craft made by the Japanese at the end of WW2. I'm guessing by that name, it's some type of script that kills itself after it completes whatever the creator or actor wanted it to do.

@JosephHenryDrawing Жыл бұрын

great video! Running down the code was pretty interesting

@illusionsingh Жыл бұрын

Thumbnail like liveoferflow😅

@saltysailor537 Жыл бұрын

Don’t worry everyone, you can’t buy a pi anyway 😮‍💨

@thighdude7 Жыл бұрын

Underrated comment

@adminxds Жыл бұрын

Why 🤔

@CartoonSlug Жыл бұрын

LOL

@Lampe2020 Жыл бұрын

Yes, you can. In the Raspberry Pi shop in London. But only as a kit, not alone as far as I know.

@An.Individual Жыл бұрын

I bought 2x PI4B 4gb in last 2 weeks & I don't even need them. However they are out of stock again

@gooniesfan7911 Жыл бұрын

old heads in the comment section remember irc being the gold standard for bot c2's.. also back then it was called c&c. those were the days.

@your.statu_s Жыл бұрын

what if that trojan is still active, and we access those IRC channels and type the commands which is read by those trojans and execute on the systems. Don't we have a umm sort of access to the infected computers? anyway Great video sir John !!

@tuomaskk Жыл бұрын

You need the private key encrypt your commands. The script had the public key.

@jonnypeace2810 Жыл бұрын

That is wild. I don't often read malicious bash scripts, interesting, enjoyed seeing how that works. I am thinking the double ampersand is only there to run if the ssh pass connection occurs, i.e. The commands after && only execute if the previous commands execute successfully (exit 0). So it's a method of skipping the rest of the commands if it fails.

@NexuJin Жыл бұрын

Yes, that's exactly what it's for. It requires the command to complete without STD_ERR before going to the next sequence. There is also an opposite of it with ||, where it only execute the next sequence if the previous command exit with a STD_ERR.

@ReligionAndMaterialismDebunked Жыл бұрын

Orange Pi 5 > Raspberry Pi 4 Hehe. Though, I'll be getting the Yoga 370 instead. ^_^

@timovc5340 Жыл бұрын

Awesome video but I've got one question.. How do hackers always find these servers like basic raspberry pi servers or webservices with bad configs? Is there a way to just use google dorks and find them or what?

@user-lt2rw5nr9s Жыл бұрын

17:33 Infected machines are used to scan the Internet for port 22 with zmap and then login with pi raspberry, then copy and execute itself upon successful login. To get started the threat actors probably used a VPS or hacked server to do the initial infection.

@NexuJin Жыл бұрын

Read up on portscanning with programs with nmap and zmap. IP ranges are constantly being portscanned by some scriptkiddie somewhere.

@j_r_- Жыл бұрын

Why didnt he join that irc channel so see how many hosts were on there?

@j_r_- Жыл бұрын

Just joined it there are no people in it

@abdeabdc6964 Жыл бұрын

@@j_r_- I went there as well, let's register the channel and wait for the bots

@MrEndzo Жыл бұрын

How young is John, not to know about IRC.

@abdeabdc6964 Жыл бұрын

exactly

@PandaBero83 Жыл бұрын

My first time joining a IRC server was in 1997 using a Beta version of BitchX😂

@NexuJin Жыл бұрын

@@PandaBero83 mIRC was the first IRC client i used. But I also used BitchX and irssi, and nnscript for QuakeNet. I'm still using IRC on daily base.

@randykitchleburger2780 Жыл бұрын

12:26 That is the IRC server looking up your reverse

@An.Individual Жыл бұрын

Is the TLDR to change the default password?

@suchtberater Жыл бұрын

you should already kinda know that...

@An.Individual Жыл бұрын

@@suchtberater there hasn't been a default user/password on PI OS for years

@suchtberater Жыл бұрын

@@An.Individual i wouldnt know, them mfs expensive asf.

@thejonte Жыл бұрын

The IT guy at the school I go to had the exact same thing happen to him.

@jimmlmao 21 күн бұрын

watching RAT deep dives is kinda creepy another reason i switched to linux (i had a cryptominer malware on my system) but this malware is linux and im s***ing bricks now im really scared to port forward. idk RATs in general are kinda creepy imagine having someone snooping around your system and watching your every move

@gauthamgamer1214 Жыл бұрын

hello john, i was wondering if I could have this bash script. it will be really useful for my learning

@TakorAgbor Жыл бұрын

Thank you sir for keeping me up to date. I JUST started a career in Cybersecurity and I will really like to be mentee

@Stockhlam Жыл бұрын

I don't really understand how the code between lines 9..15 is able to work. sudo usually asks for password before granting root privileges. Or is this script just hoping for empty password or for NOPASSWD sudo configuration?

@Stockhlam Жыл бұрын

Ok turns out the NOPASSWD is set in the default configuration of Raspberry Pi.

@NexuJin Жыл бұрын

The script is abusing people running their Raspberry Pi with default configuration. That's why we generally call people running these scripts "scriptkiddies". The people that wrote it are the actual hackers. This script is somewhat nice, the author certainly put value in readability of it's code with proper indentation. But there are place for improvements, example line 11 - 13 could have been done with 1 sudo command and with cat to write the new /etc/rc.local file. Even better would be to only do the /etc/rc.local update if the cp of $NEWMYSELF was complete successfully.

@philto9999 5 ай бұрын

Like 10years ago i remember a friend sending me a IRC script that was kinda malware but really weak. I had to go chat with someone, make them add a script to their Irc program (there was a button on my end that was sending an explanation on how to "update" your irc with this script) and then i could open 100 calculator or make their pc make the error sound for no reason :p It was hard to get people to accept adding those into their irc scripts but i had fun spamming calculator on some friends

@6pfk Жыл бұрын

picked up a lot of background bash info thanks.

@cadeathtv Жыл бұрын

clean, persist, backdoor, c2, rce, worm can't classify that as a single type malware

@JustMatt87 Жыл бұрын

John john john, how do u not know undernet is a pretty well known public irc server?

@6pfk Жыл бұрын

Did you try watching that IRC channel?

@iblackfeathers Жыл бұрын

between lines 9 and 10 i fail to see how the directory was created before they issued the copy command. does cp make the directory for you if it does not exist? if not, they missed a step after creating the variable on line 9.

@NexuJin Жыл бұрын

The directory /opt is by default present on Raspbian install, and with most modern Linux distributions. They didn't miss a step. Step 9 was only to create an unique string, which is used as name for $NEWMYSELF. Line 11 to 13 could have been done in just 1 line in fact.

@mountp1391 Жыл бұрын

IRC make us op

@calypsocostelo2482 Жыл бұрын

It's not a good idea to leave negative comments or to give dislikes on this channel. You might get hacked if you do that... 🤣

@unoqualsiasi7341 Жыл бұрын

YEah but you still need to give sudo credentials? am i right?

@FinderTheIcewing Жыл бұрын

Why do you look like the main character from beholder 3

@Donder1337 Жыл бұрын

This script is usefull!

@randykitchleburger2780 Жыл бұрын

5:05 kaiten is another linux bot

@tubegcp0079 Жыл бұрын

Top thanks very much

@alexandrohdez3982 Жыл бұрын

the best 👏👏👏

@taahaseois.8898 Жыл бұрын

Man was clueless. Really never seen IRC before?

@salnaggar Жыл бұрын

long time ago i found windows malware and it using facebook post comments as C2...

@ChaseD2012 Жыл бұрын

Raspberry pi vs rog ally 😂

@SzymekCRX Жыл бұрын

I find that beautiful. Malicious, but beautiful ;)

@randykitchleburger2780 Жыл бұрын

God i love watching your videos lol

@abdeabdc6964 Жыл бұрын

admit it john you never used an IRC network

@acidlaek Жыл бұрын

Ok that is cool

@bosager7602 10 ай бұрын

This dude never used irc

@bhagyalakshmi1053 Жыл бұрын

C nod is Driving other works also never to confirm Li esys👀 problem my work and drive Information please reply. How many parkview balancing files and sell to change binck change this work headel min change blinc files open

@kraemrz Жыл бұрын

Sweet

@drac.96 Жыл бұрын

I got hacked with XMRig and LOLMiner on my Raspberry Pi after installing a package from either APT or NPM

@lanceromance6856 Жыл бұрын

I'm 67 and played on lucipher chat, and other chats back in the 80' and 90's. The whole P/H/A & \/\/ arez and all the LOD MOD CCC DPAC 4/F and all the euro virus scenes. This is the stupidest video I never paid attention to. Just typed a msg. Let me see if I can recall any of my sign-offs umm. The Cleveland PHranster! Lance Romance. Oficically recognized slayer of LOD and Chaos Computer Club.