Two weeks ago, a security researcher who goes by the name MalwareMustDie came across a new Linux trojan which, according to him, was the first Linux malware ever coded in the Lua language.
Reverse analysis of the code showed that the trojan mainly targeted IoT architectures and contained functionality to launch DDoS attacks, as well as an unconfirmed function to bypass the DDoS protection provided by Sucuri, a US web security vendor.
In LuaBot’s source code, the malware’s author had left a message that read “Hi. Happy reversing, you can mail me: [REDACTED .ru email address].”
LuaBot coder answered a few questions
A French security researcher who goes by the name x0rz contacted the malware’s author and asked him a few questions. The answers have been published online.
According to this mini-interview, the crook says he doesn’t work in the infosec community, nor is he a cyber-criminal affiliated with any hacking crew.
He describes himself as a “nobody” and says his malware is “not harmful.” He bases this assessment on the fact that LuaBot, his malware, doesn’t steal router login credentials.
It’s not for DDoS, the LuaBot author says
The LuaBot author says he’s been working on the malware for years, and what initially started for fun has now turned into profit.
He declined to name the type of activity he’s profiting from, but says he’s not running any DDoS stresser service like those “vDos kids.”
He also states that he’s working with private individuals and that he’s not messing with banks or governments.
Further analysis reveals something interesting
The hacker also says he has his own zero-days, which he uses to infect devices. A Brazilian security researcher who has also looked at the malware says the code seems to be targeting ARRIS routers.
This is the same researcher who last year discovered three backdoors in ARRIS routers, affecting over 600,000 modems connected online.
“If we perform the same query nowadays (September/2016) we can see that the number of exposed devices was reduced to approximately 35.000,” Bernardo Rodrigues, the Brazilian researcher, notes.
The researcher also claims that in its first stages of infection, LuaBot also uses firewall rules to block further access to the device from external connections, which is an obvious self-protection feature.
Nevertheless, the malware doesn’t include a boot persistence mechanism, and a router restart removes it from the device.
At the time of writing, there are no known reported attacks matching LuaBot infections, and despite the presence of HTTP flooding functions (for DDoS attacks), the malware and its purpose remain a mystery.