# A Wicked Family of Bots **[fortinet.com/blog/threat-research/a-wicked-family-of-bots.html](https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html)** May 17, 2018 As we continue to keep track of the latest IoT botnets, the FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago. Since then, threat actors have been adding their own flavours to the original recipe. Some made significant modifications, such as adding the capability to turn infected devices into swarms of [malware proxies and](https://www.fortinet.com/blog/threat-research/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers.html) [cryptominers. Others integrated Mirai code with multiple](https://www.fortinet.com/blog/threat-research/satori-adds-known-exploit-chain-to-slave-wireless-ip-cameras.html) [exploits targeting both known and unknown vulnerabilities, similar to a new variant recently](https://www.fortinet.com/blog/threat-research/rise-of-one-more-mirai-worm-variant.html) discovered by FortiGuard Labs, which we now call WICKED. This new variant has added at least three exploits to its arsenal to target unpatched IoT devices. In this article, we will take a look at how it works, the primary purpose of this bot, and how it relates to other known botnets. ## Inside the Bot ----- To provide an immediate overview on the differences between Mirai and this new variant, we need to take a look at its configuration table, which can be decrypted by XOR with the key 0x37. Some of the more interesting strings we noticed include /bin/busybox WICKED and _WICKED: applet not found, where we got the name for this variant. Moreover, the string_ _SoraLOADER might be taken as a clue that this bot functions as a downloader and spreader_ for the Sora botnet, a Mirai variant. However, as we went through our analysis, this was later contradicted, which then led us to a more interesting hypothesis. Fig 1. Decrypted configuration table Botnets based on Mirai usually contain three main modules: Attack, Killer, and Scanner. In this analysis, we will just focus on the Scanner module that includes the spreading mechanism of the botnet. The original Mirai used traditional brute force attempts to gain access to IOT devices. The WICKED bot, on the other hand, uses known and available exploits, with many of them already being quite old. Wicked bot scans port 8080, 8443, 80, and 81 by initiating a raw socket SYN connection. Fig 2. Socket file descriptor If a connection is established, it will attempt to exploit the device and download its payload. It does this by writing the exploit strings to the socket using the write() syscall. Write() syscall is the same as calling send() syscall with the flags argument set to zero (which means no extra behaviors.) Fig 3. Sending a request by writing to a socket ## Devices Targeted by Wicked The exploit to be used depends on the specific port the bot was able to connect to. Exploits and the corresponding target ports are listed below. _Port 8080:_ _[Netgear DGN1000 and DGN2200 v1 routers (also used by Reaper botnet)](https://www.exploit-db.com/exploits/43055/)_ Fig 4. Netgear exploit _Port 81: CCTV-DVR_ _[Remote Code Execution](http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html)_ Fig 5. CCTV-DVR RCE exploit _[Port 8443: Netgear R7000 and R6400 Command Injection (CVE-2016-6277)](https://www.exploit-db.com/exploits/41598/)_ Fig 6. CVE-2016-6277 exploit ----- _Port 80: Invoker shell in compromised web servers_ The next item on the list does not directly exploit the device, but instead takes advantage of compromised web servers with malicious web shells already installed. Fig 7. Invoke shell After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185.246.152.173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot. However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot. Fig 8. Exploit repository of Omni botnet We double checked the history of the malicious website and confirmed that it had previously delivered the Owari botnet. Fuzzing the website’s /bins directory, we found other Omni samples in the directory, which [were reported to be delivered using the GPON vulnerability (CVE-2018-10561). Payloads](https://blog.newskysecurity.com/cve-2018-10561-dasan-gpon-exploit-weaponized-in-omni-and-muhstik-botnets-ad7b1f89cff3) are regularly updated, as shown by its timestamp. Fig 9. Bins repository of Omni botnet ## Connecting the Dots Finding the connection between the Wicked, Sora, Owari,and Omni botnets led us to an [interview last April with a security researcher who we believe to be the author of these botnet](https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863) variants. Basically, the author using pseudo name “Wicked” confirmed he is the author of both Sora and Owari. When asked about the future of Sora and Owari, Wicked’s response was “SORA is an abandoned project for now and I will continue to work on OWARI. You will _not see a third project from me anytime soon as I continue to expand my current ones.”_ _Apparently, as seen in the /bins repository, Sora and Owari botnet samples have now both_ _been abandoned and replaced with Omni._ ## Conclusion _Based on the author’s statements in the above-mentioned interview as to the different_ _botnets being hosted in the same host, we can essentially confirm that the author of the_ _botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the_ _conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was_ _later repurposed to serve the author’s succeeding projects._ ----- FortiGuard Labs will continue to monitor the latest developments in the IoT threat landscape, specifically following botnets as they add new exploits to their arsenal in order to infect IoT devices. _Many thanks to our colleagues David Maciejak, Joie Salvio, Jasper Manuel and Tony Loi for_ _the additional analyses/insights_ -= FortiGuard Lion Team = Attacks mentioned are covered by the following IPS signatures: NETGEAR.DGN1000.CGI.Unauthenticated.Remote.Code.Execution NETGEAR.DGN1000B.Setup.CGI.Remote.Command.Execution NETGEAR.WebServer.Module.Command.Injection Multiple.CCTV.DVR.Vendors.Remote.Code.Execution ## IOC **Sha256:** ELF/Mirai.AT!tr 57477e24a7e30d2863aca017afde50a2e2421ebb794dfe5335d93cfe2b5f7252 (Wicked) **Download Sites:** hxxp://185.246.152.173/bins/ hxxp://185.246.152.173/exploit/ _Check out our latest_ _[Quarterly Threat Landscape Report for more details about recent](http://go.fortinet.com/LP=4658?utm_source=social&utm_medium=blog&utm_campaign=GEN-WP-Q1-2018-Threat-Landscape-Report&elq_src=Social&elq_cid=70134000001StUhAAK&elq_staid=10&elq_eid=10258&elq_sid=11288)_ _threats._ _[Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence](https://www.fortinet.com/fortiguard/threat-intelligence/threat-research.html?utm_source=nreleaseblog&utm_campaign=2018-q2-fortiguardlabs-cta)_ _Service._ -----