Interview with the LuaBot malware author
Creating a botnet of thousands of routers for DDoS activities
The Linux/LuaBot malware has been very active in the last months and recently researchers thoroughly analyzed some samples (links at the bottom of the article). As the malware author seemed to be a nice guy (signing “happy reversing” in his binaries) I decided to contact him and ask a few questions, which he gladly and promptly answered for a few of them.
All replies are verbatim and not edited — so please don’t mind the typos.
Have you seen all those new articles about your bot recently?
I don’t like that attention, too much buzz about it, that’s bad, I tried to be quiet.
Also reversers usually get it wrong and say there’s some modules for my bot, but those actually are other bots, some routers are infected with several bots at once. My bot never had any binary modules and always is one big elf file and sometimes only small <1kb size dropper.
Reversers usually get it wrong and say there’s some modules for my bot […], some routers are infected with several bots at once
Who are you?
Just some guy who likes programming. I’m not known security researcher/programmer or member of any hack group, so probably best answer for this would be — nobody
I’m trying not to be harmful for router user so my bot doesn’t steal any passwords
Why are you doing this?
Started for fun, now for money too, so for both. I’m trying not to be harmful for router user so my bot doesn’t steal any passwords or spoof dns. Also I don’t run any booter services like vdos kids, working only in private personally with people and trying not to mess with gov/bank/othershit.
Also I don’t run any booter services like vdos kids, working only in private personally with people
How do you protect your operations?
VPN, Tor, only bitcoin for finances, never using real mail/nicknames for any blackhat activity. Switching nicknames, mails and other shit for different accounts.
Did you discover the router vulnerability yourself?
Most are public or half public (no poc, had to reverseengineer myself) but I also try not to be a stupid scriptkid copypasting from net so trying searching them myself, have some 0days.
How many days did it take to write the bot code?
Bot is several years old, don’t know how much time it took if count only coding hours, I can not make any changes for weeks or work on it for week if need new feature. Probably half of a year for a 8h/5days/week working programmer if he knows what he should write, but it’s hard to count anyway because it was long evolution of this project from very simple tool just little more complex than those lizard bots to programming framework like it is now.
Why did you choose Lua to write your bot?
Flexibility. I can and complex code from cnc or match some bugs in runtime from it. Also writing lot of code in C sucks, as you may see from reversing articles my bot is lot more complex than simple ddos tools used by lizards and other, writing so much code in C would be time consuming, so only io core and other libs requiring speed are written in C, while other code with all logic is in lua.
Why not other script lang? Small, plain C, easy to integrate with C code.
Any future plan coming up?
Don’t know. Maybe will make p2p c&c based on torrent’s DHT someday.
Also please mention that my bot never had and won’t have any binary modules as separate executables, all those are other bots and I don’t want people to think that I do what those bots do, because those may be heavily harmful to users or ddos banks/gov/big companies.
My bot is always single more than 700kb binary and it’s philosophy is to be self contained and depend only on linux kernel itself, not to download many binaries or other modules, all additional code is in lua and loaded using c&c protocol, if something can’t be done using lua only then whole binary is updated for new features, no additional binary modules are required.
— End of the interview —
What is sure is that DDoS as a Service and other booters are a rising business. The emergence of the “Internet of Things” and low-cost connected devices will continue to be exploited for such activities, ensuring low maintenance botnets with high bandwidth and low visibility: embedded devices aren’t monitored and antivirus solutions are not usually deployed on such systems. Plus, they are riddled with vulnerabilities making them an easy target for blackhats.
This is certainly something we ought to see more often in the near future.