Raspberry Pi Malware uses IRC Remote Access Trojan (RAT)

77,040 views

John Hammond

11 months ago


Comments: 111
@ShayBlez 11 months ago
I love how this script taught me how IRC client and server actually talk to one another XD
@irobot-kh9db 11 months ago
I'm pretty sure when Elliot connected the Pi to the Steel Canyon thermostat, I think it was also a Raspberry Pi Malware uses IRC Remote Access Trojan (RAT).
@mohamedabd_elkhalk4235 11 months ago
I am not an expert in the field of cyber security, but I intend to learn, and every time I lose passion in learning and watch your videos, I just go back and continue again. Thank you for everything 😊😉 I feel that you are my guide in this field 😌
@Bitsniper 11 months ago
Your explanations help me get better in Linux and malware analysis. Your videos are great value!
@ivanmaglica264 11 months ago
IRC as a command & control is not unheard of. It used to be common back in the early 2000s when the first botnets came into existence. Question: who port-forwards SSH to a Raspberry Pi with default user/pass to the internet? Like putting keys into a car with the windows open...
@NexuJin 11 months ago
Infecting other Raspberry Pis on the LAN that the infected Pi is on. Like a school.
@SnakerDLK 11 months ago
Would have been great to validate the credentials in the hash and then join those channels to see how many infected machines are connected.
@TomTom-gx1sm 11 months ago
And share the sample.
@user-tc8xp2so9l 9 months ago
Great video as always, John. Just wanted to say that I've noticed that very same malware being dropped in my SSH honeypot a couple of times some months ago, but I've got 3 different samples of it if I remember correctly. IDK if I should send you those samples because they're almost the same IRC worm written in plain bash... And I find them funny as hell. Sorry for any typos, I'm not a native English speaker.
@OverNine9ousend 11 months ago
What is this Overflow thumbnail :D Also, Pi with IRC RAT, let's go baby. Nice find.
@JosephHenryDrawing 11 months ago
Great video! Running down the code was pretty interesting.
@mikehensley78 11 months ago
Looks like an RX Bot my brother used to play with back in the day... it comes to an IRC channel and you command it with commands beginning with a special character. I used to love IRC. :)
@OppieT30 11 months ago
I got hacked once when I had my Linux box on the net; they installed an IRC bot in my home directory. I looked at what it did and logged into the channel they were using. And saw everything. Pretty interesting.
@6pfk 11 months ago
Picked up a lot of background bash info, thanks.
@dguerri 11 months ago
Now I feel very old. IRC as C2 was the default back in my days 😂
@twinklingwater 11 months ago
A few years back I was called to analyze a hacked Linux box. Turns out the malware used IRC as well to talk to the C2 infrastructure. In the Windows-attacks universe we find all kinds of crazy stuff to make sure C2 communication works and is not immediately detected. And then over on Linux, where everyone's nice and peaceful, we find malware that's 20 years behind current developments. I found that cute.
@graog123 11 months ago
@@twinklingwater Linux targets are just on average much harder targets and on average also provide a much lower return on time investment. Why bother?
@PwnySlaystation01 11 months ago
Haha, we boomers used to run IRC with Telnet, so I recognize those responses immediately!
@nathanwolf7858 11 months ago
OK, I'll date myself a little bit here, but this is not new. The Sub7 server was using IRC for C2 like 25+ years ago..... lol
@PandaBero83 11 months ago
Good old days.. turning 40 in a few weeks and can remember Sub7 but also B.O. from 'the Cult of the Dead Cow' or the Melissa virus (still have the source code somewhere printed out)
@rpf222 11 months ago
@@lumikarhu they pwn3d my port 31337! Master's Paradise was another fun one when it didn't crash. Opening someone's CD-ROM drive was always good for a laugh.
@tubegcp0079 9 months ago
Top, thanks very much
@jonnypeace2810 11 months ago
That is wild. I don't often read malicious bash scripts; interesting, enjoyed seeing how that works. I am thinking the double ampersand is only there to run if the sshpass connection occurs, i.e. the commands after && only execute if the previous commands execute successfully (exit 0). So it's a method of skipping the rest of the commands if it fails.
@NexuJin 11 months ago
Yes, that's exactly what it's for. It requires the command to complete without STD_ERR before going to the next sequence. There is also an opposite of it with ||, where it only executes the next sequence if the previous command exits with a STD_ERR.
@user-zd7oo3vf5c 11 months ago
Could you please create a video about "Black Cat/AlphV ransomware" and how their tools work? Looks like a lot of big companies were hit recently.
@GandhiTheDerg 11 months ago
The thing that doesn't make sense is it changing the password. This would make the user take the Pi offline and reflash it, killing the RAT, in most cases.
@Lampe2020 11 months ago
5:20 If you want to pronounce "Deutschland" as a German would pronounce it ("Deutschland" is German for "Germany"), think of it as if it were written "Doytshlund" and pronounce that the English way.
@taahaseois.8898 10 months ago
Exactly. He should've just stayed quiet instead of butchering it and saying "Dutchland".
@Lampe2020 10 months ago
@@taahaseois.8898 Especially since "Dutch" is the English word for "something from the Netherlands", which isn't exactly German, even though it's geographically close.
@taahaseois.8898 10 months ago
@@Lampe2020 Yeah. I can see that causing some confusion.
@illusionsingh 11 months ago
Thumbnail like LiveOverflow 😅
@ScottPlude 11 months ago
Every time John does one of these files, I am blown away! Now I know where "John the Ripper" came from... c'mon... you know you created this, John!!!!
@griffon2-6 11 months ago
wdym "John the Ripper" came from? It's an ancient program; it came from whoever wrote it in 1996. I don't get that comment.
@ScottPlude 11 months ago
@@griffon2-6 you don't have to get it.
@jagdtigger 11 months ago
Did you report this to the IRC provider? It would be fun to break their botnet.... :D
@thejonte 11 months ago
The IT guy at the school I go to had the exact same thing happen to him.
@alexandrohdez3982 11 months ago
the best 👏👏👏
@dbdcheese 11 months ago
Bro copied LiveOverflow's thumbnail as revenge for the mockery in his last video 💀
@TakorAgbor 11 months ago
Thank you, sir, for keeping me up to date. I JUST started a career in cybersecurity and I would really like to be a mentee.
@rapid.reels0 11 months ago
What if that trojan is still active, and we access those IRC channels and type the commands which are read by those trojans and executed on the systems? Don't we have a, umm, sort of access to the infected computers? Anyway, great video, sir John!!
@tuomaskk 11 months ago
You need the private key to encrypt your commands. The script had the public key.
@mcmann7149 11 months ago
Late to the video, but Kaiten was a suicide craft made by the Japanese at the end of WW2. I'm guessing by that name it's some type of script that kills itself after it completes whatever the creator or actor wanted it to do.
@iblackfeathers 11 months ago
Between lines 9 and 10 I fail to see how the directory was created before they issued the copy command. Does cp make the directory for you if it does not exist? If not, they missed a step after creating the variable on line 9.
@NexuJin 11 months ago
The directory /opt is by default present on a Raspbian install, and with most modern Linux distributions. They didn't miss a step. Step 9 was only to create a unique string, which is used as the name for $NEWMYSELF. Lines 11 to 13 could have been done in just 1 line, in fact.
@JustMatt87 11 months ago
John, John, John, how do you not know Undernet is a pretty well-known public IRC server?
@alcaeo 11 months ago
I thought you were older, John. 🤣 Not recognizing an IRC server, network and the default IRC port 6667... You know so much, but just this one time, I instantly knew something you didn't, even way before the connect message when you nc'ed the hostnames. 😁 IRC is likely one of the oldest ways to control zombies / bots. I remember hearing about this almost 25 years ago, and even then it wasn't new.
@NexuJin 11 months ago
Undernet should have given it away. One of the oldest of the IRC networks around.
@infohazard 11 months ago
Absolutely, it got me right at PING/PONG.
@philto9999 1 month ago
Like 10 years ago I remember a friend sending me an IRC script that was kinda malware but really weak. I had to go chat with someone, make them add a script to their IRC program (there was a button on my end that was sending an explanation on how to "update" your IRC with this script) and then I could open 100 calculators or make their PC make the error sound for no reason :p It was hard to get people to accept adding those into their IRC scripts, but I had fun spamming calculator on some friends.
@timovc5340 11 months ago
Awesome video, but I've got one question.. How do hackers always find these servers, like basic Raspberry Pi servers or web services with bad configs? Is there a way to just use Google dorks and find them, or what?
@user-lt2rw5nr9s 11 months ago
17:33 Infected machines are used to scan the Internet for port 22 with zmap and then log in with pi/raspberry, then copy and execute itself upon successful login. To get started, the threat actors probably used a VPS or a hacked server to do the initial infection.
@NexuJin 11 months ago
Read up on port scanning with programs like nmap and zmap. IP ranges are constantly being port-scanned by some script kiddie somewhere.
@gauthamgamer1214 11 months ago
Hello John, I was wondering if I could have this bash script. It will be really useful for my learning.
@randykitchleburger2780 11 months ago
12:26 That is the IRC server looking up your reverse.
@cadeathtv 10 months ago
Clean, persist, backdoor, C2, RCE, worm: can't classify that as a single type of malware.
@ReligionAndMaterialismDebunked 11 months ago
Orange Pi 5 > Raspberry Pi 4. Hehe. Though I'll be getting the Yoga 370 instead. ^_^
@gooniesfan7911 11 months ago
Old heads in the comment section remember IRC being the gold standard for bot C2s.. also back then it was called C&C. Those were the days.
@An.Individual 11 months ago
Is the TL;DR to change the default password?
@suchtberater 11 months ago
You should already kinda know that...
@An.Individual 11 months ago
@@suchtberater there hasn't been a default user/password on Pi OS for years.
@suchtberater 11 months ago
@@An.Individual I wouldn't know, them mfs expensive asf.
@unoqualsiasi7341 11 months ago
Yeah, but you still need to give sudo credentials? Am I right?
@Donder1337 11 months ago
This script is useful!
@salnaggar 11 months ago
Long time ago I found Windows malware and it was using Facebook post comments as C2...
@6pfk 11 months ago
Did you try watching that IRC channel?
@saltysailor537 11 months ago
Don't worry everyone, you can't buy a Pi anyway 😮‍💨
@thighdude7 11 months ago
Underrated comment
@adminxds 11 months ago
Why 🤔
@CartoonSlug 11 months ago
LOL
@Lampe2020 11 months ago
Yes, you can. In the Raspberry Pi shop in London. But only as a kit, not alone, as far as I know.
@An.Individual 11 months ago
I bought 2x Pi 4B 4GB in the last 2 weeks & I don't even need them. However, they are out of stock again.
@randykitchleburger2780 11 months ago
God, I love watching your videos lol
@Stockhlam 11 months ago
I don't really understand how the code between lines 9..15 is able to work. sudo usually asks for a password before granting root privileges. Or is this script just hoping for an empty password or for a NOPASSWD sudo configuration?
@Stockhlam 11 months ago
OK, turns out NOPASSWD is set in the default configuration of Raspberry Pi.
@NexuJin 11 months ago
The script is abusing people running their Raspberry Pi with the default configuration. That's why we generally call people running these scripts "script kiddies". The people that wrote it are the actual hackers. This script is somewhat nice; the author certainly put value in the readability of its code with proper indentation. But there are places for improvement, for example lines 11 - 13 could have been done with 1 sudo command and with cat to write the new /etc/rc.local file. Even better would be to only do the /etc/rc.local update if the cp of $NEWMYSELF completed successfully.
@mountp1391 11 months ago
IRC make us op
@TurboWindex 11 months ago
Nobody hacked you if you exposed a service on the web with default credentials. You hacked yourself.
@MrEndzo 11 months ago
ikr
@shroomer3867 11 months ago
If you have default credentials and open SSH... well, let's say they were lucky they weren't hijacked before.
@TheScarvig 11 months ago
@@shroomer3867 Well, they said it themselves: they usually have no port forwarding for 22 (SSH) in their router settings, so using defaults on a Pi is "kinda" fine. The problem is that they forgot that they have an "unsecure" Pi on their network before opening the port for a mere 30 min to let someone else access their Pi. The second they thought of forwarding the port to their Pi they should have thought "WAIT, that thing is still on default credentials!" next. The scary thing is the auto-propagation of this worm. This shows that even a second of open ports with default credentials is too much, because there are potentially thousands of infected Pis out there scanning for these vulnerable devices at all times.
@CZghost 11 months ago
@@TheScarvig That's the issue. It doesn't take a long time to scan the entire Internet. 30 minutes or less is probably what it takes to find your device exposed online. When you acquire such a device, even if you don't plan to open it to the Internet, ALWAYS change the default credentials. Because you might get your own machine in the network infected and it may try to hijack the Pi server from your own machine, in other words from the inside of the network. If you are handling a Raspberry Pi server in your network, don't ever leave it on default credentials. The first thing you need to do is to change the default username and password and restrict (deny) root login over SSH (that's highly insecure). Also, you have to disable password login, because the password isn't encrypted while logging in (it is used to establish a secured encrypted connection, but the password itself is sent in clear). If a friend needs to momentarily access the Raspberry Pi over SSH, maybe ask them to come to your home, which may be much easier. Anyway, ask them to send you their public SSH key, so you can add it to the authorized keys manually, and if they for some reason need the access remotely, then port forward the SSH port at the ISP level (because you need to expose the port to your router, that's actually pretty easy to do, but you don't manage the ISP's router, so you have to ask them to port forward the SSH port 22 to your plug, which may cost you additional money).
@IMBlakeley 11 months ago
Exactly, it is brain-dead to do so.
@MrEndzo 11 months ago
How young is John, not to know about IRC?
@abdeabdc6964 11 months ago
Exactly
@PandaBero83 11 months ago
My first time joining an IRC server was in 1997 using a beta version of BitchX 😂
@NexuJin 11 months ago
@@PandaBero83 mIRC was the first IRC client I used. But I also used BitchX and irssi, and nnscript for QuakeNet. I'm still using IRC on a daily basis.
@j_r_- 11 months ago
Why didn't he join that IRC channel to see how many hosts were on there?
@j_r_- 11 months ago
Just joined it; there are no people in it.
@abdeabdc6964 11 months ago
@@j_r_- I went there as well, let's register the channel and wait for the bots.
@kraemrz 11 months ago
Sweet
@randykitchleburger2780 11 months ago
5:05 Kaiten is another Linux bot.
@acidlaek 11 months ago
OK, that is cool.
@SzymekCRX 11 months ago
I find that beautiful. Malicious, but beautiful ;)
@FinderTheIcewing 11 months ago
Why do you look like the main character from Beholder 3?
@bhagyalakshmi1053 11 months ago
C nod is Driving other works also never to confirm Li esys👀 problem my work and drive Information please reply. How many parkview balancing files and sell to change binck change this work headel min change blinc files open
@taahaseois.8898 11 months ago
Man was clueless. Really never seen IRC before?
@ChaseD2012 11 months ago
Raspberry Pi vs ROG Ally 😂
@abdeabdc6964 11 months ago
Admit it, John, you never used an IRC network.
@drac.96 11 months ago
I got hacked with XMRig and lolMiner on my Raspberry Pi after installing a package from either APT or NPM.
@bosager7602 6 months ago
This dude never used IRC.
@calypsocostelo2482 11 months ago
It's not a good idea to leave negative comments or to give dislikes on this channel. You might get hacked if you do that... 🤣
@ReligionAndMaterialismDebunked 11 months ago
Early :3
@ChiefYOUtuber 11 months ago
ha..
@paullee107 11 months ago
Yes, I hand-copied the entire script so I could dig in. Got the same 2.2k .7z file and can run it!! Guess I could have asked for the code, but… fun??
@lanceromance6856 11 months ago
I'm 67 and played on Lucipher chat, and other chats back in the 80's and 90's. The whole P/H/A & \/\/arez and all the LOD MOD CCC DPAC 4/F and all the euro virus scenes. This is the stupidest video I never paid attention to. Just typed a msg. Let me see if I can recall any of my sign-offs umm. The Cleveland PHranster! Lance Romance. Officially recognized slayer of LOD and Chaos Computer Club.
@BALJIT147 11 months ago
🍔🫕🍫🍫🏔
@theligtninginfinity1445 11 months ago
Stop, kids, please, commenting shit thinking u are HaCkErs
@LinuxJedi 10 months ago
Does no one use UFW??? sudo ufw deny 6667