
The new developments of the Fbot

February 20, 2019 - 360netlab

Declaration

It seems that the Fbot we captured this time is a variant targeting HiSilicon DVR/NVR SoC devices. (Please bear in mind that IoT products have a long market chain, and things can go wrong at every possible upstream or downstream manufacturer. We list HiSilicon DVR/NVR SoC here because that is what the bots themselves show; the root problem might be a specific OEM application running on top of the HiSilicon SoC. Without a working exploit, this question is yet to be answered.)

Background introduction

Beginning on February 16, 2019, 360Netlab observed that a large number of HiSilicon DVR/NVR SoC devices were being exploited by attackers to load an updated Fbot botnet program. Fbot was originally discovered and disclosed by 360Netlab [1]; it has remained active and is constantly being upgraded. The Fbot we captured this time is a variant targeting HiSilicon DVR/NVR SoC devices.

Fbot infection target

By probing the IP banner information of the infected devices, we obtained a list of infected device models, and all banner messages indicate that the bots are running on CPUs from the HiSilicon DVR/NVR SoC family. We see a few different camera brands, as a number of camera manufacturers build OEM products on HiSilicon DVR/NVR SoCs.

Altogether, we have 24,528 infected IPs.

Figure 1: Infected camera IP country/region distribution

The following is a country breakdown of infected camera IPs

VN 6760   TW 2110   TH 1459   BR 1276   TR 1137
IN  942   IR  892   RU  862   ID  609   RO  579
MY  553   IT  489   CO  363   EG  362   LK  360
US  328   AR  310   MX  293   FR  255   PK  237
UY  185   PL  184   GB  184   VE  183   CL  177
MA  176   UA  166   BG  147   GR  142   HU  141
SG  130   IL  123   DE  109   BD  106   ES  103

The following is a list of the infected cameras' CPU models (count, model):

 8262  bigfish
 3534  hi3520d
  383  godarm
  302  godnet
   78  hi3535
    8  Hisilicon Hi3536DV100 (Flattened Device Tree)

Fbot infection process

The Fbot infection is a multi-step process, and we successfully captured Fbot samples and some payloads through our Anglerfish honeypot and some fuzz testing tricks. We have not yet captured the key exploit payload, and we would be interested if anyone has more detail on it.

The following is the overall infection process.

Figure 2: Infection process

First, a device already infected with Fbot scans TCP ports 80, 81, 88, 8000 and 8080 by issuing basic HTTP requests. When a target device returns the expected characteristics, Fbot reports the target's IP and port to its Reporter (185.61.138.13:6565).

After that, the Fbot Loader (185.61.138.13) logs in to the target device's web port using the device default credentials (user "admin" with an empty password). If the target device responds, the Fbot Loader then logs in to the dvrip port (TCP 34567) using the device default credentials "admin/tlJwpbo6".

Since our Anglerfish honeypot has not emulated the dvrip protocol yet, we have no visibility into how the exploit works: is it the normal dvrip protocol or some new exploit? We have no answer at this point.

Fuzz Fbot Loader

Nevertheless, we still successfully bypassed the Fbot Loader's exploit logic by fuzz testing the dvrip protocol, which let us observe the rest of this botnet's actions. It appears that the Fbot Loader then pushes the Fbot downloader to our TCP port 9000 via a shell command. With this, we obtained the Fbot Downloader sample, and through the Downloader sample we obtained the Fbot download URLs:

http://185.61.138.13:8080/fbot.arm5.u
http://185.61.138.13:8080/fbot.arm7.u

Sample analysis

Downloader

MD5: 3b7f5be1c1ed582042f783ffcb23b754
This sample is delivered on port 9000 through the command line (echo -ne XXXXXX > downloader). It has only one mission: to download Fbot over HTTP and execute it. The figure below shows a snippet of the sample, where you can see the code that downloads Fbot:

[Figure: code snippet of the Downloader fetching Fbot over HTTP]

fbot.arm5.u

The Fbot sample, MD5: 43a7d9956720b86330d4985c773e76c1

Encryption

Two different layers of encryption are used in the sample to protect its static resources from analysis.

The first layer uses a single-byte XOR algorithm (XOR with 0x31); the relevant decryption code is shown below (Python 2.7):

[Figure: Python 2.7 code for the single-byte XOR 0x31 layer]

After the above code runs, we get two code tables: a ciphertext table and a cleartext table. By replacing characters according to these two tables, the static strings in the sample can be decrypted. The relevant code is shown below (Python):

[Figure: Python code for the table-substitution layer]

Truncating the first line of output yields Fbot's C2 address (xabolfpzbz.ukrainianhorseriding.com).

Next come some commands (PING/PONG/LOLNOGTFO) and strings related to resource control.
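The two-layer scheme described above, carried through as a runnable illustration. This is an added example in Python 3, not the post's own Python 2.7 scripts and not code from the Fbot sample: the code tables and the encrypted strings embedded below are constructed for the demo (the cleartext table is printable ASCII, the ciphertext table a fixed rotation of it), so the real tables, strings and C2 must be taken from the binary itself. What it shows is the order of operations: XOR 0x31 unpacks the two tables, then each encrypted string is mapped byte-for-byte through them.

```python
# Two-layer string decryption of the kind the post describes: a single-byte
# XOR (key 0x31) that unpacks two code tables, then a byte-for-byte
# substitution through those tables. Added illustration; NOT code from the
# post or from the Fbot sample. The tables and encrypted strings below are
# CONSTRUCTED so the block runs offline; the real ones live in the binary.

XOR_KEY = 0x31


def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Layer 1: single-byte XOR. The same call both encrypts and decrypts."""
    return bytes(b ^ key for b in blob)


def build_tables(xored_cipher_tbl: bytes, xored_clear_tbl: bytes):
    """Recover the ciphertext and cleartext code tables from their XOR-protected form."""
    cipher_tbl = xor_decode(xored_cipher_tbl)
    clear_tbl = xor_decode(xored_clear_tbl)
    # A substitution table must be a bijection: equal length, no duplicate keys.
    if len(cipher_tbl) != len(clear_tbl) or len(set(cipher_tbl)) != len(cipher_tbl):
        raise ValueError("code tables must be equal-length and free of duplicates")
    return cipher_tbl, clear_tbl


def substitute(data: bytes, cipher_tbl: bytes, clear_tbl: bytes) -> bytes:
    """Layer 2: map each byte through the ciphertext -> cleartext table.
    Bytes absent from the table (e.g. the NUL terminator) pass through unchanged."""
    return data.translate(bytes.maketrans(cipher_tbl, clear_tbl))


def decrypt_strings(xored_cipher_tbl: bytes, xored_clear_tbl: bytes, encrypted):
    """Full pipeline: layer 1 on the tables, then layer 2 on every encrypted string.
    Each result is cut at the NUL that terminates a C string in the binary."""
    cipher_tbl, clear_tbl = build_tables(xored_cipher_tbl, xored_clear_tbl)
    out = []
    for enc in encrypted:
        clear = substitute(enc, cipher_tbl, clear_tbl)
        out.append(clear.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return out


# ---- constructed demo data (stand-ins for what a disassembler would show) ----

def demo_tables():
    """CONSTRUCTED tables: printable ASCII as cleartext, a fixed rotation of it
    as ciphertext, both stored XOR 0x31 as they would be inside the sample."""
    clear_tbl = bytes(range(0x20, 0x7F))
    n = len(clear_tbl)
    cipher_tbl = bytes(clear_tbl[(i + 17) % n] for i in range(n))
    return xor_decode(cipher_tbl), xor_decode(clear_tbl)  # XOR is its own inverse


def demo_encrypt(s: str) -> bytes:
    """Produce the encrypted form of a string under the constructed tables.
    Only needed to fabricate demo input; a real sample already contains these."""
    cipher_tbl, clear_tbl = build_tables(*demo_tables())
    return s.encode("ascii").translate(bytes.maketrans(clear_tbl, cipher_tbl)) + b"\x00"


# Plaintexts chosen to mirror the kinds of strings the post lists (commands and
# scan strings); constructed input, not extracted from the binary.
DEMO_PLAINTEXTS = ["PING", "PONG", "LOLNOGTFO", "GET / HTTP/1.0", "uc-httpd 1.0.0"]


def decrypt_demo():
    """Run the whole pipeline on the constructed data and return the cleartext list."""
    xored_cipher, xored_clear = demo_tables()
    return decrypt_strings(xored_cipher, xored_clear, [demo_encrypt(s) for s in DEMO_PLAINTEXTS])


if __name__ == "__main__":
    for s in decrypt_demo():
        print(s)
```

When applying this to a real sample, replace demo_tables() with the two XOR-protected byte arrays pulled from the binary and feed decrypt_strings() the encrypted string blobs; the bijection check in build_tables() is what tells you early that you grabbed the wrong offsets.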

It is worth noting that the last two lines of strings relate to the ongoing scan activity: "GET / HTTP/1.0" is the request used for scanning, and "uc-httpd 1.0.0" is the target fingerprint. With the support of the Mirai SYN scanner (MIRAI-SYN-SCAN), once a qualifying target is found, its address (IP:PORT) is reported to the Reporter on the core Loader host (185.61.138.13:6565). The relevant code and protocol format are as follows:

[Figure: scan and report code, with the report protocol format]
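The scan-then-report behaviour described above is what a defender can detect on the wire even without the exploit payload. The following is an added example, not code from the post: a small classifier that runs over connection records and flags hosts that (a) probe several targets with "GET / HTTP/1.0" on the five Fbot scan ports, (b) contact the Reporter at 185.61.138.13:6565, (c) fetch fbot.* from the Loader's port 8080, or (d) receive a dvrip (TCP 34567) connection from the Loader. The indicators are the ones the post states; the record format and the sample records are constructed for the demo, and the threshold of three scanned hosts is an assumption to tune to your own traffic.

```python
# Detection logic for the Fbot scan/report/load pattern described in the post.
# Added example, not the post's code. The record format below is CONSTRUCTED
# ("ts src:sport -> dst:dport tcp \"first payload bytes\""); map your own
# flow/IDS logs into it. Indicators (ports, IPs, request string) are from the post.
import re
from collections import defaultdict

SCAN_PORTS = {80, 81, 88, 8000, 8080}          # ports the bot probes
SCAN_REQUEST = "GET / HTTP/1.0"                # probe sent to each target
REPORTER = ("185.61.138.13", 6565)             # where found targets are reported
LOADER_IP = "185.61.138.13"                    # host that logs in and pushes the downloader
LOADER_HTTP_PORT = 8080                        # serves fbot.arm5.u / fbot.arm7.u
DVRIP_PORT = 34567                             # port the Loader logs in to on victims

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> '
    r'(?P<dst>[\d.]+):(?P<dport>\d+) tcp "(?P<payload>[^"]*)"$'
)


def parse_flow(line: str):
    """Parse one constructed record into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def classify(lines, min_scan_targets: int = 3):
    """Return {ip: [reasons]} for every host showing Fbot-related behaviour.
    min_scan_targets (assumption) keeps a single stray probe from firing."""
    scan_targets = defaultdict(set)   # src -> distinct hosts it probed
    reporter_contact, loader_download, loader_dvrip_target = set(), set(), set()

    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["dport"] in SCAN_PORTS and f["payload"].startswith(SCAN_REQUEST):
            scan_targets[f["src"]].add(f["dst"])
        if (f["dst"], f["dport"]) == REPORTER:
            reporter_contact.add(f["src"])
        if f["dst"] == LOADER_IP and f["dport"] == LOADER_HTTP_PORT and "fbot." in f["payload"]:
            loader_download.add(f["src"])
        if f["src"] == LOADER_IP and f["dport"] == DVRIP_PORT:
            loader_dvrip_target.add(f["dst"])   # the *destination* is the victim here

    verdicts = {}
    for ip in set(scan_targets) | reporter_contact | loader_download | loader_dvrip_target:
        reasons = []
        if len(scan_targets.get(ip, ())) >= min_scan_targets:
            reasons.append(f"probed {len(scan_targets[ip])} hosts with '{SCAN_REQUEST}' on Fbot scan ports")
        if ip in reporter_contact:
            reasons.append("contacted the Fbot Reporter 185.61.138.13:6565")
        if ip in loader_download:
            reasons.append("fetched fbot.* from the Loader 185.61.138.13:8080")
        if ip in loader_dvrip_target:
            reasons.append("received a dvrip (TCP 34567) login from the Loader 185.61.138.13")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


# CONSTRUCTED sample records: 10.0.0.5 is an infected bot (scan + report),
# 10.0.0.7 is a fresh victim (Loader logs in, then it fetches the payload),
# 10.0.0.9 is ordinary browsing, 10.0.0.12 sends one probe only.
SAMPLE_FLOWS = [
    '2019-02-16T10:00:01Z 10.0.0.5:40001 -> 203.0.113.10:80 tcp "GET / HTTP/1.0"',
    '2019-02-16T10:00:01Z 10.0.0.5:40002 -> 203.0.113.11:81 tcp "GET / HTTP/1.0"',
    '2019-02-16T10:00:02Z 10.0.0.5:40003 -> 203.0.113.12:8080 tcp "GET / HTTP/1.0"',
    '2019-02-16T10:00:05Z 10.0.0.5:40004 -> 185.61.138.13:6565 tcp ""',
    '2019-02-16T10:00:09Z 185.61.138.13:50000 -> 10.0.0.7:34567 tcp ""',
    '2019-02-16T10:00:12Z 10.0.0.7:41000 -> 185.61.138.13:8080 tcp "GET /fbot.arm5.u HTTP/1.0"',
    '2019-02-16T10:01:00Z 10.0.0.9:51000 -> 198.51.100.7:80 tcp "GET /index.html HTTP/1.1"',
    '2019-02-16T10:02:00Z 10.0.0.12:44000 -> 203.0.113.20:8000 tcp "GET / HTTP/1.0"',
    'this line is malformed and is skipped',
]

if __name__ == "__main__":
    for ip, reasons in sorted(classify(SAMPLE_FLOWS).items()):
        print(ip, "->", "; ".join(reasons))
```

The scan rule alone is weak (any bare HTTP/1.0 probe matches), which is why the verdict pairs it with the Reporter, Loader and dvrip indicators; a host that only matches the scan rule still deserves a look, but the combination is what makes the Fbot attribution solid.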

DDOS attacks

This Fbot variant has five attack vectors, all of them DDoS-related. The relevant initialization code is as follows:

[Figure: initialization code for the five DDoS attack vectors]

Summary

Relevant security and law enforcement agencies are welcomed to contact netlab[at]360.cn for a list of infected IP addresses.

Contact Us


Readers can reach us on Twitter, on WeChat (360Netlab), or by email to netlab at 360 dot cn.

IoC list

C2:          xabolfpzbz.ukrainianhorseriding.com:6592
reporter ip: 185.61.138.13:6565
loader ip:   185.61.138.13
url:         http://185.61.138.13:8080/fbot.arm5.u
             http://185.61.138.13:8080/fbot.arm7.u
md5:
  9827375cd2e8ee9e3acc870e4b4c6097  downloader
  3b7f5be1c1ed582042f783ffcb23b754  downloader
  43a7d9956720b86330d4985c773e76c1  fbot.arm5.u

ASN Top 20

ASN      Organization                                             Unique IPs
AS45899  VNPT Corp                                                2590
AS7552   Viettel Group                                            3600
AS3462   Data Communication Business Group                        1270
AS18403  The Corporation for Financing & Promoting Technology     996
AS9121   Turk Telekom                                             777
AS17552  True Internet Co.,Ltd.                                   676
AS24086  Viettel Corporation                                      531
AS4788   TM Net, Internet Service Provider                        428
AS17974  PT Telekomunikasi Indonesia                              376
AS45758  Triple T Internet/Triple T Broadband                     479
AS23969  TOT Public Company Limited                               325
AS18881  TELEFÔNICA BRASIL S.A                                    319
AS8452   TE-AS                                                    259
AS9829   National Internet Backbone                               178
AS12880  Information Technology Company (ITC)                     277
AS8708   RCS & RDS                                                270
AS8151   Uninet S.A. de C.V.                                      282
AS9329   Sri Lanka Telecom Internet                               334
AS7738   Telemar Norte Leste S.A.                                 183
AS3269   Telecom Italia                                           209
