Agile QBot Variant Adds NbotLoader Netgear Bug in Its New Update
Introduction
QBot, also known as Bashlite, is one of the most widely known IoT botnet frameworks and is often described as a precursor of Mirai. The IoT security landscape has changed since the Mirai outbreak, and awareness of the need for better security among IoT users has increased. To remain relevant, QBot must evolve, and that is exactly what we observe in one of the latest QBot binary samples.
Update 1 to QBot: NbotLoader module added
We recently observed that Bug 60281 (the NbotLoader bug) has been weaponized and is being freely shared on hacking forums, and we predicted that, given the simplicity and effectiveness of the bug, it would quickly be adopted by other botnets. Below is a section of the publicly available QBot source from hacking forums in which the malware author added a small, incomplete block with the remark “Note: not finished will do later” and left an incomplete, commented-out block as seen below.
While reversing a “fresh” QBot binary, we observed that this code has now been completed. In the decompiled code we can see the full implementation of NbotLoader, used to obtain credentials and run its payload via arbitrary code execution. A section of the decompiled, completed Netgear function is shown below:
Update 2 to QBot: Botkiller list increased
One interesting module in QBot is its Botkiller functionality. By the coder’s logic, QBot does not tolerate other botnets running on the same device, so its Botkiller terminates “BusyBox” if a trace of another bot is found. The list in the leaked QBot source code contained 36 names. In this sample, however, the list has grown more than fivefold to 215 indicators of other botnets. Since the list is huge, we are only providing a section of it for readability, as shown below:
This list looks to be copied from one post by a user known as “SynthMesc” who compiled it and made it public on pastebin:
Botkiller functionality
While reversing the QBot Botkiller module, we confirmed our assumption about the actions this function takes when a known competing bot is detected. We can see that system() is called with the strings at addresses 0x402225 and 0x40223f. These addresses hold the commands “kill -9 pidof busybox” (to kill BusyBox) and “history -c” (to delete traces from the affected system) respectively.
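As an added illustration (not code from this post, nor from the QBot source), the following Python scanner looks for the two Botkiller command strings and the “Radiation” marker discussed in this analysis inside a binary blob and reports where they sit, as a reversing workflow like the one above would. The blob and the 0x400000 image base are constructed stand-ins, not bytes or addresses from the real sample.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicator strings taken from the Botkiller analysis in this post.
# The kill/pidof pair is matched loosely so that both
# "kill -9 `pidof busybox`" and "kill -9 $(pidof busybox)" hit.
BOTKILLER_KILL = re.compile(rb"kill -9\s+\S*pidof busybox")
BOTKILLER_HISTORY = re.compile(rb"history -c")
AUTHOR_MARKER = re.compile(rb"Radiation")

# Constructed stand-in for a stripped ELF; NOT bytes from the real sample.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 40
    + b"kill -9 `pidof busybox`\x00" + b"\x00" * 7
    + b"history -c\x00"
    + b"\x90" * 12 + b"Radiation\x00" + b"\x00" * 8
)

@dataclass
class Hit:
    name: str
    offset: int   # file offset plus image base
    text: str

def scan_blob(blob: bytes, base: int = 0) -> list[Hit]:
    """Return every indicator hit with its address (file offset + base)."""
    hits = []
    for name, pat in (("botkiller_kill", BOTKILLER_KILL),
                      ("botkiller_history", BOTKILLER_HISTORY),
                      ("author_marker", AUTHOR_MARKER)):
        for m in pat.finditer(blob):
            hits.append(Hit(name, base + m.start(),
                            m.group().decode("ascii", "replace")))
    return hits

def classify(hits: list[Hit]) -> str:
    """'history -c' alone is common in benign scripts; only the pair of
    commands is reported as the QBot Botkiller pattern."""
    names = {h.name for h in hits}
    if {"botkiller_kill", "botkiller_history"} <= names:
        return "qbot-botkiller"
    if "botkiller_kill" in names:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    found = scan_blob(SAMPLE_BLOB, base=0x400000)
    for h in found:
        print(f"{h.name:18s} @ 0x{h.offset:x}  {h.text!r}")
    print("verdict:", classify(found))
```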
Malware Author Marker and Possible Link
Besides these updates, QBot also retains its older functionality such as ICMP flooding and weak-password attacks. In this specific QBot strain, the malware authors use an odd programming practice in their randomization function. Rather than implementing a proper random() for strings, the author lazily placed many hard-coded strings into an array, and the random function simply indexes into it. This trait is present both in the older QBot source code and in the updated binary we analyzed.
The malware author has often been called out on hacking forums for this unusual programming practice. Despite the criticism, he appears to have no intention of changing it, as it persists in the updated versions. In the following screenshot, we see forum members singling out this programming practice (profanity obfuscated in the screenshot):
Also among the strings, we see a mention of “Radiation”, which leads us to speculate that this sample may be linked to the Radiation/Radioactive botnet group, which has previously been linked to the Amnesia IoT botnet (the first well-known botnet with virtualization checks):
Conclusion
A common methodology among cybersecurity researchers is to group threats by family. Malware authors, however, keep their code agile by freely borrowing modules from one another. The lines blur even further in IoT security, where code and modules are widely shared across forums. Keeping your IoT environment patched and free of weak passwords goes a long way toward securing these devices. NewSky Security IoT Halo detects and blocks these threats with detection modules for both the telnet default-password approach and the Netgear exploit.
Ankit Anubhav
Principal Researcher, NewSky Security