im pretty sure when elliot connected the pi to the Steel canyon thermostat i think it was also a Raspberry Pi Malware uses IRC Remote Access Trojan (RAT).
IRC as a command&control is not unheard of. Used to be common back in the early 2000s when first botnets came to existance. Question: who port-forwards ssh to raspberry pi with default user/pass to internet? Like putting keys into a car with windows open...
I am not an expert in the field of cyber security, but I intend to learn, and every time I lose passion in learning and watch your videos, I just go back and continue again. Thank you for everything😊😉 I feel that you are my guide in this field😌
looks like an RX Bot my brother used to play with back in the day... it comes to an IRC channel and you command it with commands beginning with a special character. i used to love IRC. :)
I got hacked once when I had my linux box on the net, they installed an IRC bot in my home directory. I looked at what it did and logged into the channel they were using. And seen everything. Pretty interesting.
5:20 If you want to pronounce "Deutschland" as a German would pronounce it ("Deutschland" is German for "Germany"), think of it as if it was written "Doytshlund" and pronounce that the English way.
@@taahaseois.8898 Especially since "Dutch" is the english word for "something from the Netherlands", which isn't exactly German, even though it's geographically close.
Good old days.. turning 40 in a few weeks and can remember sub7 but also B.O van 'the Cult of the dead cow' or the Melissa virus (still have the source code somewhere printed out)
@@lumikarhu they pwn3d my port 31337! master's paradise was another fun one when it didn't crash. opening someone's cd-rom drive was always good for a laugh
A few years back I was called to analyze a hacked linux box. Turns out the malware used IRC as well to talk to the C2 infrastructure. In the windows-attacks-universe we find all kinds of crazy stuff to make sure C2 communication works and is not immediately detected. And then over on linux, where everyone's nice and peaceful, we find malware that's 20 years behind current developments. I found that cute.
Great video as always, John. Just wanted to say that I've noticed that very same malware being dropped in my SSH honeypot a couple of times some months ago, but I've got 3 different samples of it if I remember correctly. IDK if I should send you those samples because they're almost the same IRC worm written in plain bash... And I find them funny as hell. Sorry any typo, I'm not a native english speaker.
between lines 9 and 10 i fail to see how the directory was created before they issued the copy command. does cp make the directory for you if it does not exist? if not, they missed a step after creating the variable on line 9.
The directory /opt is by default present on Raspbian install, and with most modern Linux distributions. They didn't miss a step. Step 9 was only to create an unique string, which is used as name for $NEWMYSELF. Line 11 to 13 could have been done in just 1 line in fact.
@@shroomer3867 well they said it themselves: they usually have no port forwarding for 22 (ssh) in their router settings. so using defaults on a pi is "kinda" fine. the problem is that they forgot that they have an "unsecure" pi on their network before opening the port for mere 30 min for letting someone else access their pi. the second they thought of forwarding the port to their pi they should have thought "WAIT that thing is still on default credentials!" next. the scary thing is the auto propagation of this worm. this shows that even a second of open ports with default credentials is too much because there are potentially thousands of infected pis out there scanning for these vulnerable devices at all times
@@TheScarvig That's the issue. It takes not a long time to scan the entire Internet. 30 minutes or less is probably what it takes to find your device exposed online. When you acquire such a device, even if you don't plan to open it over Internet, ALWAYS change the default credentials. Because you might get your own machine in the network infected and it may try to hijack into the Pi server from your own machine, in other words from the inside of the network. If you are handling a Raspberry Pi server in your network, don't ever leave it on default credentials. The first thing you need to do is to change the default username and password and restrict (deny) root login over SSH (that's highly insecure). Also, you have to disable password login, because password isn't encrypted while logging in (it is used to establish a secured encrypted connection, but the password itself is sent in clear). If a friend needs to momentarily access the Raspberry Pi over SSH, maybe ask them to come to your home, which may be much easier. Anyway, ask them to send you their public SSH key, so you can add it to the authorized keys manually, and if they for some reason need the access remotely, then port forward the SSH port at the ISP level (because you need to expose the port to your router, that's actually pretty easy to do, but you don't manage the ISP's router, so you have to ask them to port forward the SSH port 22 to your plug, which may cost you additional money).
I don't really understand how the code between lines 9..15 is able to work. sudo usually asks for password before granting root privileges. Or is this script just hoping for empty password or for NOPASSWD sudo configuration?
The script is abusing people running their Raspberry Pi with default configuration. That's why we generally call people running these scripts "scriptkiddies". The people that wrote it are the actual hackers. This script is somewhat nice, the author certainly put value in readability of it's code with proper indentation. But there are place for improvements, example line 11 - 13 could have been done with 1 sudo command and with cat to write the new /etc/rc.local file. Even better would be to only do the /etc/rc.local update if the cp of $NEWMYSELF was complete successfully.
Awesome video but I've got one question.. How do hackers always find these servers like basic raspberry pi servers or webservices with bad configs? Is there a way to just use google dorks and find them or what?
17:33 Infected machines are used to scan the Internet for port 22 with zmap and then login with pi raspberry, then copy and execute itself upon successful login. To get started the threat actors probably used a VPS or hacked server to do the initial infection.
Late to the video, Kaiten was a suicide craft made by the Japanese at the end of WW2. I'm guessing by that name, it's some type of script that kills itself after it completes whatever the creator or actor wanted it to do.
The thing that doesn't make sense is, it changing the password. This would make the user take the Pi offline and reflash it, killing the RAT, in most cases
what if that trojan is still active, and we access those IRC channels and type the commands which is read by those trojans and execute on the systems. Don't we have a umm sort of access to the infected computers? anyway Great video sir John !!
That is wild. I don't often read malicious bash scripts, interesting, enjoyed seeing how that works. I am thinking the double ampersand is only there to run if the ssh pass connection occurs, i.e. The commands after && only execute if the previous commands execute successfully (exit 0). So it's a method of skipping the rest of the commands if it fails.
Yes, that's exactly what it's for. It requires the command to complete without STD_ERR before going to the next sequence. There is also an opposite of it with ||, where it only execute the next sequence if the previous command exit with a STD_ERR.
I thought you were older, John. 🤣 Not recognizing an IRC server, network and the default IRC port 6667... You know so much, but just this one time, I instantly knew something you didn't, even way before the connect message when you nc'ed the hostnames. 😁 IRC is likely one of the oldest way to control zombies / bots. I remember hearing about this almost 25 years ago, and even then it wasn't new.
watching RAT deep dives is kinda creepy another reason i switched to linux (i had a cryptominer malware on my system) but this malware is linux and im s***ing bricks now im really scared to port forward. idk RATs in general are kinda creepy imagine having someone snooping around your system and watching your every move
Like 10years ago i remember a friend sending me a IRC script that was kinda malware but really weak. I had to go chat with someone, make them add a script to their Irc program (there was a button on my end that was sending an explanation on how to "update" your irc with this script) and then i could open 100 calculator or make their pc make the error sound for no reason :p It was hard to get people to accept adding those into their irc scripts but i had fun spamming calculator on some friends
C nod is Driving other works also never to confirm Li esys👀 problem my work and drive Information please reply. How many parkview balancing files and sell to change binck change this work headel min change blinc files open
I'm 67 and played on lucipher chat, and other chats back in the 80' and 90's. The whole P/H/A & \/\/ arez and all the LOD MOD CCC DPAC 4/F and all the euro virus scenes. This is the stupidest video I never paid attention to. Just typed a msg. Let me see if I can recall any of my sign-offs umm. The Cleveland PHranster! Lance Romance. Oficically recognized slayer of LOD and Chaos Computer Club.
I love how this script taught me how IRC client server actually talk to one another XD
im pretty sure when elliot connected the pi to the Steel canyon thermostat i think it was also a Raspberry Pi Malware uses IRC Remote Access Trojan (RAT).
IRC as a command&control is not unheard of. Used to be common back in the early 2000s when first botnets came to existance.
Question: who port-forwards ssh to raspberry pi with default user/pass to internet? Like putting keys into a car with windows open...
Infecting other raspberry pi on the LAN that infected pi is. Like a school.
What is this Overflow thumbnail :D Also Pi with IRC RAT, lets go baby. Nice find
I am not an expert in the field of cyber security, but I intend to learn, and every time I lose passion in learning and watch your videos, I just go back and continue again. Thank you for everything😊😉 I feel that you are my guide in this field😌
Your explanations help me get better in Linux and malware analyses. Your videos are great value!
looks like an RX Bot my brother used to play with back in the day... it comes to an IRC channel and you command it with commands beginning with a special character. i used to love IRC. :)
Would have been great to validate the credentials in the hash and then join those channels to see how many infected machines are connected.
And share the sample.
I got hacked once when I had my linux box on the net, they installed an IRC bot in my home directory. I looked at what it did and logged into the channel they were using. And seen everything. Pretty interesting.
Haha we boomers used to run IRC with Telnet, so I recognize those responses immediately!
5:20 If you want to pronounce "Deutschland" as a German would pronounce it ("Deutschland" is German for "Germany"), think of it as if it was written "Doytshlund" and pronounce that the English way.
Exactly. He should've just stayed quiet instead of butchering it and saying "Dutchland".
@@taahaseois.8898
Especially since "Dutch" is the english word for "something from the Netherlands", which isn't exactly German, even though it's geographically close.
@@Lampe2020 Yeah. I can see that causing some confusion.
Ok I'll date myself a little bit here but this is not new. Sub7 server was using IRC for c2 like 25+ years ago.....lol
Good old days.. turning 40 in a few weeks and can remember sub7 but also B.O van 'the Cult of the dead cow' or the Melissa virus (still have the source code somewhere printed out)
@@lumikarhu they pwn3d my port 31337! master's paradise was another fun one when it didn't crash. opening someone's cd-rom drive was always good for a laugh
Now I feel very old. IRC as C2 was the default back in my days 😂
A few years back I was called to analyze a hacked linux box. Turns out the malware used IRC as well to talk to the C2 infrastructure. In the windows-attacks-universe we find all kinds of crazy stuff to make sure C2 communication works and is not immediately detected.
And then over on linux, where everyone's nice and peaceful, we find malware that's 20 years behind current developments. I found that cute.
@@twinklingwater Linux targets are just on average much harder targets and on average also provide a much lower return on time investment. Why bother
Great video as always, John.
Just wanted to say that I've noticed that very same malware being dropped in my SSH honeypot a couple of times some months ago, but I've got 3 different samples of it if I remember correctly.
IDK if I should send you those samples because they're almost the same IRC worm written in plain bash... And I find them funny as hell.
Sorry any typo, I'm not a native english speaker.
Could you please create some video about "Black Cat/AlphV ransomware" and how their tools work? Looks like a lot of big companies were hit recently
between lines 9 and 10 i fail to see how the directory was created before they issued the copy command. does cp make the directory for you if it does not exist? if not, they missed a step after creating the variable on line 9.
The directory /opt is by default present on Raspbian install, and with most modern Linux distributions. They didn't miss a step. Step 9 was only to create an unique string, which is used as name for $NEWMYSELF. Line 11 to 13 could have been done in just 1 line in fact.
great video! Running down the code was pretty interesting
Every time John does one of these files, I am blown away!
Now I know where "john the ripper" came from... c'mon... you know you created this John!!!!
wdym "john the ripper" came from? its an ancient program, it came from whoever wrote it in 1996, i don't get that comment
@@griffon2-6 you don't have to get it.
John john john, how do u not know undernet is a pretty well known public irc server?
Nobody hacked you if you exposed a service on the web with default credentials. You hacked yourself.
ikr
If you have default credentials and open SSH. Well let's say they were lucky they weren't hijacked before.
@@shroomer3867 well they said it themselves: they usually have no port forwarding for 22 (ssh) in their router settings. so using defaults on a pi is "kinda" fine. the problem is that they forgot that they have an "unsecure" pi on their network before opening the port for mere 30 min for letting someone else access their pi. the second they thought of forwarding the port to their pi they should have thought "WAIT that thing is still on default credentials!" next.
the scary thing is the auto propagation of this worm. this shows that even a second of open ports with default credentials is too much because there are potentially thousands of infected pis out there scanning for these vulnerable devices at all times
@@TheScarvig That's the issue. It takes not a long time to scan the entire Internet. 30 minutes or less is probably what it takes to find your device exposed online. When you acquire such a device, even if you don't plan to open it over Internet, ALWAYS change the default credentials. Because you might get your own machine in the network infected and it may try to hijack into the Pi server from your own machine, in other words from the inside of the network. If you are handling a Raspberry Pi server in your network, don't ever leave it on default credentials. The first thing you need to do is to change the default username and password and restrict (deny) root login over SSH (that's highly insecure). Also, you have to disable password login, because password isn't encrypted while logging in (it is used to establish a secured encrypted connection, but the password itself is sent in clear). If a friend needs to momentarily access the Raspberry Pi over SSH, maybe ask them to come to your home, which may be much easier. Anyway, ask them to send you their public SSH key, so you can add it to the authorized keys manually, and if they for some reason need the access remotely, then port forward the SSH port at the ISP level (because you need to expose the port to your router, that's actually pretty easy to do, but you don't manage the ISP's router, so you have to ask them to port forward the SSH port 22 to your plug, which may cost you additional money).
Exactly it is brain dead to do so.
Is the TLDR to change the default password?
you should already kinda know that...
@@suchtberater there hasn't been a default user/password on PI OS for years
@@An.Individual i wouldnt know, them mfs expensive asf.
Did you report this to the IRC provider? It would be fun to break their botnet.... :D
I don't really understand how the code between lines 9..15 is able to work. sudo usually asks for password before granting root privileges. Or is this script just hoping for empty password or for NOPASSWD sudo configuration?
Ok turns out the NOPASSWD is set in the default configuration of Raspberry Pi.
The script is abusing people running their Raspberry Pi with default configuration. That's why we generally call people running these scripts "scriptkiddies". The people that wrote it are the actual hackers. This script is somewhat nice, the author certainly put value in readability of it's code with proper indentation. But there are place for improvements, example line 11 - 13 could have been done with 1 sudo command and with cat to write the new /etc/rc.local file. Even better would be to only do the /etc/rc.local update if the cp of $NEWMYSELF was complete successfully.
Awesome video but I've got one question.. How do hackers always find these servers like basic raspberry pi servers or webservices with bad configs? Is there a way to just use google dorks and find them or what?
17:33 Infected machines are used to scan the Internet for port 22 with zmap and then login with pi raspberry, then copy and execute itself upon successful login. To get started the threat actors probably used a VPS or hacked server to do the initial infection.
Read up on portscanning with programs with nmap and zmap. IP ranges are constantly being portscanned by some scriptkiddie somewhere.
Late to the video, Kaiten was a suicide craft made by the Japanese at the end of WW2. I'm guessing by that name, it's some type of script that kills itself after it completes whatever the creator or actor wanted it to do.
The thing that doesn't make sense is, it changing the password.
This would make the user take the Pi offline and reflash it, killing the RAT, in most cases
Bro copied liveoverflow's thumbnail as revenge for the mockery in his last video 💀
hello john, i was wondering if I could have this bash script. it will be really useful for my learning
12:26 That is the IRC server looking up your reverse
what if that trojan is still active,
and we access those IRC channels and type the commands which is read by those trojans
and execute on the systems.
Don't we have a umm sort of access to the infected computers?
anyway
Great video sir John !!
You need the private key encrypt your commands. The script had the public key.
The IT guy at the school I go to had the exact same thing happen to him.
Thank you sir for keeping me up to date. I JUST started a career in Cybersecurity and I will really like to be mentee
picked up a lot of background bash info thanks.
That is wild. I don't often read malicious bash scripts, interesting, enjoyed seeing how that works. I am thinking the double ampersand is only there to run if the ssh pass connection occurs, i.e. The commands after && only execute if the previous commands execute successfully (exit 0). So it's a method of skipping the rest of the commands if it fails.
Yes, that's exactly what it's for. It requires the command to complete without STD_ERR before going to the next sequence. There is also an opposite of it with ||, where it only execute the next sequence if the previous command exit with a STD_ERR.
Thumbnail like liveoferflow😅
the best 👏👏👏
Did you try watching that IRC channel?
clean, persist, backdoor, c2, rce, worm
can't classify that as a single type malware
YEah but you still need to give sudo credentials? am i right?
I thought you were older, John. 🤣
Not recognizing an IRC server, network and the default IRC port 6667... You know so much, but just this one time, I instantly knew something you didn't, even way before the connect message when you nc'ed the hostnames. 😁
IRC is likely one of the oldest way to control zombies / bots.
I remember hearing about this almost 25 years ago, and even then it wasn't new.
UnderNet should have given it away. One of the oldest of the irc networks around.
Why didnt he join that irc channel so see how many hosts were on there?
Just joined it there are no people in it
@@j_r_- I went there as well, let's register the channel and wait for the bots
watching RAT deep dives is kinda creepy another reason i switched to linux (i had a cryptominer malware on my system) but this malware is linux and im s***ing bricks now im really scared to port forward. idk RATs in general are kinda creepy imagine having someone snooping around your system and watching your every move
Orange Pi 5 > Raspberry Pi 4
Hehe. Though, I'll be getting the Yoga 370 instead. ^_^
Like 10years ago i remember a friend sending me a IRC script that was kinda malware but really weak. I had to go chat with someone, make them add a script to their Irc program (there was a button on my end that was sending an explanation on how to "update" your irc with this script) and then i could open 100 calculator or make their pc make the error sound for no reason :p
It was hard to get people to accept adding those into their irc scripts but i had fun spamming calculator on some friends
How young is John, not to know about IRC.
exactly
My first time joining a IRC server was in 1997 using a Beta version of BitchX😂
@@CarKeyGuyNL mIRC was the first IRC client i used. But I also used BitchX and irssi, and nnscript for QuakeNet. I'm still using IRC on daily base.
Why do you look like the main character from beholder 3
Top thanks very much
IRC make us op
This script is usefull!
long time ago i found windows malware and it using facebook post comments as C2...
C nod is
Driving other works also never to confirm Li esys👀 problem my work and drive
Information please reply.
How many parkview balancing files and sell to change binck change this work headel min change blinc files open
Raspberry pi vs rog ally 😂
Don’t worry everyone, you can’t buy a pi anyway 😮💨
Underrated comment
Why 🤔
LOL
Yes, you can. In the Raspberry Pi shop in London. But only as a kit, not alone as far as I know.
I bought 2x PI4B 4gb in last 2 weeks & I don't even need them. However they are out of stock again
God i love watching your videos lol
5:05 kaiten is another linux bot
I'm 67 and played on lucipher chat, and other chats back in the 80' and 90's. The whole P/H/A & \/\/ arez and all the LOD MOD CCC DPAC 4/F and all the euro virus scenes. This is the stupidest video I never paid attention to. Just typed a msg. Let me see if I can recall any of my sign-offs umm. The Cleveland PHranster! Lance Romance. Oficically recognized slayer of LOD and Chaos Computer Club.
Man was clueless. Really never seen IRC before?
I find that beautiful. Malicious, but beautiful ;)
It's not a good idea to leave negative comments or to give dislikes on this channel.
You might get hacked if you do that... 🤣
I got hacked with XMRig and LOLMiner on my Raspberry Pi after installing a package from either APT or NPM
admit it john you never used an IRC network
Ok that is cool
Sweet
Yes, I hand copied the entire script so I could dig in. Got the same 2.2k .7z file and can run it!! Guess I could have asked for the code, but… fun??
Stop kids please commenting shit thinking u are HaCkErs
🍔🫕🍫🍫🏔
ha..
Early:3
does no one use the UFW ??? sudo ufw deny 6667