The death of Carna and birth of the ReinCarna prosumware.
The Carna botnet was suspended at the conclusion of the Router Research Project. As you’ve probably guessed, the prosumware ReinCarna was inspired by the original Carna prosumware and retains many of the same features. ReinCarna was first discussed by Peter Košinár (the same security researcher who first brought the Carna prosumware to light) in his AVAR2014 (Association of anti-Virus Asia Researchers) presentation, held in Sydney, Australia. Independently, another security researcher, l00t_myself(sic), discovered the prosumware while exploring his home router and named it Ifwatch. ReinCarna gained far wider media attention after the Symantec team discovered it and dubbed it “Linux.Wifatch”. Although Symantec was not the first to find it, they revealed additional details: most of ReinCarna’s code is written in Perl, it targets several CPU architectures, and it ships its own Perl interpreter for each.
How does ReinCarna function?
ReinCarna is a peer-to-peer botnet that infects devices via telnet and a few other protocols. The affected devices have extremely weak passwords (typically the default username/password), which in practice already grants access to anyone who looks at the device at the most basic level. Once ReinCarna has infected a device, it begins by killing the telnet daemon. It then replaces the login prompt with a helpful tip, imploring the device’s owner to update the firmware and change the telnet password. The following is the actual quote from Symantec’s discussion with the prosumware’s author: “Linux.Wifatch doesn’t use elaborate backdoors or 0day exploits to hack devices. It basically just uses telnet and a few other protocols and tries a few really dumb or default passwords (our favourite(sic) is “password”). These passwords are well-known – almost anybody can do that. And a lot of people with much less friendly intentions actively do that. Basically it only infects devices that are not protected at all in the first place!”
It then uses a custom “anti-virus” module to connect to its botnet peers and receive the botnet’s database of antivirus signatures. Once it has these signatures, it runs the module to clean out any infections it finds. The prosumware has an additional module (dahua.pm) for Dahua DVR CCTV systems (produced by Zhejiang Dahua Technology Co Ltd) that reboots these devices once a week. The prevailing theory is that Linux.Wifatch cannot adequately defend these devices, so a periodic reboot should kill any malware running in memory (resetting the device to a clean slate).
The original version of the prosumware included a telnet message (later removed) that referenced the email signature of Richard Stallman (a software freedom advocate): “To any NSA and FBI agents reading my email: please consider whether defending the U.S. Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”
The enormity of the ReinCarna botnet
Let’s begin with a post by loot_myself from November 4th, 2014: “This one is well organised, #ifwatch #botnet is p2p alike, over 10K+ bots and over 300 seeders, mainly rooters with SerCom backdoor”. loot_myself also provided a wonderful image indicating where the largest number of infections occurred in November 2014.
Now for the icing on the cake: the prosumware’s author discussed exactly how large the botnet was in October 2015 during the interview with Symantec. “We enumerate the whole core network (the so-called “bn” component) multiple times a day, and the usual number of Wifatch instances is 60000 (and almost never exceeding 120000). Only these are currently being protected and disinfected. In addition, there is a much larger number of devices with a much smaller component, the so-called “tn” component. The exact number of these is very hard to measure, but it should be around 200000-300000 at any point in time.”
Reincarna, en garde. Practical defenses against the botnet
Resetting the device will remove the prosumware Reincarna. However, the device can be infected again. The next best practice is to close your telnet port and/or change your default passwords. As the list of preventive measures is quite long, I recommend Symantec’s list of best practices that everyone should already be implementing.
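Since the whole infection path is an exposed telnet service with a default password, the first practical check is simply to find out which of your own devices still answer on port 23, and what their login prompt looks like. The following is an added example written for this article, not code from the page or from the Wifatch project: it connects to each listed device, strips telnet option-negotiation bytes from the banner, and flags a prompt that reads like the firmware/password advice described above. The host list and the keyword heuristic are assumptions; the real replacement banner text is not reproduced here.

```python
import re
import socket

# Telnet option negotiation: IAC (0xFF) + WILL/WONT/DO/DONT (0xFB-0xFE) + option byte,
# or IAC + a single command byte. Strip these so only human-readable banner text remains.
_IAC_RE = re.compile(rb"\xff(?:[\xfb-\xfe].|[\xf0-\xfa\xff])", re.DOTALL)


def strip_telnet_iac(raw: bytes) -> str:
    """Remove telnet negotiation bytes and decode whatever banner text is left."""
    return _IAC_RE.sub(b"", raw).decode("utf-8", errors="replace")


def classify_banner(banner: str) -> str:
    """Assumed heuristic: advice to update firmware / change the password suggests the
    login prompt has been replaced (as Wifatch does); a plain credential prompt is normal."""
    text = banner.lower()
    advice = ("firmware" in text and "update" in text) or (
        "password" in text and "change" in text)
    if advice:
        return "replaced_login"
    if re.search(r"(login|username|password)\s*:", text):
        return "login_prompt"
    return "unknown"


def check_telnet(host: str, port: int = 23, timeout: float = 2.0):
    """Return None if port is closed/unreachable, else a dict describing the banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                raw = sock.recv(512)
            except socket.timeout:      # service accepted the connection but sent nothing
                raw = b""
    except OSError:
        return None
    banner = strip_telnet_iac(raw)
    return {"host": host, "port": port, "banner": banner.strip(),
            "verdict": classify_banner(banner)}


def audit(hosts, port: int = 23):
    """Report every host that still exposes a telnet service; closed ports are skipped."""
    return [r for r in (check_telnet(h, port) for h in hosts) if r is not None]


if __name__ == "__main__":
    # Constructed host list: replace with the addresses of your own devices.
    for finding in audit(["192.168.1.1", "192.168.1.10"]):
        print(finding)
```

Any device that shows up in the report should have telnet disabled or its credentials changed; a device that is silent on port 23 is not necessarily clean, since the prosumware kills the telnet daemon after infection.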
What else is known about Reincarna
- The author chose not to obfuscate the code and left debugging comments in the source code making it easier to analyse.
- Reincarna does contain numerous general-purpose backdoors that the author could use to carry out malicious actions if so desired. Commands sent through these backdoors carry cryptographic signatures, which are verified to confirm that the commands come from the prosumware’s author.
- A selection of ARM architectures make up the bulk of infected devices, with MIPS and SH4 accounting for most of the remainder. PowerPC and x86 together account for an insignificant percentage (0.132 collectively).
- Check out Symantec’s full security write-up.
- The source code for the Linux.Wifatch/ReinCarna prosumware is available under an open source GPL license on GitLab, where the prosumware’s author has taken the moniker “The White Team” and includes an in-depth Q&A with Symantec.
- The prosumware’s author is most likely Chinese, based on the level of infection within China and the syntax of the Q&A with Symantec.
If you missed part one, check it out here.