[HN Gopher] T95 Allwinner T616 Malware Analysis
___________________________________________________________________
T95 Allwinner T616 Malware Analysis
Author : DesktopECHO
Score : 127 points
Date : 2023-01-11 18:22 UTC (4 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| throwawayapples wrote:
| ycxrl.com (registered at godaddy with privacy) is the command-
| and-control domain mentioned in the article, which currently
| resolves to 192.53.113.52 (Linode). DNS is run through
| DOMAINCONTROL.COM, which seems to be a nextcloud instance?
| perryh2 wrote:
| The domaincontrol.com nameservers are operated by GoDaddy.
| mrtweetyhack wrote:
| [dead]
| srhngpr wrote:
| What does this have to do with Amazon specifically, especially
| when you mention that the same units can be purchased on
| AliExpress?
|
| "Otherwise please use the original title, unless it is misleading
| or linkbait; don't editorialize."
| jacquesm wrote:
| As the author they could make the article title match the HN
| one!
| DesktopECHO wrote:
| Fair point, thanks. Added AliExpress.
| srhngpr wrote:
| Cheers, thank you!
| tyingq wrote:
| It's fairly unrelated to Allwinner also.
| [deleted]
| verytrivial wrote:
| I would be super interested to see what the command and control
| channel would actually try to do (in a virtual network/honey pot
| of course).
| neilv wrote:
| Nice properties of the Raspberry Pi SoC devices include that
| there are brands involved that aren't going to fly-by-night, and
| the brands and the people behind them could be reached by civil
| and criminal action.
|
| Of course, that doesn't fully prevent malware, but it's more
| reassuring than buying something that fell off the back of a
| truck, in a dark alley(baba).
| DesktopECHO wrote:
| Follow-up to my earlier report about the _stock_ firmware on
| these Android TV devices, with a script to de-fang Stage 0 by
| preventing the payload from downloading (chattr +i FTW!)
| LinuxBender wrote:
| For what it's worth that domain in your repo is also listed in
| the 1Hosts block-list [1] but only in the Xtra category, not
| sure why. It seems that is a known malware site. Oddly enough
| it is not listed in the PiHoleBlocklist [2]
|
| [1] - https://github.com/badmojr/1Hosts [listed but only in
| Xtra]
|
| [2] - https://github.com/Perflyst/PiHoleBlocklist.git [not
| listed]
| DesktopECHO wrote:
| Yeah only the primary server seems to be on blocklists. The
| malware uses 3 DNS addresses, all on Linode.
|
| Not that it matters, as the malware uses 8.8.8.8 if it
| doesn't like the DNS reply -- Then it tries a DNS server on
| port 5353!
| LinuxBender wrote:
| Another thing to look at if you have time is packet
| characteristics. I have found that many malware and bot
| installations appear to use really odd network libraries.
| Just do a tcpdump for a while and see what sticks out, such
| as missing MSS, really high TTL, missing SackOK, timestamps
| enabled _this seems to be default on Android_. Also look at
| the TCP header sizes vs. the normal TCP header sizes from
| legit devices on your network.
|
| tcpdump -i any -p -NNnnt -s0 -c512 proto 6 and 'tcp[13] == 2'
| # get syn packets, use "-i any" to see direction
|
| I'm not sure where malware authors find their libraries but
| they do not try at all to look like normal traffic [Edit]
| or perhaps their government is telling them to add/remove
| specific options.
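Added example (Python, not code from the thread or the linked repo): a small parser that applies the SYN checks LinuxBender lists (missing MSS, missing SackOK, high TTL, header size) to raw IPv4+TCP packets, using the same `tcp[13] == 2` test as the tcpdump filter. The two packets are constructed inline, and the "high TTL" (> 128) and "bare 20-byte header" thresholds are assumptions, not values from the thread.

```python
import struct

def tcp_option_kinds(raw):
    """Return the set of TCP option kinds present in the option bytes."""
    kinds, i = set(), 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP is a single byte
            kinds.add(kind); i += 1; continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            break                           # malformed length: stop, don't loop forever
        kinds.add(kind)
        i += raw[i + 1]
    return kinds

def syn_features(pkt):
    """TTL and option presence for a raw IPv4+TCP packet; None unless flags == SYN only."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if tcp[13] != 0x02:                     # same test as tcpdump's 'tcp[13] == 2'
        return None
    kinds = tcp_option_kinds(tcp[20:data_off])
    return {"ttl": pkt[8], "mss": 2 in kinds, "sack_ok": 4 in kinds,
            "timestamps": 8 in kinds, "tcp_hdr_len": data_off}

def oddities(feat):
    """Flags from the thread: missing MSS/SackOK, high TTL, bare header (thresholds assumed)."""
    out = []
    if not feat["mss"]: out.append("no MSS")
    if not feat["sack_ok"]: out.append("no SackOK")
    if feat["ttl"] > 128: out.append("high TTL %d" % feat["ttl"])
    if feat["tcp_hdr_len"] == 20: out.append("bare 20-byte TCP header")
    return out

def build_syn(ttl, options):
    """Constructed test packet: minimal IPv4 header + TCP SYN carrying the given options."""
    opts = options + b"\x01" * (-len(options) % 4)      # NOP-pad to a 32-bit boundary
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, 65535, 0, 0)
    return ip + tcp + opts

# Constructed samples: a Linux/Android-style SYN (MSS, SackOK, timestamps, wscale) and a bare one.
NORMAL_SYN = build_syn(64, b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")
BARE_SYN = build_syn(255, b"")
```

Feed `syn_features` the IP-layer bytes of each captured SYN (strip the link-layer header first) and compare `oddities()` output across devices on the LAN.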
| DesktopECHO wrote:
| Thanks for the guidance here. Where I'm really stuck is
| when tcpdump tells me about the presence of the offending
| traffic and correlating process. In this case, it's the
| Android "system_server" process and I'm not sure how to
| find the hook into it that downloads the malware.
|
| In hindsight I should have made this an Ask HN post...
| dylan604 wrote:
| Just reading your comment about differing packets, I was
| already thinking that seems like a dumb thing to have
| looking different. Then you end with exactly that. Just goes
| to show that the world is so insecure that even minimal
| effort will get quite a return in this world. If it gets
| a big enough return so that even those that do stop it
| still make it worthwhile, then why spend energy trying
| to do more. Hell, even Bill Gates is attributed to saying
| something about why should he pay for optimizing when
| disk space and cpu is always increasing faster than any
| optimizations could.
| ignoramous wrote:
| Wow, yes, only _1Hosts (Xtra)_ includes 2 of the 3 command &
| control domains: https://archive.is/drYgk
|
| I am surprised that none of the usual threats lists have
| picked these domains up.
|
| Edit: https://github.com/badmojr/1Hosts/issues/964
| DesktopECHO wrote:
| I'm not too surprised, as the malware goes out of its way
| to use _ycxrl.com_ -- Going to extents like using 8.8.8.8
| instead of the default DNS server, and trying a DNS server
| on port 5353.
|
| Using those techniques, nobody would get a chance to see
| this second fall-back.
|
| EDIT to clarify: Thanks for listing this, it's definitely
| good to list these addresses as 'bad' for others to be
| aware, but DNS blocking won't slow down this malware, not
| even a bit.
|
| Here's what it took for me to see _cbpheback.com_ --
| Install Pi-hole on the Android device and add these rules
| to iptables:
|
| adb shell iptables -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to 127.0.0.1:53
| adb shell iptables -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to 127.0.0.1:53
| adb shell iptables -t nat -A OUTPUT -p tcp --dport 5353 -j DNAT --to 127.0.0.1:53
| adb shell iptables -t nat -A OUTPUT -p udp --dport 5353 -j DNAT --to 127.0.0.1:53
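Added check (Python, not code from the thread or the repo): after adding the four adb/iptables rules, dump the nat OUTPUT chain with `adb shell iptables -t nat -S OUTPUT` and confirm that every (protocol, port) pair the malware's DNS fallbacks use is actually redirected to the on-device Pi-hole. The rule dump below is a constructed sample in which only the UDP/53 rule was applied; `--to-destination` is the long form iptables prints for the `--to` argument.

```python
import shlex

# Constructed sample of `iptables -t nat -S OUTPUT` from a device where only the
# UDP/53 rule from the thread was added; real output varies by device and ROM.
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""

# The four (proto, port) pairs the thread's rules cover: plain DNS plus the 5353 fallback.
REQUIRED = {("udp", 53), ("tcp", 53), ("udp", 5353), ("tcp", 5353)}
RESOLVER = "127.0.0.1:53"          # the on-device Pi-hole listener

def parse_dnat_rules(text):
    """Yield (proto, dport, destination) for each DNAT rule in the dumped OUTPUT chain."""
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A" or "DNAT" not in toks:
            continue
        def arg(flag):
            return toks[toks.index(flag) + 1] if flag in toks else None
        proto, dport, dest = arg("-p"), arg("--dport"), arg("--to-destination")
        if proto and dport:
            yield proto, int(dport), dest

def missing_redirects(text, resolver=RESOLVER):
    """(proto, port) pairs that are not yet DNAT'ed to the resolver, sorted for stable output."""
    covered = {(p, d) for p, d, dest in parse_dnat_rules(text) if dest == resolver}
    return sorted(REQUIRED - covered)

def rule_commands(pairs, resolver=RESOLVER):
    """The adb commands from the thread, generated only for the pairs still missing."""
    return ["adb shell iptables -t nat -A OUTPUT -p %s --dport %d -j DNAT --to %s"
            % (p, d, resolver) for p, d in pairs]
```

Run `missing_redirects()` on the real dump and apply `rule_commands()` for whatever it returns; an empty list means all four redirects are in place.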
| ignoramous wrote:
| > _..but DNS blocking won't slow down this malware, not
| even a bit._
|
| Yep, in a world of encrypted DNS transports, it is a
| folly to believe that DNS-based blocks would be effective
| at thwarting any sort of malware. That said, some IoC
| (indicators of compromise) setups do rely on it
| nevertheless.
| dylan604 wrote:
| Just because something new comes along doesn't mean you
| stop doing the thing that worked for all of the
| older/existing things. Otherwise, the existing things
| start working.
|
| You make it sound like people are dumb for relying on
| something that works in certain situations. That's just
| hubris on your part if that's what you actually feel.
| ignoramous wrote:
| You make it sound like I compared DNS-based security to
| snake oil. That's just futuristic thinking on your part
| (:
| [deleted]
| 0x0 wrote:
| I remember looking at a few of these cheapo "androidtv" boxes. My
| instant reaction was that the entire build seemed super shady and
| I wouldn't be surprised if they were full of keyloggers and
| malware. Fortunately I never signed in with a real google
| account. Some aren't even real AndroidTV, they identify as an
| Android (not AndroidTV) device in several spots, probably to
| allow installation of google play applications that aren't
| designed for androidtv. They often come with multiple app stores,
| in addition to Google Play (which seems like an unlicensed hack,
| I would have thought Google would require a minimum of quality
| for approving a device to carry Google Play, especially for
| AndroidTV - heck, even uploading a closed alpha testing
| application that is AndroidTV enabled to google play requires a
| lot more reviews than regular android apps). All kinds of super
| weird processes running, some with bundle ids such as just "a" or
| "com.example.a" (instead of
| "com.example.realcompanyname.whatever"). If I remember correctly
| they also came pre-rooted with su/sudo setuid root. The CPU was
| _super weak_ but they seem to have some sort of hardware
| accelerated H.264 decoding, that's probably why they can stream
| and play online HD video, but the minute you try to do anything
| outside of regular streaming, it is painfully obvious that the
| chip is weaker than a raspberry pi 1.
|
| To be honest I'm surprised Google is not cracking down hard on
| this, because it absolutely tarnishes the Android brand. They
| really feel like a "warez" version of AOSP plus cracked Google
| Play. I half expected "Google Play Protect" to throw up warnings
| about the device being non-genuine, but I actually never saw
| anything of the sorts.
| suprjami wrote:
| > I would have thought Google would require a minimum of
| quality for approving a device to carry Google Play
|
| IIRC they require a license to redistribute their binaries,
| including Google Play. Obviously these boxes running a stolen
| phone ROM have not paid the licence fee.
|
| As for the rest, these Allwinner chips are actually pretty
| good, but they're crippled by proprietary drivers and closed
| device tree. With open drivers and proper software support,
| they'd probably be equivalent to a Raspberry Pi 3 or better.
|
| I love Android but the ecosystem is already ruined, both by
| vendor cruft like Samsung's sluggish UI, and by Google Play
| store being filled with microtransaction cancer. Google Play
| was good maybe 8 years ago but the lure of Google getting a cut
| of everyone's IAP destroyed it long ago.
|
| Some obscure cheapo unenforceable Chinese copyright violation
| has almost no effect in comparison.
| [deleted]
| DesktopECHO wrote:
| These boxes identify themselves as a Google Pixel 2 (walleye)
| because, reasons!
| pifm_guy wrote:
| Which probably means they can upload unlimited photos to
| Google photos without it counting against the users quota ...
| chasil wrote:
| It sounds similar to Barnes and Noble shipping ADUPS on their
| Nook tablets.
|
| https://www.engadget.com/2016-12-22-barnes-and-noble-nook-sp...
| DesktopECHO wrote:
| Funny you mention it, as it _also_ had ADUPS. By itself, I can
| deal with that.
|
| Actually it more resembles the CopyCat malware. My challenge is
| finding the hook in system_server that downloads the payload
| from C2.
|
| * https://www.checkpoint.com/downloads/resources/copycat-
| resea...
| aritmo wrote:
| It's an "Android TV Box", model name "T95". Where is that
| information in the title?
| DesktopECHO wrote:
| Title was changed by the mods so that's how it stays! :)
| [deleted]
| pvg wrote:
| https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
| pifm_guy wrote:
| I'd like to see what this malware actually _does_.
|
| I don't really care if there is malware running in my living
| room. Makes no difference to me if it runs there or at the north
| pole. It isn't exactly wasting much of my power or network with a
| tiny allwinner CPU and probably only 54Mbit WiFi.
|
| And as long as this thing keeps streaming TV, I'm quite happy for
| it to be full of malware.
| nine_k wrote:
| Such malware may sit dormant until ordered to be a small part
| of a DDoS attack. It will continue to stream your TV in the
| meantime.
|
| Harboring such a pest, typically used in extortion, is just not
| nice, even if you personally do not directly feel any ill
| effects.
| [deleted]
___________________________________________________________________
(page generated 2023-01-11 23:00 UTC)