This weekend, me and my girlfriend visited her parents, and at the same time, I
got to do the usual IT admin work on the Raspberry Pi 3 I set up for her father.
Interestingly, there was a pi-specific trojan installed on his system. I’ll walk
you through it!
Some notes before we start
This script is raspberry pi specific, and relies on that the raspberry pi has a
default password (which is “raspberry”) and that sudo is set up so that no
password is needed (which is also the default in raspbian).
If the script isn’t running as root, then it creates a copy of itself in /opt
and tells rc.local to run the script during boot. Then it reboots the pi,
causing it to execute the script as root on boot.
In case the computer was already compromised as a miner or some other nasty
programs, let’s turn them off. But before that it echoes some data to $DEBUG,
which is set to /dev/null. Presumably, this was only used while developing the
Next comes the more nasty parts.
Ok, host aliasing and removing any shell definitions. I assume, to avoid
problems in the future with other aliases etc etc.
Changes the password of the pi user to something else (this is not the actual
password, this is the encrypted password
Allow root to log in using an ssh key
Adds another name server, removes some directories if they were there, and
stores a public key as /tmp/public.pem. You will soon see why.
Well, what do you know - an IRC bot? It creates a nick using uname -a | md5sum
(which is stupid, there are probably lots of pi users that would get the same
output from uname -a), then tries to connect to a random undernet server,
talks IRC properly setting NAME and USER and so on. Once connected, it responds
to PING if needed, and then joins #biret, where it listens for commands to
When it gets a command, it makes sure the command is signed using the public key
we saw earlier, and in case of a match, it executes whatever command was sent in
the message. Being that this would run as root, it means unrestricted access to
the compromised system.
The last parts of this snippet is just making the bot script runnable, starting
it (with logging, nice!), letting it run for three seconds, then deleting it
(while it runs, leaving no traces except the log, it seems).
The final touches, install sshpass and zmap. zmap is apparently like nmap, but
targeted for scanning the whole internet. sshpass is used to be able to use
password authentication over ssh in a non-interactive way.
It then runs zmap and saves its results to a file. It goes through the file, and
for each entry, tries to log in with pi:raspberry as credentials (assuming it
is a raspberry pi), and effectively copies itself to the new host.
How to get rid of it
This is a tricky one, given that the IRC bot might have accepted any commands.
What I did was simply to remove the script and any files it had touched,
restoring rc.local, the root user’s ssh directory and so on. Some reboots and
there were no apparent traces of it left on the system.
What any reasonable person SHOULD do is: wipe the pi and reinstall. I would have
done that if I had an sd card reader with me. I might do it on next visit. But
for now, this seemed enough.