Two weeks ago, a security researcher named MalwareMustDie was faced with a new Linux trojan (LuaBot), which, according to him, was the first malicious Linux software written in Lua.
Reverse analysis of the code showed that the trojan primarily targeted IoT architectures and included functionality to perform DDoS attacks, as well as an unverified routine to bypass the DDoS protection provided by Sucuri, a US online security provider.
In the LuaBot source code, the malware author had also left a message that read: "Hi. Happy reversing, you can send me a message: [REDACTED .ru email address]."
A French security researcher who goes by the handle x0rz contacted the malware writer and asked him some questions. The answers have been published online.
In this mini-interview, the crook says he does not work in the infosec community, nor is he a cyber-criminal associated with any hacking team.
He describes himself as "nobody" and says his malware is "not harmful." He backs that assessment by saying that LuaBot, his malware, does not steal router sign-in credentials.
The LuaBot author says he has been working on malware for years and that what he originally started for fun has now turned into a profit.
He declined to name the type of activity he profits from, but says he does not run any DDoS stresser service like those "vDos kids".
Moreover, he states that he works with individuals and that he does not get involved with banks or governments.
The hacker also says he uses his own zero-days to infect the devices. A security researcher from Brazil, who also looked at the malware, says the code seems to target ARRIS routers.
This is the same researcher who last year discovered three backdoors in ARRIS routers, which affected more than 600,000 modems connected to the Internet.
"If we run the same query today (September/2016) we can see that the number of exposed devices has dropped to around 35,000," notes Bernardo Rodrigues, a researcher from Brazil.
In addition, the researcher argues that, during the first stage of infection, LuaBot installs firewall rules to block further external connections to the device, an obvious self-protection feature.
However, the malware does not include a boot persistence mechanism, so a router restart removes it from the device.
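The two behaviours just described, runtime-only firewall rules and no boot persistence, together give a defender a simple check: rules that exist in the running kernel but not in the configuration the administrator saved to disk are suspect. The script below is an added illustration, not code from the article, from Rodrigues, or from LuaBot itself. The `iptables-save` dumps are constructed samples, and the specific "drop everything inbound" pattern it looks for is an assumption about what such a lockout would look like; the article does not list the exact rules the malware installs.

```python
"""Flag firewall rules present at runtime but absent from the saved baseline.

Added example, not code from the article or from the malware. The two rule
dumps below are constructed; the exact rules LuaBot installs are not known
from the article, so the inbound-lockout pattern is an assumption.
"""

# Constructed example of `iptables-save` output captured from a running device.
RUNNING_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -p tcp --dport 80 -j DROP
-A INPUT -j DROP
COMMIT
"""

# Constructed baseline: the rule set the administrator persisted to disk.
SAVED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Return (chain, match_expression, target) tuples from an iptables-save
    dump. Table headers, chain policies, COMMIT and comments are ignored."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A ") or " -j " not in line:
            continue
        lhs, target = line.rsplit(" -j ", 1)
        parts = lhs.split(maxsplit=2)          # ["-A", chain, optional match]
        chain = parts[1]
        match = parts[2] if len(parts) > 2 else ""
        rules.append((chain, match, target.strip()))
    return rules


def unexpected_rules(running, saved):
    """Rules loaded in the kernel that do not appear in the saved baseline.

    Comparing against the on-disk configuration works precisely because a
    non-persistent implant leaves nothing in the persisted rule set: anything
    that is only in memory was added after boot, by something other than the
    saved configuration."""
    baseline = set(parse_rules(saved))
    return [r for r in parse_rules(running) if r not in baseline]


def inbound_lockout(running, saved):
    """True when the runtime-only rules include blanket or management-port
    drops in INPUT, the pattern consistent with an implant shutting out
    external connections to the device (assumed pattern, see docstring)."""
    blocking = [
        r for r in unexpected_rules(running, saved)
        if r[0] == "INPUT" and r[2] in ("DROP", "REJECT")
    ]
    # A catch-all rule has no match expression; port 23/80 are common
    # router management services.
    return any(
        r[1] == "" or "--dport 23" in r[1] or "--dport 80" in r[1]
        for r in blocking
    )


if __name__ == "__main__":
    for rule in unexpected_rules(RUNNING_RULES, SAVED_RULES):
        print("runtime-only rule:", rule)
    print("inbound lockout suspected:", inbound_lockout(RUNNING_RULES, SAVED_RULES))
```

On a real device the two inputs would come from `iptables-save` on the running system and from whatever file the firmware restores at boot; since the implant is gone after a reboot, the comparison has to be made on the live device, not after a restart.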
At the time of writing, there are no known attacks that match LuaBot infections, and despite the presence of HTTP flooding functions (for DDoS attacks), the malware and its purpose remain a mystery.