Beyond Sandboxes. How to Execute IoT Malware and Analyze its
Evolution
María José Erquiaga - Sebastián García
@MaryJo_E - @eldracote
www.stratosphereips.org
Stratosphere Laboratory, CVUT, Prague

● Malware capture projects:
  ○ Malware Capture Facility Project
    ■ Windows
  ○ Nomad project
    ■ Windows + TLS + mitm
  ○ Aposemat
    ■ IoT + Hardware Honeypots
Why to Execute Malware?
● Is it legal?
  ○ Depends on each country and on the action done (scanning, bruteforce, etc.)
  ○ Attacking may be illegal in the country of the receiving hosts
  ○ Being the attacking host is usually not illegal in the origin country
  ○ You need authorizations
● Is it ethical?
  ○ You need to see the attacks to be able to detect them
  ○ The attacks it performs are fewer than the attacks we can then stop
Why to Execute Malware?
● Behavior of human attackers, not only technical attacks
● Behavior of malware in time: who to attack and when
● Improve detection features: observe what is going on
● Better understand what malware does; learn, try, experiment
● Fun!
Why to Execute when it can be Reversed?
● What could be done vs. what is really done
● Hardcoded network IoCs vs. evolution of the behavior in the network
● Malware updates, new samples
● New IoCs from the behaviors
● New malware can be seen
Design of a Malware Laboratory
● Questions to guide you
  ○ Why are you doing it?
  ○ What do you want to capture? Type of malware?
  ○ Devices? (Computers, IoT devices: IP cameras, Raspberry Pis, DVRs, etc.)
  ○ What do we need?
  ○ How to configure it?

It’s not just about executing malware. It's about executing malware professionally, for research purposes.
Recipe For Making an IoT Lab
● 1 or more public IPs
● 1 good FW
● 1 switch
● At least 1 IoT device
● 1 Raspberry Pi
● A lot of malware samples
● 1 monitoring methodology
● Shake until having fun
Stratosphere Lab IoT Infrastructure
Thanks to Simona Musilova for her work on the lab.

IoT Camera Airport Simulation. v.0.0.1
IoT Infrastructure Configuration
● Good router/FW to manage all the things!
  ○ Multiple public IPs
  ○ Multiple NATs
  ○ Redirections
  ○ Bandwidths
  ○ Not attacking your country
● Protected capturing device
● Secret remote administration
● Switch to divide networks

IoT Infection Design and Configuration
● Raspberry Pi
  ○ Hypriot OS with Docker!
● Fixed IPs/Gateway/DNS
● Remote connection by SSH
● Continuous capture per device. Rotation every day. Automatic backup
● After infection, reflash the SD cards. We have a pool of them.
● Infections last at least 1 week, so no need for automatic cleaning
Capture Storage
● 1 to 50 GB per device per day
● Long term can use some TBs easily
● Files generated from the pcaps use space too!
  ○ Bro, Argus
● Access for others should be fast if your captures are huge.
Simple Monitoring
● Pcap → Argus flows
● From Argus, a script updates an RRD file
● Cacti reads the RRD
● From Argus → scripts for real time monitoring
● Small memory consumption
Complex Monitoring
IoT Malware Capture Methodology 1/3
1. Find the malware you want to focus on and download it
   a. Identify the sample by its SHA256
   b. Add it to a spreadsheet
2. Create the log file explaining the sample, times, etc.
3. Copy the binary to the RPi with SSH
4. Capture the traffic from the Raspberry Pi in the capture server
5. Log the start time

IoT Malware Capture Methodology 2/3
6. Only now you can infect!
7. Execute the sample, log out of SSH (minimum amount of packets)
8. Monitor the traffic while the malware is running, verify it’s doing something
   a. Observe what is going on on the RPi console
   b. Observe the network traffic in the capture device
   c. Wait at least 5/10 minutes

IoT Malware Capture Methodology 3/3
9. Wait until it is time to stop the capture
10. Log the stop date
11. Stop the capture, generate the output files, publish the capture
12. Restore the clean SD
13. Analyze the capture
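The thirteen steps above are easy to get out of order when a run is started by hand; the mistake that costs a capture is infecting the device before the capture server is recording. The script below is an added example, not a tool from the Stratosphere Laboratory: it keeps the run as a small state machine (log the sample, start the capture, only then infect, log the stop time) and builds the tcpdump command for a continuous per-device capture rotated daily, as the slides describe. The capture root path, the device name and IP, the capture name and the sample bytes are assumptions for illustration.

```python
"""Capture-session bookkeeping for one IoT malware run (added example).

Not the Stratosphere Laboratory's code. It enforces the ordering of the
methodology on the slides: sample identified by SHA256 and logged, capture
started and its start time logged, infection only after that, stop time
logged. The lab layout below is assumed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical lab layout (assumed, not from the slides).
CAPTURE_ROOT = Path("/captures")   # storage on the capture server
ROTATE_SECONDS = 86400             # one pcap per day, as on the slides


def sha256_of(sample: bytes) -> str:
    """Step 1a: identify the sample by its SHA256."""
    return hashlib.sha256(sample).hexdigest()


def tcpdump_argv(iface: str, out_dir: Path, device_ip: str) -> list:
    """tcpdump command for a continuous per-device capture with daily rotation.
    -G rotates every N seconds; the strftime pattern in -w names each file."""
    pattern = str(out_dir / "capture-%Y-%m-%d_%H-%M-%S.pcap")
    return ["tcpdump", "-n", "-i", iface, "-G", str(ROTATE_SECONDS),
            "-w", pattern, "host", device_ip]


class CaptureSession:
    """One infection run on one device. Each step is only allowed from the
    state the previous step leaves behind, so infect() before
    start_capture() raises instead of silently producing an unrecorded run."""

    def __init__(self, name: str, device: str, device_ip: str, sample: bytes):
        self.name = name
        self.device = device
        self.device_ip = device_ip
        self.sha256 = sha256_of(sample)
        self.state = "new"
        self.events = []   # (UTC ISO timestamp, event, detail)

    def _log(self, event: str, detail: str = "") -> None:
        ts = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
        self.events.append((ts, event, detail))

    def _advance(self, expected: str, new: str) -> None:
        if self.state != expected:
            raise RuntimeError(f"{new!r} requires state {expected!r}, "
                               f"session is in state {self.state!r}")
        self.state = new

    def create_log(self, description: str) -> None:
        """Step 2: record sample identity and description before anything runs."""
        self._advance("new", "logged")
        self._log("sample", f"sha256={self.sha256} {description}")

    def start_capture(self, iface: str) -> list:
        """Steps 4-5: start the capture on the capture server, log the start time."""
        self._advance("logged", "capturing")
        argv = tcpdump_argv(iface, CAPTURE_ROOT / self.name, self.device_ip)
        self._log("capture_start", " ".join(argv))
        return argv

    def infect(self) -> None:
        """Steps 6-7: only now is the sample executed on the device."""
        self._advance("capturing", "infected")
        self._log("infect", f"executed on {self.device}")

    def stop_capture(self) -> dict:
        """Steps 10-11: log the stop time and return the run record to publish."""
        self._advance("infected", "stopped")
        self._log("capture_stop")
        return self.record()

    def record(self) -> dict:
        return {"name": self.name, "device": self.device, "sha256": self.sha256,
                "state": self.state, "events": self.events}


if __name__ == "__main__":
    # Constructed sample bytes stand in for the binary copied to the RPi.
    s = CaptureSession("CTU-IoT-Malware-Capture-Example-1", "rpi-01",
                       "192.0.2.10", b"abc")
    s.create_log("demo run")
    print(" ".join(s.start_capture("eth1")))
    s.infect()
    print(json.dumps(s.stop_capture(), indent=2))
```

The returned argv is meant to be passed to subprocess on the capture server (or over SSH); the example only builds it, so it runs without tcpdump installed. The timestamps are UTC on purpose: the capture files, the RPi console and the log must agree on time when the pcap is later matched against what was seen on the device.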
Output Files
To analyze what happened
● Zeek
  ○ Scripts to extract files, label, and find long connections
● dnstop
● passive DNS
● Miro analysis
● CapTipper
Stratosphere Lab Datasets
Not-IoT Malware Dataset
Malware in Windows VMs
● ~370 captures of real selected malware. ~1.5 TB.
● Long term (1 week-8 weeks). Full attacks allowed.
● HTTPS interception: ~110 captures
● CTU-13

Mixed
● Real normal humans, being really infected.
● ~10 captures. ~47 GB. Midterm (1h-1w)

Normal
● 38 captures. ~19 GB. Midterm (1 day-1 week)
IoT Malware Dataset
Malware IoT
● ~720 captures. ~1 TB in 1 year. Short term captures (1 day)

IoT Honeypots
● ~900 captures. ~2 TB. Cameras/Alexa/NAS/etc.
● Cowrie, Dionaea, T-Pot, etc.
● 70 new unseen malware. >12,000,000 successful logins every 12 hours
https://www.stratosphereips.org/datasets-iot
Example Analysis of IoT Malware Captures
Tsunami-Based IRC Botnet (1/3)
https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet
Activities:
● Successful connection to the C&C using IRC: IP 185.244.25.235, port 6667
● Communication between the botmasters and the bot
● Real instructions: TCP flood attacks
● Order from the botmaster: AmpAttacks :TCP Packeting 66.67.61.168!
● IRC packet reporting TCP Flood Against 66.67.61.168
SHA256: 49fd1cb22e0325c1f9038160da534fc23672e5509e903a94ce5bcddc893eb2c0

Tsunami-Based IRC Botnet (2/3)

Tsunami-Based IRC Botnet (3/3)
Hajime Botnet
CTU-IoT-Malware-Capture-Botnet-9-1
SHA256: af629ae5a79f715cdbcf9e1faf389a39bd96b887b019984e50798d013f38a466
Activities:
● Scans 81/TCP, 23/TCP
● It uses the BitTorrent protocol
  ○ T-DHT protocol used to discover peers and nodes
  ○ uTP for config and module downloads
● Hosts on port 81/TCP are mostly cameras. Hajime did not try to login or attack them

Hide and Seek Botnet
CTU-IoT-Malware-Capture-Botnet-1-1
MD5: 239ef88fd187919b86ac245043bbf41a
Activities:
● Scans port 23/TCP.
● Successful login in some devices (routers mostly)
● Consumes a LOT of CPU
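Both IoT captures above were characterised from the network alone: Hajime and Hide and Seek show up first as a burst of connections from the infected Pi to many different hosts on 23/TCP (and 81/TCP for Hajime), most of them never answered, with the occasional completed login. The block below is an added example, not the monitoring scripts of the Stratosphere Laboratory, and serves both the "Simple Monitoring" slide (Argus flows feeding an RRD) and these two analyses: it reads the CSV that `ra -c , -s stime,proto,saddr,sport,daddr,dport,pkts,bytes,state` prints from an Argus file, flags a source that touches many distinct destinations on one port inside a sliding window, and turns the same flows into the per-minute byte series an `rrdtool update` call would consume. The flow lines are constructed to look like a Telnet scanner and a normal HTTPS client, not taken from a real capture; the thresholds are assumptions.

```python
"""Scan detection and RRD series from Argus flow records (added example).

Not the Stratosphere Laboratory's scripts. Input is the comma-separated
output of `ra -c , -s stime,proto,saddr,sport,daddr,dport,pkts,bytes,state`.
The flows below are constructed, the thresholds are assumptions.
"""
import csv
import io
from collections import defaultdict

# Assumed thresholds: a source touching this many distinct destinations on
# one port within WINDOW_SECONDS is reported as a scan.
MIN_DISTINCT_DSTS = 5
WINDOW_SECONDS = 60.0

# Constructed flows in ra's -c , format. State REQ = SYN never answered,
# CON = connection completed. 192.0.2.10 plays the infected Pi.
SAMPLE_FLOWS = """StartTime,Proto,SrcAddr,Sport,DstAddr,Dport,TotPkts,TotBytes,State
1555060000.10,tcp,192.0.2.10,40001,198.51.100.1,23,1,60,REQ
1555060001.30,tcp,192.0.2.10,40002,198.51.100.2,23,1,60,REQ
1555060002.50,tcp,192.0.2.10,40003,198.51.100.3,23,1,60,REQ
1555060003.70,tcp,192.0.2.10,40004,198.51.100.4,23,1,60,REQ
1555060004.90,tcp,192.0.2.10,40005,198.51.100.5,23,1,60,REQ
1555060006.10,tcp,192.0.2.10,40006,198.51.100.6,23,12,1480,CON
1555060010.00,udp,192.0.2.10,5353,192.0.2.1,53,2,180,CON
1555060012.00,tcp,192.0.2.20,51000,203.0.113.5,443,40,5120,CON
1555060020.00,tcp,192.0.2.20,51001,203.0.113.5,443,38,4990,CON
"""


def parse_flows(text: str) -> list:
    """Parse ra CSV output into dicts sorted by start time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"t": float(r["StartTime"]), "proto": r["Proto"],
                     "src": r["SrcAddr"], "dst": r["DstAddr"],
                     "dport": r["Dport"], "pkts": int(r["TotPkts"]),
                     "bytes": int(r["TotBytes"]), "state": r["State"]})
    rows.sort(key=lambda f: f["t"])
    return rows


def detect_scans(flows: list, min_dsts: int = MIN_DISTINCT_DSTS,
                 window: float = WINDOW_SECONDS) -> dict:
    """Return {(src, dport): (distinct_dsts, unanswered_ratio)} for TCP scanners.

    For each (source, destination port) the flows of the last `window`
    seconds are kept; the largest number of distinct destinations seen in
    any window is reported, with the share of flows that were never answered
    (REQ), which is what separates a scan from a busy legitimate client."""
    recent = defaultdict(list)   # (src, dport) -> [(t, dst, answered)]
    found = {}
    for f in flows:
        if f["proto"] != "tcp":
            continue
        key = (f["src"], f["dport"])
        recent[key].append((f["t"], f["dst"], f["state"] != "REQ"))
        recent[key] = [x for x in recent[key] if f["t"] - x[0] <= window]
        dsts = {x[1] for x in recent[key]}
        if len(dsts) >= min_dsts:
            unanswered = sum(1 for x in recent[key] if not x[2]) / len(recent[key])
            prev = found.get(key)
            if prev is None or len(dsts) > prev[0]:
                found[key] = (len(dsts), round(unanswered, 2))
    return found


def bytes_per_bucket(flows: list, bucket: int = 60) -> dict:
    """Total bytes per time bucket: the series the slides push into an RRD."""
    series = defaultdict(int)
    for f in flows:
        series[int(f["t"] // bucket) * bucket] += f["bytes"]
    return dict(sorted(series.items()))


def rrd_update_argv(rrd_path: str, series: dict) -> list:
    """rrdtool update command for the series; rrdtool takes timestamp:value pairs."""
    return ["rrdtool", "update", rrd_path] + [f"{t}:{v}" for t, v in series.items()]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dport), (n, ratio) in detect_scans(flows).items():
        print(f"scan: {src} -> {n} hosts on {dport}/tcp, {ratio:.0%} unanswered")
    print(" ".join(rrd_update_argv("lab.rrd", bytes_per_bucket(flows))))
```

On the constructed input the Pi is reported for port 23 with six destinations and five of six connections unanswered, while the HTTPS client, which keeps returning to one host, is not. The unanswered ratio is the check worth keeping: a device that legitimately talks to many hosts (a P2P client such as Hajime's uTP/DHT traffic) will have completed flows, and the ratio lets those be separated from the Telnet scan on the same capture.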
Example Analysis of Non-IoT Malware Captures
WannaCry Malware
https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-252-1/ (16 pcaps)
SHA256: 38c6efb48b32a3f22cc4c307e9043d59aedb0e008300663f83803819e5f260b3
Activities:
● 1 normal user infected by us
● Other computers being infected from the network
● WannaCry scanning patterns in local nets
● With and without the killswitch domain
● Real scans/infections in the Internet
● Duration: >45 days
Trickbot Malware
CTU-Malware-Capture-Botnet-239-1
SHA256: 03f75c3d5cddbf39f6a9cad72ccc6649cec8959dd3bca87b2de80e036d054461
Activities:
● Successful connection to the C&C using HTTPS (intercepted and opened)
● Successful connections to port 447/TCP
● Encrypted real instructions
● Five updates of binary files. 4 still not in VirusTotal
● Duration: 22 days
Sality Malware
https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-66-1/
SHA256: 6fb2f335669405e9c3b7582b524dac22ebff7e5fe1258f25914d7e0e750ca62e
Activities:
● Alive since 2003. Probably the oldest active botnet in history
● After 4 years, 6 binaries not in VT until today
● Web login bruteforce to get new servers
● SPAM sending and resilient P2P
● 160,900 unique hosts contacted
● Duration: 45 days
Htbot Malware
https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-348-1/
SHA256: 3e52a79b753682de4dd7a4b041a83158fa29b36f3edfafa923b6e61f90ab3192
Activities:
● Turns your computer into a malicious SOCKS proxy service and sells it
● Very complex infrastructure of 4 levels of C&C. More than 30 C&C servers
● Downloads a PE. Sends SPAM. Sends ~10,000 web requests. Web SPAM
● Duration: 19 days
Issues? We may have had some
● Being blocked by the university 4 times
● Being blocked by the ISP 1 time
● Being called by the police 1 time
● Malware infecting other VMs
● Broadcasting/multicasting infections!
● Lost captures
● mitmdump lost
● Storage issues
● Malware DDoSing others
● Google blocking our IPs
Conclusions
● Very helpful, but it should be done correctly to have a scientific impact.
● Executing malware is the best way to understand its behavior
● If you want to detect malware in the network you need to see it
● Plan carefully
● Best way to learn
● Good datasets are very very rare
● Analyzing the behavior of malware in the network shows very unique features, like the social analysis of the IRC bot.
● Opens new doors: Machine Learning?
Questions? And Thanks!
Specially to Avast for the support and funding
Maria Jose Erquiaga @MaryJo_E [email protected]
Sebastian Garcia @eldracote [email protected]