
Page 1: Beyond Sandboxes. How to Execute IoT Malware and Analyze ... · Turns your computer into a malicious socks proxy service and sells it Very complex infrastructure of 4 levels of C&C

Beyond Sandboxes. How to Execute IoT Malware and Analyze its Evolution

María José Erquiaga - Sebastián García

@MaryJo_E - @eldracote

www.stratosphereips.org

Page 2

Stratosphere Laboratory in CVUT, Prague
www.stratosphereips.org

● Malware capture projects:
  ○ Malware Capture Facility Project
    ■ Windows
  ○ Nomad project
    ■ Windows + TLS + mitm
  ○ Aposemat
    ■ IoT + Hardware Honeypots

2

Page 3

Why to Execute Malware?

● Is it Legal?
  ○ Depends on each country and the action done (scanning, bruteforce, etc.)
  ○ Attacking may be illegal on the receiving hosts
  ○ Being the attacking host is usually not illegal in the origin country
  ○ You need authorizations
● Is it ethical?
  ○ You need to see the attacks to detect these attacks
  ○ It does fewer attacks than the amount we can stop

3

Page 4

Why to Execute Malware?

● Behavior of human attackers. Not only technical attacks
● Behavior of malware in time. Who to attack and when
● Improve detection features. Observe what is going on
● Better understand what malware does, learn, try, experiment
● Fun!

4

Page 5

Why to Execute when it can be Reversed?

● What could be done vs. what is really done
● Hardcoded network IoC vs. evolution of behavior in the network
● Malware updates, new samples
● New IoCs from the behaviors
● New malware can be seen

5

Page 6

Design of a Malware Laboratory

● Questions to guide you
  ○ Why are you doing it?
  ○ What do you want to capture? Type of malware?
  ○ Devices? (Computers, IoT devices: IP cameras, RaspBerries, DVR, etc)
  ○ What do we need?
  ○ How to configure it?

6

It’s not just about executing malware. It's about executing malware professionally, for research purposes.

Page 7

Recipe For Making an IoT Lab

● 1 or more public IPs
● 1 good FW
● 1 switch
● At least 1 IoT device
● 1 Raspberry Pi
● A lot of malware samples
● 1 Monitoring methodology
● Shake until having fun

7

Page 8

Stratosphere Lab IoT Infrastructure

Thanks Simona Musilova for her work on the lab.

8

Page 9

9

Page 10

IoT Camera Airport Simulation. v.0.0.1

10

Page 11

IoT Infrastructure Configuration

● Good router/FW to manage all the things!
  ○ Multiple public IPs
  ○ Multiple NATs
  ○ Redirections
  ○ Bandwidths
  ○ Not attacking your country
● Protected capturing device
● Secret Remote administration
● Switch to divide networks

11

Page 12

IoT Infection Design and Configuration

● Raspberry Pi
  ○ Hypriot OS with Docker!
● Fixed IPs/Gateway/DNS
● Remote connection by SSH
● Continuous capture per device. Rotation every day. Automatic Backup
● After infection, reflash SD cards. We have a pool of them.
● Infections are at least 1 week, so no need for automatic cleaning

12

Page 13

Capture Storage

● 1 to 50GB per device per day
● Long term can use some TBs easily
● Files generated from pcap use space!
  ○ Bro, Argus
● Access for others should be fast if your captures are huge.

13

Page 14

Simple Monitoring

● Pcap → Argus flow
● From Argus, script to update an RRD file
● CACTI reads RRD
● From Argus → scripts to real time monitoring
● Small mem consumption

14
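As an added example (not part of the original deck and not the lab's own script), here is the "Argus flow → RRD" step of the pipeline in Python: it aggregates constructed `ra` CSV output into per-minute buckets of total bytes and distinct destination hosts, and renders each bucket as an `rrdtool update` argument. The column layout assumes `ra -c , -s stime,proto,saddr,daddr,dport,bytes`; every flow value is made up.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of Argus flow records, in the layout that
# `ra -r flows.argus -c , -s stime,proto,saddr,daddr,dport,bytes` prints
# (assumption: stime as epoch seconds; none of this is real lab data).
SAMPLE_RA_OUTPUT = """\
1555070400.12,tcp,10.0.0.5,203.0.113.7,6667,1820
1555070410.50,tcp,10.0.0.5,198.51.100.21,23,120
1555070415.02,tcp,10.0.0.5,198.51.100.22,23,120
1555070420.77,tcp,10.0.0.5,198.51.100.23,23,120
1555070470.00,udp,10.0.0.5,192.0.2.53,53,310
1555070490.33,tcp,10.0.0.5,203.0.113.7,6667,640
"""

FIELDS = ["stime", "proto", "saddr", "daddr", "dport", "bytes"]


def bucket_flows(ra_csv, interval=60):
    """Aggregate flows into fixed intervals: total bytes and number of
    distinct destination hosts. Each bucket becomes one RRD sample, so a
    graph in CACTI shows both volume and how many hosts the device talks to."""
    buckets = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for row in csv.DictReader(StringIO(ra_csv), fieldnames=FIELDS):
        ts = int(float(row["stime"]) // interval * interval)
        buckets[ts]["bytes"] += int(row["bytes"])
        buckets[ts]["dsts"].add(row["daddr"])
    return {ts: (b["bytes"], len(b["dsts"])) for ts, b in sorted(buckets.items())}


def rrd_update_args(buckets):
    """Render each bucket in the '<timestamp>:<bytes>:<distinct_dsts>' form
    that `rrdtool update <file.rrd>` accepts as its value argument."""
    return [f"{ts}:{nbytes}:{ndst}" for ts, (nbytes, ndst) in buckets.items()]


if __name__ == "__main__":
    for arg in rrd_update_args(bucket_flows(SAMPLE_RA_OUTPUT)):
        print("rrdtool update lab_device.rrd", arg)
```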

Page 15

Complex Monitoring

15

Page 16

IoT Malware Capture Methodology 1/3

1. Find malware you want to focus on and download it
   a. Identify the sample by using the SHA256
   b. Add it to a spreadsheet
2. Create the log file explaining the sample, times, etc.
3. Copy the binary to the RPi with SSH
4. Capture the traffic from the Raspberry in the capture server
5. Log the start time

16

Page 17

IoT Malware Capture Methodology 2/3

6. Only now you can Infect!
7. Execute the sample, log out of SSH (min amount of packets)
8. Monitor the traffic while the malware is running, verify it’s doing something
   a. Observe what is going on on the RPi console
   b. Observe the network traffic in the capture device
   c. Wait at least 5/10 minutes

17

Page 18

IoT Malware Capture Methodology 3/3

9. Wait until it is time to stop the capture
10. Log the stop date
11. Stop the capture, generate output files, publish the capture
12. Restore the clean SD
13. Analyze the capture

18
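The bookkeeping side of the 13-step methodology (slides 16 to 18), as an added Python example that is not the lab's own tooling: hash the sample for the spreadsheet (step 1a), build the daily-rotated per-device tcpdump capture for the capture server (step 4 and slide 12), and write the log entry with start/stop times and the one-week minimum (steps 2, 5, 10). The capture path, device names and the placeholder sample bytes are assumptions.

```python
import hashlib
import shlex
from datetime import datetime, timedelta

# Constructed placeholder bytes standing in for the downloaded binary (not a real sample).
SAMPLE_BYTES = b"\x7fELF placeholder, not a real sample"


def sample_id(data):
    """Step 1a: the SHA256 that identifies the sample in the spreadsheet and the log."""
    return hashlib.sha256(data).hexdigest()


def capture_command(iface, device, rotate_seconds=86400):
    """Step 4 (plus slide 12): continuous per-device capture on the capture
    server, one pcap per day. Real tcpdump flags: -G rotates the output file
    every N seconds and -w accepts a strftime pattern for the file name.
    The /captures path and device naming are assumptions."""
    pattern = f"/captures/{device}/{device}_%Y-%m-%d_%H%M%S.pcap"
    return shlex.join(["tcpdump", "-i", iface, "-n", "-s", "0",
                       "-G", str(rotate_seconds), "-w", pattern])


def capture_log(sha256, device, start_iso, stop_iso=None, notes=""):
    """Steps 2, 5 and 10: the log entry for one run (sample, device, times).
    Timestamps are ISO 8601 strings; once the stop time is logged the entry
    also records the duration and whether the one-week minimum was met."""
    start = datetime.fromisoformat(start_iso)
    entry = {"sha256": sha256, "device": device, "start": start_iso, "notes": notes}
    if stop_iso is not None:
        duration = datetime.fromisoformat(stop_iso) - start
        entry["stop"] = stop_iso
        entry["duration_days"] = duration.total_seconds() / 86400
        entry["min_week_met"] = duration >= timedelta(days=7)
    return entry


if __name__ == "__main__":
    print(capture_command("eth1", "rpi1"))
    print(capture_log(sample_id(SAMPLE_BYTES), "rpi1",
                      "2019-04-01T10:00:00+00:00", "2019-04-09T10:00:00+00:00"))
```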

Page 19

Output Files

To analyze what happened

● Zeek
  ○ Scripts to extract files, label and long conn
● dnstop
● passive dns
● Miro analysis
● Captipper

19
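As an added example, not one of the lab's Zeek scripts: a small Python parser for Zeek's conn.log that flags the "long conn" entries the slide refers to, which is how a long-lived C&C session (the IRC connection of the Tsunami example) stands out from one-shot scans. The conn.log excerpt is constructed with a subset of Zeek's columns, and the one-hour threshold is an assumption.

```python
# Constructed Zeek conn.log excerpt (tab-separated, subset of the real columns;
# all addresses, uids and durations are invented).
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\n"
    "1555070400.0\tCabc1\t10.0.0.5\t40001\t203.0.113.7\t6667\ttcp\tirc\t86120.5\t4200\t9800\tSF\n"
    "1555070410.0\tCabc2\t10.0.0.5\t40002\t198.51.100.21\t23\ttcp\t-\t0.9\t0\t0\tREJ\n"
    "1555070470.0\tCabc3\t10.0.0.5\t40003\t192.0.2.53\t53\tudp\tdns\t0.01\t60\t120\tSF\n"
    "1555070500.0\tCabc4\t10.0.0.5\t40004\t203.0.113.9\t447\ttcp\tssl\t-\t1200\t3400\tS1\n"
)


def parse_conn_log(text):
    """Turn a Zeek TSV log into dicts keyed by the names in the #fields header.
    Other '#' lines (#separator, #types, #close) are metadata and are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def long_connections(text, min_seconds=3600.0):
    """Return (uid, responder host, responder port, duration) for every
    connection that lasted at least min_seconds. Zeek writes '-' for an
    unset duration (e.g. a connection still open at log time), so skip those."""
    found = []
    for r in parse_conn_log(text):
        if r["duration"] == "-":
            continue
        if float(r["duration"]) >= min_seconds:
            found.append((r["uid"], r["id.resp_h"], int(r["id.resp_p"]), float(r["duration"])))
    return found


if __name__ == "__main__":
    for uid, host, port, secs in long_connections(CONN_LOG):
        print(f"long conn {uid}: {host}:{port} lasted {secs / 3600:.1f} h")
```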

Page 20

Stratosphere Lab Datasets

20

Page 21

Not-IoT Malware Dataset

Malware in Windows VMs
● ~370 captures of real selected malware. ~1.5 TB.
● Long term (1 week-8 weeks). Full attacks allowed.
● HTTPs Interception: ~110 captures
● CTU-13

Mixed
● Real normal humans, being really infected.
● ~10 captures. ~47 GB. Midterm (1h-1w)

Normal
● 38 captures. ~19GB. Midterm (1 day-1 week)

21

Page 22

IoT Malware Dataset

Malware IoT
● ~720 captures. ~1 TB in 1 year. Short term captures (1 day)

IoT Honeypots
● ~900 captures. ~2TB. Cameras/Alexa/NAS/etc.
● Cowrie, Dionaea, Tpot, etc.
● 70 new unseen malware. >12,000,000 successful logins every 12hs

https://www.stratosphereips.org/datasets-iot

22

Page 23

Example Analysis of IoT Malware Captures

23

Page 24

Tsunami-Based IRC Botnet (1/3)
https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet

Activities:
Successful connection to C&C using IRC: IP 185.244.25.235, port 6667
Communication between the botmasters and the bot
Real instructions: TCP flood attacks
Order from the botmaster: AmpAttacks :TCP Packeting 66.67.61.168!
IRC Packet reporting TCP Flood Against 66.67.61.168

SHA256: 49fd1cb22e0325c1f9038160da534fc23672e5509e903a94ce5bcddc893eb2c0

24

Page 25

Tsunami-Based IRC Botnet (2/3)

25

Page 26

Tsunami-Based IRC Botnet (3/3)

26

Page 27

Hajime Botnet
CTU-IoT-Malware-Capture-Botnet-9-1

Activities:
● Scans 81/TCP, 23/TCP
● It uses BitTorrent protocol
  ○ T-DHT protocol used to discover peers and nodes
  ○ uTP - for config and modules downloads
● Port 81/tcp is mostly cameras. Hajime did not try to login or attack

SHA256: af629ae5a79f715cdbcf9e1faf389a39bd96b887b019984e50798d013f38a466

27

Page 28

Hide and Seek Botnet
CTU-IoT-Malware-Capture-Botnet-1-1

MD5: 239ef88fd187919b86ac245043bbf41a

Activities:
● Scans port 23/TCP.
● Successful login in some devices (routers mostly)
● Consumes a LOT of CPU

28

Page 29

Example Analysis of Non-IoT Malware Captures

29

Page 30

WannaCry Malware
https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-252-1/ (16 pcaps)

SHA256: 38c6efb48b32a3f22cc4c307e9043d59aedb0e008300663f83803819e5f260b3

Activities:
● 1 Normal user infected by us
● Other computers being infected from the network.
● Wannacry scanning patterns in local nets
● With and without killswitch domain
● Real scans/infections in the Internet
● Duration: >45 days

30

Page 31

Trickbot Malware
CTU-Malware-Capture-Botnet-239-1

SHA256: 03f75c3d5cddbf39f6a9cad72ccc6649cec8959dd3bca87b2de80e036d054461

Activities:
● Successful connection to C&C using HTTPs (intercepted and opened)
● Successful connections to port 447/tcp
● Encrypted real instructions
● Five updates of binary files. 4 still not in VirusTotal
● Duration: 22 days

31

Page 32

Sality Malware
https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-66-1/

SHA256: 6fb2f335669405e9c3b7582b524dac22ebff7e5fe1258f25914d7e0e750ca62e

Activities:
● Alive since 2003. Probably the oldest active botnet in history
● After 4 years, 6 binaries not in VT until today
● Web login bruteforce to get new servers
● SPAM sending and resilient P2P
● 160,900 unique hosts contacted
● Duration: 45 days

32

Page 33

Htbot Malware
https://mcfp.felk.cvut.cz/publicDatasets/CTU-Malware-Capture-Botnet-348-1/

SHA256: 3e52a79b753682de4dd7a4b041a83158fa29b36f3edfafa923b6e61f90ab3192

Activities:
● Turns your computer into a malicious socks proxy service and sells it
● Very complex infrastructure of 4 levels of C&C. More than 30 C&C servers
● Downloads a PE. Sends SPAM. Sends ~10,000 web requests. Web SPAM
● Duration: 19 days

33

Page 34

Issues? We may have had some

● Being blocked by the univ 4 times
● Being blocked by the ISP 1 time
● Being called by the police 1 time
● Malware infecting other VMs
● Broadcasting/multicasting infections!
● Lost captures
● Mitmdump lost
● Storage issues
● Malware DDoSing others
● Google blocking our IPs

34

Page 35

Conclusions

● Very helpful but it should be done correctly to have a scientific impact.
● Executing malware is the best way to understand behavior
● If you want to detect malware in the net you need to see it
● Plan carefully
● Best way to learn
● Good Datasets are very very rare
● Analyzing the behavior of malware in the network shows very unique features, like the social analysis of the IRC bot.
● Opens new doors: Machine Learning?

35

Page 36

Questions? And Thanks!

Specially to Avast for the support and funding

Maria Jose Erquiaga @MaryJo_E [email protected]

Sebastian Garcia @[email protected]

36