EXOTIC CREATURES: Internet of Things and Linux Malware
Your speakers today
Marion Marschalek, Security Research Expert
Shel Sharma, Product Marketing Director
Agenda
o Linux & IoT in the spotlight
o Cyphort Lab's in-the-wild spottings
o Status of Linux & IoT malware
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware knowledge bases
o Best of 3rd-party threat data
THE INTERNET
http://greendisc.dacya.ucm.es/wp-content/uploads/2014/10/Internet_of_Things.jpg
might be bigger than you thought
By broadening the internet surface...
http://datasciencebe.com/category/data-science-2/iot-analytics/
... we broaden our attack surface.
Internet technology in everyday life
WEAK DEFAULT SECURITY
LINUX & IoT MALWARE
ESPIONAGE GOES LINUX
Turla's Linux component
o Suspected to be Russian government malware
o Active since 2008
o Linux component uncovered 2014
o Backdoor capabilities & stealthy C&C communication
LINUX MARKET SHARES
o Linux on desktop systems under 5%
o Public servers ~36%
o Mainframes >96%
o Embedded systems ~30%
INDUSTRIAL CONTROL SYSTEMS UNDER ATTACK
Havex on industrial espionage
o Enumerates network resources through the Windows API
o OPC: OLE for Process Control
o ICS spy collects:
  o Network entities (UNC paths)
  o Thereof: OPC servers
  o Server version
  o OPC version support
  o etc.
BROADENING THE ATTACK SURFACE
More devices more attack vectors
IoT compromises
Hacked baby monitors and CCTV cameras in UK
Smart meters vulnerable to attacks, could harm national power network
'Spike' botnet runs DoS attacks from IoT devices
Linux risks
Servers and critical infrastructure based on Unix distributions
Webservers as entry point to corporate network
Major flaws in legacy open source software show vulnerability of Linux systems
EXOTIC CREATURES in the wild
CYPHORT LAB'S IN-THE-WILD ENCOUNTERS
o Mayday | 10:2014
o Sotdas | 10:2014
o Snessik | 10:2014
o Ganiw | 10:2014
o SSHb | 11:2014
o Darlloz | 12:2014
o Zendran | 12:2014
LINUX.MAYDAY
o DDoS bot with task scheduler
o Comes packed with UPX
o C++ binary including object information
o Contains a logger class for the categories INFO, DEBUG, FATAL and WARNING
LINUX.GANIW
o Backdoor / DDoS bot
o Exfiltrates the following information:
  o OS name and version
  o System's MAC address
  o Amount of RAM
  o Number of network interfaces
  o CPU usage and frequency
o Calculates stats on the attacks it performs
o Kills instances of malware already present
LINUX.SOTDAS
o DDoS bot, no binary protection
o Target URL downloaded from C&C
o The following methods are supported:
  o UDP flood
  o TCP flood
  o SYN flood
  o DNS flood
  o DIY with custom-built TCP and HTTP packets
o Shuts down the iptables, SuSEfirewall2 or ebtables services
LINUX.SNESSIK
o Backdoor / DDoS bot
o Spawns shells to execute commands from its botmaster
o Uses curl for file up-/download
o Data exchanged with C&C is BASE64 & XOR encoded
o The binary contains HTTP headers for US English and Chinese
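The slide only says the C&C traffic is BASE64 and XOR encoded; it gives neither the key nor the key length. The block below is an added example, not Cyphort's tooling and not code from the Snessik sample: it assumes a single-byte XOR key applied before base64, uses a constructed check-in message and an assumed key (0x5A), and shows the known-plaintext trick an analyst uses when a field name such as `os=` is expected somewhere in the message. A multi-byte key would need a longer crib or a per-position search.

```python
import base64

# Constructed sample check-in and key. Snessik's real key, key length and
# field layout are not on the slide; single-byte XOR before base64 is an assumption.
ASSUMED_KEY = 0x5A
SAMPLE_PLAINTEXT = b"PING|os=Linux 3.2.0|mac=00:11:22:33:44:55|ram=512"


def encode_c2(data: bytes, key: int) -> str:
    """Assumed bot-side transform: XOR every byte with the key, then base64."""
    return base64.b64encode(bytes(b ^ key for b in data)).decode("ascii")


def decode_c2(blob: str, key: int) -> bytes:
    """Analyst-side inverse: base64-decode, then XOR with the same key."""
    return bytes(b ^ key for b in base64.b64decode(blob))


def recover_key_with_crib(blob: str, crib: bytes):
    """Known-plaintext attack on a single-byte XOR key.

    If the protocol is believed to contain `crib` somewhere (a field name such
    as b"os=" is a typical guess), slide it over the decoded bytes: at each
    offset the key implied by the first crib byte must also explain the rest
    of the crib. Returns the key, or None when no offset is consistent.
    """
    raw = base64.b64decode(blob)
    for i in range(len(raw) - len(crib) + 1):
        key = raw[i] ^ crib[0]
        if all(raw[i + j] ^ key == crib[j] for j in range(len(crib))):
            return key
    return None


if __name__ == "__main__":
    wire = encode_c2(SAMPLE_PLAINTEXT, ASSUMED_KEY)
    key = recover_key_with_crib(wire, b"os=")
    print("recovered key: %#x" % key)
    print("decoded:", decode_c2(wire, key))
```

The crib check is strict (every byte of the crib must agree), so a wrong guess returns None rather than a plausible-looking key; try the next field name you expect in the protocol.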
LINUX.SSHB
o Simple backdoor
o Enables access to the machine through SSH
o Implemented using source from OpenSSH
IoT WORM DARLLOZ
o Targets Linux distributions on routers, security cameras & gaming systems
o Spreads by brute-forcing telnet logins or by exploiting the PHP vulnerability CVE-2012-1823
o Cross-compiled for:
  o arm
  o ppc
  o mipsel
  o mips
  o x86
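CVE-2012-1823 is the php-cgi argument-injection bug: when the query string contained no literal `=`, php-cgi passed it to the interpreter as command-line arguments, so `?-s` dumped source and `?-d allow_url_include=On -d auto_prepend_file=php://input` (with the `=` URL-encoded as `%3d` to dodge the check) turned the POST body into executed PHP. The detector below is an added example, not Cyphort's code; the access-log lines are constructed (RFC 5737 addresses, illustrative requests) and the log format assumed is the common log format.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access log (common log format). Addresses are RFC 5737
# documentation ranges and the requests are illustrative, not captured traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2014:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
192.0.2.11 - - [12/Dec/2014:10:01:03 +0000] "POST /cgi-bin/php?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 1024
192.0.2.12 - - [12/Dec/2014:10:01:04 +0000] "GET /cgi-bin/php-cgi?%2D%73 HTTP/1.1" 200 2048
192.0.2.13 - - [12/Dec/2014:10:01:05 +0000] "GET /search.php?q=-dash-in-value HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Anything php-cgi accepted as argv starts with an option switch:
# -d (set an ini directive), -s (print source), -n (ignore php.ini), ...
ARGV_SWITCH_RE = re.compile(r"^-[a-zA-Z]")


def php_cgi_argv_injection(target: str):
    """Return a reason string if the request target abuses CVE-2012-1823, else None."""
    query = urlsplit(target).query
    if not query:
        return None
    decoded = unquote_plus(query)  # '+' -> space, %2D -> '-', %3d -> '='
    # The bug's precondition: the *raw* query string holds no '='. A literal
    # '=' means ordinary CGI parameters, which is why exploits encode it as %3d.
    if "=" not in query and ARGV_SWITCH_RE.match(decoded):
        return "php-cgi argv injection: " + decoded.split()[0]
    return None


def scan_log(text: str) -> list:
    """Yield (source, target, reason) for every log line that trips the check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = php_cgi_argv_injection(m["target"])
        if reason:
            hits.append((m["src"], m["target"], reason))
    return hits


if __name__ == "__main__":
    for src, target, reason in scan_log(SAMPLE_LOG):
        print(src, reason, target)
```

The fourth line is the benign counter-example: a value that merely begins with a dash sits after a literal `=` and is never treated as argv. Darlloz's other propagation path, telnet brute force, leaves no trace in web logs; look for it in telnet daemon or connection logs instead.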
IoT BOT ZENDRAN
o DDoS bot based on the IRC-based scanner Lightaidra
o Cross-compiled for x86, x64, PPC, MIPS, MIPSEL, ARM and SuperH
o Comes packed with UPX
o Communicates with C&C via IRC
o 2 stages:
  o Downloader script
  o Platform-specific binary
WHERE ARE WE NOW
and what does the future hold
EXOTIC CREATURES' FEATURES
o Unprotected binaries
o Low evasiveness
o Lack of stealth
o Binaries coming with symbols
o A lot of source code re-use
o Low AV detection
o Consistently low default security for Linux & IoT
o Easy prey for attackers
o Rising number of infections
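Two of the traits above (binaries shipped with symbols, binaries packed with UPX as Mayday and Zendran are) are the first things a triage script checks before any sample goes to a disassembler. The block below is an added example, not Cyphort's tooling: a dependency-free ELF64 little-endian reader that lists section names, reports whether a `.symtab` survived, and flags the `UPX!` marker that UPX writes into the packed file. The sample files it inspects are constructed in-line by `build_elf64` (a skeletal ELF, not a runnable program); 32-bit and big-endian MIPS/PPC samples would need the ELF32 and `>` struct layouts, which are left out here.

```python
import struct

ELF_MAGIC = b"\x7fELF"
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
SHDR = struct.Struct("<IIQQQQIIQQ")         # ELF64 section header
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
UPX_MAGIC = b"UPX!"  # stamp UPX leaves in its own headers inside the packed file


def parse_elf64(data: bytes) -> dict:
    """Minimal ELF64 LE reader: section names plus packing/stripping hints."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (_, e_type, e_machine, _, _, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(data, 0)
    headers = [SHDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    names = []
    if headers:
        str_off, str_size = headers[e_shstrndx][4], headers[e_shstrndx][5]
        strtab = data[str_off:str_off + str_size]
        for sh in headers:  # sh[0] is the offset of the name in .shstrtab
            names.append(strtab[sh[0]:strtab.index(b"\0", sh[0])].decode("ascii"))
    return {
        "type": e_type,
        "machine": e_machine,
        "sections": names,
        "has_symtab": ".symtab" in names,    # symbols left in: an unstripped build
        "upx_packed": UPX_MAGIC in data,      # heuristic; a repacked file may scrub it
        "no_section_headers": e_shnum == 0,   # how a UPX-packed ELF usually looks
    }


def triage(data: bytes) -> list:
    """Human-readable findings an analyst wants before opening the sample."""
    info = parse_elf64(data)
    notes = []
    if info["upx_packed"]:
        notes.append("UPX packed: unpack (upx -d) before static analysis")
    if info["no_section_headers"]:
        notes.append("no section headers: packed or deliberately stripped")
    if info["has_symtab"]:
        notes.append("unstripped: .symtab present, function names recoverable")
    return notes


def build_elf64(section_names, payload=b"", with_sections=True) -> bytes:
    """Constructed test fixture (assumption: only the headers matter to the parser)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, version 1
    if not with_sections:  # mimic a packed file: header + blob, no section table
        return EHDR.pack(ident, 2, 0x3E, 1, 0, 0, 0, 0, EHDR.size, 56, 0, SHDR.size, 0, 0) + payload
    names = [""] + list(section_names) + [".shstrtab"]
    strtab = b"".join(n.encode("ascii") + b"\0" for n in names)
    name_off, pos = {}, 0
    for n in names:
        name_off[n], pos = pos, pos + len(n) + 1
    body_off = EHDR.size
    strtab_off = body_off + len(payload)
    shoff = strtab_off + len(strtab)
    shdrs = b""
    for n in names:
        if n == "":
            sh_type, off, size = 0, 0, 0
        elif n == ".shstrtab":
            sh_type, off, size = SHT_STRTAB, strtab_off, len(strtab)
        else:
            sh_type = SHT_SYMTAB if n == ".symtab" else SHT_PROGBITS
            off, size = body_off, len(payload)
        shdrs += SHDR.pack(name_off[n], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, 0, 0, shoff, 0, EHDR.size, 56, 0,
                     SHDR.size, len(names), len(names) - 1)
    return ehdr + payload + strtab + shdrs


if __name__ == "__main__":
    print(triage(build_elf64([".text", ".symtab", ".strtab"], b"\x90" * 16)))
    print(triage(build_elf64([], b"UPX!" + bytes(12), with_sections=False)))
```

On real samples read the file with `open(path, "rb").read()` and pass it to `triage`; for anything it reports as UPX packed, unpack first, then re-run, because the section list and symbol check only mean something on the unpacked binary.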
REMEDIES
1. Network-focused security
2. Reviewing security settings of devices / machines
3. Regular updates and patches, where applicable
4. Network segmentation to counter lateral movement
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
Thank You!
FURTHER READING
o Havex attacks Industrial Control Systems
  http://www.cyphort.com/windows-meets-industrial-control-systems-ics-havex-rat-spells-security-risks-2/
o Baby monitors hacked in UK homes
  http://www.independent.co.uk/life-style/gadgets-and-tech/baby-monitors-cctv-cameras-and-webcams-from-uk-homes-and-businesses-hacked-and-uploaded-onto-russian-website-9871830.html
o Smart meters vulnerable to attack
  http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html
o Spike botnet runs DoS attacks from IoT devices
  http://securityaffairs.co/wordpress/28642/cyber-crime/spike-botnet-runs-ddos.html