Malware's Most Wanted: Linux and Internet of Things Malware

Page 1: Malware's Most Wanted: Linux and Internet of Things Malware
Page 2

EXOTIC CREATURES
Internet of Things and Linux Malware

Page 3

Your speakers today

Marion Marschalek, Security Research Expert

Shel Sharma, Product Marketing Director

Page 4

Agenda

o Linux & IoT in the spotlight
o Cyphort Lab's in-the-wild spottings
o Status of Linux & IoT malware

(image: Cyphort Labs T-shirt)

Page 5

Threat Monitoring & Research team

o 24x7 monitoring for malware events
o Assist customers with their Forensics and Incident Response

We enhance malware detection accuracy

o False positives/negatives
o Deep-dive research

We work with the security ecosystem

o Contribute to and learn from malware KB
o Best of 3rd party threat data

Page 6

THE INTERNET might be bigger than you thought

(image: http://greendisc.dacya.ucm.es/wp-content/uploads/2014/10/Internet_of_Things.jpg)

Page 7

By broadening the internet surface...

(image: http://datasciencebe.com/category/data-science-2/iot-analytics/)

... we broaden our attack surface.

Page 8

Internet technology in everyday life

Page 9

WEAK DEFAULT SECURITY

Page 10

LINUX & IoT MALWARE

Page 11

ESPIONAGE GOES LINUX

Turla's Linux component

o Suspected to be Russian government malware

o Active since 2008

o Linux component uncovered 2014

o Backdoor capabilities & stealthy C&C communication

Page 12

LINUX MARKET SHARES

o Linux on desktop systems under 5%

o Public servers ~36%

o Mainframes >96%

o Embedded systems ~30%

Page 13

INDUSTRIAL CONTROL SYSTEMS UNDER ATTACK

Havex on industrial espionage

o Enumerates network resources through Windows API

o OPC – OLE process control

o ICS spy:
  o Network entities' UNC paths
  o Thereof OPC servers
  o Server version
  o OPC version support
  o etc.

Page 14

BROADENING THE ATTACK SURFACE

More devices, more attack vectors

IoT compromises

Hacked baby monitors and CCTV cameras in UK

Smart meters vulnerable to attacks, could harm national power network

'Spike' botnet runs DoS attacks from IoT devices

Linux risks

Servers and critical infrastructure based on Unix distributions

Webservers as entry point to corporate network

Major flaws in legacy open source software show vulnerability of Linux systems

Page 15

EXOTIC CREATURES
in the wild

Page 16

CYPHORT LAB'S IN-THE-WILD ENCOUNTERS

o Mayday | 10:2014

o Sotdas | 10:2014

o Snessik | 10:2014

o Ganiw | 10:2014

o SSHb | 11:2014

o Darlloz | 12:2014

o Zendran | 12:2014

Page 17

LINUX.MAYDAY

o DDoS bot with task scheduler

o Comes packed with UPX

o C++ binary including object information

o Contains a logger class for categories: INFO, DEBUG, FATAL and WARNING

Page 18

LINUX.GANIW

o Backdoor / DDoS bot

o Exfiltrates the following information:
  o OS name and version
  o System's MAC address
  o Amount of RAM
  o Number of network interfaces
  o CPU usage and frequency

o Calculates stats on the attacks it performs

o Kills instances of malware already present

Page 19

LINUX.SOTDAS

o DDoS bot, no binary protection

o Target URL downloaded from C&C

o The following methods are supported:
  o UDP flood
  o TCP flood
  o SYN flood
  o DNS flood
  o DIY with custom-built TCP and HTTP packets

o Shuts down iptables, SuSEfirewall2 or ebtables services

Page 20

LINUX.SNESSIK

o Backdoor / DDoS bot

o Spawns shells to execute commands from its botmaster

o Uses curl for file up-/download

o Data exchanged with C&C is BASE64 & XOR encoded

o The binary contains HTTP headers for US English and Chinese
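The slide says Snessik's C&C traffic is BASE64 and XOR encoded but gives neither the key nor which layer is applied first. The Python below is an added example written for this page, not Cyphort's code or anything taken from the bot: it assumes a hypothetical layering of Base64 on the outside and a single-byte XOR on the inside, builds a constructed sample message with that layering, and shows how an analyst recovers the key from a captured blob by ranking all 256 candidate keys on English letter frequency while penalising non-printable bytes (plain printable-ratio scoring is too weak here, because XOR with many keys keeps lowercase text printable).

```python
import base64

# Approximate relative English letter frequencies (percent) plus a weight
# for the space character; used to rank candidate decryptions.
FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, " ": 13.0,
}
NONPRINTABLE_PENALTY = 20.0

# Constructed sample bot message and key; not taken from a real Snessik capture.
SAMPLE_PLAINTEXT = b"status idle uptime 3600 seconds waiting for new tasks from the controller"
SAMPLE_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the assumed inner layer)."""
    return bytes(b ^ key for b in data)


def encode_like_bot(plaintext: bytes, key: int) -> str:
    """Assumed layering: single-byte XOR, then Base64. Used only to build samples."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)


def english_score(candidate: bytes) -> float:
    """Higher is more English-like: frequency weight for common letters and
    spaces, a heavy penalty for every non-printable byte."""
    score = 0.0
    for b in candidate:
        if not is_printable(b):
            score -= NONPRINTABLE_PENALTY
        else:
            score += FREQ.get(chr(b).lower(), 0.0)
    return score


def recover_single_byte_xor(blob_b64: str):
    """Base64-decode a captured blob, try all 256 XOR keys and return
    (key, plaintext) for the best-scoring candidate."""
    raw = base64.b64decode(blob_b64, validate=True)
    best_key, best_plain, best_score = 0, raw, english_score(raw)
    for key in range(1, 256):
        candidate = xor_bytes(raw, key)
        score = english_score(candidate)
        if score > best_score:
            best_key, best_plain, best_score = key, candidate, score
    return best_key, best_plain


if __name__ == "__main__":
    blob = encode_like_bot(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key, plain = recover_single_byte_xor(blob)
    print(f"captured blob: {blob}")
    print(f"recovered key 0x{key:02x}: {plain.decode('ascii', errors='replace')}")
```

If the real sample used a multi-byte key or XORed after Base64, the same scoring still applies but the candidate space changes; the point of the example is the ranking step, which is what lets a detection engineer turn a captured blob into a readable command without knowing the key in advance.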

Page 21

LINUX.SSHB

o Simple backdoor

o Enabling access to the machine through SSH

o Implementing source from OpenSSH

Page 22

IoT WORM DARLLOZ

o Targets Linux distributions on routers, security cameras & gaming systems

o Spreads by brute-forcing telnet logins or by exploiting PHP vulnerability CVE-2012-1823

o Cross-compiled for:
  o arm
  o ppc
  o mipsel
  o mips
  o x86
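Two behaviours on the preceding slides leave obvious traces in host logs: Sotdas stops the iptables, SuSEfirewall2 or ebtables services (page 19), and Darlloz spreads by brute-forcing telnet logins (page 22). The Python below is an added example for this page, not code from Cyphort or from either sample. The log lines are constructed, and the message formats it parses (a systemd "Stopped X.service" line and the util-linux style "FAILED LOGIN n FROM ip FOR user" line) are assumptions about what the monitored device logs; adjust the regexes to the actual daemon output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not captured from an infected device). Line format
# is assumed: classic syslog timestamp, host, then the program's message.
SAMPLE_LOG = """\
Dec 03 10:15:01 gw systemd[1]: Started iptables.service.
Dec 03 10:15:44 gw login[812]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Dec 03 10:15:45 gw login[813]: FAILED LOGIN 1 FROM 198.51.100.7 FOR admin, Authentication failure
Dec 03 10:15:45 gw login[814]: FAILED LOGIN 1 FROM 198.51.100.7 FOR root, Authentication failure
Dec 03 10:15:46 gw login[815]: FAILED LOGIN 1 FROM 198.51.100.7 FOR user, Authentication failure
Dec 03 10:15:47 gw login[816]: FAILED LOGIN 1 FROM 198.51.100.7 FOR support, Authentication failure
Dec 03 10:16:02 gw login[820]: FAILED LOGIN 1 FROM 203.0.113.9 FOR root, Authentication failure
Dec 03 10:20:13 gw systemd[1]: Stopped iptables.service.
Dec 03 10:20:14 gw systemd[1]: Stopped ebtables.service.
Dec 03 10:20:30 gw systemd[1]: Started sshd.service.
"""

# Firewall services named on the Sotdas slide.
FIREWALL_SERVICES = {"iptables", "ebtables", "SuSEfirewall2"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
STOP_RE = re.compile(r"systemd\[\d+\]: Stopped (?P<svc>[\w-]+)\.service")
FAIL_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>[\d.]+) FOR (?P<user>\S+),")
LOG_YEAR = 2014  # syslog timestamps carry no year; assumed for the sample


def parse_lines(log: str):
    """Yield (timestamp, host, message) for every line matching the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["msg"]


def firewall_stop_events(log: str):
    """Return (timestamp, host, service) for each stop of a firewall service."""
    hits = []
    for ts, host, msg in parse_lines(log):
        s = STOP_RE.search(msg)
        if s and s["svc"] in FIREWALL_SERVICES:
            hits.append((ts, host, s["svc"]))
    return hits


def login_failure_bursts(log: str, threshold: int = 5, window_s: int = 60):
    """Map source IP -> failure count for every source that reaches `threshold`
    failed logins inside some `window_s`-second window (the brute-force pattern)."""
    per_src = defaultdict(list)
    for ts, _host, msg in parse_lines(log):
        f = FAIL_RE.search(msg)
        if f:
            per_src[f["src"]].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s)
            if in_window >= threshold:
                flagged[src] = in_window
                break
    return flagged


if __name__ == "__main__":
    for ts, host, svc in firewall_stop_events(SAMPLE_LOG):
        print(f"{ts} {host}: firewall service {svc} stopped")
    for src, n in login_failure_bursts(SAMPLE_LOG).items():
        print(f"login failure burst from {src}: {n} failures")
```

A firewall service stopping outside a maintenance window is a low-volume, high-value signal on a server; the login-burst rule is what you would run on telnet-exposed IoT devices that still forward syslog. Both are deliberately simple so they can be ported to whatever log pipeline the device can feed.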

Page 23

IoT BOT ZENDRAN

o DDoS bot based on the IRC-based scanner Lightaidra

o Cross-compiled for x86, x64, PPC, MIPS, MIPSEL, ARM and SuperH

o Comes packed with UPX

o Communicates to C&C via IRC

o 2 stages:
  o Downloader script
  o Platform-specific binary

Page 24

WHERE ARE WE NOW

and what does the future hold

Page 25

EXOTIC CREATURES' FEATURES

o Unprotected binaries
o Low evasiveness
o Lack of stealth
o Binaries coming with symbols
o A lot of source code re-use

o Low AV detection
o Consistently low default security for Linux & IoT
o Easy prey for attackers
o Rising number of infections

Page 26

REMEDIES

1. Network focussed security

2. Reviewing security settings of devices / machines

3. Regular updates and patches, where applicable

4. Network segmentation to counter lateral movement

Page 27

Q and A

o Information sharing and advanced threats resources

o Blogs on latest threats and findings

o Tools for identifying malware

Page 28

Thank You!

Page 29

Page 30

FURTHER READING

o Havex attacks Industrial Control Systems
  http://www.cyphort.com/windows-meets-industrial-control-systems-ics-havex-rat-spells-security-risks-2/

o Baby monitors hacked in UK homes
  http://www.independent.co.uk/life-style/gadgets-and-tech/baby-monitors-cctv-cameras-and-webcams-from-uk-homes-and-businesses-hacked-and-uploaded-onto-russian-website-9871830.html

o Smart meters vulnerable to attack
  http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html

o Spike botnet runs DoS attacks from IoT devices
  http://securityaffairs.co/wordpress/28642/cyber-crime/spike-botnet-runs-ddos.html