Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
.
Linux/Moose	endangered
or	extinct?
An	update	on	this	atypical	embedded	Linux	botnet
by	Olivier	Bilodeau
$	apropos
Statically	linked	stripped	ELF	challenges
Moose	DNA	(description)
Moose	Herding	(the	Operation)
A	Strange	Animal...
$	whoami
Malware	Researcher	at	ESET
Infosec	lecturer	at	ETS	University	in	Montreal
Previously
infosec	developer,	network	a...
Static/stripped	ELF	primer
No	imports	(library	calls)	present
All	the	code	bundled	together	down	to	kernel	syscall
Disasse...
Linux/Moose	binary	in	IDA
printf	family
Ecosystem	makes	it	worst
[for	reversers]
GCC	and	GNU	libc	is	always	changing	so	compiled
binaries	always	change
Little	IDA...
A	Failed	Attempt
Map	syscalls	with	IDA	script
But	libc	is	too	big	it	is	still	too	much
Better	Solution
Reproduce	environment	(arch,	libc/compiler
versions)
Build	libraries	w/	symbols	under	same	conditions
Use	...
Moose	DNA
aka	Malware	description
Hang	tight,	this	is	a	recap
Linux/Moose…
Named	after	the	string	"elan"	present	in	the	malware
executable
Elan	is	French	for
The	Lotus	Elan
Elán
The	Slovak	rock	band	(from	1969	and	still	active)
Network	capabilities
Pivot	through	firewalls
Home-made	NAT	traversal
Custom-made	Proxy	service
only	available	to	a	set	of	...
Worm-like	behavior
Tries	to	replicate	via	aggressive	scanning
Will	dedicate	more	resources	to	scan	near	current
external	I...
Compromise	Protocol
Anti-Analysis
Statically	linked	binary	stripped	of	its	debugging
symbols
Hard	to	reproduce	environment	required	for
malwar...
Moose	Herding
The	Malware	Operation
Via	C&C	Configuration
Network	sniffer	was	used	to	steal	HTTP	Cookies
Twitter:	twll,	twid
Facebook:	c_user
Instagram:	ds_us...
Via	Proxy	Usage	Analysis
Nature	of	traffic
Protocol
Targeted	social	networks
75%+	HTTPS	but…
An	Example
An	Example	(cont.)
An	Example	(cont.)
An	Example	(cont.)
Anti-Tracking
Whitelist	means	we	can’t	use	the	proxy	service	to
evaluate	malware	population
Blind	because	of	HTTPS	enforce...
A	Strange	Animal
Different	focus
not	in	the	DDoS	or	bitcoin	mining	business
no	x86	variant	found
controlled	by	a	single	group	of	actors
Missing	"features"
No	persistence	mechanism
No	shell	access	for	operators
Thought	big,	realized
little?
In	social	network	fraud,	network	sniffer	irrelevant
DNS	Hijacking	possible	but	only	for	few	...
Latest	Developments
Whitepaper	Impact
Few	weeks	after	the	publication	the	C&C	servers
went	dark
After	a	reboot,	all	affected	devices	should	be...
Alive	or	dead?
Alive	or	dead?	(cont.)
On	the	lookout	for	Moose	v2
Looked	at	over	150	new	samples	targeting	embedded
Linux	platforms
Linux...
Yay!	except…
Moose	level-up
Update
New	sample	this	Saturday
New	proxy	service	port	(20012)
New	C&C	selection	algorithm
Lots	of	differences
Still	under...
Conclusion
Embedded	malware
Not	yet	complex
Tools	and	processes	need	to	catch	up
a	low	hanging	fruit
Prevention	simple
Questions?
Thank	you!
@obilodeau
and	special	thanks	to	Thomas	Dupuy	(@nyx__o)
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Is Linux/Moose endangered or extinct?
Upcoming SlideShare
Loading in …5
×

Is Linux/Moose endangered or extinct?

6,414 views

Published on

Presentation of ESET researcher Olivier Bilodeau from Virus Bulletin Conference 2015.

Embedded Linux platforms have been increasingly targeted by malware authors over the past few years. The targeted devices, labelled under the umbrella term 'Internet of Things', are generally consumer routers, gateways or modems. They are compromised remotely via brute-forcing of their credentials or being victim of an unpatched vulnerability, such as the infamous Shellshock. Most of these compromises result in the targeted system being assimilated into a botnet.

Read more about Linux/Moose here: http://www.welivesecurity.com/2015/05/26/dissecting-linuxmoose/

Published in: Software
  • Be the first to comment

  • Be the first to like this

Is Linux/Moose endangered or extinct?

  1. 1. .
  2. 2. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by Olivier Bilodeau
  3. 3. $ apropos Statically linked stripped ELF challenges Moose DNA (description) Moose Herding (the Operation) A Strange Animal Latest Developments
  4. 4. $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux system admin Co-founder Montrehack (hands-on security workshops) Founder NorthSec Hacker Jeopardy
  5. 5. Static/stripped ELF primer No imports (library calls) present All the code bundled together down to kernel syscall Disassembler (if available for arch) doesn’t help much
  6. 6. Linux/Moose binary in IDA
  7. 7. printf family
  8. 8. Ecosystem makes it worst [for reversers] GCC and GNU libc is always changing so compiled binaries always change Little IDA FLIRT signatures available (if any) µClibc, eglibc, glibc, musl, …
  9. 9. A Failed Attempt Map syscalls with IDA script But libc is too big it is still too much
  10. 10. Better Solution Reproduce environment (arch, libc/compiler versions) Build libraries w/ symbols under same conditions Use bindiff to map library functions Focus on malware code
  11. 11. Moose DNA aka Malware description Hang tight, this is a recap
  12. 12. Linux/Moose… Named after the string "elan" present in the malware executable
  13. 13. Elan is French for
  14. 14. The Lotus Elan
  15. 15. Elán The Slovak rock band (from 1969 and still active)
  16. 16. Network capabilities Pivot through firewalls Home-made NAT traversal Custom-made Proxy service only available to a set of whitelisted IP addresses Remotely configured generic network sniffer DNS Hijacking
  17. 17. Worm-like behavior Tries to replicate via aggressive scanning Will dedicate more resources to scan near current external IP Will also scan on LAN interfaces Will not reinfect an infected device Can replicate across architectures C&C is made aware of new compromises
  18. 18. Compromise Protocol
  19. 19. Anti-Analysis Statically linked binary stripped of its debugging symbols Hard to reproduce environment required for malware to operate Misleading strings (getcool.com)
  20. 20. Moose Herding The Malware Operation
  21. 21. Via C&C Configuration Network sniffer was used to steal HTTP Cookies Twitter: twll, twid Facebook: c_user Instagram: ds_user_id Google: SAPISID, APISID Google Play / Android: LAY_ACTIVE_ACCOUNT Youtube: LOGIN_INFO
  22. 22. Via Proxy Usage Analysis Nature of traffic Protocol Targeted social networks
  23. 23. 75%+ HTTPS but…
  24. 24. An Example
  25. 25. An Example (cont.)
  26. 26. An Example (cont.)
  27. 27. An Example (cont.)
  28. 28. Anti-Tracking Whitelist means we can’t use the proxy service to evaluate malware population Blind because of HTTPS enforced on social networks DNS Hijacking’s Rogue DNS servers never revealed
  29. 29. A Strange Animal
  30. 30. Different focus not in the DDoS or bitcoin mining business no x86 variant found controlled by a single group of actors
  31. 31. Missing "features" No persistence mechanism No shell access for operators
  32. 32. Thought big, realized little? In social network fraud, network sniffer irrelevant DNS Hijacking possible but only for few devices No ad fraud, spam, DDoS, etc.
  33. 33. Latest Developments
  34. 34. Whitepaper Impact Few weeks after the publication the C&C servers went dark After a reboot, all affected devices should be cleaned But victims compromised via weak credentials, so they can always reinfect
  35. 35. Alive or dead?
  36. 36. Alive or dead? (cont.) On the lookout for Moose v2 Looked at over 150 new samples targeting embedded Linux platforms Linux/Aidra, Linux/Dofloo (AES.DDoS), Linux/DNSAmp (Mr.Black), Linux.Gafgyt and Linux/Tsunami Still no Moose update…
  37. 37. Yay! except…
  38. 38. Moose level-up
  39. 39. Update New sample this Saturday New proxy service port (20012) New C&C selection algorithm Lots of differences Still under scrutiny
  40. 40. Conclusion Embedded malware Not yet complex Tools and processes need to catch up a low hanging fruit Prevention simple
  41. 41. Questions? Thank you! @obilodeau and special thanks to Thomas Dupuy (@nyx__o)

×