Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially other (IoT) devices
Meet Remaiten : Malware Builds Botnet on Linux based routers and potentially other (IoT) devices by Afifa Abbas.

A presentation given at APNIC 42's FIRST TC Security Session (2) session on Wednesday, 5 October 2016.

Published in: Internet
1. Meet Remaiten: Malware Builds Botnet on Linux based routers and potentially other (IoT) devices - A path from default to damage
   Afifa Abbas, Security and Governance Specialist Engineer, Banglalink Digital Communications Limited

2. Malware and BOTNET
   • A piece of software that is designed to disrupt operation, gather information, or gain unauthorized access to system resources for exploitation purposes
   • A botnet is an interconnected network of computers infected with malware without the user's knowledge and controlled by cybercriminals

3. C&C Architecture
   (Diagram: botmaster → C&C servers → bots)

4. Meet Remaiten, a new piece of malware: Targets Routers and Other Embedded (IoT) Devices
   • The malware is known as 'Remaiten'; it has the capabilities of the previously spotted 'Tsunami' and 'Gafgyt' malware and also brings a series of improvements and new features
   • ESET researchers have discovered a new piece of malware targeting embedded systems with the mission to compromise them and make them part of a botnet

5. How does "Remaiten" work?
   • One of the capabilities "Remaiten" borrows from "Gafgyt" is telnet scanning
   • "Gafgyt" attempts to connect to random routers via port 23
   • It issues a shell command to download bot executables for multiple architectures and tries to run them
   • "Remaiten" carries downloaders and tries to determine the device's platform so that it drops only the appropriate downloader
   • When executed, the bot runs in the background and changes its process name to look legitimate

6. How does "Remaiten" work?
   • Using the "create_daemon" function, the bot creates a file named ".kpid" in one of the predefined daemon directories and writes its PID to the file
   • The bot binaries include a hardcoded list of C&C server IP addresses; the malware chooses one randomly and connects to it on a hardcoded port
   • After connecting successfully to the C&C server, the bot checks in on the IRC channel and the server replies with a welcome message and further instructions
   • The IRC command "PRIVMSG" instructs the bot to perform nefarious operations such as flooding, downloading files, etc.
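The two startup behaviours on slides 5 and 6, the ".kpid" PID file written into a daemon directory and the process renamed to look legitimate, are concrete host-side indicators a defender can check for on a suspect router. The Python script below is an added example, not code from the presentation or from ESET's analysis. The slides do not name the "predefined daemon directories", so the directory list is an assumption, as are the multi-call binary allowlist and the sample directory listing and process records, which are constructed for the demo.

```python
"""Host-side check for two persistence behaviours described in the slides:
a ".kpid" PID file dropped into a daemon directory, and a process whose
visible name does not match the executable it was started from.

Added illustration, not code from the presentation or from ESET's analysis.
The directory list and the process records are constructed for the demo; on a
real device they would come from os.listdir() and /proc/<pid>/{comm,exe}."""

import os
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

PID_FILE_NAME = ".kpid"                        # file name given on the slide
# The slide says "one of the predefined daemon directories" without listing
# them; these candidates are an ASSUMPTION for the example.
DAEMON_DIRS = ["/var/run", "/tmp", "/dev/shm"]
# Multi-call binaries legitimately run under many names; skip them so every
# BusyBox applet on a router is not flagged.
MULTICALL_BINARIES = {"busybox"}


@dataclass
class ProcessRecord:
    pid: int
    comm: str   # /proc/<pid>/comm (kernel truncates it to 15 characters)
    exe: str    # readlink of /proc/<pid>/exe, "" if unreadable


def find_pid_files(dirs: Iterable[str], listing: Callable[[str], List[str]]) -> List[str]:
    """Return the full path of every PID_FILE_NAME found in `dirs`.
    `listing(d)` yields the entries of directory d (os.listdir on a live box)."""
    hits = []
    for d in dirs:
        try:
            entries = listing(d)
        except FileNotFoundError:
            continue
        if PID_FILE_NAME in entries:
            hits.append(os.path.join(d, PID_FILE_NAME))
    return hits


def name_mismatches(procs: Iterable[ProcessRecord]) -> List[ProcessRecord]:
    """Flag processes whose displayed name disagrees with the binary on disk.
    Rewriting argv[0] changes what ps shows, but /proc/<pid>/exe still points
    at the real file (often under /tmp, or already unlinked: "... (deleted)")."""
    flagged = []
    for p in procs:
        if not p.exe:
            continue
        exe_base = os.path.basename(p.exe.replace(" (deleted)", ""))
        if exe_base in MULTICALL_BINARIES:
            continue
        # Accept either side being a prefix of the other, since comm is
        # truncated and some daemons shorten their own name.
        if exe_base.startswith(p.comm) or p.comm.startswith(exe_base):
            continue
        flagged.append(p)
    return flagged


# --- constructed sample data for a stand-alone run --------------------------
SAMPLE_DIRS: Dict[str, List[str]] = {
    "/var/run": ["dropbear.pid", ".kpid"],
    "/tmp": ["hosts"],
    # "/dev/shm" intentionally absent: sample_listing() raises FileNotFoundError
}
SAMPLE_PROCS = [
    ProcessRecord(1, "init", "/sbin/init"),
    ProcessRecord(312, "telnetd", "/bin/busybox"),          # multi-call: fine
    ProcessRecord(455, "dropbear", "/usr/sbin/dropbear"),   # name matches
    ProcessRecord(987, "sshd", "/tmp/.x (deleted)"),        # spoofed name
]


def sample_listing(d: str) -> List[str]:
    """Stand-in for os.listdir over the constructed directory table."""
    if d not in SAMPLE_DIRS:
        raise FileNotFoundError(d)
    return SAMPLE_DIRS[d]


def run_demo():
    """Run both checks over the constructed sample and return the findings."""
    pid_files = find_pid_files(DAEMON_DIRS, sample_listing)
    suspicious = [p.pid for p in name_mismatches(SAMPLE_PROCS)]
    return pid_files, suspicious


if __name__ == "__main__":
    files, pids = run_demo()
    print("PID files:", files)          # ['/var/run/.kpid']
    print("name mismatches:", pids)     # [987]
```

On a live device, pass `os.listdir` as the listing function and build `ProcessRecord`s from `/proc/<pid>/comm` and `os.readlink("/proc/<pid>/exe")`; a hit on either check is a reason to pull the firmware image and inspect the file the `exe` link points to, not proof of infection by itself.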
7. Improved Spreading Mechanism
   • Remaiten improves the spreading mechanism by carrying downloader executables for CPU architectures such as ARM and MIPS
   • A downloader's purpose is to download additional (usually malicious) software onto an infected system and execute it
   • The downloader's job is to request the architecture-appropriate bot binary from the bot's C&C server

8. Downloader Technical Analysis
   • When a downloader is executed on the victim's device, it determines the device's architecture, connects to the bot's C&C server and sends commands based on the architecture
   • The C&C will respond with a bot binary for the requested architecture
   (Figures: Downloader connecting to C&C; Downloader requesting a bot binary from the C&C)

9. BOT Analysis
   • When executed, the BOT runs in the background
   • The process changes its name to something legitimate
   (Figure: BOT startup)

10. Connecting to C&C
   • There is a list of C&C servers hardcoded in the bot binaries. One is chosen at random and the bot connects to it on a hardcoded port.
   (Figure: BOT connecting to C&C server)

11. Connecting to C&C
   • If it successfully reaches the C&C server, the bot then checks in on the IRC channel
   • The C&C should reply with a welcome message and further instructions that will be executed by the bot on the infected device
   (Figure: C&C bot welcome message)

12. IRC command handling
   • The bot can respond to various general IRC commands
   • The command "PRIVMSG" is one of them; it is used to instruct the bot to perform its various malicious actions such as flooding, downloading files, telnet scanning, etc.
   (Figures: IRC commands; Available BOT commands)
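Slides 10 to 12 describe the C&C exchange from the network's point of view: the device opens an outbound TCP session to a hardcoded address and port, registers as an IRC client, joins a channel, and then receives PRIVMSG lines carrying bot commands (the slides name "QTELNET" as one of them). A consumer router has no reason to be an IRC client, so that pattern is a usable detection on its own. The Python detector below is an added example, not code from the presentation or from ESET; the flow records, the port, the channel name and the PRIVMSG text are constructed, and in practice the payload bytes would come from a sensor that records the start of each new outbound connection.

```python
"""Network-side detection of the IRC C&C check-in described on slides 10-12.

Added example, not the presentation's or ESET's code. The Flow records are
constructed; on a real network they would be built from captured traffic."""

import re
from dataclasses import dataclass, field
from typing import List, Tuple

# IRC client registration / channel join, one command per CRLF-terminated line.
IRC_CLIENT_CMD = re.compile(rb"^(NICK|USER|JOIN|PONG)\b", re.MULTILINE)
# A PRIVMSG line as relayed by the server: optional ":prefix", target, ":body".
IRC_PRIVMSG = re.compile(rb"^(?::\S+\s+)?PRIVMSG\s+(\S+)\s+:(.*)$", re.MULTILINE)
# Command verbs known from the slides; extend from your own analysis.
KNOWN_BOT_COMMANDS = {b"QTELNET"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_payload: bytes          # first bytes the device sent
    server_payload: bytes = b""    # first bytes sent back (the "welcome message")


@dataclass
class Finding:
    flow: Flow
    reasons: List[str] = field(default_factory=list)


def irc_registration_seen(payload: bytes) -> bool:
    """True when the client side looks like an IRC registration or join."""
    cmds = {m.group(1) for m in IRC_CLIENT_CMD.finditer(payload)}
    # A real client always sends NICK and USER; a bare JOIN is a weaker signal.
    return {b"NICK", b"USER"} <= cmds or b"JOIN" in cmds


def privmsg_commands(payload: bytes) -> List[bytes]:
    """Return the first word of each PRIVMSG body, normalised as a command verb."""
    verbs = []
    for m in IRC_PRIVMSG.finditer(payload):
        body = m.group(2).strip()
        if body:
            verbs.append(body.split()[0].upper().lstrip(b"!."))
    return verbs


def analyse(flows: List[Flow]) -> List[Finding]:
    """Score each flow; any IRC registration from a router is reported."""
    findings = []
    for f in flows:
        reasons = []
        if irc_registration_seen(f.client_payload):
            reasons.append(f"IRC client registration to {f.dst}:{f.dport}")
            if f.dport not in (6667, 6697):
                reasons.append("IRC on non-standard port")
        hits = KNOWN_BOT_COMMANDS & set(privmsg_commands(f.server_payload))
        if hits:
            reasons.append("known bot command in PRIVMSG: "
                           + ", ".join(sorted(h.decode() for h in hits)))
        if reasons:
            findings.append(Finding(f, reasons))
    return findings


# --- constructed sample traffic from a router's management address ----------
SAMPLE_FLOWS = [
    # Ordinary firmware-update check: no IRC, no finding expected.
    Flow("192.168.1.1", "198.51.100.4", 80,
         b"GET /fw/check HTTP/1.1\r\nHost: updates.example\r\nUser-Agent: rtr\r\n\r\n",
         b"HTTP/1.1 200 OK\r\n"),
    # Constructed bot check-in on an arbitrary hardcoded port.
    Flow("192.168.1.1", "203.0.113.9", 5050,
         b"NICK rtr-9c2a\r\nUSER rtr 8 * :rtr\r\nJOIN #chan\r\n",
         b":irc.example 001 rtr-9c2a :Welcome\r\n:op!u@h PRIVMSG #chan :!QTELNET\r\n"),
]


def run_demo() -> List[Tuple[str, int, List[str]]]:
    """Analyse the constructed flows and return (dst, dport, reasons) per finding."""
    return [(fd.flow.dst, fd.flow.dport, fd.reasons) for fd in analyse(SAMPLE_FLOWS)]


if __name__ == "__main__":
    for dst, dport, reasons in run_demo():
        print(f"{dst}:{dport}")
        for r in reasons:
            print("  -", r)
```

Registration on a standard IRC port is still reported, only with one reason fewer: the suspicious part is the router talking IRC at all, and the hardcoded port in a given sample is unknown to the defender in advance.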
13. IRC command handling
   (Figures: Flooding capabilities; Telnet Scanning)

14. Embedded downloader
   • Remaiten is unique in that it carries multiple small downloaders and can upload them to the victim device if its architecture matches one of the available downloaders
   • When executed, the downloader will request a bot binary from the C&C server
   (Figure: Embedded payload)

15. Embedded downloader
   • The architecture is discovered by executing the command "cat $shell" on the victim device
   (Figures: Discover victim's platform; List of directories where the downloader might be saved)

16. Telnet Scanner
   • Remaiten's telnet scanner starts when the C&C server issues the command "QTELNET"
   • It is indeed an improved version of Gafgyt's telnet scanner
   • The architecture is discovered by executing "cat $shell" on the victim's device
   (Figure: Guessing telnet login credentials)

17. Send status to C&C
   • Before resuming the telnet scanning, the bot informs the C&C server of its progress
   • It sends the new victim device's IP address and the successful username and password pair
   (Figure: Inform C&C about bot deployment status)

18. (Diagram slide)
   • "Gafgyt" is known for telnet scanning
   • "Tsunami" is mainly used for DDoS attacks
   • "Remaiten" is the combination of the previously spotted malware Tsunami and Gafgyt
   • "Remaiten" carries a downloader that tries to determine the device's platform so that it drops only the appropriate downloader
   • The downloader executes the appropriate bot binary on the victim device and makes it part of the botnet
   • "Remaiten" enjoys new features

19. Attack Reasons!
   There are specific issues concerning network devices:
   • Weak default passwords / no password change enforcement
   • Firmware vulnerabilities and service implementation errors
   • Insecure default configuration
   • Lack of user and vendor awareness
   • Administrative services exposed to the internet

20. Why is malware for network devices a major issue?
   • Stealth: installing malware on a router instead of on a PC or Mac means that it will not be detected by contemporary desktop antivirus solutions
   • Easy Access: with lots of vulnerabilities and a lack of awareness among most users, network devices are just what the cybercriminals have been looking for
   • Constant Access: routers usually run all the time and are rarely rebooted or powered down
   • Constant Control: an attacker can transparently monitor all the traffic on a network and search for packets containing sensitive information

21. How does malware treat routers?
   Malware "Remaiten" has no noticeable effect and runs on routers undetected, as a legitimate process
   1. It compromises the router and makes it part of a botnet
   2. It does not advertise its presence in the system
   3. It can surreptitiously infiltrate the system and keep its operation intact
   4. It can hide itself in the system and secretly do its thing

22. A device being part of a botnet!
   • Devices that are part of a botnet are no longer under the legitimate user's control
   • The attacker easily gets the device's login credentials along with its configuration
   • Attackers can use all machines in a botnet to launch DDoS against a targeted victim
   • Attackers can change the DNS settings, redirecting users to malicious sites to get personal information
   • Bot herders can also sell the use of 'their' botnets to others who want to perform these activities

23. What can be done!
   Malware usually targets improperly secured devices
   • Ensure strong passwords are used
   • Check security settings and update firmware regularly
   • Vendors should implement randomly generated default passwords
   • Place emphasis on firmware vulnerabilities
   • Disable administrative ports like telnet and ssh on the internet side

24. What can be done!
   • Disable hidden admin accounts from the vendor
   • Do not expose blacklisted ports to the outside
   • Do not rely on the device's default settings
   • Awareness among users and vendors
   • Perform quarterly security audits
   • Enforce installation of security updates
   • R&D team for malware analysis
   • Schedule backups and save data
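Two of the items on slides 23 and 24 can be turned into a repeatable check rather than a reminder: whether administrative services (telnet, ssh, the web UI) are listening on the WAN side, and whether the password a vendor ships per device is random rather than a shared default. The Python audit below is an added example, not material from the presentation; the netstat listing and the WAN address are constructed, and the set of ports treated as administrative (including 7547, the TR-069/CWMP port many ISP routers expose) is an assumption for the demo.

```python
"""Exposure audit for two "What can be done" items: admin services reachable
from the WAN, and per-device passwords that are random rather than default.

Added example, not the presentation's own material. The netstat output and
the WAN address are constructed; the admin port list is an assumption."""

import secrets
import string
from typing import Dict, List, Set, Tuple

# Ports regarded as administrative (ASSUMPTION): telnet, ssh, HTTP/HTTPS UI,
# and the TR-069/CWMP management port.
ADMIN_PORTS: Dict[int, str] = {23: "telnet", 22: "ssh", 80: "http",
                               443: "https", 7547: "cwmp"}
WILDCARDS: Set[str] = {"0.0.0.0", "::", "*"}


def parse_listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Parse `netstat -ltn` (Linux/BusyBox column layout) into (bind_address, port)."""
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[-1] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")   # handles "::" IPv6 binds
        listeners.append((host, int(port)))
    return listeners


def wan_exposed(listeners: List[Tuple[str, int]], wan_addresses: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (port, service, bind) for admin services reachable from the WAN:
    bound to a wildcard or explicitly to a WAN address. A wildcard bind is
    exposed unless a firewall rule blocks it, so report it and verify the
    filter separately."""
    findings = []
    for host, port in listeners:
        if port in ADMIN_PORTS and (host in WILDCARDS or host in wan_addresses):
            findings.append((port, ADMIN_PORTS[port], host))
    return sorted(findings)


def audit(netstat_output: str, wan_addresses: Set[str]) -> List[Tuple[int, str, str]]:
    return wan_exposed(parse_listeners(netstat_output), wan_addresses)


def password_acceptable(password: str, username: str, min_length: int = 12) -> bool:
    """Minimal policy: long enough, not the username, at least two character classes."""
    if len(password) < min_length or password.lower() == username.lower():
        return False
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password)]
    return sum(classes) >= 2


def per_device_password(length: int = 16) -> str:
    """Random default password for a vendor to print on each unit's label,
    drawn from the OS CSPRNG and re-drawn until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_acceptable(candidate, ""):
            return candidate


# --- constructed sample: a router with its WAN address on 203.0.113.7 -------
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:7547        0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
"""
SAMPLE_WAN = {"203.0.113.7"}


if __name__ == "__main__":
    for port, service, bind in audit(SAMPLE_NETSTAT, SAMPLE_WAN):
        print(f"WAN-exposed {service} on port {port} (bound to {bind})")
    print("example label password:", per_device_password())
```

In the sample, the web UI bound only to the LAN address is not reported, while telnet and ssh on wildcard binds and CWMP bound to the WAN address are; each reported line maps to a slide-23/24 action (disable the service on the internet side, or restrict the bind address and confirm the firewall rule).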
25. What does the future hold?
   All malware evolves and multiplies. Here are some predictions made by security experts:
   • Attacks on proprietary operating systems from major vendors: not every device runs a Linux based OS
   • Constantly updated malware: cybercriminals may create malware that doesn't disappear after a reboot

26. What does the future hold?
   • Malware re-infects PCs: malware containing code for different router platforms, or code that re-infects PCs connected to a router
   • Hijacking software update services: so that instead of security patches and software updates, malware is downloaded and installed

27. Conclusion
   • We do not always need technology to secure our network
   • We have to learn to use our background knowledge
   • Information Security awareness is a necessity
   • Trust your own people
   • Do not expect the usual always
   • Expect the unexpected
   • Stay safe and stay updated

28. Thank You