
Vivisection: anatomy of a router-based botnet

Obtain internet traffic, prepare infrastructure for exploits and a dropzone, rent "bulletproof" hosting, encrypt the malicious binary so that most antivirus products cannot detect it, build advanced command protocols, launch a C2 and constantly hide behind several combined layers of VPN, SSH and proxies, all just to stay safe. A lot of work! If you want to build your own botnet, sooner or later you will have to deal with all of this. But what if there is an easier way?



  1. Live dissection: anatomy of router based botnet. Ilya Nesterov, Maxim Goncharov (c) 2017
  2. Who we are? Ilya Nesterov, Max Goncharov
  3. We have presented on PHDays '13
  4. What do you need to build a botnet?
  5. What if?
  6. What if... you know the weak point?
  7. Billions of HTTP requests
  8. Looking into the traffic
  9. (no text on slide)
  10. WTF? All the same SSH keys?
  11. Apricot Botnet 37.252.[ ].[ ]
  12. Honey Pot. The need for a honeypot! Use the same key pair; use similar geolocation; find a cheap VPS
  13. The device
  14. The device
  15. The device
  16. Honey Pot: traffic source
  17. Honey Pot: traffic destination
  18. Honey Pot: target IPs and ports
  19. Honey Pot
  20. Connections from MIRAI infrastructure
  21. How about more fun?
  22. More attacks
  23. Let's find out something. PSV-2016-0256: Command Injection in WNR2000v5 - N300 WiFi Router.
  24. Wait! But how did we miss this? CVE-2016-10174, CVE-2016-10175, and CVE-2016-10176. Affects: WNR2000v5, WNR2000v4, WNR2000v3
  25. Wait! But how did we miss this? Affects: R6250, R6400, R6700, R6900, R7000, R7100LG, R7300DST, R7900, R8000, D6220, D6400
  26. So what? "This vulnerability occurs when an attacker has access to the internal network or when remote management is enabled on the router. Remote management is turned off by default, so a user must have affirmatively turned on remote management through advanced settings for the router to be vulnerable in this manner."
  27. Just go to Shodan
  28. Netgear results
  29. Netgear results
  30. Netgear results
  31. Netgear results: 131 (1.7%) use the latest FW, but with default credentials
  32. MikroTik
  33. Vault 7: CIA Hacking Tools Revealed, March 7th, 2017
  34. MikroTik, "UPDATE 2: v6.38.5 and 6.39rc49 have been released, this version fixes the vulnerabilities outlined in the above documents, and cleans any files installed by the tools described." (Statement on Vault 7 document release)
  35. MikroTik
  36. Why is this a problem? NETGEAR R8XXX
  37. Why is this a problem? NETGEAR WNR2000, NETGEAR R8XXX
  38. Why is this a problem? NETGEAR WNR2000, NETGEAR R6XXX, NETGEAR R8XXX
  39. Why is this a problem? NETGEAR WNR2000, NETGEAR R6XXX, NETGEAR R7XXX, NETGEAR R8XXX
  40. Why is this a problem? NETGEAR WNR2000, NETGEAR R6XXX, NETGEAR R7XXX, NETGEAR R8XXX, MikroTik
  41. Why is this a problem? NETGEAR WNR2000, NETGEAR R6XXX, NETGEAR R7XXX, NETGEAR R8XXX, MikroTik, HACKED-ROUTER-HELP-SOS-HAD-DUPE-PASSWORD
  42. Why is this a problem? NETGEAR WNR2000, NETGEAR R6XXX, NETGEAR R7XXX, NETGEAR R8XXX, MikroTik, HACKED-ROUTER-HELP-SOS-HAD-DUPE-PASSWORD, Basic realm=" Default Name:admin Password:1234 "
  43. Why is this a problem? NETGEAR WNR2000, NETGEAR R6XXX, NETGEAR R7XXX, NETGEAR R8XXX, MikroTik, HACKED-ROUTER-HELP-SOS-HAD-DUPE-PASSWORD, Basic realm=" Default Name:admin Password:1234 "
  44. An Apricot device 37.252.[ ].[ ]
  45. See! They are on the market!
  46. See! They are on the market!
  47. See! They are on the market!
  48. What can we do about it? Educate; make noise; find more vulnerabilities; make a map
  49. Questions?
  50. Thanks!
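The pivot of the talk (slides 10 to 12) is the observation that many unrelated addresses presented the same SSH host key, and slides 41 to 43 list further low-effort indicators such as an HTTP Basic realm that spells out the default password. The following is an added example, not code from the talk or its authors, showing how a defender would triage such observations from a honeypot or scan log: it groups hosts by OpenSSH-style SHA256 fingerprint and flags keys shared across several hosts, and it checks whether a `WWW-Authenticate` realm leaks a credential. The host keys, addresses (RFC 5737 documentation ranges) and the `OBSERVATIONS` list are constructed sample data; the function names are the example's own.

```python
"""Triage of router fleet observations: shared SSH host keys and leaky realms."""
import base64
import hashlib
import re
from collections import defaultdict

# Constructed sample host keys. Real OpenSSH host keys are base64 blobs of
# the wire-format public key; these placeholder bytes stand in for them.
KEY_A = base64.b64encode(b"placeholder host key A").decode()
KEY_B = base64.b64encode(b"placeholder host key B").decode()
KEY_C = base64.b64encode(b"placeholder host key C").decode()

# Constructed observations (ip, base64 host key), the way a honeypot or a
# scanner log would record them. Addresses are documentation ranges only.
OBSERVATIONS = [
    ("192.0.2.10", KEY_A),
    ("192.0.2.11", KEY_A),
    ("192.0.2.12", KEY_A),
    ("198.51.100.9", KEY_B),
    ("203.0.113.5", KEY_B),
    ("203.0.113.44", KEY_C),
    ("192.0.2.10", KEY_A),  # same host seen twice; must not count as two hosts
]


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded key, base64, no padding."""
    raw = base64.b64decode(key_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(observations, min_hosts: int = 2) -> dict:
    """Return {fingerprint: sorted distinct ips} for keys seen on >= min_hosts hosts.

    Every independently provisioned device should have its own host key; one
    key across many addresses points at cloned images or a single operator.
    """
    hosts_by_fp = defaultdict(set)
    for ip, key in observations:
        hosts_by_fp[fingerprint(key)].add(ip)
    return {fp: sorted(ips) for fp, ips in hosts_by_fp.items() if len(ips) >= min_hosts}


REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)
CRED_HINT_RE = re.compile(r"(password|pass|pwd)\s*[:=]", re.IGNORECASE)


def realm_leaks_credentials(www_authenticate: str) -> bool:
    """True when the Basic realm text itself advertises a credential, e.g.
    realm=" Default Name:admin Password:1234 " as shown on slide 42."""
    match = REALM_RE.search(www_authenticate)
    if not match:
        return False
    return bool(CRED_HINT_RE.search(match.group(1)))


def report(observations) -> list:
    """Human-readable cluster summary, largest cluster first."""
    clusters = shared_keys(observations)
    lines = []
    for fp, ips in sorted(clusters.items(), key=lambda kv: -len(kv[1])):
        lines.append(f"{fp} seen on {len(ips)} hosts: {', '.join(ips)}")
    return lines


if __name__ == "__main__":
    for line in report(OBSERVATIONS):
        print(line)
    print(realm_leaks_credentials('Basic realm=" Default Name:admin Password:1234 "'))
```

Run over real data, feed `shared_keys` the `(ip, key)` pairs your own scanner or honeypot recorded; a cluster size of three is already suspicious for devices that should have been provisioned independently, and the realm check is a cheap signal to prioritise which of your own exposed management interfaces to fix first.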
