The document discusses security threats to IoT devices that use embedded Linux operating systems. It provides background on IoT and common embedded Linux systems like home routers and NAS devices. It then analyzes specific malware strains like Aidra, Darlloz, Psybot, and Gafgyt that have targeted vulnerabilities in these systems to carry out DDoS attacks, mine cryptocurrencies, and compromise users' privacy. Key exploitation methods and impacted device models are mentioned.

1. 임베디드 리눅스 악성코드로 본
사물인터넷 보안
2015.04.08
안랩 시큐리티대응센터(ASEC) 분석팀
차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7) 책임 연구원

2. © AhnLab, Inc. All rights reserved. 2
:~$apropos
• IoT
• EmbeddedLinux
• Home Network Devices
• 주요 EmbeddedLinux악성코드

3. © AhnLab, Inc. All rights reserved. 3
:~$whoami
Profile
− 차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7)
− 1988년 1월 7일 : Apple ][+ 복제품으로 컴퓨터 시작
− 1989년 : Brain virus 변형 감염
− 1997년 : AhnLab 입사
− AhnLab 책임 연구원 (Senior Antivirus Researcher)
− 시큐리티 대응센터(ASEC) 분석팀에서
악성코드 분석 및 연구 중
- 민간합동 조사단, 사이버보안 전문단
- AVED, AMTSO, vforum 멤버
- Wildlist Reporter

4. Contents
01
02
03
04
05
IoT 그리고 Embedded Linux
Home Network
Threat
주요 악성코드
맺음말

5. 01
IoT 그리고 Embedded Linux

6. © AhnLab, Inc. All rights reserved. 6
IoT (Internet of Things)
• IoT
- 사람과사물,사물과사물간정보를상호소통하는지능형기술및서비스
* Source:http://en.wikipedia.org/wiki/Internet_of_Things

7. © AhnLab, Inc. All rights reserved. 7
IoT (Internet of Things)
• 활용 분야
-
* Source:http://www.kpcb.com/blog/how-kleiner-perkins-invests-in-the-internet-of-things-picking-the-winners

8. © AhnLab, Inc. All rights reserved.
IoT (Internet of Things)
OS
Embedded
Linux
Windows
Android iOS
Contiki
Tizen
Riot
mbed

9. © AhnLab, Inc. All rights reserved. 9
IoT (Internet of Things)
• EmbeddedLinux
-
* Source:http://en.wikipedia.org/wiki/Linux_on_embedded_systems

10. © AhnLab, Inc. All rights reserved. 10
IoT (Internet of Things)
• EmbeddedLinux
- settopbox,Homerouter,NAS등
* Source:https://www.synology.com/ko-kr/products/

11. 02
Home Network

12. © AhnLab, Inc. All rights reserved. 12
Home Network
• Home Router
- 인터넷공유기,Wi-FiRouter,WirelessRouter
* Source:http://en.wikipedia.org/wiki/Wireless_router

13. © AhnLab, Inc. All rights reserved. 13
Home Network
Home Router
• Specification
- MIPS
-EmbeddedLinux
* Source:http://www.iptime.co.kr&http://www.netcheif.com/Reviews/BR-6478AC/PDF/8197D.pdf

14. © AhnLab, Inc. All rights reserved. 14
Home Network
Network Attached Storage (NAS)
• Specification
- ARM,Intel등
-EmbeddedLinux
* Source:https://www.qnap.com/i/en/product/model.php?II=122&event=2

15. © AhnLab, Inc. All rights reserved. 15
Home Network
Embedded Linux
• Busybox
- 주요Linux명령어를하나의파일에담음
* Source:http://www.busybox.net/

16. © AhnLab, Inc. All rights reserved. 16
Home Network
Home Router
• Login
- 공장출시기본Login/password

17. © AhnLab, Inc. All rights reserved. 17
Home Network
Home Router
• BusyBox
-

18. © AhnLab, Inc. All rights reserved. 18
Home Network
Home Router
• cpuinfo
-

19. © AhnLab, Inc. All rights reserved. 19
Home Network
•
* Source:

20. 03
Threat

21. © AhnLab, Inc. All rights reserved. 21
Threat
TV 드라마
• 해킹을 통한 살인
- 말기암환자가 자동차,POS,엘리베이터를해킹해살해시도
* Source:CSI NewyorkSeason6Episode2(2009)

22. © AhnLab, Inc. All rights reserved. 22
Threat
TV 드라마
• CSI Cyber
-
* Source:CSI CyberSeason1Episode1(2015)

23. © AhnLab, Inc. All rights reserved. 23
Threat
사생활 침해 및 정보 유출
훔쳐 보기
개인 정보 유출
설정 변경/데이터 조작
광고 노출
내부/통신 데이터 조작
의료 기기는 큰 문제
Backdoor
주로 디버깅 목적
의도적으로 포함한다면 ?
악성코드
DDoS 공격
광고 노출/변경, 피싱 사이트 유도
Bitcoin 채굴 등
보안 위협

24. © AhnLab, Inc. All rights reserved. 24
Threat
사생활 침해 및 정보 유출
• 사생활 침해
- 도둑질에도악용가능
* Sourcehttp://abcnews.go.com/blogs/headlines/2013/08/baby-monitor-hacking-alarms-houston-parents/

25. © AhnLab, Inc. All rights reserved. 25
Threat
사생활 침해 및 정보 유출
• 사생활 침해
-도둑질에도이용가능
* Source:https://blogs.rsa.com/wp-content/uploads/2014/12/point-of-sale-malware-backoff.pdf

26. © AhnLab, Inc. All rights reserved. 26
Threat
사생활 침해 및 정보 유출
• 사생활 침해
-Babymonitors,CCTVcameras,webcams
* Source:http://www.independent.co.uk/life-style/gadgets-and-tech/baby-monitors-cctv-cameras-and-webcams-from-uk-homes-and-businesses-
hacked-and-uploaded-onto-russian-website-9871830.htmlparents/

27. © AhnLab, Inc. All rights reserved. 27
Threat
설정 변경 및 데이터 조작
• 인터넷 공유기 DNS 주소 변경
- 인터넷공유기보안취약점이용해DNS주소변경해유명사이트접속할때가짜웹사이트유도

28. © AhnLab, Inc. All rights reserved. 28
Threat
설정 변경 및 데이터 조작
• 인터넷 공유기 DNS 주소 변경
- 인터넷공유기허점이용해악성코드감염시도
* source:http://www.krcert.or.kr/kor/data/secNoticeView.jsp?p_bulletin_writing_sequence=20950

29. © AhnLab, Inc. All rights reserved. 29
Threat
설정 변경 및 데이터 조작
• Sality
- Salityvirus가primaryDNS변경하는Rbrute설치
* Source:http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute29

30. © AhnLab, Inc. All rights reserved. 30
Threat
설정 변경 및 데이터 조작
• Ad-Fraud
- DNS설정변경해다른광고보여줌
* Source:http://aralabs.com/blog/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics/

31. © AhnLab, Inc. All rights reserved. 31
Threat
설정 변경 및 데이터 조작
• sinology사의 NAS취약점 공격
- DSM4.3-3810orearlier취약점이용해내부보관파일암호화후돈요구ransomware등장
* source:http://www.synology.com/en-us/company/news/article/470

32. © AhnLab, Inc. All rights reserved. 32
Threat
악성코드
• Home Router이용한 DDoS공격
-2014년11월과12월LizardSquad의Microsoft’sXboxlive,SonyPlayStationNetwork공격
* Source:http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers

33. © AhnLab, Inc. All rights reserved. 33
Threat
악성코드
• LizardStresser
-HomeRouter를악성코드감염시켜DDoS공격에활용
-49.99$,299.99$,1139.99$
* Source:http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/

34. © AhnLab, Inc. All rights reserved. 34
Threat
Vulnerability
• MisfortuneCookie (CVE-2014-9222)
- SOHOrouter취약점
* Source:http://mis.fortunecook.ie/

35. 04
주요 악성코드

36. © AhnLab, Inc. All rights reserved.
Timeline
2009
Aidra
Gafgyt
(Fgt)
Uteltend(Knb,
Chuck Norris)
2010 20122008 2013 2014 2015
Darlloz
Uteltend(Knb,
Chuck Norris 2)Psybot Themoon Moose
Baswool
2011
Hydra
Shellshock
QnapNAS
worm

37. © AhnLab, Inc. All rights reserved. 37
Hydra
• Hydra
-2011년4월공개된IRCbot
-2008년부터undergroundforums에서존재
-D-Link장비취약점이용
* Source:http://baume.id.au/psyb0t/PSYB0T.pdf

38. © AhnLab, Inc. All rights reserved. 38
Psybot
• Psybot
- 2009년1월TerryBaume발견
* Source:http://baume.id.au/psyb0t/PSYB0T.pdf

39. © AhnLab, Inc. All rights reserved. 39
Psybot
• Psybot
- 첫inthewild.DDoS공격에이용
* Source:http://www.dronebl.org/blog/8

40. © AhnLab, Inc. All rights reserved. 40
Uteltend (Chuck Norris, Knb)
• ChuckNorrisBotnet
-2009년말CzechMasaryk대학에서발견
-MIPSLinuxIRCbot
-TELNETbruteforceattack
* Source:http://www.muni.cz/research/projects/4622/web/chuck_norris._botnet

41. © AhnLab, Inc. All rights reserved. 41
Uteltend (Chuck Norris, Knb)
• ChuckNorrisBotnet
-Sourcecode내이탈리아어‘[R]angerKillato:innomediChuckNorris!’존재
-knb-mipsUPX해제하면‘KnbKeepnickbot0.2.2’문자열존재

42. © AhnLab, Inc. All rights reserved. 42
Uteltend (Chuck Norris, Knb)
• 파일 구성
- 설정파일
- IRCBot+DDoS공격도구
-password

43. © AhnLab, Inc. All rights reserved. 43
Aidra (Lightaidra)
• 악성 IRCbot
- 2012년2월발견.국내에도감염보고
-DDoS공격
* Source:http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/

44. © AhnLab, Inc. All rights reserved. 44
Aidra (Lightaidra)
getbinaries.sh /
gb.sh
ARM MIPS MIPSEL
Power
PC
SuperH script

45. © AhnLab, Inc. All rights reserved. 45
Aidra (Lightaidra)
• Aidravs Darlloz
- 경쟁관계인Darlloz제거기능 추가
* Source:http://now.avg.com/war-of-the-worms/

46. © AhnLab, Inc. All rights reserved. 46
Darlloz (Zollard)
• Darlloz
-2013년10월발견된InternetofThings감염worm
-x86,MIPS,ARM,PowerPC감염
-가상화폐채굴기능추가
* source:http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency

47. © AhnLab, Inc. All rights reserved. 47
Darlloz (Zollard)
• 감염
-전세계31,000대시스템감염추정
-국내시스템이전체감염중17%차지
* source:http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency

48. © AhnLab, Inc. All rights reserved.
Darlloz (Zollard)
script
armeabi
arm
Power PC
MIPS
mipsel
x86

49. © AhnLab, Inc. All rights reserved. 49
Darlloz (Zollard)
• Darlloz
-PHP취약점php-cgiInformationDisclosureVulnerability(CVE-2012-1823)이용
-router,set-topboxes암호추측:dreambox,vizxv,stemroot,sysadmin,superuser,1234,12345,1111,smcadmin

50. © AhnLab, Inc. All rights reserved. 50
Darlloz (Zollard)
• Darlloz
- 시스템에맞는cpuminer 다운로드후설치해Mincoins,Dogecoins,Bitcoins등가상화폐채굴

51. © AhnLab, Inc. All rights reserved. 51
Themoon
• Themoon
- 2014년2월13일발견
-LinksysHomerouter취약점이용해감염
* Source:https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633

52. © AhnLab, Inc. All rights reserved. 52
Themoon
• Themoon
- Strings

53. © AhnLab, Inc. All rights reserved. 53
Themoon
• Themoon
- 포함된PNG이미지

54. © AhnLab, Inc. All rights reserved. 54
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB,Fgt)
-최소2014년8월부터존재
-2014년9월Shellshock(CVE-2014-6271)취약점이용해퍼지기도함
-HomeRouter,NAS등감염
-2014년말LizardSquad에서XboxLive와PlayStationNetworkDDoS공격에이용해유명해짐
-2015년1월Sourcecode공개되어변종발생중

55. © AhnLab, Inc. All rights reserved. 55
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB,Fgt)
- TrendMicro에서BusyBox이용한Bashlite로소개
* Source:http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox&
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987

56. © AhnLab, Inc. All rights reserved. 56
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB,Fgt)
- Dr.Web정보공개
* Source:https://news.drweb.com/show/?i=7092&lng=en

57. © AhnLab, Inc. All rights reserved. 57
Gafgyt (Bashlite.SMB, Fgt)
• SourceCode 공개
-server,client모두공개

58. © AhnLab, Inc. All rights reserved. 58
Gafgyt (Bashlite.SMB, Fgt)
• 기능
* Source:http://vms.drweb.com/virus/?i=4242198

59. © AhnLab, Inc. All rights reserved. 59
Gafgyt (Bashlite.SMB, Fgt)
• bin.sh
* Source:http://vms.drweb.com/virus/?i=4242198

60. © AhnLab, Inc. All rights reserved. 60
Moose
• Moose
- 최소2014년10월부터활동시작한BitCoin채굴
-ARM,MIPS버전존재
-국내HomeRouter에서도발견

61. © AhnLab, Inc. All rights reserved. 61
Baswool
• Baswool
- 2014년11월국내발견확인
-Bashwoop(Powbot)과유사

62. © AhnLab, Inc. All rights reserved. 62
Baswool
• 변형
- Virustotal에2014년12월9일최초접수
-주요문자열암호화
* md5:331596b415ce2228e596cda400d8bfd2

63. 05
맺음말

64. © AhnLab, Inc. All rights reserved. 64
Wrap up
• 악성코드
- 2008년이전부터공격이진행중이었지만우리는너무몰랐네…
-유명악성코드의SourceCode공개로다양한변종출현예상
-EmbeddedLinux외다른OS에도악성코드등장예상
-사물인터넷시대에는컴퓨터악성코드보다더문제될수있음
• Challenge!
- ARM,MIPS…
-EmbeddedLinux
-기기특성
-Hardwaredebugging등

65. © AhnLab, Inc. All rights reserved.
현재 문제점
Antivirus 부재
• Antivirus를 포함한 별다른
보안 프로그램 없음
• 특성상 백신 및 전용 백신
배포 어려움
• 현재 사용자가 직접 설치해
야 함
악성코드 제거
• 재부팅(하지만 재감염) 혹은
수동 제거
• 가정 방문해 제거 ?!
Firmware Update
• 사용자가 직접 업데이트
• 얼마나 많은 사람이
Firmware Update 를 ?
• 자동 firmware update ?
• 제조 업체의 보안 ?

66. © AhnLab, Inc. All rights reserved.
예방
예방
Loinpassword
변경
최신
Firmware
Update
설정 변경
(외부 접근 금지
등)

67. © AhnLab, Inc. All rights reserved. 67
정부 대책
• 미래부 인터넷 공유기 보안 강화 발표
-2015년6월:인터넷공유기의실시간모니터링시스템구축
-2015년7월:공유기보안업데이트체계구축·운영
* Source:http://www.ddaily.co.kr/news/article.html?no=127945

68. © AhnLab, Inc. All rights reserved. 68
현실
• Smart Home 분석
-온도조절장치,스마트잠금장치,스마트전구,스마트연기감지기,스마트에너지관리기기,스마트허브등50가
지분석
* Source:http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom

69. © AhnLab, Inc. All rights reserved. 69
현실
• 계속 발견되는 취약점
-
* Source:https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2

70. © AhnLab, Inc. All rights reserved. 70
현실
• 계속 발견되는 취약점
-
* Source:https://beyondbinary.io/advisory/seagate-nas-rce

71. © AhnLab, Inc. All rights reserved. 71
현실
• 편리하면 좋지 그런데 보안은 ?!
-
* Source:http://www.fnnews.com/news/201503271743343137

72. © AhnLab, Inc. All rights reserved. 72
현실
• 다가오는 IoT시대 편리하면 좋지 그런데 보안은 ?!
-
* Source:google
Security

73. © AhnLab, Inc. All rights reserved. 73
현재의 보안 문제
• Not reallya fair fight
* source:http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png

74. © AhnLab, Inc. All rights reserved. 74
현재의 보안 문제
• 모두가 함께 해야 하는 보안
* source:http://www.security-marathon.be/?p=1786

75. © AhnLab, Inc. All rights reserved. 75
Q&A
email : minseok.cha@ahnlab.com / mstoned7@gmail.com
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7

76. © AhnLab, Inc. All rights reserved. 76
Reference
• Marta Janus/Kaspersky,‘Headsof the Hydra. Malwarefor Network Devices’, 2011
(http://securelist.com/analysis/36396/heads-of-the-hydra-malware-for-network-
devices/?replyto=15081&tree=0)
• Marta Janus/Kaspersky,‘Stateof play: network devicesfacingbulls-eye’,2014
(http://securelist.com/blog/research/67794/state-of-play-network-devices-facing-bulls-eye)
• 손기종/공유기 공격 사례를 통한 사물인터넷 기기 보안 위협, 2015
• 장영준/Samsung(Personal Communication)
• 류소준 (Ryu Sojun)/KISA(Personal Communication)
• 신동은 (ShinDongeun)/KISA(PersonalCommunication)
• 조인중 (Cho Injoong)/SKBroadband(PersonalCommunication)
• ganachoco(PersonalCommunication)

77. D E S I G N Y O U R S E C U R I T Y