IoDDoS The Internet of Distributed Denial of Service Attacks A - - PowerPoint PPT Presentation



SLIDE 1

DISTRIBUTION STATEMENT A: Distribution Unlimited

SPAWAR SYSTEMS CENTER PACIFIC

IoDDoS – The Internet of Distributed Denial of Service Attacks

A Case Study of the Mirai Malware and IoT-Based Botnets

24-26 April, 2017

Presented at the 2nd International Conference on Internet of Things, Big Data and Security (IoTBDS 2017) in Porto, Portugal

Presented by Roger Hallman, Cybersecurity Research Scientist
Cybersecurity Science & Technology Branch
Email: roger.hallman@navy.mil

SLIDE 2

SPAWAR Systems Center Pacific

• Point Loma, San Diego, California, USA
• The Department of the Navy’s premier laboratory for Command, Control, Communication, Cyber, Intelligence, Surveillance, and Reconnaissance (C4ISR)
  – 4,840 Personnel | 2,254 Scientists and Engineers
    • 187 PhDs | 1,322 Masters
  – ~3.2% Hire Rate in 2016
    • ~2,700 Applicants for 86 Positions
• SPAWAR has a rich technical history
  – ARPAnet node 3
  – Supported DARPA’s ‘Personalized Assistant that Learns’ (PAL) Program, which developed many of the AI technologies now found on mobile phones and tablets
  – A top generator of patents and license agreements
    • 131 Invention Disclosures and 62 Patents Issued in 2016
  – Prolific Publishers
    • 176 Journal Articles and 232 Conference Papers in 2016
SLIDE 3

Record Breaking DDoS Attacks in 2016

• 18 September – OVH | French Webhost – Spikes of 1.1 TBps
• 20 September – Krebs on Security | Cybersecurity Blog – 620 GBps
• 21 October – Dyn | Domain Name System (DNS) Provider – 1.2 TBps
• 2 November – Liberian Internet Infrastructure – 500 GBps

SLIDE 4

The Internet of Things (IoT) Ecosystem

• The Internet of Things (IoT) is a platform and a phenomenon that allows everything to process information, communicate data, and analyze context collaboratively in the service of individuals, organizations, or businesses:
  – Sensors embedded in Internet-connected ‘things’ (physical or virtual) distributed throughout an environment that provide real-world data for processing.
• Environments:
  – The Smart Home
  – Industrial Internet
• Explosive Growth:
  – >40 Billion IoT Devices in use by 2019.
  – Rush to Market to Satisfy Demand Leads to Security Concerns.

SLIDE 5

IoT Vulnerabilities and Attack Vectors

Vulnerability: Insecure Interfaces
  Attack vector: Weak credentials, capture of plain-text credentials, insecure password recovery systems, enumerated accounts, and lack of transport encryption may be used to access data or controls.

Vulnerability: Insufficient Authentication and Authorization
  Attack vector: Weak passwords, insecure password recovery mechanisms, poorly protected credentials, and lack of granular access control may enable an attacker to access a particular interface.

Vulnerability: Insecure Network Services
  Attack vector: Vulnerable network services may be used to attack a device or bounce an attack off of a device.

Vulnerability: Lack of Transport Encryption / Integrity Verification
  Attack vector: The lack of transport encryption allows an attacker to view data being passed over the network.

Vulnerability: Privacy Concerns
  Attack vector: Insecure interfaces, insufficient authentication, lack of transport encryption, and insecure network services all allow an attacker to access data which is improperly protected and may have been collected unnecessarily.

Vulnerability: Insufficient Security Configurability
  Attack vector: A lack of granular permissions, or a lack of encryption or password options, may allow an attacker to access device data and controls. An attack (malicious, or inadvertent but benign) could come from any device in an IoT system.

Vulnerability: Insecure Software/Firmware
  Attack vector: Update files captured through unencrypted connections may be corrupted, or an attacker may distribute a malicious update by hijacking a DNS server.

Vulnerability: Poor Physical Security
  Attack vector: USB ports, SD cards, and other storage means allow attackers access to device data and operating systems.

SLIDE 6

Botnets

• An organized collection of malware-infected ‘zombie machines’, used for:
  – distributed computing (e.g., mining bitcoins)
  – spam and malware distribution
  – cyber warfare
  – click-fraud scams
  – stealing private information
  – DDoS attacks & DDoS-for-hire
• Typically target Information Technology (IT), but more are targeting Operational Technology (OT)

SLIDE 7

Distributed Denial of Service (DDoS) Attacks

SLIDE 8

DDoS Attack Taxonomy

• Bandwidth Depletion Attacks
  – Flood the victim network with IP traffic to saturate it
    • Seeks to exhaust resources
  – Flood Attacks
    • UDP Flood
    • Ping-of-Death Attacks
  – Amplification Attacks
    • Smurf Attacks
    • Fraggle Attacks
• Resource Depletion Attacks
  – Use network resources so that none are left for legitimate use
    • Seeks to deny critical services
    • Can cause excess energy use, thus affecting physical IoT components
  – Protocol Exploit/Misuse Attacks
    • TCP SYN Flood
    • PUSH + ACK Attacks
  – Malformed Packet Attacks
    • IP Address Attacks
    • IP Packet Options Attacks
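The taxonomy on this slide is also the shape of a simple flow-based detector: each category leaves a different fingerprint in aggregated flow records (half-open SYNs from many sources, PUSH+ACK segments with no handshake, raw UDP packet volume, or replies from echo/chargen reflectors and ICMP echo-replies converging on one victim). The following is an added example, not code from the presentation or from SPAWAR; the flow-record tuple layout, the sample flows and every threshold are constructed assumptions chosen for illustration.

```python
from collections import defaultdict

# UDP echo (7) and chargen (19): the reflector services a Fraggle attack abuses.
REFLECTOR_PORTS = {7, 19}


def make_sample_flows():
    """Constructed flow records (not captured data), one per flow:
    (src_ip, dst_ip, proto, src_port, dst_port, packets, bytes, tcp_flags).
    tcp_flags is "S" for SYN-only, "PA" for PUSH+ACK, "SPA" for a full session,
    "" for plain UDP, or "echo-reply" for ICMP echo replies."""
    flows = []
    # 120 half-open TCP connections from 120 spoofed sources: a SYN flood on the web server.
    for i in range(120):
        flows.append((f"203.0.113.{i + 1}", "10.0.0.5", "tcp", 40000 + i, 80, 1, 60, "S"))
    # 40 chargen reflectors answering with large payloads to the same victim: Fraggle-style amplification.
    for i in range(40):
        flows.append((f"198.51.100.{i + 1}", "10.0.0.5", "udp", 19, 53000 + i, 300, 420000, ""))
    # Benign traffic to other hosts: complete HTTPS sessions and small DNS lookups.
    for i in range(10):
        flows.append((f"192.0.2.{i + 1}", "10.0.0.6", "tcp", 50000 + i, 443, 25, 18000, "SPA"))
        flows.append((f"192.0.2.{i + 1}", "10.0.0.7", "udp", 50100 + i, 53, 2, 190, ""))
    return flows


def classify(flows, syn_min=50, source_min=20, udp_pkt_min=10000, reflector_min=20):
    """Return {dst_ip: [taxonomy labels]} for every destination matching a pattern.
    Thresholds are illustrative assumptions; tune them to the monitored network's baseline."""
    stats = defaultdict(lambda: {"syn_flows": 0, "syn_src": set(), "pa_flows": 0,
                                 "pa_src": set(), "udp_pkts": 0, "reflect_src": set()})
    for src, dst, proto, sport, dport, pkts, nbytes, flags in flows:
        s = stats[dst]
        if proto == "tcp" and flags == "S":                 # SYN never completed: half-open
            s["syn_flows"] += 1
            s["syn_src"].add(src)
        elif proto == "tcp" and flags == "PA":              # PUSH+ACK with no handshake
            s["pa_flows"] += 1
            s["pa_src"].add(src)
        elif proto == "udp" and sport in REFLECTOR_PORTS:   # replies from echo/chargen reflectors
            s["reflect_src"].add(src)
        elif proto == "udp":                                # everything else counts toward raw UDP volume
            s["udp_pkts"] += pkts
        elif proto == "icmp" and flags == "echo-reply":     # Smurf: broadcast-amplified echo replies
            s["reflect_src"].add(src)

    verdicts = {}
    for dst, s in stats.items():
        labels = []
        if s["syn_flows"] >= syn_min and len(s["syn_src"]) >= source_min:
            labels.append("Resource Depletion / Protocol Exploit: TCP SYN Flood")
        if s["pa_flows"] >= syn_min and len(s["pa_src"]) >= source_min:
            labels.append("Resource Depletion / Protocol Exploit: PUSH + ACK Attack")
        if s["udp_pkts"] >= udp_pkt_min:
            labels.append("Bandwidth Depletion / Flood: UDP Flood")
        if len(s["reflect_src"]) >= reflector_min:
            labels.append("Bandwidth Depletion / Amplification: Smurf or Fraggle")
        if labels:
            verdicts[dst] = sorted(labels)
    return verdicts


if __name__ == "__main__":
    for victim, labels in classify(make_sample_flows()).items():
        print(victim)
        for label in labels:
            print("  ", label)
```

Only destinations that cross a threshold appear in the result, so the benign HTTPS and DNS traffic to 10.0.0.6 and 10.0.0.7 produces nothing while 10.0.0.5 is tagged with both the SYN flood and the amplification pattern. Malformed-packet attacks (IP address and IP options attacks) are deliberately absent: they need per-packet header inspection, which aggregated flow records do not carry.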
SLIDE 9

Botnets Used in Larger Attacks

• BlackEnergy – First described in 2007
    • Main victims were distributed systems
    • Used for DDoS attacks
  – Allegedly used during the 2008 Russia-Georgia Conflict
  – NATO Headquarters was the victim of a BlackEnergy attack in 2013
  – Integral to the 2015 attack on Ukraine’s power grid
    • New BlackEnergy variant used to illegally enter IT and OT systems
    • KillDisk function – erased processes and corrupted master boot records
    • Not used for DDoS attack
  – Demonstrates the dangers of botnet malware used in a coordinated attack

SLIDE 10

IoT-Based Botnets

• At least eight families of IoT botnet malware in 2015:
  – Zollard Worm – exploits a previously ‘patched’ vulnerability
  – Linux.Aidra – exploits weak username/password combinations
  – XOR.DDoS – opens a back door and uses XOR encryption in both code and C&C communication
  – Bashlite – bruteforces routers with common username/password combinations, steals private information
  – LizardStresser – scans public IP addresses for Telnet port 23 and exploits common username/password combinations
  – AES.DDoS – uses AES for C&C communication, steals private information
  – PNScan – scans networks for open port 22 and exploits common username/password combinations, downloads other malware
  – Tsunami Trojan – modifies files so that it gets run each time a device boots up, can download other files, kill processes, and spoof IP addresses

SLIDE 11

The Mirai Malware Family

• First discovered in May 2016.
• Mirai Family Tree: Two ancestor variants
  – Linux.DDoS.87
    • First discovered in May 2016
    • uClibc C Library for Embedded Systems
    • Territorial behavior – runkiller function
    • Maximum uptime of one week
    • Capable of launching:
      – HTTP Flood
      – UDP Flood
      – TCP Flood
      – DNS Flood
      – TSource Flood
  – Linux.DDoS.89
    • Discovered in early August, 2016
    • Connects to the Internet via a Google DNS server
    • runkiller terminates processes with different PIDs
    • Scanner similar to Linux.BackDoor.Fgt Trojan
    • Capable of launching:
      – UDP Flood
      – TSource Flood
      – DNS Flood
      – TCP Flood
      – UDP over GRE
      – TEB over GRE

SLIDE 12

An Overview of the Mirai Malware

• Used to launch high profile DDoS attacks in September and October 2016
• Wide-ranging scans of IP addresses
• 62 common username/password combinations
• >500,000 devices infected worldwide
• C&C module coded in Go, bots coded in C
  – C&C module has 8 program files
  – Bot code: 13 .c files, 10 .h files
• Specifically hunts for Anime malware
• Capable of the following attacks:
  – GRE IP Flood
  – GRE ETH Flood
  – SYN Flood
  – ACK Flood
  – STOMP Flood
  – DNS Flood
  – UDP Flood
  – HTTP Flood
• Ranges of IP addresses whitelisted:
  – US Department of Defense

SLIDE 13

Mirai’s Workflow

SLIDE 14

Mirai Command & Control (C&C)

• Opens listening ports
  – port 23 – telnet
  – port 101 – remote API calls on IPv4 addresses
• Creates a lightweight thread for API connections on port 101
• Infinite loop waiting for telnet connections
• Botmaster alerted if C&C server fails
• Some interesting Mirai C&C functions and files:
  – apiHandler (main.go)
    • Check user keys
    • Create and queue attacks
  – newAttack (attack.go)
    • Set attack type, duration, and target
  – admin.go
    • Manages authentication
    • Welcomes the user to the administrative console
    • Russian strings within management interface

SLIDE 15

Mirai C&C Administration Console

• admin.go: Russian Strings for Authentication, Error Alerts, Commands and Translations

File        Line  Russian string                      Translation
prompt.txt  1     я люблю куриные наггетсы            I love chicken nuggets
admin.go    38    пользователь                        user
admin.go    46    пароль                              password
admin.go    56    проверив счета                      checking account
admin.go    63    произошла неизвестная ошибка        An unknown error occurred
admin.go    64    нажмите любую клавишу для выхода.   Press any key to exit.

SLIDE 16

Mirai Botnet Behavior

• The Trojan removes its executables and blocks SIGINT signals
• Attempts to open and then disable watchdog processes
  – /dev/watchdog
  – /dev/misc/watchdog
• Obtains IP address by sending a request to Google’s public DNS server at 8.8.8.8 on port 53
• Opens local socket on device
• Renames itself to a random string and executes child functions
• Mirai bot child functions
  – attack_init (attack.c)
    • Contains attack handlers
  – killer_init (killer.c)
    • Terminates and prevents restart of SSH, HTTP, and telnet
    • memory_scan_match function searches for other malware on the infected device
  – scanner_init (scanner.c)
    • Initializes a scanner which generates random IP addresses to search out vulnerable devices
    • Username/password combination examples:
      – (admin, admin)
      – (admin, password)
      – (root, user)
      – (admin, pass)
      – (tech, tech)

SLIDE 17

Defense Against Mirai Malware Infection

• To remove the Mirai Malware from infected devices:
  1. Disconnect device from network
  2. Reboot while disconnected to clear dynamic memory
  3. Change password from the factory default
  4. Reconnect to the network ONLY after rebooting and ensuring that the logon credentials have been changed.
• Without clearing the dynamic memory and changing logon credentials, the likelihood of reinfection is nearly certain
• Tips to avoid IoT devices becoming infected by the Mirai Malware
  – Change device passwords prior to deployment on a live network
  – Update IoT devices with security patches as they become available
  – Disable Universal Plug and Play on routers unless necessary
  – Monitor ports 2323/TCP and 23/TCP for attempts to gain unauthorized control of devices
  – Monitor port 48101 for suspicious traffic
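The two monitoring tips above, together with the scanner behavior described on the previous slide (random-address scanning followed by attempts with common username/password pairs on telnet), translate directly into three log checks: one source touching many devices on 23/TCP or 2323/TCP, repeated failed telnet logins from one source, and any traffic to port 48101. The following is an added example and not code from the presentation; the firewall and telnetd log formats, the sample lines and the alert thresholds are constructed assumptions, so the two regular expressions would need adapting to a real device's syslog output.

```python
import re
from collections import defaultdict

# Constructed log lines in an assumed firewall/telnetd syslog format; not from the presentation.
SAMPLE_LOG = """\
2017-04-24T10:00:01 fw: src=203.0.113.7:51234 dst=10.0.0.12:23 proto=tcp action=allow
2017-04-24T10:00:01 fw: src=203.0.113.7:51235 dst=10.0.0.13:23 proto=tcp action=allow
2017-04-24T10:00:02 fw: src=203.0.113.7:51236 dst=10.0.0.14:2323 proto=tcp action=allow
2017-04-24T10:00:02 fw: src=203.0.113.7:51237 dst=10.0.0.15:23 proto=tcp action=allow
2017-04-24T10:00:03 fw: src=203.0.113.7:51238 dst=10.0.0.16:23 proto=tcp action=allow
2017-04-24T10:00:04 telnetd[311]: login failed user=root src=203.0.113.7
2017-04-24T10:00:05 telnetd[311]: login failed user=admin src=203.0.113.7
2017-04-24T10:00:06 telnetd[311]: login failed user=admin src=203.0.113.7
2017-04-24T10:00:07 telnetd[311]: login failed user=tech src=203.0.113.7
2017-04-24T10:00:09 fw: src=10.0.0.12:40001 dst=10.0.0.20:48101 proto=tcp action=allow
2017-04-24T10:00:10 fw: src=192.0.2.9:40002 dst=10.0.0.12:443 proto=tcp action=allow
2017-04-24T10:00:11 telnetd[311]: login failed user=root src=192.0.2.9
"""

# Assumed line layouts (see SAMPLE_LOG); adjust both patterns to the real log source.
FW_RE = re.compile(r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)")
TELNET_FAIL_RE = re.compile(r"telnetd\[\d+\]: login failed user=(?P<user>\S+) src=(?P<src>[\d.]+)")

TELNET_PORTS = {23, 2323}   # the ports the slide says to watch for unauthorized control attempts
MIRAI_BIND_PORT = 48101     # the port the slide says to monitor for suspicious traffic


def analyze(log_text, scan_min_targets=4, fail_min=3):
    """Return three alert groups from the log text.

    telnet_scan:       sources that reached at least scan_min_targets distinct devices on 23/2323
    telnet_bruteforce: sources with at least fail_min failed telnet logins
    port_48101:        every (src, dst) pair seen talking to port 48101
    Thresholds are illustrative assumptions, not values from the presentation."""
    telnet_targets = defaultdict(set)
    failed_logins = defaultdict(int)
    port_48101 = []
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            dport = int(m.group("dport"))
            if dport in TELNET_PORTS:
                telnet_targets[m.group("src")].add(m.group("dst"))
            if dport == MIRAI_BIND_PORT:
                port_48101.append((m.group("src"), m.group("dst")))
            continue
        m = TELNET_FAIL_RE.search(line)
        if m:
            failed_logins[m.group("src")] += 1
    return {
        "telnet_scan": {src: len(t) for src, t in telnet_targets.items() if len(t) >= scan_min_targets},
        "telnet_bruteforce": {src: n for src, n in failed_logins.items() if n >= fail_min},
        "port_48101": port_48101,
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

A single failed login from 192.0.2.9 stays below the threshold and is not reported, while 203.0.113.7 trips both the scan and the brute-force rules, and the internal 10.0.0.12 to 10.0.0.20 connection on 48101 is reported unconditionally. A device that shows up as the source of telnet scanning is the one to take through the four-step disconnect, reboot, change-password, reconnect procedure above.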

SLIDE 18

Mirai Malware for Windows

• Trojan.Mirai.1
  – Trojan for Microsoft Windows PCs
  – Written in C++
  – Scans network for evidence of vulnerable Linux-based devices
  – Inter-process communication to launch remote machine commands
  – If MS SQL is available:
    • Creates – User: Mssqla, Password: Bus3456#qwein with sysadmin privileges
  – Connecting to remote MySQL server:
    • Creates – User: phpminds, Password: phpgod with sysadmin privileges
  – Executes or deletes files, plants icons for automatic launch
• Hashes
  – 9575d5edb955e8e57d5886e1cf93f54f52912238
  – f97e8145e1e818f17779a8b136370c24da67a6a5
  – 42c9686dade9a7f346efa8fdbe5dbf6fa1a7028e
  – 938715263e1e24f3e3d82d72b4e1d2b60ab187b8
• Many AV programs can detect
• 28 February DDoS attack on an American University
  – Ran for 54 hours
  – Application layer attack – average 30K RPS
  – More than half of all IPs came from one manufacturer’s DVRs

SLIDE 19

Conclusions and Future Work

• Ongoing work includes:
  – Further investigating the extent of the Mirai C&C vulnerability to SQL injection attacks.
    • Lack of input validation in C&C code could allow a specially crafted API call to be used to leak information or gain control of the botnet
  – Botnet detection and classification in IoT environments
    • Developing techniques that can be supported in resource-constrained environments
• Acknowledgement – This work was funded under the Office of Naval Research, Code 33 Energy System Technology Evaluation Program (ESTEP)

SLIDE 20

References

SPAWAR Systems Center Pacific: http://www.spawar.navy.mil/pacific

DARPA PAL Concept Video: https://youtu.be/BF-KNFlOocQ

Furnace Accelerator: http://usafurnace.com

DrWeb Profile of Trojan.Mirai.1: https://vms.drweb.com/virus/?i=14934685&lng=en

Incapsula Blog Post: https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html