linux moose endangered or extinct
play

. Linux/Moose endangered or extinct? An update on this atypical - PowerPoint PPT Presentation

Mar 26, 2024 •172 likes •727 views

. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by Olivier Bilodeau $ apropos Statically linked stripped ELF challenges Moose DNA (description) Moose Herding (the Operation) A Strange Animal Latest

  1. .

  2. Linux/Moose endangered or extinct? An update on this atypical embedded Linux botnet by Olivier Bilodeau

  3. $ apropos Statically linked stripped ELF challenges Moose DNA (description) Moose Herding (the Operation) A Strange Animal Latest Developments

  4. $ whoami Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec developer, network admin, linux system admin Co-founder Montrehack (hands-on security workshops) Founder NorthSec Hacker Jeopardy

  5. Static/stripped ELF primer No imports (library calls) present All the code bundled together down to kernel syscall Disassembler (if available for arch) doesn’t help much

  6. Linux/Moose binary in IDA

  7. printf family

  11. Ecosystem makes it worst [for reversers] GCC and GNU libc is always changing so compiled binaries always change Little IDA FLIRT signatures available (if any) µClibc, eglibc, glibc, musl, …

  12. A Failed Attempt Map syscalls with IDA script But libc is too big it is still too much

  13. Better Solution Reproduce environment (arch, libc/compiler versions) Build libraries w/ symbols under same conditions Use bindiff to map library functions Focus on malware code

  15. Moose DNA aka Malware description Hang tight, this is a recap

  16. Linux/Moose… Named after the string "elan" present in the malware executable

  17. Elan is French for

  18. The Lotus Elan

  19. Elán The Slovak rock band (from 1969 and still active)

  21. Network capabilities Pivot through firewalls Home-made NAT traversal Custom-made Proxy service only available to a set of whitelisted IP addresses Remotely configured generic network sniffer DNS Hijacking

  22. Worm-like behavior Tries to replicate via aggressive scanning Will dedicate more resources to scan near current external IP Will also scan on LAN interfaces Will not reinfect an infected device Can replicate across architectures C&C is made aware of new compromises

  24. Compromise Protocol

  25. Anti-Analysis Statically linked binary stripped of its debugging symbols Hard to reproduce environment required for malware to operate Misleading strings (getcool.com)

  27. Moose Herding The Malware Operation

  28. Via C&C Configuration Network sniffer was used to steal HTTP Cookies Twitter: twll , twid Facebook: c_user Instagram: ds_user_id Google: SAPISID , APISID Google Play / Android: LAY_ACTIVE_ACCOUNT Youtube: LOGIN_INFO

  29. Via Proxy Usage Analysis Nature of traffic Protocol Targeted social networks

  33. 75%+ HTTPS but…

  35. An Example

  36. An Example (cont.)

  37. An Example (cont.)

  38. An Example (cont.)

  39. Anti-Tracking Whitelist means we can’t use the proxy service to evaluate malware population Blind because of HTTPS enforced on social networks DNS Hijacking’s Rogue DNS servers never revealed

  41. A Strange Animal

  42. Different focus not in the DDoS or bitcoin mining business no x86 variant found controlled by a single group of actors

  43. Missing "features" No persistence mechanism No shell access for operators

  44. Thought big, realized little? In social network fraud, network sniffer irrelevant DNS Hijacking possible but only for few devices No ad fraud, spam, DDoS, etc.

  45. Latest Developments

  46. Whitepaper Impact Few weeks after the publication the C&C servers went dark After a reboot, all affected devices should be cleaned But victims compromised via weak credentials, so they can always reinfect

  47. Alive or dead?

  48. Alive or dead? (cont.) On the lookout for Moose v2 Looked at over 150 new samples targeting embedded Linux platforms Linux/Aidra, Linux/Dofloo (AES.DDoS), Linux/DNSAmp (Mr.Black), Linux.Gafgyt and Linux/Tsunami Still no Moose update…

  49. Yay! except…

  50. Moose level-up

  51. Update New sample this Saturday New proxy service port (20012) New C&C selection algorithm Lots of differences Still under scrutiny

  54. Conclusion Embedded malware Not yet complex Tools and processes need to catch up a low hanging fruit Prevention simple

  55. Questions? Thank you! @obilodeau and special thanks to Thomas Dupuy (@nyx__o)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau (

A Moose Once Bit My Honeypot A Story of an Embedded Linux Botnet by Olivier Bilodeau ( @obilodeau ) $ apropos Embedded Linux Malware Moose DNA (description) Moose Herding (the Operation) Whats New? Take Aways $ whoami Malware

1.19k views • 97 slides
What Is an Endangered Species? An endangered species is a group (population) of plants, animals

What Is an Endangered Species? An endangered species is a group (population) of plants, animals

What Is an Endangered Species? An endangered species is a group (population) of plants, animals or other organisms that is in danger of becoming extinct. Today we will be specifically looking at endangered animals. What Is an Endangered

502 views • 11 slides
Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct

Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct

Carolina Parakeet Panthera leo barbaricus Barbary Lion extinct around 1935? (1918?) Extinct 1922 Tasmanian Tiger Gastric brooding frog Extinct ? Extinct 1936 Not found since 1985 Table 2.2. A sample of species once thought extinct,

301 views • 7 slides
MOOSE to PyMOOSE: Interfacing MOOSE with Python Subhasis Ray National Centre for Biological

MOOSE to PyMOOSE: Interfacing MOOSE with Python Subhasis Ray National Centre for Biological

MOOSE to PyMOOSE: Interfacing MOOSE with Python Subhasis Ray National Centre for Biological Sciences Tata Institute of Fundamental Research Bangalore, Karnataka, India The People Upi Niraj Raamesh Genesis of MOOSE GEneral NEural

1.01k views • 46 slides
Endangered Means Theres Still Time Endangered Mean Theres Still Time Endangered species

Endangered Means Theres Still Time Endangered Mean Theres Still Time Endangered species

Endangered Means Theres Still Time Endangered Mean Theres Still Time Endangered species are like fire alarms. They tell us about problems in our home we call Earth. If we listen to their alarm calls, they could help us improve our

454 views • 42 slides
UNBC Terrace 19 October 2016 Ted Binnema The Moose Enigma Moose swept the province in the

UNBC Terrace 19 October 2016 Ted Binnema The Moose Enigma Moose swept the province in the

UNBC Terrace 19 October 2016 Ted Binnema The Moose Enigma Moose swept the province in the past century and a half and yet were unknown in historic times throughout the interior. Valerius Geist, 2011. Why have moose increased

685 views • 33 slides
MOOSE Multi level Origin Organised Scalable Ethernet draft malc armd moose

MOOSE Multi level Origin Organised Scalable Ethernet draft malc armd moose

MOOSE Multi level Origin Organised Scalable Ethernet draft malc armd moose 00 Malcolm Scott University of Cambridge Computer Laboratory Malcolm Scott draft-malc-armd-moose-00 1 Aim: Hierarchical MAC address space

111 views • 9 slides
Moose Lake Utilities Repair P r e p a r e - D e p l o y - E n a b l e 1 Overview Project

Moose Lake Utilities Repair P r e p a r e - D e p l o y - E n a b l e 1 Overview Project

Eielson Air Force Base R e a d y T o G o A t 5 0 B e l o w Moose Lake Utilities Repair P r e p a r e - D e p l o y - E n a b l e 1 Overview Project Duration: late February 30 September Cost: $31.4M for the Entire Moose

513 views • 17 slides
ENDANGERED SPECIES | An Online Lesson for EFL/ESL Students Handout #2: THE TOP TEN ENDANGERED

ENDANGERED SPECIES | An Online Lesson for EFL/ESL Students Handout #2: THE TOP TEN ENDANGERED

ENDANGERED SPECIES | An Online Lesson for EFL/ESL Students Handout #2: THE TOP TEN ENDANGERED SPECIES IN THE WORLD 1. The Black Rhino The most endangered species in the world Numbers have increased 96% since 1970 due to poaching Only

425 views • 3 slides
Endangered Species Trading Cards A fun way to raise student awareness toward Endangered Species.

Endangered Species Trading Cards A fun way to raise student awareness toward Endangered Species.

Endangered Species Trading Cards A fun way to raise student awareness toward Endangered Species. Academic Standards ENV. 5.5 - Identify the indirect and direct threats to biodiversity (e.g. habitat loss and destruction, invasion by exotic

570 views • 10 slides
Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client

Linux Kung Fu Introduction What is Linux? Why Linux? What is the difference between a client and a server? What is Linux? Linux generally refers to a group of Unix-like free and open-source operating system distributions that use the Linux

562 views • 53 slides
MOOSE JAW, SASKAT CHE WAN HOME T O T HE SNOWBIRDS!! Not these kind of Snowbirds.

MOOSE JAW, SASKAT CHE WAN HOME T O T HE SNOWBIRDS!! Not these kind of Snowbirds.

MOOSE JAW, SASKAT CHE WAN HOME T O T HE SNOWBIRDS!! Not these kind of Snowbirds. Although we have lots of these too! SNOWBIRDS!! SE HE T Saskatc he wan Wate r she ds Moose Jaw River Watershed Watershed stewardship is not

532 views • 21 slides
Moose Management Review Listening Sessions May 2019 Big Game Management Advisory Committee 1

Moose Management Review Listening Sessions May 2019 Big Game Management Advisory Committee 1

Moose Management Review Listening Sessions May 2019 Big Game Management Advisory Committee 1 Mo Moose Ma Management R Review Why are we here? The Ministry of Natural Resources and Forestry (MNRF) has made a number of changes in

1.07k views • 88 slides
The Recent Resurgence of the Electric Car The zero-emissions e-car went extinct a century ago.

The Recent Resurgence of the Electric Car The zero-emissions e-car went extinct a century ago.

The Recent Resurgence of the Electric Car The zero-emissions e-car went extinct a century ago. Now it is back in a big way, thanks to a complete redesign of the usual sedan's innards. Theres nothing under the hood. Or trunk. You have to

1.25k views • 70 slides
Under the Endangered Species Act Sandra A. Snodgrass Holland & Hart LLP ESA Overview

Under the Endangered Species Act Sandra A. Snodgrass Holland & Hart LLP ESA Overview

Recent Developments Under the Endangered Species Act Sandra A. Snodgrass Holland & Hart LLP ESA Overview Purpose of ESA: To conserve threatened and endangered species and the ecosystems on which they depend Administered by U.S.

545 views • 27 slides
Unheard of! part 4 The Himalayas Mustang, Sherpa & Tibetan Endangered Language Alliance

Unheard of! part 4 The Himalayas Mustang, Sherpa & Tibetan Endangered Language Alliance

Unheard of! part 4 The Himalayas Mustang, Sherpa & Tibetan Endangered Language Alliance A non-profit organization dedicated to the documentation, conservation and continuation of endangered languages throughout the world. Based in

580 views • 42 slides
The raise of Social Assistance in sub-Saharan Africa Miguel Nio-Zaraza, UNU-WIDER Background

The raise of Social Assistance in sub-Saharan Africa Miguel Nio-Zaraza, UNU-WIDER Background

The raise of Social Assistance in sub-Saharan Africa Miguel Nio-Zaraza, UNU-WIDER Background Over the past two decades, social assistance has emerged as a new welfare paradigm in the fight against poverty and vulnerability in the

280 views • 24 slides
Sequence Labeling & Syntax CMSC 470 Marine Carpuat Recap: We know how to perform POS

Sequence Labeling & Syntax CMSC 470 Marine Carpuat Recap: We know how to perform POS

Sequence Labeling & Syntax CMSC 470 Marine Carpuat Recap: We know how to perform POS tagging with structured perceptron An example of sequence labeling tasks Requires a predefined set of POS tags Penn Treebank commonly used for

931 views • 32 slides
Call-in to listen: (877) 369-6670 Or listen via web Follow us on Twitter for live updates:

Call-in to listen: (877) 369-6670 Or listen via web Follow us on Twitter for live updates:

Call-in to listen: (877) 369-6670 Or listen via web Follow us on Twitter for live updates: @statereforum #CHWs Call-in #: (877) 369-6670 Integrating Community Health Worker Models Follow us on Twitter for into Evolving State Health Care

652 views • 41 slides
MASA Understand Prove CONFIDENTIAL 1 Communicate Grow Evangelos Ntrivalas, MD, PhD,

MASA Understand Prove CONFIDENTIAL 1 Communicate Grow Evangelos Ntrivalas, MD, PhD,

Ev Evan angelos Nt Ntriv rivalas, M MD, D, P PhD, D, H HCLD/ D/CC(ABB), D( D(ABMLI) Director of Medical & Scientific Affairs Nova Biomedical MASA Understand Prove CONFIDENTIAL 1 Communicate Grow Evangelos Ntrivalas,

743 views • 56 slides
Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a

Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a

Mail Merge Internals Eilidh McAdam Mail Merge Mail merge fjlls a template from a datasource, producing a single or separate documents Datasource includes databases and spreadsheets Also used to generate labels and envelopes

345 views • 17 slides
Anatomy of an Apache OpenOffice Extension Pedro Giffuni pfg@apache.org AOO Architecture: Jigsaw

Anatomy of an Apache OpenOffice Extension Pedro Giffuni pfg@apache.org AOO Architecture: Jigsaw

Anatomy of an Apache OpenOffice Extension Pedro Giffuni pfg@apache.org AOO Architecture: Jigsaw Puzzle 26/11/14 2 So how do I develop for Apache OpenOffice - Develop within the main OpenOffice platform (yes, it is open): - Mostly C++

162 views • 12 slides
A Highly Immersive Approach to Teaching Reverse Engineering Golden G. Richard III, Ph.D.

A Highly Immersive Approach to Teaching Reverse Engineering Golden G. Richard III, Ph.D.

A Highly Immersive Approach to Teaching Reverse Engineering Golden G. Richard III, Ph.D. Professor Director, Greater New Orleans Center for Information Assurance (GNOCIA) Department of Computer Science University of New Orleans Co-founder,

576 views • 23 slides
Embedded Systems Intro to the Arduino Laboratory for Perceptual Robotics Department of

Embedded Systems Intro to the Arduino Laboratory for Perceptual Robotics Department of

Embedded Systems Intro to the Arduino Laboratory for Perceptual Robotics Department of Computer Science Arduino Uno www.arduino.cc > Learning > Getting started 1. Digital pins - Use these pins with digitalRead(), digitalWrite(),

67 views • 3 slides

More recommend