A Moose Once Bit My Honeypot - Botconf 2018 (slide transcript)
A Moose Once Bit My Honeypot
A Story of an Embedded Linux Botnet, by Olivier Bilodeau (@obilodeau)
$ whoami
- Malware Researcher at ESET
- Infosec lecturer at ETS University in Montreal
- Previously: infosec developer, network admin, Linux system admin
- Co-founder of Montrehack (hands-on security workshops)
- Founder of NorthSec Hacker Jeopardy
Characteristics of Embedded Linux Systems
- Small amount of memory
- Small amount of flash
- Non-x86 architectures: ARM, MIPS
- Wide variety of libc implementations/versions
- Same ABI-compatible Linux kernel (2.4 < x < 4.3)
- Support ELF binaries
- Rarely an integrated UI
- Networked
It's Real
- Several cases disclosed in the last two years
- A lot of same-old background noise (DDoSers)
- Things are only getting worse
So what kind of malware can we find on such insecure devices?
- Linux/Aidra
- Linux/Bassobo
- ChinaZ family (XOR.DDoS, ...)
- Linux/Dofloo
- Linux/DNSAmp (MrBlack, BillGates)
- Linux/Gafgyt (LizardStresser)
- Linux/Hydra
- Linux/Tsunami
- ...
Static/stripped ELF primer
- No imports (library calls) present
- All the code bundled together, down to the kernel syscall
- Disassembler (if available for the arch) doesn't help much
Ecosystem makes it worse [for reversers]
- GCC and GNU libc are always changing, so compiled binaries always change
- Few IDA FLIRT signatures available (if any)
- Various C libraries: µClibc, eglibc, glibc, musl, ...
A Failed Attempt
- Map syscalls with an IDA script
- But libc is too big
- Still too much code to RE
- Provided tool: https://github.com/eset/malware-research/blob/master/moose/ida/mips_identify_syscalls.py
Better Solution
- Reproduce the environment (arch, libc/compiler versions)
- Build the libraries with symbols under the same conditions
- Use bindiff to map library functions
- Focus on the malware code
Lesson #0
- Going down to syscalls takes too long in large binaries
- Find a close match of the C library
- Build it with symbols
- Bindiff it (or maybe FLIRT it)
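The syscall-mapping idea from the "Failed Attempt" slide can be done without IDA: in a static MIPS o32 binary every kernel call ends in a `syscall` instruction preceded by `li $v0, <number>`, so scanning for that pair gives a rough map of what the code touches. The script below is an added example written for this transcript, not ESET's mips_identify_syscalls.py. Assumptions: MIPS32 o32 encodings, a partial syscall table (numbers I am sure of; extend it from the kernel's syscall_o32.tbl), and constructed sample bytes in place of a real sample. The `elf_endianness` helper matters here because the Moose samples came in both big- and little-endian MIPS builds.

```python
"""Locate `syscall` instructions in raw MIPS32 code and name them from the
immediate loaded into $v0 just before each one."""
import struct
import sys

# Partial MIPS o32 Linux syscall table (__NR_Linux = 4000). Extend it from the
# kernel's arch/mips/kernel/syscalls/syscall_o32.tbl for full coverage.
O32_SYSCALLS = {
    4001: "exit", 4002: "fork", 4003: "read", 4004: "write", 4005: "open",
    4006: "close", 4011: "execve", 4168: "accept", 4169: "bind",
    4170: "connect", 4174: "listen", 4183: "socket",
}

SYSCALL_INSN = 0x0000000C    # `syscall`
ADDIU_V0_ZERO = 0x24020000   # addiu $v0, $zero, imm16 (what `li $v0, N` assembles to)
ORI_V0_ZERO = 0x34020000     # ori   $v0, $zero, imm16
WINDOW = 8                   # instructions to look back for the $v0 load


def elf_endianness(data):
    """'<' or '>' from the ELF header's EI_DATA byte, None if not an ELF file."""
    if data[:4] != b"\x7fELF":
        return None
    return {1: "<", 2: ">"}.get(data[5])


def _writes_v0(insn):
    """True if insn sets $v0 by a route other than an immediate we can decode."""
    op = insn >> 26
    if op == 0:                                       # R-type: rd is bits 15..11
        return (insn >> 11) & 0x1F == 2
    if op in (0x0F, 0x20, 0x21, 0x23, 0x24, 0x25):    # lui, lb, lh, lw, lbu, lhu: rt is bits 20..16
        return (insn >> 16) & 0x1F == 2
    return False


def find_syscalls(code, endian):
    """Return [(offset, number, name)] for every `syscall` in `code`.

    number is None (name 'indirect') when $v0 came from a register or from a
    previous syscall's return value instead of a decodable immediate; a known
    immediate missing from the table is reported as 'unknown'."""
    words = [struct.unpack(endian + "I", code[i:i + 4])[0]
             for i in range(0, len(code) - len(code) % 4, 4)]
    results = []
    for idx, insn in enumerate(words):
        if insn != SYSCALL_INSN:
            continue
        number = None
        for back in reversed(words[max(0, idx - WINDOW):idx]):
            if (back & 0xFFFF0000) in (ADDIU_V0_ZERO, ORI_V0_ZERO):
                number = back & 0xFFFF
                break
            if back == SYSCALL_INSN or _writes_v0(back):
                break                                  # $v0 was clobbered in between
        name = "indirect" if number is None else O32_SYSCALLS.get(number, "unknown")
        results.append((idx * 4, number, name))
    return results


if __name__ == "__main__":
    # Usage: python3 mips_syscalls.py <file>  (scans the whole file; feed it the
    # .text section instead to avoid hits inside data)
    blob = open(sys.argv[1], "rb").read()
    for off, num, name in find_syscalls(blob, elf_endianness(blob) or ">"):
        print(f"{off:#010x}  {num}  {name}")
```

Scanning the whole file is deliberately crude, exactly the point of the slide: it tells you which syscalls the blob makes but not which of the thousands of hits belong to libc rather than to the malware, which is why the next slide moves to rebuilding libc with symbols and bindiffing.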
... and Strings
$ strings moose_mips.elf
[...]
cat /proc/cpuinfo
GET /xx/rnde.php?p=%d&f=%d&m=%d HTTP/1.1
Host: www.getcool.com
Connection: Keep-Alive
127.0.0.1
[...]
Lesson #1
- Be careful with detection names
- Don't request a domain takedown based on the output of strings, and don't do so for other people's research!
Sample
- Statically linked, stripped ELF binary
- ARM (GNU EABI and EABI5)
- MIPS (little and big endian)
- No x86 sample found
- C&C IP in integer form, buried in all this code
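A C&C address kept as a 32-bit integer never shows up in strings output, so it has to be pulled out of the code itself. On MIPS a 32-bit immediate is assembled in two instructions, `lui` for the upper half and `ori` (or `addiu`) for the lower half, and collecting those pairs recovers every such constant. The script below is an added example for this transcript, not ESET's tooling; it assumes the address is built this way (rather than loaded from a data section), and the sample bytes and the 203.0.113.7 documentation address are constructed. Because a bot may store the address in host or network byte order, both renderings are kept for triage.

```python
"""Recover 32-bit constants that MIPS code assembles from lui/ori or lui/addiu
pairs and show which of them render as plausible IPv4 addresses."""
import ipaddress
import struct


def _signed16(value):
    """Sign-extend a 16-bit immediate (addiu adds a signed immediate)."""
    return value - 0x10000 if value & 0x8000 else value


def ipv4_renderings(value):
    """Render a 32-bit value as dotted quads in both byte orders, dropping any
    rendering that cannot be a unicast host (0.x.x.x, loopback, multicast, 240/4)."""
    out = []
    for fmt in (">I", "<I"):
        addr = ipaddress.IPv4Address(struct.pack(fmt, value))
        if int(addr) >> 24 == 0 or addr.is_loopback or addr.is_multicast or addr.is_reserved:
            continue
        out.append(str(addr))
    return out


def find_ipv4_constants(code, endian):
    """Return [(offset_of_lui, value, renderings)] for every lui whose register
    is later consumed by an ori/addiu, i.e. every 32-bit immediate in `code`."""
    words = [struct.unpack(endian + "I", code[i:i + 4])[0]
             for i in range(0, len(code) - len(code) % 4, 4)]
    pending = {}   # register -> (offset, upper half) for a lui awaiting its low half
    found = []
    for idx, insn in enumerate(words):
        op, rs, rt = insn >> 26, (insn >> 21) & 0x1F, (insn >> 16) & 0x1F
        if op == 0x0F:                                   # lui rt, hi
            pending[rt] = (idx * 4, (insn & 0xFFFF) << 16)
        elif op in (0x0D, 0x09) and rs in pending:       # ori/addiu rt, rs, lo
            off, hi = pending.pop(rs)
            lo = (insn & 0xFFFF) if op == 0x0D else _signed16(insn & 0xFFFF)
            value = (hi + lo) & 0xFFFFFFFF
            found.append((off, value, ipv4_renderings(value)))
    return found


if __name__ == "__main__":
    # Constructed big-endian sample: li $a0, 0xCB007107 (203.0.113.7) followed by a
    # typical address load, lui $v0, 0x40 / addiu $v0, $v0, 0x1234.
    sample = bytes.fromhex("3C04CB00" "34847107" "3C020040" "24421234")
    for off, value, quads in find_ipv4_constants(sample, ">"):
        print(f"{off:#06x}  {value:#010x}  {', '.join(quads) or '-'}")
```

Ordinary code addresses (0x004xxxxx on MIPS) also pass through this and the little-endian rendering of one shows up as an IP-looking quad, so the output is a candidate list to confirm against the bot's connect() arguments, not an answer by itself.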
Network capabilities
- Pivot through firewalls
- Home-made NAT traversal
- Custom-made proxy service, only available to a set of authorized IP addresses
- Remotely configured generic network sniffer
- DNS hijacking
Hints
Aurel images: https://people.debian.org/~aurel32/qemu/mips/
Qemu command:
qemu-system-mips -M malta \
  -no-reboot -nographic \
  -kernel vmlinux-3.2.0-4-4kc-malta \
  -hda debian_wheezy_mips_standard.qcow2 \
  -append "root=/dev/sda1 console=ttyS0" \
  -redir tcp:10073::10073 -redir tcp:22::22 -redir tcp:23::23
(The -redir option has since been removed from QEMU; current releases take the same port forwards as hostfwd= entries on -netdev user or -nic user.)
Via C&C configuration, the network sniffer was used to steal HTTP cookies:
- Twitter: twll, twid
- Facebook: c_user
- Instagram: ds_user_id
- Google: SAPISID, APISID
- Google Play/Android: LAY_ACTIVE_ACCOUNT
- YouTube: LOGIN_INFO
Whitepaper Impact
- A few weeks after the publication, the C&C servers went dark
- After a reboot, all affected devices should be clean
- But the victims were compromised via weak credentials, so they can always be reinfected
Found Update
- New proxy service port (20012)
- C&C selection on the CLI
- C&C server returns 404 to unknown bots
- Still under analysis
- Still trying to get infected
Research artifacts released
- Python and shell scripts
- Protocol dissectors, fake servers, tshark wrappers
- Yara rules
- IOCs
https://github.com/eset/malware-research/tree/master/moose