Download - Embedded Linux Malware Trends 20150323 v1.0 public edition
IoT Malware (focused on Home Routers)
2015.03.20 (V1.0) – public release
AhnLab Security Emergency response Center (ASEC) Analysis Team
CHA Minseok (車珉錫, 차민석, Jacky Cha, mstoned7), Senior Researcher
More precisely: Embedded Linux malware centered on Home Network Devices
© AhnLab, Inc. All rights reserved. 2
:~$apropos
• IoT
• Embedded Linux
• Home Network
• Major Embedded Linux malware
• Case study
:~$whoami
Profile
− CHA Minseok (車珉錫, 차민석, Jacky Cha, mstoned7)
− 7 January 1988: started computing on an Apple ][+ clone
− 1989: infected by a Brain virus variant
− 1997: joined AhnLab
− Senior Antivirus Researcher at AhnLab
− Analyzing and researching malware in the Security Emergency response Center (ASEC) Analysis Team
− Member of the public-private joint investigation team and the cyber security expert group
− Member of AVED, AMTSO and vforum
− Wildlist Reporter
Contents
01 IoT and Embedded Linux
02 Home Network
03 Incidents
04 Major malware
05 Case study
06 Countermeasures and their limits
07 Closing remarks and outlook
01 IoT and Embedded Linux
IoT (Internet of Things)
• IoT
- Intelligent technologies and services through which people and things, and things and other things, exchange information with each other
* Source : http://en.wikipedia.org/wiki/Internet_of_Things
IoT (Internet of Things)
• Application areas
* Source : http://www.kpcb.com/blog/how-kleiner-perkins-invests-in-the-internet-of-things-picking-the-winners
IoT (Internet of Things)
Security threats
• Privacy invasion: snooping on people
• Information leakage: leaks of personal information
• Data tampering: manipulation of internal and communication data; a serious problem for medical devices
• Malware infection: DDoS attacks, Bitcoin mining, etc.
IoT (Internet of Things)
• OS: Embedded Linux, iOS, Windows, Contiki, Riot, mbed, Tizen
IoT (Internet of Things)
• Windows 10 supports the Raspberry Pi 2
* Source : http://www.raspberrypi.org/raspberry-pi-2-on-sale
Embedded Linux
• Embedded Linux
* Source : http://en.wikipedia.org/wiki/Linux_on_embedded_systems
02 Home Network
Home Network
• Home Router
- Also called an internet sharer (인터넷 공유기), Wi-Fi router or wireless router
* Source : http://en.wikipedia.org/wiki/Wireless_router
Home Network
• SOC (System on a chip)
* Source : http://en.wikipedia.org/wiki/System_on_a_chip
Home Network
Home Router
• Product specifications
- MIPS
- Embedded Linux
* Source : http://www.iptime.co.kr & http://www.netcheif.com/Reviews/BR-6478AC/PDF/8197D.pdf
Home Network
Embedded Linux
• BusyBox
- Bundles the main Linux commands into a single executable
* Source : http://www.busybox.net/
Home Network
Embedded Linux
• Login
- Factory-default login / password
Home Network
Embedded Linux
• BusyBox
Home Network
Home Router
• cpuinfo
Home Network
Embedded Linux
• Shellshock test
- Fortunately, not vulnerable
03 Incidents
IoT in TV dramas
• Murder by hacking
- A terminal cancer patient hacks a car, a POS terminal and an elevator in attempts to kill
* Source : CSI: New York Season 6 Episode 2 (2009)
Configuration changes
• Changing a home router's DNS address
- A router security vulnerability is exploited to change the DNS address, so that visits to well-known sites are redirected to fake websites
Configuration changes
• Changing a home router's DNS address
- A router weakness is exploited in attempts to infect users with malware
* source : http://www.krcert.or.kr/kor/data/secNoticeView.jsp?p_bulletin_writing_sequence=20950
Configuration changes
• Home router manufacturer
- Recommends a firmware update
* source : http://www.iptime.co.kr/~iptime/bbs/view.php?id=notice&page=2&ffid=&fsid=&dffid=&dfsid=&dftid=&sn1=&divpage=1&dis_comp=&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&dis_comp=&ng_value=&x_value=&no=812
Configuration changes
• Sality
- The Sality virus installs Rbrute, which changes the router's primary DNS
* Source : http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute29
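The DNS-changer incidents on the slides above (the router DNS redirection cases and Sality's Rbrute component) all leave the same trace from the client's side: the router's resolver answers differently from a resolver you trust. The following script is an added example, not code from the original slides or from AhnLab; it builds a minimal DNS A query with the standard library, parses the reply (including compressed names), and flags the router when its answers share no address with the trusted resolver's answers. The resolver addresses, the test name and the constructed sample response are assumptions made for this example.

```python
"""Added example, not code from the original slides: detect a changed or
hijacked home-router DNS setting by asking the router's resolver and a
trusted resolver for the same name and comparing the A records returned.

Assumptions (not from the slides): the resolver addresses, the test name and
the constructed sample response below.  Standard library only.
"""
import os
import socket
import struct

ROUTER_DNS = "192.168.0.1"   # assumption: the home router acting as DNS forwarder
TRUSTED_DNS = "192.0.2.53"   # assumption: a resolver you trust (e.g. your ISP's)
TEST_NAME = "example.test"   # assumption: a name whose answers should agree


def build_a_query(name, txid):
    """Build a minimal DNS query for an A record with recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), end


def parse_a_records(msg, txid):
    """Return the IPv4 addresses from the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return answers


def query_a(name, server, timeout=2.0):
    """Send one UDP query to `server` and return the A records in its reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(512)
    return parse_a_records(reply, txid)


def dns_looks_hijacked(router_answers, trusted_answers):
    """Suspicious when the router's answers share no address with the trusted
    resolver's answers (an empty answer from the router is suspicious too)."""
    return not (set(router_answers) & set(trusted_answers))


# Constructed sample: response to a query for example.test, txid 0x1234, with
# one A record 192.0.2.1 whose owner name is a pointer back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)


if __name__ == "__main__":
    via_router = query_a(TEST_NAME, ROUTER_DNS)
    via_trusted = query_a(TEST_NAME, TRUSTED_DNS)
    print("router :", via_router)
    print("trusted:", via_trusted)
    print("ALERT: DNS answers differ" if dns_looks_hijacked(via_router, via_trusted)
          else "ok: answers overlap")
```

Names served by CDNs or geo-balanced pools legitimately answer differently per resolver, so pick a test name with stable addresses (or compare several names) to avoid false alarms. The more direct signal in the incidents above is the router's configured DNS server itself: if the router's admin page shows a resolver that is neither the ISP's nor one you set, the setting has been changed regardless of what the answers look like.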
Data tampering
• Attack on a Synology NAS vulnerability
- Ransomware appeared that exploits DSM 4.3-3810 or earlier to encrypt the files stored on the device and demand money
* source : http://www.synology.com/en-us/company/news/article/470
Backdoor
• Backdoor included in Netis routers
- Uses UDP 53413
* source : http://www.netiskorea.com/atboard_view.php?grp1=news&grp2=notice&uid=9034
Backdoor
• Backdoor included in Netis routers
- Netis Korea announced that the backdoor is not present in products sold in Korea
* source : http://www.netiskorea.com/atboard_view.php?grp1=news&grp2=notice&uid=9034
DDoS
• Internet outage
- On the morning of 29 November 2014, the DNS servers of SK Broadband and LG U+ were attacked
* Source : http://www.zdnet.co.kr/news/news_view.asp?artice_id=20141129202907&type=xml
DDoS
• DDoS attack using home routers
- At Christmas 2014, Lizard Squad attacked Microsoft’s Xbox Live and Sony PlayStation Network
* Source : http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/
04 Major malware
Timeline (figure, 2008 to 2015): Hydra, Psybot, Uteltend (Knb, Chuck Norris), Uteltend (Knb, Chuck Norris 2), Aidra, Darlloz, Themoon, Gafgyt (Fgt), Moose, Baswool
Hydra
• Hydra
- IRC bot disclosed in April 2011
- Present on underground forums since 2008
- Exploits a D-Link device vulnerability
* Source : http://baume.id.au/psyb0t/PSYB0T.pdf
Psybot
• Psybot
- Discovered by Terry Baume in January 2009
* Source : http://baume.id.au/psyb0t/PSYB0T.pdf
Psybot
• Psybot
- The first seen in the wild; used for DDoS attacks
* Source : http://www.dronebl.org/blog/8
Psybot
• Psybot
- MIPS Linux malware
- Packed with UPX
Uteltend (Chuck Norris, Knb)
• Chuck Norris Botnet
- Discovered in late 2009 at Masaryk University in the Czech Republic
- MIPS Linux IRC bot
- TELNET brute-force attack
* Source : http://www.muni.cz/research/projects/4622/web/chuck_norris._botnet
Uteltend (Chuck Norris, Knb)
• Chuck Norris Botnet
- The source code contains the Italian phrase ‘[R]anger Killato: in nome di Chuck Norris!’
- Unpacking knb-mips with UPX reveals the string ‘Knb Keep nick bot 0.2.2’
Uteltend (Chuck Norris, Knb)
• File composition
- Configuration file
- IRC bot + DDoS attack tool
- Password
Uteltend (Chuck Norris, Knb)
• File composition
- Includes the Kaiten (Tsunami) DDoS attack tool
Aidra (Lightaidra)
• Malicious IRC bot
- Discovered in February 2012; infections also reported in Korea
- DDoS attacks
* Source : http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/
Aidra (Lightaidra)
getbinaries.sh (figure): binaries for ARM, MIPS, MIPSEL, PowerPC, SuperH and a script
Aidra (Lightaidra)
• Aidra vs Darlloz
- Added a function that removes its rival Darlloz
* Source : http://now.avg.com/war-of-the-worms/
Darlloz (Zollard)
• Darlloz
- Internet of Things worm discovered in October 2013
- Infects x86, MIPS, ARM and PowerPC
- Cryptocurrency mining added
* source : http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency
Darlloz (Zollard)
• Infections
- An estimated 31,000 systems infected worldwide
- Systems in Korea account for 17 % of all infections
* source : http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency
Darlloz (Zollard)
Binaries (figure): script, armeabi, arm, PowerPC, MIPS, mipsel, x86
Darlloz (Zollard)
• Darlloz
- Exploits the PHP php-cgi Information Disclosure Vulnerability (CVE-2012-1823)
- Guesses passwords for routers and set-top boxes: dreambox, vizxv, stemroot, sysadmin, superuser, 1234, 12345, 1111, smcadmin
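The php-cgi vector named on the Darlloz slide (CVE-2012-1823) is visible in ordinary web-server access logs: the CGI specification passes a query string that contains no unencoded '=' to the program as command-line arguments, and the vulnerable php-cgi honoured such arguments, so a request whose query string lacks '=' and, once decoded, begins with '-' is the pattern to look for. The script below is an added example, not code from the original slides or from AhnLab; the "combined" log format and the sample log lines are constructed for it, and the paths and addresses in them are placeholders.

```python
"""Added example, not code from the original slides: find requests in a web
access log that match the CVE-2012-1823 php-cgi argument-injection pattern
used by Darlloz.  The log format and sample lines are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache/nginx "combined"-style access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_php_cgi_arg_injection(target):
    """True when the request target would reach php-cgi as CLI arguments:
    a non-empty query string with no raw '=' whose first decoded argument
    starts with '-' (the '-' itself is often URL-encoded as %2D)."""
    query = urlsplit(target).query
    if not query or "=" in query:   # the CGI check is on the *raw* query
        return False
    first_arg = unquote(query).split("+", 1)[0]   # CGI splits args on '+'
    return first_arg.startswith("-")


def scan_access_log(lines):
    """Return (client_ip, timestamp, target) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_php_cgi_arg_injection(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


# Constructed sample log: two probes (one URL-encoded), two benign requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2015:03:14:02 +0900] "GET /cgi-bin/php?-s HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2015:03:14:05 +0900] "GET /cgi-bin/php5?%2Ds HTTP/1.1" 200 220 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2015:03:15:11 +0900] "GET /index.php?page=-1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Mar/2015:03:16:00 +0900] "GET /cgi-bin/php HTTP/1.1" 200 100 "-" "curl/7.0"',
]


if __name__ == "__main__":
    for ip, ts, target in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

The third sample line shows why the raw '=' check matters: a value that merely starts with '-' is a normal query parameter, and flagging it would flood the output with false positives. A hit from an address that then shows up in the device's process list with a cpuminer, as the next Darlloz slide describes, is the infection chain the slides outline.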
Darlloz (Zollard)
• Darlloz
- Downloads and installs a cpuminer build matching the system, then mines cryptocurrencies such as Mincoins, Dogecoins and Bitcoins
Themoon
• Themoon
- Discovered on 13 February 2014
- Infects through a Linksys home router vulnerability
* Source : https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633
Themoon
• Themoon
- Strings
Themoon
• Themoon
- Embedded PNG image
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB, Fgt)
- Introduced by Trend Micro as Bashlite, which abuses BusyBox
* Source : http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB, Fgt)
- Information published by Dr. Web
* Source : https://news.drweb.com/show/?i=7092&lng=en
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB, Fgt)
- Has existed since at least August 2014
- Used in the DDoS attack on Microsoft on 24 November 2014
- Used by Lizard Stresser, which launched DDoS attacks on game sites at the end of 2014
- Source code released in January 2015
- Many variants are being built from the released source code
Gafgyt (Bashlite.SMB, Fgt)
• Features
* Source : http://vms.drweb.com/virus/?i=4242198
Gafgyt (Bashlite.SMB, Fgt)
• bin.sh
* Source : http://vms.drweb.com/virus/?i=4242198
Moose
• Moose
- Bitcoin miner active since at least October 2014
- ARM and MIPS versions exist
- Also found on home routers in Korea
Baswool
• Baswool
- Confirmed found in Korea in November 2014
- Similar to Bashwoop (Powbot)
Baswool
• Variant
- First submitted to VirusTotal on 9 December 2014
- Main strings are encrypted
* md5 : 331596b415ce2228e596cda400d8bfd2
05 Case study
06 Countermeasures and their limits
Current problems
No antivirus program
• No security software of any kind, antivirus included
• By the nature of these devices, distributing antivirus or dedicated removal tools is difficult
• At present the user has to install it personally
Malware removal
• Must be removed manually
• Removal by house call! (door to door!)
Firmware update
• Users must update it themselves
• How many people actually update their firmware?!
Government measures
• The Ministry of Science, ICT and Future Planning announces stronger home router security
- June 2015: build a real-time monitoring system for home routers
- July 2015: establish and operate a security update scheme for routers
* Source : http://www.ddaily.co.kr/news/article.html?no=127945
Government measures
• Reactions
* Source : http://www.clien.net/cs2/bbs/board.php?bo_table=news&wr_id=1953579
* Source : http://cafe.naver.com/malzero
* Source : http://www.iptime.co.kr/~iptime/bbs/view.php?id=notice&page=1&ffid=&fsid=&dffid=&dfsid=&dftid=&sn1=&divpage=1&dis_comp=&sn=off&ss=on&sc=on&select_arrange=headnum&desc=asc&dis_comp=&ng_value=&x_value=&no=915
Current problems
• From the analyst's perspective
- Little experience with Embedded Linux
- Little experience with ARM / MIPS processors
- Little experience with hardware debugging
- Analysis capability needed for countless IoT devices?!
07 Closing remarks and outlook
Wrap up
• Many home router malware families already exist
- Attacks began in 2009, but we knew far too little…
• Study!
- ARM, MIPS
- Embedded Linux
- Hardware debugging, etc.
MIPS
• What the hell?!
- Unfamiliar instructions
- A different syscall convention
- Not yet supported by the Hex-Rays decompiler
Vulnerabilities
• Smart home analysis
- 50 devices analyzed, including thermostats, smart locks, smart bulbs, smart smoke detectors, smart energy management devices and smart hubs
* Source : http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom
Vulnerabilities
• Vulnerabilities keep being discovered
* Source : https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2
* Source : https://beyondbinary.io/advisory/seagate-nas-rce
Current security problems
• Not really a fair fight
* source : http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png
Current security problems
• Security that everyone has to take part in
* source : http://www.security-marathon.be/?p=1786
Q&A
email : [email protected] / [email protected]
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
Reference
• Marta Janus/Kaspersky, ‘Heads of the Hydra. Malware for Network Devices’, 2011 (http://securelist.com/analysis/36396/heads-of-the-hydra-malware-for-network-devices/?replyto=15081&tree=0)
• Marta Janus/Kaspersky, ‘State of play: network devices facing bulls-eye’, 2014 (http://securelist.com/blog/research/67794/state-of-play-network-devices-facing-bulls-eye)
• 손기종, ‘IoT device security threats seen through home router attack cases’, 2015
• 장영준/Samsung (Personal Communication)
• 류소준 (Ryu Sojun)/KISA (Personal Communication)
• 신동은 (Shin Dongeun)/KISA (Personal Communication)
• 조인중 (Cho Injoong)/SK Broadband (Personal Communication)
DESIGN YOUR SECURITY