embedded linux 악성코드 동향 20150323 v1.0 공개판

(Home Router 중심) IoT악성코드

2015.03.20 (V1.0) – 공개용

안랩시큐리티대응센터(ASEC) 분석팀

차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7) 책임연구원

사실 Home Network Devices 중심 Embedded Linux 악성코드

© AhnLab, Inc. All rights reserved. 2

:~$apropos

• IoT

• Embedded Linux

• Home Network

• 주요Embedded Linux 악성코드

• Case study


:~$whoami

Profile

− 차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7)

− 1988년 1월 7일 : Apple ][+ 복제품으로 컴퓨터 시작

− 1989년 : Brain virus 변형 감염

− 1997년 : AhnLab 입사

− AhnLab 책임 연구원 (Senior Antivirus Researcher)

− 시큐리티 대응센터(ASEC) 분석팀에서

악성코드 분석및 연구 중

- 민간합동 조사단, 사이버보안전문단

- AVED, AMTSO, vforum 멤버

- Wildlist Reporter

Contents

01

02

03

04

05

06

07

IoT 그리고 Embedded Linux

Home Network

사건사고

주요악성코드

Case study

대응방법과한계

맺음말및전망

01

IoT그리고Embedded Linux


IoT (Internet of Things)

• IoT

- 사람과사물, 사물과사물간정보를상호소통하는지능형기술및서비스

* Source : http://en.wikipedia.org/wiki/Internet_of_Things



• 활용분야

-

* Source : http://www.kpcb.com/blog/how-kleiner-perkins-invests-in-the-internet-of-things-picking-the-winners



사생활침해

훔쳐 보기

정보유출

개인 정보 유출

데이터조작

내부/통신데이터 조작

의료 기기는 큰 문제

악성코드감염

DDoS 공격

Bitcoin 채굴 등

보안위협

© AhnLab, Inc. All rights reserved.


OS

Embeded Linux

iOS Windows

Contiki Riot

mbed

Tizen



• Windows 10 Raspberry Pi 2 지원

-

* Source : http://www.raspberrypi.org/raspberry-pi-2-on-sale


Embedded Linux

• Embedded Linux

-

* Source : http://en.wikipedia.org/wiki/Linux_on_embedded_systems

02

Home Network


Home Network

• Home Router

- 인터넷공유기, Wi-Fi Router, Wireless Router

* Source : http://en.wikipedia.org/wiki/Wireless_router


Home Network

• SOC (System on a chip)

-

* Source : http://en.wikipedia.org/wiki/System_on_a_chip


Home Network

Home Router

• 제품사양

- MIPS

-Embedded Linux

* Source : http://www.iptime.co.kr& http://www.netcheif.com/Reviews/BR-6478AC/PDF/8197D.pdf


Home Network

Embedded Linux

• Busybox

- 주요Linux 명령어를하나의파일에담음

* Source : http://www.busybox.net/


Home Network

Embedded Linux

• Login

- 공장출시기본Login / password


Home Network

Embedded Linux

• BusyBox

-


Home Network

Home Router

• cpuinfo

-


Home Network

Embedded Linux

• Shellshock 테스트

- 다행히취약점없음

03

사건사고


드라마속 IoT

• 해킹을통한살인

- 말기암환자가 자동차, POS, 엘리베이터를해킹해살해시도

* Source : CSI NewyorkSeason 6 Eipsode2 (2009)


설정변경

• 인터넷공유기DNS 주소변경

- 인터넷공유기보안취약점이용해DNS 주소변경해유명사이트접속할때가짜웹사이트유도


설정변경

• 인터넷공유기DNS 주소변경

- 인터넷공유기허점이용해악성코드감염시도

* source : http://www.krcert.or.kr/kor/data/secNoticeView.jsp?p_bulletin_writing_sequence=20950


설정변경

• 인터넷공유기제작업체

- firmware 업데이트권고

*

source :http://www.iptime.co.kr/~iptime/bbs/view.php?id=notice&page=2&ffid=&fsid=&dffid=&dfsid=&dftid=&sn1=&divpage=1&dis_comp=&sn=off&ss=

on&sc=on&select_arrange=headnum&desc=asc&dis_comp=&ng_value=&x_value=&no=812


설정변경

• Sality

- Salityvirus가primary DNS 변경하는Rbrute설치

* Source : http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute29


자료변조

• sinology 사의NAS 취약점공격

- DSM 4.3-3810 or earlier 취약점이용해내부보관파일암호화후돈요구 ransomware등장

* source : http://www.synology.com/en-us/company/news/article/470


Backdoor

• Netis router 내Backdoor 포함

- UDP 53413 이용

* source : http://www.netiskorea.com/atboard_view.php?grp1=news&grp2=notice&uid=9034


Backdoor

• Netis router 내Backdoor 포함

- NetisKorea에서국내제품에는Backdoor 존재하지않음공지

* source : http://www.netiskorea.com/atboard_view.php?grp1=news&grp2=notice&uid=9034


DDoS

• 인터넷장애발생

- 2014년11월29일오전SK 브로드밴드와LG 유플러스DNS 서버에대한공격발생

* Source : http://www.zdnet.co.kr/news/news_view.asp?artice_id=20141129202907&type=xml


DDoS

• Home Router 이용한DDoS공격

-2014년크리스마스때Lizard Squad 의Microsoft’s Xbox live, Sony PlayStation Network 공격

* Source : http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/

04

주요악성코드


Timeline

2009

Aidra

Gafgyt

(Fgt)Uteltend (Knb,

Chuck Norris)

2010 20122008 2013 2014 2015

Darlloz

Uteltend (Knb,

Chuck Norris 2)Psybot Themoon Moose

Baswool

2011

Hydra


Hydra

• Hydra

-2011년4월공개된 IRCbot

-2008년부터underground forums에서존재

-D-Link 장비취약점이용

* Source : http://baume.id.au/psyb0t/PSYB0T.pdf


Psybot

• Psybot

- 2009년1월Terry Baume 발견

* Source : http://baume.id.au/psyb0t/PSYB0T.pdf


Psybot

• Psybot

- 첫 in the wild. DDoS공격에이용

* Source : http://www.dronebl.org/blog/8


Psybot

• Psybot

-MIPS Linux 악성코드

-UPX 로압축


Uteltend (Chuck Norris, Knb)

• Chuck Norris Botnet

-2009년말Czech 의Masaryk 대학에서발견

-MIPS Linux IRCbot

-TELNET brute force attack

* Source : http://www.muni.cz/research/projects/4622/web/chuck_norris._botnet



• Chuck Norris Botnet

-Source code 내이탈리아어 ‘[R]anger Killato: in nomedi Chuck Norris!’ 존재

- knb-mipsUPX 해제하면 ‘KnbKeep nick bot 0.2.2’ 문자열존재



• 파일구성

- 설정파일

- IRC Bot + DDoS공격도구

-password



• 파일구성

- Kaiten(Tsunami) DDoS공격도구포함


Aidra (Lightaidra)

• 악성 IRCbot

- 2012년2월발견. 국내에도감염보고

-DDoS공격

* Source : http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/


Aidra (Lightaidra)

getbinaries.sh

ARM MIPS MIPSELPower

PCSuperH script


Aidra (Lightaidra)

• Aidra vs Darlloz

- 경쟁관계인Darlloz제거기능 추가

* Source : http://now.avg.com/war-of-the-worms/


Darlloz (Zollard)

• Darlloz

-2013년10월발견된 Internet of Things감염worm

- x86, MIPS, ARM, PowerPC 감염

-가상화폐채굴기능추가

* source : http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency


Darlloz (Zollard)

• 감염

-전세계31,000 대시스템감염추정

-국내시스템이전체감염중17 % 차지

* source : http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency


Darlloz (Zollard)

script

armeabi

arm

Power PC

MIPS

mipsel

x86


Darlloz (Zollard)

• Darlloz

-PHP 취약점php-cgi Information Disclosure Vulnerability (CVE-2012-1823) 이용

- router, set-top boxes 암호추측 : dreambox, vizxv, stemroot, sysadmin, superuser, 1234, 12345, 1111, smcadmin


Darlloz (Zollard)

• Darlloz

- 시스템에맞는cpuminer 다운로드후설치해Mincoins, Dogecoins, Bitcoins 등가상화폐채굴


Themoon

• Themoon

- 2014년2월13일발견

-Linksys Home router 취약점이용해감염

* Source :https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633


Themoon

• Themoon

- Strings


Themoon

• Themoon

- 포함된PNG 이미지


Gafgyt (Bashlite.SMB, Fgt)

• Gafgyt (Bashlite.SMB, Fgt)

- Trend Micro에서BusyBox이용한Bashlite로소개

* Source : http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/




- Dr. Web 정보공개

* Source : https://news.drweb.com/show/?i=7092&lng=en




-이미최소2014년8월부터존재

-2014년11월24일Microsoft DDoS공격에이용

-2014년말게임사이트DDoS공격한Lizard's Stresser에이용

-2015년1월Source code 공개

-Source code 공개로다양한변형제작중



• 기능

* Source : http://vms.drweb.com/virus/?i=4242198



• bin.sh

* Source : http://vms.drweb.com/virus/?i=4242198


Moose

• Moose

- 최소2014년10월부터활동시작한BitCoin채굴

-ARM, MIPS 버전존재

-국내Home Router 에서도발견


Baswool

• Baswool

- 2014년11월국내발견확인

-Bashwoop(Powbot) 과유사


Baswool

• 변형

- Virustotal에2014년12월9일최초접수

-주요문자열암호화

* md5 : 331596b415ce2228e596cda400d8bfd2

05

Case study

06

대응방법과한계


현재문제점

Antivirus 프로그램부재

• Antivirus를포함한별다른보안프로그램없음

• 특성상백신및전용백신배포어려움

• 현재사용자가직접설치해야함

악성코드제거

• 수동제거해야함

• 가정방문해제거 ! (가가호호 !)

Firmware Update

• 사용자가직접업데이트

• 얼마나많은사람이Firmware Update 를 ?!


정부대책

• 미래부인터넷공유기보안강화발표

-2015년6월 : 인터넷공유기의실시간모니터링시스템구축

-2015년7월 : 공유기보안업데이트체계구축·운영

* Source : http://www.ddaily.co.kr/news/article.html?no=127945


정부대책

• 반응

-

* Source : http://www.clien.net/cs2/bbs/board.php?bo_table=news&wr_id=1953579


정부대책

• 반응

-

* Source : http://cafe.naver.com/malzero


정부대책

• 반응

-

* Source :

http://www.iptime.co.kr/~iptime/bbs/view.php?id=notice&page=1&ffid=&fsid=&dffid=&dfsid=&dftid=&sn1=&divpage=1&dis_comp=&sn=off&ss=on&sc=

on&select_arrange=headnum&desc=asc&dis_comp=&ng_value=&x_value=&no=915


현재문제점

• 분석가입장

- EmbededLinux Linux경험부족

- ARM / MIPS Processor경험부족

-Hardware debugging 경험부족

-수많은 IoT에대한분석능력필요?!

07

맺음말및전망


Wrap up

• 이미많은공유기악성코드존재

- 2009년부터공격시작되었지만우리는너무몰랐네…

• Study !

- ARM, MIPS

-Embedded Linux

-Hardware debugging 등


MIPS

• What the hell ?!

-생소한명령어

-색다른syscall방식

-아직Hex-rays decompiler미지원


Vulnerabilities

• Smart Home 분석

-온도조절장치, 스마트잠금장치, 스마트전구, 스마트연기감지기, 스마트에너지관리기기, 스마트허브등50 가

지분석

* Source : http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom


Vulnerabilities

• 계속발견되는취약점

-

* Source : https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2


Vulnerabilities

• 계속발견되는취약점

-

* Source : https://beyondbinary.io/advisory/seagate-nas-rce


현재의보안문제

• Not really a fair fight

* source : http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png


현재의보안문제

• 모두가함께해야하는보안

* source : http://www.security-marathon.be/?p=1786


Q&A

email : [email protected] / [email protected]

http://xcoolcat7.tistory.com

https://twitter.com/xcoolcat7, https://twitter.com/mstoned7


Reference

• Marta Janus/Kaspersky, ‘Heads of the Hydra. Malware for Network Devices’ , 2011

(http://securelist.com/analysis/36396/heads-of-the-hydra-malware-for-network-

devices/?replyto=15081&tree=0)

• Marta Janus/Kaspersky, ‘State of play: network devices facing bulls-eye’, 2014

(http://securelist.com/blog/research/67794/state-of-play-network-devices-facing-bulls-eye)

• 손기종/공유기공격사례를통한사물인터넷기기보안위협, 2015

• 장영준/Samsung (Personal Communication)

• 류소준 (Ryu Sojun)/KISA (Personal Communication)

• 신동은 (Shin Dongeun)/KISA (Personal Communication)

• 조인중 (Cho Injoong)/SK Broadband (Personal Communication)

D E S I G N Y O U R S E C U R I T Y

embedded linux 악성코드 동향 20150323 v1.0 공개판

Technology