DOCSLIB.ORG

The Circle of Life: a Large-Scale Study of the Iot Malware Lifecycle

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle Omar Alrawi?, Charles Lever?, Kevin Valakuzhy?, Ryan Court}, Kevin Snow}, Fabian Monrose†, Manos Antonakakis? ? Georgia Institute of Technology {alrawi, chazlever, kevinv, manos}@gatech.edu } Zero Point Dynamics {rccourt, kevin}@zeropointdynamics.com † University of North Carolina at Chapel Hill [email protected] Abstract RQ2, we qualitatively evaluate how traditional anti-malware Our current defenses against IoT malware may not be ade- techniques work and judge their efficacy based on empirical quate to remediate an IoT malware attack similar to the Mirai observations from the IoT malware ecosystem. botnet. This work seeks to investigate this matter by systemat- Answering RQ1 allows the security community to under- ically and empirically studying the lifecycle of IoT malware stand the evolutionary trend of IoT malware and respond and comparing it with traditional malware that target desktop accordingly. For example, how do malware adapt to infect and mobile platforms. We present a large-scale measurement and persist on IoT devices? Are there trends that can allow of more than 166K Linux-based IoT malware samples col- us to better predict the impact of IoT malware on future IoT lected over a year. We compare our results with prior works technologies? Compared to desktop and mobile malware, are by systematizing desktop and mobile malware studies into a IoT malware capabilities bound by the device’s resources? novel framework and answering key questions about defense How does the IoT malware ecosystem impact different stake- readiness. Based on our findings, we deduce that the required holders? Furthermore, RQ2 allows the security community to technology to defend against IoT malware is available, but gauge if there are sufficient defensive techniques to counter a we conclude that there are insufficient efforts in place to deal fast-evolving IoT threat. with a large-scale IoT malware infection breakout. To date, there have been several efforts to investigate IoT malware [1]–[8]. However, these efforts either focus on in- depth analysis of a single malware family or rely on small 1 Introduction malware corpora collected over short periods. Nonetheless, these efforts provide a fascinating glimpse into the IoT threat The Mirai botnet set a record for the largest distributed denial landscape and demonstrate the need for additional research. of service (DDoS) attack and drew the attention of many se- Moreover, current threat frameworks are either too complex curity professionals [1]. In the aftermath of the attack, many with a focus on traditional malware, such as the MITRE new developments have shaped the IoT malware ecosystem. ATT&CK [9] framework, or study only the infection stage Therefore, studying the threat lifecycle for IoT malware is of IoT malware [10], [11]. Our work seeks to address these vital for securing IoT devices. For example, the Mirai botnet gaps with a comprehensive evaluation of the IoT malware infected devices by using default usernames and passwords, lifecycle. We guide our study by a principled framework that but current IoT malware variants target unpatched vulnera- characterizes various stages of an IoT malware’s lifecycle, bilities. We seek to study how the emerging IoT malware and we compare our findings with traditional malware. ecosystem has evolved since Mirai and whether current de- Our work makes four contributions. First, we propose a fenses for traditional malware can protect against it. novel analysis framework that captures the threat lifecycle of To investigate this matter, we need to systematically un- IoT malware, which considers the infection vectors, payload derstand how IoT malware infect systems, deploy payloads, properties, persistence methods, capabilities, and C&C infras- persist on systems, abuse resources, and operate their infras- tructure. Second, we use our framework to systematize 25 tructure. We guide our analysis by answering two research papers that study traditional malware. Third, we characterize questions (RQ), namely RQ1: How is IoT malware differ- IoT malware by examining more than 166K samples spanning ent than traditional malware? and RQ2: Are current anti- 6 different system architectures collected over a year. Fourth, malware techniques effective against IoT malware? To answer we make available the largest and most comprehensive IoT RQ1, we compare the IoT malware lifecycle with traditional malware corpus to date and include their analysis artifacts, malware and highlight the similarities and differences. For which can be found at https://badthings.info. Our results show that IoT malware differs from traditional hensive studies examine individual components of the IoT malware in a few key areas including infection vectors and malware lifecycle. For example, several works [3], [5], [10], C&C communication. We find signature-based detection lacks [37] examine IoT malware infection tactics and the payload support and coverage for many IoT malware variants and that properties. Other works [6], [38] look at how to detect IoT at least 15% of new variants utilize packing to evade detection. malware by studying its binary static structural features. De Additionally, IoT malware uses various persistent methods Donno et al. [11] organize IoT malware attack capabilities to overcome read-only file systems found in IoT devices by into a taxonomy while Choi et al. [4] study the role that C&C reusing vendor-specific tools. We find a large array of capa- infrastructure plays in the lifecycle of IoT malware. bilities that have been incorporated into IoT malware such as Additional efforts [39], [40] investigate scanners on the in- proxy services, device bricking, and information theft. We ob- ternet to identify if they are infected by IoT malware. Finally, serve that the current IoT malware ecosystem has not reached Çetin et al. [41] present a unique perspective on IoT malware its full potential but may become a severe threat due to the infection cleanup by combining multiple data sources and a sheer number of IoT devices coming online. We conclude user study to measure remediation efforts. Our work differs with a set of recommendations for different stakeholders in- in two aspects, first we propose a five-component framework cluding device owners, device vendors, and ISP operators. that captures the entire lifecycle of IoT malware, which we use to compare with desktop and mobile malware. Second, 2 Background and Related Work we conduct the largest and most comprehensive empirical measurement for more than 166K Linux-based IoT malware Malware targeting embedded Linux-based systems was first samples collected over an entire year. reported in 2008 with the discovery of the Hydra IRC bot [12]. Since then, several other bots have entered the scene with var- 3 Framework and Methodology ious capabilities. Such bots include psyb0t [13], Chuck Nor- ris [14], Carna [15], Tsunami [16], Aidra [17], Dofloo [18], Next, we describe the data sources, methodology, and the Gafgyt [19], Elknot [20], XOR.DDoS [21], Wifatch [22], The- framework that we use for the comparative analysis. We define Moon [23], LUABot [24], Remaiten [25], NewAidra [26], each component’s subcategories and present a summary of our and Moose [27]. Each family had different purposes such results in Table1. AppendixA presents an extended analysis as credential theft [27], cryptocurrency mining [28], device of desktop and mobile malware from prior works. destruction [29], internet-wide scanning [15], and cleaning up infected devices [2], [22]. IoT malware development has 3.1 Comparative Framework many considerations due to the heterogeneity of devices. For example, an IP camera and a set top box can have differ- Our framework looks at five components for malware’s lifecy- ent processors, C libraries (uclibc, musel, glibc), and kernel cle. We study the infection vector, the payload properties, the versions/features (Linux 2.6, 3.2, 4.6, etc.). persistence methods, the capabilities, and the C&C infrastruc- The release of Mirai’s source code and recent develop- ture. For each component, we identify techniques discussed ments in embedded system toolchains has made it easier for in the literature for traditional malware (desktop/mobile) and IoT malware development. Antonakakis et al. [1] note that empirically measure it for IoT malware. The following defines Mirai had a wide impact due to the fact that its small code each component: base runs on diverse devices, spreads efficiently, and targets • Infection Vector is how the malware attacks a system. a large number of insecure IoT devices on the internet [30], • Payload is the dropped malware code after exploitation. [31]. The Mirai botnet took down critical DNS infrastruc- • Persistence is how the malware installs on a system. ture [32], disconnected over 900K internet subscribers [33], • Capabilities are the functions in the malware code. and attacked a large cloud service provider [34]. Soon after • C&C Infrastructure is how the malware communicates the release of Mirai’s code, many variants began to surface with the operator. with enhancement to its infection vector, payload obfusca- We study 25 papers from prior works to qualitatively de- tion, and command-and-control (C&C) communication. For rive subcategories under each component, which are in Ap- example, Satori [35], a Mirai variant, gained momentum as it pendixA. For example, we cite the work of Holz et al. [42] exploited a new vulnerability in Huawei routers. These recent to support the use of drive-by downloads in desktop malware developments provide further motivation to understand the and their distribution networks. Moreover, we use the MITRE IoT malware landscape. ATT&CK taxonomy to derive additional subcategories that Prior studies looked at IoT malware from different perspec- are not found in prior work but are documented by security tives. Cozzi et al. [36] investigate Linux-based malware but companies. Table1 summarizes the comparative analysis. only examine 10K samples, of which 35% are for x86 and x86_64 architecture. Other studies examine specific malware families such as Mirai [1] and Hajime [2].
Recommended publications
  • Iot Threats, Challenges and Secured Integration

    Iot Threats, Challenges and Secured Integration

    IoT Threats, Challenges and Secured Integration Christian Shink, p. eng., CSSLP System Engineer • Why IoT Devices? • Bot Attacks • 3 Botnets fighting over IoT Firepower • Secure IoT integration Why IoT Devices Internet of Things Internet working of physical devices, vehicles, buildings, … Devices embedded with electronics, software, sensors, actuators Network connectivity Any Path Any Service Any Network Anytime Any Business Any context Anyone Machinery Anybody Building energy Anything Management Any Device Healthcare Retail A Rapidly Growing Number of Connected Devices Copyright © 2017 Radware. All rights reserved. IoT is Highly Susceptible to Cyber Attacks IoT devices run an embedded or stripped-down version of the familiar Linux operating system. 1 Malware can easily be compiled for the target architecture, mostly ARM, MIPS, x86 internet-accessible, lots of (I)IoT and ICS/SCADA are deployed without any form of 2 firewall protection Stripped-down operating system and processing power leaves less room for security 3 features, including auditing, and most compromises go unnoticed by the owners To save engineering time, manufacturers re-use portions of hardware and software in different 4 classes of devices resulting in default passwords and vulnerabilities being shared across device classes and manufacturers Internet Security Trend report 2015 by Nexus guard: IoT is becoming a soft target for cyber-attack Copyright © 2017 Radware. All rights reserved. From the News “D-Link failed to take reasonable steps to secure its routers and IP cameras, potentially compromising sensitive consumer information” “The cameras aren’t designed to receive software updates so the zero-day exploits can’t be patched.” “We believe that this backdoor was introduced by Sony developers on purpose” Sources: 1.
  • Internet Security Threat Report Volume 24 | February 2019

    Internet Security Threat Report Volume 24 | February 2019

    ISTRInternet Security Threat Report Volume 24 | February 2019 THE DOCUMENT IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. INFORMATION OBTAINED FROM THIRD PARTY SOURCES IS BELIEVED TO BE RELIABLE, BUT IS IN NO WAY GUARANTEED. SECURITY PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT (“CONTROLLED ITEMS”) ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER FOR YOU TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT SUCH CONTROLLED ITEMS. TABLE OF CONTENTS 1 2 3 BIG NUMBERS YEAR-IN-REVIEW FACTS AND FIGURES METHODOLOGY Formjacking Messaging Cryptojacking Malware Ransomware Mobile Living off the land Web attacks and supply chain attacks Targeted attacks Targeted attacks IoT Cloud Underground economy IoT Election interference MALICIOUS
  • Security Now! #664 - 05-22-18 Spectreng Revealed

    Security Now! #664 - 05-22-18 Spectreng Revealed

    Security Now! #664 - 05-22-18 SpectreNG Revealed This week on Security Now! This week we examine the recent flaws discovered in the secure Signal messaging app for desktops, the rise in DNS router hijacking, another seriously flawed consumer router family, Microsoft Spectre patches for Win10's April 2018 feature update, the threat of voice assistant spoofing attacks, the evolving security of HTTP, still more new trouble with GPON routers, Facebook's Android app mistake, BMW's 14 security flaws and some fun miscellany. Then we examine the news of the next-generation of Spectre processor speculation flaws and what they mean for us. Our Picture of the Week Security News Update your Signal Desktop Apps for Windows & Linux A few weeks ago, Argentinian security researchers discovered a severe vulnerability in the Signal messaging app for Windows and Linux desktops that allows remote attackers to execute malicious code on recipient systems simply by sending a message—without requiring any user interaction. The vulnerability was accidentally discovered while researchers–amond them Juliano Rizzo–were chatting on Signal messenger and one of them shared a link of a vulnerable site with an XSS payload in its URL. However, the XSS payload unexpectedly got executed on the Signal desktop app!! (Juliano Rizzo was on the beach when the BEAST and CRIME attacks occurred to him.) After analyzing the scope of this issue by testing multiple XSS payloads, they found that the vulnerability resides in the function responsible for handling shared links, allowing attackers to inject user-defined HTML/JavaScript code via iFrame, image, video and audio tags.
  • Internet of Things Botnet Detection Approaches: Analysis and Recommendations for Future Research

    Internet of Things Botnet Detection Approaches: Analysis and Recommendations for Future Research

    applied sciences Systematic Review Internet of Things Botnet Detection Approaches: Analysis and Recommendations for Future Research Majda Wazzan 1,*, Daniyal Algazzawi 2 , Omaima Bamasaq 1, Aiiad Albeshri 1 and Li Cheng 3 1 Computer Science Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia; [email protected] (O.B.); [email protected] (A.A.) 2 Information Systems Department, Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia; [email protected] 3 Xinjiang Technical Institute of Physics & Chemistry Chinese Academy of Sciences, Urumqi 830011, China; [email protected] * Correspondence: [email protected] Abstract: Internet of Things (IoT) is promising technology that brings tremendous benefits if used optimally. At the same time, it has resulted in an increase in cybersecurity risks due to the lack of security for IoT devices. IoT botnets, for instance, have become a critical threat; however, systematic and comprehensive studies analyzing the importance of botnet detection methods are limited in the IoT environment. Thus, this study aimed to identify, assess and provide a thoroughly review of experimental works on the research relevant to the detection of IoT botnets. To accomplish this goal, a systematic literature review (SLR), an effective method, was applied for gathering and critically reviewing research papers. This work employed three research questions on the detection methods used to detect IoT botnets, the botnet phases and the different malicious activity scenarios. The authors analyzed the nominated research and the key methods related to them. The detection Citation: Wazzan, M.; Algazzawi, D.; methods have been classified based on the techniques used, and the authors investigated the botnet Bamasaq, O.; Albeshri, A.; Cheng, L.
  • Technical Brief P2P Iot Botnets Clean AC Font

    Technical Brief P2P Iot Botnets Clean AC Font

    Uncleanable and Unkillable: The Evolution of IoT Botnets Through P2P Networking Technical Brief By Stephen Hilt, Robert McArdle, Fernando Merces, Mayra Rosario, and David Sancho Introduction Peer-to-peer (P2P) networking is a way for computers to connect to one another without the need for a central server. It was originally invented for file sharing, with BitTorrent being the most famous P2P implementation. Decentralized file-sharing systems built on P2P networking have stood the test of time. Even though they have been used to share illegal pirated content for over 20 years, authorities have not been able to put a stop to these systems. Of course, malicious actors have used it for malware for quite a long time as well. Being able to create and manage botnets without the need for a central server is a powerful capability, mostly because law enforcement and security companies typically take down criminal servers. And since a P2P botnet does not need a central command-and-control (C&C) server, it is much more difficult to take down. From the point of view of defenders, this is the scariest problem presented by P2P botnets: If they cannot be taken down centrally, the only option available would be to disinfect each of the bot clients separately. Since computers communicate only with their own peers, the good guys would need to clean all the members one by one for a botnet to disappear. Originally, P2P botnets were implemented in Windows, but developers of internet-of-things (IoT) botnets do have a tendency to start incorporating this feature into their creations.
  • Internet Infrastructure Review Vol.34

    Internet Infrastructure Review Vol.34

    Internet Infrastructure Review Mar.2017 Vol. 34 Infrastructure Security Ursnif (Gozi) Anti-Analysis Techniques and Methods for Bypassing Them Technology Trends The Current State of Library OSes Internet Infrastructure Review March 2017 Vol.34 Executive Summary ............................................................................................................................ 3 1. Infrastructure Security .................................................................................................................. 4 1.1 Introduction ..................................................................................................................................... 4 1.2 Incident Summary ........................................................................................................................... 4 1.3 Incident Survey ...............................................................................................................................11 1.3.1 DDoS Attacks ...................................................................................................................................11 1.3.2 Malware Activities ......................................................................................................................... 13 1.3.3 SQL Injection Attacks ..................................................................................................................... 17 1.3.4 Website Alterations .......................................................................................................................
  • Evolution of Iot Attacks

    Evolution of Iot Attacks

    Evolution of IoT Attacks By 2025, there will be 41.6 billion connected IoT devices, generating 79 zettabytes (ZB) of data (IDC). Every Internet-connected “thing,” from power grids to smart doorbells, is at risk of attack. BLUETOOTH INDUSTRIAL MEDICAL Throughout the last few decades, cyberattacks against IoT devices have become more sophisticated, more common, and unfortunately, much BOTNET GENERIC IOT SMART HOME more effective. However, the technology sector has fought back, developing and implementing new security technologies to prevent and CAR INFRASTRUCTURE WATCH/WEARABLE protect against cyberattacks. This infographic shows how the industry has evolved with new technologies, protocols, and processes to raise the bar on cybersecurity. STUXNET WATER BMW MIRAI FITBIT SAUDI PETROL SILEX LINUX DARK NEXUS VIRUS UTILITY CONNECTED BOTNET VULNERABILITY CHEMICAL MALWARE BOTNET SYSTEM DRIVE SYSTEM PLANT ATTACK (SCADA) PUERTO UNIVERSITY UKRAINIAN HAJIME AMNESIA AMAZON PHILIPS HUE RICO OF MICHIGAN POWER VIGILANTE BOTNET RING HACK LIGHTBULB SMART TRAFFIC GRID BOTNET METERS LIGHTS MEDTRONIC GERMAN TESLA CCTV PERSIRAI FANCY SWEYNTOOTH INSULIN STEEL MODEL S BOTNET BOTNET BEAR VS. FAMILY PUMPS MILL HACK REMOTE SPORTS HACK HACKABLE HEART BASHLITE FIAT CHRYSLER NYADROP SELF- REAPER THINKPHP TWO MILLION KAIJI MONITORS BOTNET REMOTE CONTROL UPDATING MALWARE BOTNET EXPLOITATION TAKEOVER MALWARE First Era | THE AGE OF EXPLORATION | 2005 - 2009 Second Era | THE AGE OF EXPLOITATION | 2011 - 2019 Third Era | THE AGE OF PROTECTION | 2020 Security is not a priority for early IoT/embedded devices. Most The number of connected devices is exploding, and cloud connectivity Connected devices are ubiquitous in every area of life, from cyberattacks are limited to malware and viruses impacting Windows- is becoming commonplace.
  • Edge Computing in the Context of Open Manufacturing

    Edge Computing in the Context of Open Manufacturing

    Edge Computing in the Context of Open Manufacturing 01.07.2021 LEGAL DISCLAIMERS © 2021 Joint Development Foundation Projects, LLC, OMP Series and its contributors. All rights reserved. THESE MATERIALS ARE PROVIDED ”AS IS.” The parties expressly disclaim any warranties (express, implied, or otherwise), including implied warranties of merchantability, non- infringement, fitness for a particular purpose, or title, related tothe materials. The entire risk as to implementing or otherwise using the materials is assumed by the implementer and user. IN NO EVENT WILL THE PARTIES BE LIABLE TO ANY OTHER PARTY FOR LOST PROFITS OR ANY FORM OF INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER FROM ANY CAUSES OF ACTION OF ANY KIND WITH RESPECT TO THIS DELIVERABLE OR ITS GOVERNING AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND WHETHER OR NOT THE OTHER MEMBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 2 ACKNOWLEDGMENTS This document is a work product of the Open Manufacturing Platform – IoT Connectivity Working Group, chaired by Sebastian Buckel (BMW Group) and co-chaired by Dr. Veit Hammerstingl (BMW Group). AUTHORS Anhalt, Christopher, Dr. (Softing) Buckel, Sebastian (BMW Group) Hammerstingl, Veit, Dr. (BMW Group) Köpke, Alexander (Microsoft) Müller, Michael (Capgemini) Muth, Manfred (Red Hat) Ridl, Jethro (Reply) Rummel, Thomas (Softing) Weber Martins, Thiago, Dr. (SAP) FURTHER CONTRIBUTION BY Attrey, Kapil (Cognizant) Kramer, Michael (ZF) Krapp, Chiara (BMW Group) Krebs, Jeremy (Microsoft) McGrath, Daniel (Cognizant) Title Image by Possessed Photography from unsplash.com 3 Contents Contents 1 Introduction: The Importance of Edge Computing 5 2 Definition of Edge Computing 6 3 Reference Use Case 6 4 Views on Edge Computing 8 4.1 Infrastructural View .
  • Reporting, and General Mentions Seem to Be in Decline

    Reporting, and General Mentions Seem to Be in Decline

    CYBER THREAT ANALYSIS Return to Normalcy: False Flags and the Decline of International Hacktivism By Insikt Group® CTA-2019-0821 CYBER THREAT ANALYSIS Groups with the trappings of hacktivism have recently dumped Russian and Iranian state security organization records online, although neither have proclaimed themselves to be hacktivists. In addition, hacktivism has taken a back seat in news reporting, and general mentions seem to be in decline. Insikt Group utilized the Recorded FutureⓇ Platform and reports of historical hacktivism events to analyze the shifting targets and players in the hacktivism space. The target audience of this research includes security practitioners whose enterprises may be targets for hacktivism. Executive Summary Hacktivism often brings to mind a loose collective of individuals globally that band together to achieve a common goal. However, Insikt Group research demonstrates that this is a misleading assumption; the hacktivist landscape has consistently included actors reacting to regional events, and has also involved states operating under the guise of hacktivism to achieve geopolitical goals. In the last 10 years, the number of large-scale, international hacking operations most commonly associated with hacktivism has risen astronomically, only to fall off just as dramatically after 2015 and 2016. This constitutes a return to normalcy, in which hacktivist groups are usually small sets of regional actors targeting specific organizations to protest regional events, or nation-state groups operating under the guise of hacktivism. Attack vectors used by hacktivist groups have remained largely consistent from 2010 to 2019, and tooling has assisted actors to conduct larger-scale attacks. However, company defenses have also become significantly better in the last decade, which has likely contributed to the decline in successful hacktivist operations.
  • Malware Trends

    Malware Trends

    NCCIC National Cybersecurity and Communications Integration Center Malware Trends Industrial Control Systems Emergency Response Team (ICS-CERT) Advanced Analytical Laboratory (AAL) October 2016 This product is provided subject only to the Notification Section as indicated here:http://www.us-cert.gov/privacy/ SUMMARY This white paper will explore the changes in malware throughout the past several years, with a focus on what the security industry is most likely to see today, how asset owners can harden existing networks against these attacks, and the expected direction of developments and targets in the com- ing years. ii CONTENTS SUMMARY .................................................................................................................................................ii ACRONYMS .............................................................................................................................................. iv 1.INTRODUCTION .................................................................................................................................... 1 1.1 State of the Battlefield ..................................................................................................................... 1 2.ATTACKER TACTIC CHANGES ........................................................................................................... 2 2.1 Malware as a Service ...................................................................................................................... 2 2.2 Destructive Malware ......................................................................................................................
  • A Malicious Concept That Conquered the Elf Format

    A Malicious Concept That Conquered the Elf Format

    DDOS TROJAN: A MALICIOUS fl ooding tools) that provides an attacker with the possibility of forming a malicious botnet. The framework consists of C&C CONCEPT THAT CONQUERED panels, bot builders, installation scripts, port scanners, SSH THE ELF FORMAT brute-forcers, etc. In our paper we provide a survey of current Linux DDoS bots and we sketch a wider context of usage of Peter Kálnai & Jaromír Hořejší the above-mentioned components. This topic has been covered Avast Software, Czech Republic by many independent security researchers, e.g. the MalwareMustDie! group summarised their series of blogposts Email {kalnai, horejsi}@avast.com in [2]. The authors presented its early development in [21]. 2. COMMON CHARACTERISTICS ABSTRACT DDoS threats have been around ever since the Internet took 2.1 About the ELF format over half of global communications, posing the real problem of ELF is short for ‘Executable and Linkable Format’, which is a denial of access to online service providers. Recently, a new common standard format for executables under Unix systems. trend has emerged in non-Windows DDoS attacks that has been The instruction set architecture (ISA) of the binary is stored at induced by code availability, lack of security and an abundance the offset e_machine, and we refer to this parameter using the of resources. The attack infrastructure has undergone prefi x ‘EM_’. Unix systems power not only desktop and server signifi cant changes in structure, function and complexity. machines, but are also the main operating systems for Malware has evolved into complex and relatively sophisticated embedded devices. Although Intel 80386 (EM_386) and pieces of code, employing compression, advanced encryption AMD64 (EM_x86_64) ISAs are the most common for desktops and even rootkit capabilities.
  • Training & Conferences

    Training & Conferences

    WWW.ISSA - COS.ORG VOLUME 6 NUMBER 6 J U N E 2 0 1 7 Training & Conferences olleagues, Our first Security+ Exam Prep Review Seminar, held on April 1 and 8, was another Hard to believe, but we’re almost huge success – as it always is – thanks to C half-way through the year. Our the exceptional work by Susan Ross and our impressive team of volunteers has volunteer instructors. And our second dedicated much time and effort to bring a Security+ Seminar kicks off in just a few variety of events to our membership. This days! Each of these seminars provides a 12- chapter hosts a lot of amazing events, all hour comprehensive due to the efforts of our review of the CompTIA volunteers. Security+ exam material. Our first conference of A Note From Over 50 students the year, the Cyber Focus registered for these Day (CFD), was a huge Seminars! success! We had over 200 Our President We held eight people attend the one-day membership meetings, in conference, earning seven Jan, Feb, Apr, and May, continuing education units. four at lunchtime and four If you weren’t able to in the evening. If you attend CFD this year, you haven’t made it to our missed some great presen- monthly meetings, here’s tations! what you missed so far: Our Training Commit- tee held two Mini- By Ms. Colleen Murphy Airport Security, by Seminars, providing three Dr. Shawn Murray continuing education opportunities for each What Constitutes mini-seminar, with more Mini-Seminars on Reasonable Security?, by Mr.