Technical Analysis: Intelligent hardware worm threatens Internet security

Tags: domain name server, dnsmadeeasy

Review: The Internet of Things will pose a great challenge to network security. Future perception-layer devices will no longer be simple embedded devices but hosts with strong performance, yet their security is clearly nowhere near that of the hosts we use, so the potential harm is great.

Original address: http://www.freebuf.com/articles/terminal/55382.html

Reference:

Since December 10, DNS traffic across the global Internet has been abnormal. The Cloud Dike team (Damddos) quickly joined the analysis and response. The attack has been ongoing since the early hours of December 10 and is the longest-lasting DNS DDoS attack seen in recent years; the peak traffic monitored so far is nearly 100 million QPS (76.38Gbps).

Trace:

On December 10, during the period of the DNS outage, the 360 Network Defense Lab team was also following up on the issue. They first located the targets as *.arkhamnetwork.org and *.arkhamnetwork.com (an attack on the authoritative domain name servers of a game service provider; the provider eventually resolved the records to the content Fraud.ddos.go.away, effectively surrendering). The attack traffic reaching 360's recursive DNS cache was roughly 30000 QPS. The attack method was to issue resolution requests for domain names with random prefixes, causing a denial of service on the recursive resolvers.

Using the 360 big data security analysis visualization platform, the bot terminals resolving these domain names were identified; the attack is very obvious, and the attack method is very crude.

The image analysis below shows that the denial-of-service attack was aimed mainly at the two root domains *.arkhamnetwork.org and *.arkhamnetwork.com. Their two main DNS servers are ns11.dnsmadeeasy.com and ns12.dnsmadeeasy.com. Many bots, such as the IP 167.114.25.179, issued a large number of DNS denial-of-service requests against *.arkhamnetwork.org, leaving both nameservers unable to serve.
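The random-prefix query flood described in the two paragraphs above leaves a distinctive trace in recursive resolver logs: one client issuing many queries for unique, high-entropy labels under a single zone. The following detector is an added example, not code from the original article or from 360; the BIND-style log lines are constructed, and the thresholds (5 queries, 80% unique prefixes, 2.5 bits/char mean entropy) are assumed starting points to tune per resolver.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed sample query-log lines (BIND query-log style; not from the original article).
SAMPLE_LOG = """\
client 167.114.25.179#41023: query: q7x2kd9a.arkhamnetwork.org IN A
client 167.114.25.179#41024: query: zm4p1wte.arkhamnetwork.org IN A
client 167.114.25.179#41025: query: h3gy8nqr.arkhamnetwork.org IN A
client 167.114.25.179#41026: query: b9cvx2ls.arkhamnetwork.org IN A
client 167.114.25.179#41027: query: ke5ud7mz.arkhamnetwork.org IN A
client 192.0.2.10#53011: query: www.arkhamnetwork.org IN A
client 192.0.2.10#53012: query: www.arkhamnetwork.org IN AAAA
client 192.0.2.10#53013: query: mail.example.com IN MX
"""
LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def label_entropy(label):
    """Shannon entropy in bits per character; random prefixes score high, 'www' scores 0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values()) if n else 0.0

def split_qname(qname):
    """Return (leftmost label, zone), with the zone taken as the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return (labels[0] if len(labels) > 2 else ""), ".".join(labels[-2:])

def detect_random_prefix_flood(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=2.5):
    """Flag (client IP, zone) pairs issuing many queries for mostly unique, high-entropy
    prefixes under one zone: the signature of a random-prefix flood against a recursor."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "entropy": 0.0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query record
        prefix, zone = split_qname(m.group("qname"))
        s = stats[(m.group("ip"), zone)]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["entropy"] += label_entropy(prefix)
    flagged = {}
    for key, s in stats.items():
        ratio = len(s["prefixes"]) / s["queries"]
        mean_ent = s["entropy"] / s["queries"]
        if s["queries"] >= min_queries and ratio >= min_unique_ratio and mean_ent >= min_entropy:
            flagged[key] = {"queries": s["queries"], "unique_ratio": round(ratio, 2),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged

if __name__ == "__main__":
    for (ip, zone), info in detect_random_prefix_flood(SAMPLE_LOG.splitlines()).items():
        print(f"random-prefix flood from {ip} against {zone}: {info}")
```

The benign client querying www.arkhamnetwork.org repeatedly is not flagged, because its prefixes are neither unique nor high-entropy; a flagged (client, zone) pair is a candidate for rate limiting or upstream traffic cleaning rather than an automatic block.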

In-depth analysis showed that most of these IP addresses belong to routers, smart cameras and other devices. The attacker first obtains system privileges on these devices through remote command execution or weak passwords, then implants the worm. Once running, the worm's network activity consists of continuously scanning arbitrary class C ranges on port 23, using weak passwords to capture more smart hardware devices and so expand the number of nodes to generate greater attack traffic.

The process files spawned by the worm's network activity are shown below: the worm generates many new process files, each containing the instructions that process executes.

After execution, the worm writes malicious code under a random file name into a specified directory and deletes it again at runtime.

Fortunately, some malicious samples that had not been deleted were found, so the program could be downloaded for analysis.

The first thing to establish is that these malicious files are ELF executables, not scripts.

Static analysis of the sample file in IDA reveals some of the worm's task instructions and the address of the C2 server. There are also some C2 server IP addresses that indicate the state of the smart hardware. The current analysis identified two states: sleep and dildos.

Based on the key information obtained from reverse analysis, further evidence of the smart hardware worm's state was found, showing that this smart hardware was in the sleeping state.

In the sleeping state, the terminal only maintains a connection to the C2 server (23.227.173.210); it performs no scanning or infection tasks and no DoS attack tasks.

Program analysis of this smart hardware lets us summarize the worm's infection path. First, the attacker exploits smart hardware vulnerabilities to gain root privileges and execute the worm code. The C2 server waits for the smart hardware to come online; by default, infected smart hardware then automatically scans for other smart hardware and automatically exploits it so that the target becomes infected with the worm as well. The control program also has a sleeping state, in which it only keeps the connection to the C2 server alive and waits for commands, performing no network activity. Finally there is the dildos state, in which the attack is launched. The current static analysis results show only these states; future variants may well have more.

Harm

According to data from Cloud Dike, on December 10 the maximum traffic detected was nearly 100 million QPS (about 76.38Gbps). Combined with some foreign reports about this attack, the attack was launched from more than 1000 terminals. This number is already very frightening: if 10,000 such smart hardware devices were infected, the traffic would reach about 700G. Not to mention that vulnerabilities in smart cameras, routers and smart sockets keep appearing, and future shipments will multiply. So once smart hardware reaches a certain scale, its own security issues can pose a significant threat to the Internet. In fact, this extends the network battlefield into the domain of smart hardware.

Precautionary measures

This kind of malicious program is difficult to prevent, because most of it resides in the smart hardware's firmware system; the firmware lacks the environment that anti-virus software depends on, so complete removal is very difficult. Moreover, many users no longer manage these devices after the initial configuration is complete, which further increases the difficulty of cleanup.

1. Users should change the default passwords of their smart cameras, routers and other hardware, and follow the official update releases.
2. Manufacturers should strengthen security audits of firmware and evaluate smart hardware to ensure it has no information security issues before it is shipped; they should also follow security test results and vulnerability reports on smart hardware at home and abroad, and patch promptly when new vulnerabilities arise.
3. Relevant departments, operators and security companies should monitor these bots comprehensively and perform traffic cleaning at the carrier level when the bots launch large numbers of abnormal attacks; they should regularly sample and analyze changes in malicious bot versions and develop related removal scripts.
