Marion Marschalek speaks about Linux and Internet of Things malware.
Occasionally we see samples coming out of our pipeline that do not fit the usual stream of malware, such as clickjackers, banking Trojans and spybots. These exotic creatures are dedicated to platforms other than the Windows operating system. While they make up a significantly smaller portion than the load of Windows malware, Cyphort Labs has registered a rise in Linux and Internet of Things (IoT) malware. A number of different families have been seen. But what is their level of sophistication and the associated risk? This webinar provides an overview of the Linux and IoT malware that Cyphort Labs has spotted in the wild and gives an insight into the development of these threats and the direction they are taking.
4. Agenda
o Linux & IoT in the spotlight
o Cyphort Lab’s in-the-wild spottings
o Status of Linux & IoT malware
5. Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
o We enhance malware detection accuracy
  o False positives/negatives
  o Deep-dive research
o We work with the security ecosystem
  o Contribute to and learn from malware KB
  o Best of 3rd party threat data
11. ESPIONAGE GOES LINUX
Turla's Linux component
o Suspected to be Russian government malware
o Active since 2008
o Linux component uncovered 2014
o Backdoor capabilities & stealthy C&C communication
12. LINUX MARKET SHARES
o Linux on desktop systems under 5%
o Public servers ~36%
o Mainframes >96%
o Embedded systems ~30%
13. INDUSTRIAL CONTROL SYSTEMS UNDER ATTACK
Havex on industrial espionage
o Enumerates network resources through the Windows API
o OPC – OLE for Process Control
o ICS spy:
  o Network entities' UNC paths
  o Thereof, OPC servers
  o Server version
  o OPC version support
  o etc.
14. BROADENING THE ATTACK SURFACE
More devices, more attack vectors
IoT compromises
o Hacked baby monitors and CCTV cameras in the UK
o Smart meters vulnerable to attacks, could harm the national power network
o 'Spike' botnet runs DoS attacks from IoT devices
Linux risks
o Servers and critical infrastructure based on Unix distributions
o Webservers as entry point to the corporate network
o Major flaws in legacy open source software show the vulnerability of Linux systems
16. CYPHORT LAB'S IN-THE-WILD ENCOUNTERS
o Mayday | 10:2014
o Sotdas | 10:2014
o Snessik | 10:2014
o Ganiw | 10:2014
o SSHb | 11:2014
o Darlloz | 12:2014
o Zendran | 12:2014
17. LINUX.MAYDAY
o DDoS bot with task scheduler
o Comes packed with UPX
o C++ binary including object information
o Contains a logger class for categories: INFO, DEBUG, FATAL and WARNING
18. LINUX.GANIW
o Backdoor / DDoS bot
o Exfiltrates the following information:
  o OS name and version
  o System's MAC address
  o Amount of RAM
  o Number of network interfaces
  o CPU usage and frequency
o Calculates stats on the attacks it performs
o Kills instances of malware already present
19. LINUX.SOTDAS
o DDoS bot, no binary protection
o Target URL downloaded from C&C
o The following methods are supported:
  o UDP flood
  o TCP flood
  o SYN flood
  o DNS flood
  o DIY with custom-built TCP and HTTP packets
o Shuts down iptables, SuSEfirewall2 or ebtables services
20. LINUX.SNESSIK
o Backdoor / DDoS bot
o Spawns shells to execute commands from its botmaster
o Uses curl for file up-/download
o Data exchanged with C&C is BASE64 & XOR encoded
o The binary contains HTTP headers for US English and Chinese
22. IoT WORM DARLLOZ
o Targets Linux distributions on routers, security cameras & gaming systems
o Spreads by brute-forcing telnet logins or by exploiting PHP vulnerability CVE-2012-1823
o Cross compiled for:
o arm
o ppc
o mipsel
o mips
o x86
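The CVE-2012-1823 spread vector named above leaves a recognisable trace in web-server logs: php-cgi received a query string with no raw '=' (so the CGI layer handed it over as command-line arguments) whose first token is a switch. The following is an added example, not code from the webinar or from Cyphort: a Python scanner over constructed Apache access-log lines (addresses, timestamps and paths are made up) that flags such requests.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common Apache format (not real traffic)
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2014:10:01:02 +0000] "GET /index.php?-s HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2014:10:01:05 +0000] "POST /cgi-bin/php?%2Dd+display_errors%3DOn HTTP/1.1" 200 2048
198.51.100.4 - - [12/Dec/2014:10:02:00 +0000] "GET /index.php?id=-5 HTTP/1.1" 200 3072
198.51.100.4 - - [12/Dec/2014:10:02:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024
"""

# src, timestamp, method and request target from a common-log-format line
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) '
)


def is_php_cgi_arg_injection(target: str) -> bool:
    """A query string without a raw '=' is passed to a CGI binary as argv (split on '+',
    each token percent-decoded); php-cgi then parsed a leading '-x' token as a switch
    (CVE-2012-1823).  Flag the request if its first query token looks like a switch."""
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    if "=" in query:  # raw '=' means form data, never argv: benign values like id=-5
        return False
    first = unquote(query.split("+", 1)[0])
    return re.match(r"^-[A-Za-z]", first) is not None


def scan_log(text: str) -> list:
    """Return (src, method, target) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_php_cgi_arg_injection(m["target"]):
            hits.append((m["src"], m["method"], m["target"]))
    return hits


if __name__ == "__main__":
    for src, method, target in scan_log(SAMPLE_LOG):
        print("CVE-2012-1823 pattern from %s: %s %s" % (src, method, target))
```

The percent-decoding step matters because an encoded dash (`%2D`) is still a dash by the time php-cgi sees it.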
23. IoT BOT ZENDRAN
o DDoS bot based on the IRC-based scanner Lightaidra
o Cross-compiled for x86, x64, PPC, MIPS, MIPSEL, ARM and SuperH
o Comes packed with UPX
o Communicates with C&C via IRC
o 2 stages:
  o Downloader script
  o Platform-specific binary
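Both Darlloz and Zendran ship one binary per architecture, so a first triage step over such a sample set is reading the ELF header rather than running anything. Added example, not code from the webinar or from Cyphort: a Python helper that labels an ELF blob by its class, byte order and e_machine field (distinguishing mips from mipsel by endianness, as the slides do) and checks for the 'UPX!' marker that packed binaries such as Mayday and Zendran carry; the sample headers are constructed, not real malware.

```python
import struct
from typing import Dict, Optional, Tuple

# e_machine values from the ELF specification for the architectures named on the slides
EM_NAMES = {3: "x86", 62: "x64", 20: "ppc", 8: "mips", 40: "arm", 42: "superh"}


def elf_arch(data: bytes) -> Optional[str]:
    """Label an ELF blob by architecture, or return None if it is not ELF.
    Little-endian MIPS is reported as 'mipsel', matching the naming on the slides."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]  # class: 1=32-bit, 2=64-bit; data: 1=LE, 2=BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine sits at offset 18
    name = EM_NAMES.get(e_machine)
    if name is None:
        return "unknown(e_machine=%d)" % e_machine
    return "mipsel" if (name == "mips" and ei_data == 1) else name


def is_upx_packed(data: bytes) -> bool:
    """UPX leaves a 'UPX!' marker in the packed file: a cheap triage hint, not proof."""
    return b"UPX!" in data


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed minimal 64-byte ELF header for the demo (not a real sample)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack(endian + "HH", 2, e_machine) + b"\x00" * 44


def triage(samples: Dict[str, bytes]) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map each sample name to (architecture label, UPX marker present)."""
    return {name: (elf_arch(blob), is_upx_packed(blob)) for name, blob in samples.items()}


# Constructed sample set mirroring the architecture lists on the slides
SAMPLES = {
    "bot.arm": make_header(1, 1, 40),
    "bot.mips": make_header(1, 2, 8),
    "bot.mipsel": make_header(1, 1, 8),
    "bot.ppc": make_header(1, 2, 20),
    "bot.x86": make_header(1, 1, 3),
    "bot.x64": make_header(2, 1, 62),
    "bot.sh4": make_header(1, 1, 42),
    "bot.x86.upx": make_header(1, 1, 3) + b"UPX!",
    "notes.txt": b"just a text file",
}

if __name__ == "__main__":
    for name, (arch, packed) in triage(SAMPLES).items():
        print("%-12s arch=%s upx=%s" % (name, arch, packed))
```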
25. EXOTIC CREATURE'S FEATURES
o Unprotected binaries
o Low evasiveness
o Lack of stealth
o Binaries coming with symbols
o A lot of source code re-use
o Low AV detection
o Consistently low default security for Linux & IoT
o Easy prey for attackers
o Rising number of infections
26. REMEDIES
1. Network focussed security
2. Reviewing security settings of devices / machines
3. Regular updates and patches, where applicable
4. Network segmentation to counter lateral movement
27. Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
30. FURTHER READING
o Havex attacks Industrial Control Systems
http://www.cyphort.com/windows-meets-industrial-control-systems-ics-havex-rat-spells-security-risks-2/
o Baby monitors hacked in UK homes
http://www.independent.co.uk/life-style/gadgets-and-tech/baby-monitors-cctv-cameras-and-webcams-from-uk-homes-and-businesses-hacked-and-uploaded-onto-russian-website-9871830.html
o Smart meters vulnerable to attack
http://securityaffairs.co/wordpress/29353/security/smart-meters-hacking.html
o Spike botnet runs DoS attacks from IoT devices
http://securityaffairs.co/wordpress/28642/cyber-crime/spike-botnet-runs-ddos.html