임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트...

임베디드리눅스악성코드로본사물인터넷보안

2015.04.08

안랩시큐리티대응센터(ASEC) 분석팀

차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7) 책임연구원

© AhnLab, Inc. All rights reserved. 2

:~$apropos

• IoT

• Embedded Linux

• Home Network Devices

• 주요Embedded Linux 악성코드


:~$whoami

Profile

− 차민석 (車珉錫, CHA Minseok, Jacky Cha, mstoned7)

− 1988년 1월 7일 : Apple ][+ 복제품으로 컴퓨터 시작

− 1989년 : Brain virus 변형 감염

− 1997년 : AhnLab 입사

− AhnLab 책임 연구원 (Senior Antivirus Researcher)

− 시큐리티 대응센터(ASEC) 분석팀에서

악성코드 분석및 연구 중

- 민간합동 조사단, 사이버보안전문단

- AVED, AMTSO, vforum 멤버

- Wildlist Reporter

Contents

01

02

03

04

05

IoT 그리고 Embedded Linux

Home Network

Threat

주요악성코드

맺음말

01

IoT그리고Embedded Linux


IoT (Internet of Things)

• IoT

- 사람과사물, 사물과사물간정보를상호소통하는지능형기술및서비스

* Source : http://en.wikipedia.org/wiki/Internet_of_Things



• 활용분야

-

* Source : http://www.kpcb.com/blog/how-kleiner-perkins-invests-in-the-internet-of-things-picking-the-winners

© AhnLab, Inc. All rights reserved.


OS

Embedded

Linux

Windows

Android iOS

Contiki

Tizen

Riot

mbed



• Embedded Linux

-

* Source : http://en.wikipedia.org/wiki/Linux_on_embedded_systems



• Embedded Linux

- set top box, Home router, NAS 등

* Source : https://www.synology.com/ko-kr/products/

02

Home Network


Home Network

• Home Router

- 인터넷공유기, Wi-Fi Router, Wireless Router

* Source : http://en.wikipedia.org/wiki/Wireless_router


Home Network

Home Router

• Specification

- MIPS

-Embedded Linux

* Source : http://www.iptime.co.kr& http://www.netcheif.com/Reviews/BR-6478AC/PDF/8197D.pdf


Home Network

Network Attached Storage (NAS)

• Specification

- ARM, Intel 등

-Embedded Linux

* Source : https://www.qnap.com/i/en/product/model.php?II=122&event=2


Home Network

Embedded Linux

• Busybox

- 주요Linux 명령어를하나의파일에담음

* Source : http://www.busybox.net/


Home Network

Home Router

• Login

- 공장출시기본Login / password


Home Network

Home Router

• BusyBox

-


Home Network

Home Router

• cpuinfo

-


Home Network

•

* Source :

03

Threat


Threat

TV 드라마

• 해킹을통한살인

- 말기암환자가 자동차, POS, 엘리베이터를해킹해살해시도

* Source : CSI NewyorkSeason 6 Episode 2 (2009)


Threat

TV 드라마

• CSI Cyber

-

* Source : CSI Cyber Season 1 Episode 1 (2015)


Threat

사생활침해및정보유출

훔쳐 보기

개인 정보 유출

설정변경/데이터 조작

광고 노출

내부/통신데이터 조작

의료 기기는 큰 문제

Backdoor

주로 디버깅 목적

의도적으로 포함한다면 ?

악성코드

DDoS 공격

광고 노출/변경, 피싱 사이트 유도

Bitcoin 채굴 등

보안위협


Threat


• 사생활침해

- 도둑질에도악용가능

* Source http://abcnews.go.com/blogs/headlines/2013/08/baby-monitor-hacking-alarms-houston-parents/


Threat


• 사생활침해

-도둑질에도이용가능

* Source : https://blogs.rsa.com/wp-content/uploads/2014/12/point-of-sale-malware-backoff.pdf


Threat


• 사생활침해

-Baby monitors, CCTV cameras, webcams

* Source : http://www.independent.co.uk/life-style/gadgets-and-tech/baby-monitors-cctv-cameras-and-webcams-from-uk-homes-and-businesses-

hacked-and-uploaded-onto-russian-website-9871830.htmlparents/


Threat

설정변경및데이터조작

• 인터넷공유기DNS 주소변경

- 인터넷공유기보안취약점이용해DNS 주소변경해유명사이트접속할때가짜웹사이트유도


Threat


• 인터넷공유기DNS 주소변경

- 인터넷공유기허점이용해악성코드감염시도

* source : http://www.krcert.or.kr/kor/data/secNoticeView.jsp?p_bulletin_writing_sequence=20950


Threat


• Sality

- Salityvirus가primary DNS 변경하는Rbrute설치

* Source : http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute29


Threat


• Ad-Fraud

- DNS 설정변경해다른광고보여줌

* Source : http://aralabs.com/blog/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics/


Threat


• sinology 사의NAS 취약점공격

- DSM 4.3-3810 or earlier 취약점이용해내부보관파일암호화후돈요구 ransomware등장

* source : http://www.synology.com/en-us/company/news/article/470


Threat

악성코드

• Home Router 이용한DDoS공격

-2014년11월과12월Lizard Squad 의Microsoft’s Xbox live, Sony PlayStation Network 공격

* Source : http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers


Threat

악성코드

• Lizard Stresser

-Home Router 를악성코드감염시켜DDoS공격에활용

-49.99 $, 299.99 $, 1139.99 $

* Source : http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/


Threat

Vulnerability

• Misfortune Cookie (CVE-2014-9222)

- SOHO router 취약점

* Source : http://mis.fortunecook.ie/

04

주요악성코드


Timeline

2009

Aidra

Gafgyt

(Fgt)Uteltend (Knb,

Chuck Norris)

2010 20122008 2013 2014 2015

Darlloz

Uteltend (Knb,

Chuck Norris 2)Psybot Themoon Moose

Baswool

2011

Hydra

Shellshock

Qnap NAS

worm


Hydra

• Hydra

-2011년4월공개된 IRCbot

-2008년부터underground forums에서존재

-D-Link 장비취약점이용

* Source : http://baume.id.au/psyb0t/PSYB0T.pdf


Psybot

• Psybot

- 2009년1월Terry Baume 발견

* Source : http://baume.id.au/psyb0t/PSYB0T.pdf


Psybot

• Psybot

- 첫 in the wild. DDoS공격에이용

* Source : http://www.dronebl.org/blog/8


Uteltend (Chuck Norris, Knb)

• Chuck Norris Botnet

-2009년말Czech Masaryk 대학에서발견

-MIPS Linux IRCbot

-TELNET brute force attack

* Source : http://www.muni.cz/research/projects/4622/web/chuck_norris._botnet



• Chuck Norris Botnet

-Source code 내이탈리아어 ‘[R]anger Killato: in nomedi Chuck Norris!’ 존재

- knb-mipsUPX 해제하면 ‘KnbKeep nick bot 0.2.2’ 문자열존재



• 파일구성

- 설정파일

- IRC Bot + DDoS공격도구

-password


Aidra (Lightaidra)

• 악성 IRCbot

- 2012년2월발견. 국내에도감염보고

-DDoS공격

* Source : http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/


Aidra (Lightaidra)

getbinaries.sh /

gb.sh

ARM MIPS MIPSELPower

PCSuperH script


Aidra (Lightaidra)

• Aidra vs Darlloz

- 경쟁관계인Darlloz제거기능 추가

* Source : http://now.avg.com/war-of-the-worms/


Darlloz (Zollard)

• Darlloz

-2013년10월발견된 Internet of Things감염worm

-x86, MIPS, ARM, PowerPC 감염

-가상화폐채굴기능추가

* source : http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency


Darlloz (Zollard)

• 감염

-전세계31,000 대시스템감염추정

-국내시스템이전체감염중17 % 차지

* source : http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency


Darlloz (Zollard)

script

armeabi

arm

Power PC

MIPS

mipsel

x86


Darlloz (Zollard)

• Darlloz

-PHP 취약점php-cgi Information Disclosure Vulnerability (CVE-2012-1823) 이용

- router, set-top boxes 암호추측 : dreambox, vizxv, stemroot, sysadmin, superuser, 1234, 12345, 1111, smcadmin


Darlloz (Zollard)

• Darlloz

- 시스템에맞는cpuminer 다운로드후설치해Mincoins, Dogecoins, Bitcoins 등가상화폐채굴


Themoon

• Themoon

- 2014년2월13일발견

-Linksys Home router 취약점이용해감염

* Source :https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633


Themoon

• Themoon

- Strings


Themoon

• Themoon

- 포함된PNG 이미지


Gafgyt (Bashlite.SMB, Fgt)

• Gafgyt (Bashlite.SMB, Fgt)

-최소2014년8월부터존재

-2014년9월Shellshock (CVE-2014-6271) 취약점이용해퍼지기도함

-Home Router, NAS 등감염

-2014년말Lizard Squad에서Xbox Live 와PlayStation Network DDoS공격에이용해유명해짐

-2015년1월Source code 공개되어변종발생중




- Trend Micro에서BusyBox이용한Bashlite로소개

* Source : http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox&

http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987




- Dr. Web 정보공개

* Source : https://news.drweb.com/show/?i=7092&lng=en



• Source Code 공개

- server, client 모두공개



• 기능

* Source : http://vms.drweb.com/virus/?i=4242198



• bin.sh

* Source : http://vms.drweb.com/virus/?i=4242198


Moose

• Moose

- 최소2014년10월부터활동시작한BitCoin채굴

-ARM, MIPS 버전존재

-국내Home Router 에서도발견


Baswool

• Baswool

- 2014년11월국내발견확인

-Bashwoop(Powbot) 과유사


Baswool

• 변형

- Virustotal에2014년12월9일최초접수

-주요문자열암호화

* md5 : 331596b415ce2228e596cda400d8bfd2

05

맺음말


Wrap up

• 악성코드

- 2008년이전부터공격이진행중이었지만우리는너무몰랐네…

-유명악성코드의Source Code 공개로다양한변종출현예상

-Embedded Linux 외다른OS 에도악성코드등장예상

-사물인터넷시대에는컴퓨터악성코드보다더문제될수있음

• Challenge !

- ARM, MIPS …

-Embedded Linux

-기기특성

-Hardware debugging 등


현재문제점

Antivirus 부재

• Antivirus를포함한별다른보안프로그램없음

• 특성상백신및전용백신배포어려움

• 현재사용자가직접설치해야함

악성코드제거

• 재부팅(하지만재감염)혹은수동제거

• 가정방문해제거 ?!

Firmware Update

• 사용자가직접업데이트

• 얼마나많은사람이Firmware Update 를 ?

• 자동 firmware update ?

• 제조업체의보안 ?


예방

예방

Loin password

변경

최신Firmware

Update

설정변경(외부접근금지

등)


정부대책

• 미래부인터넷공유기보안강화발표

-2015년6월 : 인터넷공유기의실시간모니터링시스템구축

-2015년7월 : 공유기보안업데이트체계구축·운영

* Source : http://www.ddaily.co.kr/news/article.html?no=127945


현실

• Smart Home 분석

-온도조절장치, 스마트잠금장치, 스마트전구, 스마트연기감지기, 스마트에너지관리기기, 스마트허브등50 가

지분석

* Source : http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom


현실

• 계속발견되는취약점

-

* Source : https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2


현실

• 계속발견되는취약점

-

* Source : https://beyondbinary.io/advisory/seagate-nas-rce


현실

• 편리하면좋지그런데보안은?!

-

* Source : http://www.fnnews.com/news/201503271743343137


현실

• 다가오는 IoT시대편리하면좋지그런데보안은?!

-

* Source : google

Security


현재의보안문제

• Not really a fair fight

* source : http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png


현재의보안문제

• 모두가함께해야하는보안

* source : http://www.security-marathon.be/?p=1786


Q&A

email : [email protected] / [email protected]

http://xcoolcat7.tistory.com

https://twitter.com/xcoolcat7, https://twitter.com/mstoned7


Reference

• Marta Janus/Kaspersky, ‘Heads of the Hydra. Malware for Network Devices’ , 2011

(http://securelist.com/analysis/36396/heads-of-the-hydra-malware-for-network-

devices/?replyto=15081&tree=0)

• Marta Janus/Kaspersky, ‘State of play: network devices facing bulls-eye’, 2014

(http://securelist.com/blog/research/67794/state-of-play-network-devices-facing-bulls-eye)

• 손기종/공유기공격사례를통한사물인터넷기기보안위협, 2015

• 장영준/Samsung (Personal Communication)

• 류소준 (Ryu Sojun)/KISA (Personal Communication)

• 신동은 (Shin Dongeun)/KISA (Personal Communication)

• 조인중 (Cho Injoong)/SK Broadband (Personal Communication)

• ganachoco(Personal Communication)

D E S I G N Y O U R S E C U R I T Y

임베디드 리눅스 악성코드로 본 사물인터넷 보안 차민석 20150406_코드게이트...

Technology