IoT Security Seen Through Embedded Linux Malware, Cha Minseok, 20150406_Codegate...
TRANSCRIPT
IoT Security Seen Through Embedded Linux Malware
2015.04.08
AhnLab Security Emergency response Center (ASEC), Analysis Team
CHA Minseok (차민석, 車珉錫, Jacky Cha, mstoned7), Senior Researcher
© AhnLab, Inc. All rights reserved. 2
:~$ apropos
• IoT
• Embedded Linux
• Home Network Devices
• Major embedded Linux malware
:~$ whoami
Profile
− CHA Minseok (차민석, 車珉錫, Jacky Cha, mstoned7)
− 7 January 1988: started computing on an Apple ][+ clone
− 1989: infected by a Brain virus variant
− 1997: joined AhnLab
− Senior Antivirus Researcher at AhnLab
− Analyzing and researching malware in the Security Emergency response Center (ASEC) Analysis Team
− Member of the public-private joint investigation team and the cyber security expert group
− Member of AVED, AMTSO, vforum
− Wildlist Reporter
Contents
01 IoT and Embedded Linux
02 Home Network
03 Threat
04 Major Malware
05 Closing Remarks
01 IoT and Embedded Linux
IoT (Internet of Things)
• IoT
- Intelligent technologies and services in which people and things, and things and things, exchange information with one another
* Source : http://en.wikipedia.org/wiki/Internet_of_Things
IoT (Internet of Things)
• Application areas
- (figure)
* Source : http://www.kpcb.com/blog/how-kleiner-perkins-invests-in-the-internet-of-things-picking-the-winners
IoT (Internet of Things)
• OS (figure): Embedded Linux, Windows, Android, iOS, Contiki, Tizen, Riot, mbed
IoT (Internet of Things)
• Embedded Linux
- (figure)
* Source : http://en.wikipedia.org/wiki/Linux_on_embedded_systems
IoT (Internet of Things)
• Embedded Linux
- Set-top boxes, home routers, NAS, etc.
* Source : https://www.synology.com/ko-kr/products/
02 Home Network
Home Network
• Home Router
- Internet sharing router (the common Korean term), Wi-Fi router, wireless router
* Source : http://en.wikipedia.org/wiki/Wireless_router
Home Network
Home Router
• Specification
- MIPS
- Embedded Linux
* Source : http://www.iptime.co.kr & http://www.netcheif.com/Reviews/BR-6478AC/PDF/8197D.pdf
Home Network
Network Attached Storage (NAS)
• Specification
- ARM, Intel, etc.
- Embedded Linux
* Source : https://www.qnap.com/i/en/product/model.php?II=122&event=2
Home Network
Embedded Linux
• Busybox
- Packs the major Linux commands into a single executable file
* Source : http://www.busybox.net/
Home Network
Home Router
• Login
- Factory default login / password
Home Network
Home Router
• BusyBox
- (screenshot)
Home Network
Home Router
• cpuinfo
- (screenshot)
Home Network
(image-only slide)
03 Threat
Threat
TV drama
• Murder by hacking
- A terminal cancer patient hacks a car, a POS terminal and an elevator in an attempt to kill
* Source : CSI New York Season 6 Episode 2 (2009)
Threat
TV drama
• CSI Cyber
- (figure)
* Source : CSI Cyber Season 1 Episode 1 (2015)
Threat
Security threats (figure)
• Privacy invasion and information leakage
- Snooping
- Personal information leakage
- Settings change / data manipulation
- Ad exposure
- Internal / communication data manipulation
- Medical devices are a major concern
• Backdoor
- Mostly left in for debugging purposes
- What if it is included deliberately?
• Malware
- DDoS attacks
- Ad display/replacement, redirection to phishing sites
- Bitcoin mining, etc.
Threat
Privacy invasion and information leakage
• Privacy invasion
- Can also be abused for burglary
* Source : http://abcnews.go.com/blogs/headlines/2013/08/baby-monitor-hacking-alarms-houston-parents/
Threat
Privacy invasion and information leakage
• Privacy invasion
- Can also be used for theft
* Source : https://blogs.rsa.com/wp-content/uploads/2014/12/point-of-sale-malware-backoff.pdf
Threat
Privacy invasion and information leakage
• Privacy invasion
- Baby monitors, CCTV cameras, webcams
* Source : http://www.independent.co.uk/life-style/gadgets-and-tech/baby-monitors-cctv-cameras-and-webcams-from-uk-homes-and-businesses-hacked-and-uploaded-onto-russian-website-9871830.html
Threat
Settings change and data manipulation
• Home router DNS address change
- Exploits a home router vulnerability to change the DNS address, so that visits to well-known sites are redirected to fake websites
Threat
Settings change and data manipulation
• Home router DNS address change
- Attempts to infect users with malware by exploiting home router weaknesses
* Source : http://www.krcert.or.kr/kor/data/secNoticeView.jsp?p_bulletin_writing_sequence=20950
Threat
Settings change and data manipulation
• Sality
- The Sality virus installs Rbrute, which changes the router's primary DNS
* Source : http://www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute
Threat
Settings change and data manipulation
• Ad-Fraud
- Changes the DNS settings to show different advertisements
* Source : http://aralabs.com/blog/2015/03/25/ad-fraud-malware-hijacks-router-dns-injects-ads-via-google-analytics/
Threat
Settings change and data manipulation
• Attack on a Synology NAS vulnerability
- Ransomware appeared that exploits a vulnerability in DSM 4.3-3810 or earlier, encrypts the files stored on the device and demands money
* Source : http://www.synology.com/en-us/company/news/article/470
Threat
Malware
• DDoS attacks using home routers
- Lizard Squad attacks on Microsoft's Xbox Live and Sony PlayStation Network in November and December 2014
* Source : http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers
Threat
Malware
• Lizard Stresser
- Infects home routers with malware and uses them for DDoS attacks
- $49.99, $299.99, $1139.99
* Source : http://krebsonsecurity.com/2015/01/lizard-stresser-runs-on-hacked-home-routers/
Threat
Vulnerability
• Misfortune Cookie (CVE-2014-9222)
- SOHO router vulnerability
* Source : http://mis.fortunecook.ie/
04 Major Malware
Timeline 2008–2015 (figure; year placement lost in extraction): Hydra, Psybot, Uteltend (Knb, Chuck Norris), Uteltend (Knb, Chuck Norris 2), Aidra, Darlloz, Themoon, Gafgyt (Fgt), Shellshock, Qnap NAS worm, Moose, Baswool
Hydra
• Hydra
- IRC bot made public in April 2011
- Present on underground forums since 2008
- Exploits a D-Link device vulnerability
* Source : http://baume.id.au/psyb0t/PSYB0T.pdf
Psybot
• Psybot
- Discovered by Terry Baume in January 2009
* Source : http://baume.id.au/psyb0t/PSYB0T.pdf
Psybot
• Psybot
- First seen in the wild; used for DDoS attacks
* Source : http://www.dronebl.org/blog/8
Uteltend (Chuck Norris, Knb)
• Chuck Norris Botnet
- Discovered at Masaryk University, Czech Republic, in late 2009
- MIPS Linux IRC bot
- Telnet brute-force attack
* Source : http://www.muni.cz/research/projects/4622/web/chuck_norris._botnet
Uteltend (Chuck Norris, Knb)
• Chuck Norris Botnet
- The source code contains the Italian string '[R]anger Killato: in nome di Chuck Norris!'
- Unpacking knb-mips with UPX reveals the string 'Knb Keep nick bot 0.2.2'
Uteltend (Chuck Norris, Knb)
• File composition
- Configuration file
- IRC bot + DDoS attack tool
- Password file
Aidra (Lightaidra)
• Malicious IRC bot
- Discovered in February 2012; infections also reported in Korea
- DDoS attacks
* Source : http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/
Aidra (Lightaidra)
• Payload variants fetched by getbinaries.sh / gb.sh (figure): ARM, MIPS, MIPSEL, PowerPC, SuperH, script
Aidra (Lightaidra)
• Aidra vs Darlloz
- Added a function to remove the rival Darlloz
* Source : http://now.avg.com/war-of-the-worms/
Darlloz (Zollard)
• Darlloz
- Internet of Things worm discovered in October 2013
- Infects x86, MIPS, ARM, PowerPC
- Cryptocurrency mining function added
* Source : http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency
Darlloz (Zollard)
• Infections
- An estimated 31,000 systems infected worldwide
- Korean systems account for 17 % of all infections
* Source : http://www.symantec.com/connect/blogs/iot-worm-used-mine-cryptocurrency
Darlloz (Zollard)
• Payload variants (figure): script, armeabi, arm, PowerPC, MIPS, mipsel, x86
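As an added example, not code from the talk, here is a Python triage helper for the kind of per-architecture payload set that Aidra's getbinaries.sh and the Darlloz loader script drop: it reads the ELF header to report bitness, endianness and machine (distinguishing mips from mipsel by EI_DATA, as the two payload names do) and flags the UPX marker seen on the knb-mips sample. The sample headers are constructed for the demo, not real malware.

```python
import struct

# e_machine values from the ELF specification (only the ones relevant here)
E_MACHINE = {
    0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
    0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64",
}

def triage_elf(data: bytes) -> dict:
    """Classify one ELF blob from its header; raise ValueError if it is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]        # 1/2 = 32/64-bit, 1/2 = LE/BE
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("bad EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    name = E_MACHINE.get(e_machine, f"unknown(0x{e_machine:02x})")
    # Aidra/Darlloz ship separate "mips" and "mipsel" payloads: same e_machine,
    # different byte order, so the distinction has to come from EI_DATA.
    if e_machine == 0x08:
        name = "mipsel" if ei_data == 1 else "mips"
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": name,
        "e_type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
        "upx_marker": b"UPX!" in data,          # crude packer hint, as with knb-mips
    }

def make_header(ei_class: int, ei_data: int, e_machine: int, e_type: int = 2) -> bytes:
    """Constructed minimal ELF header (sample input only, not a runnable binary)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(endian + "HHI", e_type, e_machine, 1)

# Constructed samples mirroring the payload names on the slides
SAMPLES = {
    "mips":   make_header(1, 2, 0x08),
    "mipsel": make_header(1, 1, 0x08),
    "arm":    make_header(1, 1, 0x28),
    "ppc":    make_header(1, 2, 0x14),
    "sh":     make_header(1, 1, 0x2A),
    "x86":    make_header(1, 1, 0x03),
    "knb-mips-upx": make_header(1, 2, 0x08) + b"\x00" * 8 + b"UPX!",
}

def triage_all(samples=SAMPLES) -> dict:
    return {name: triage_elf(blob) for name, blob in samples.items()}

if __name__ == "__main__":
    for name, info in triage_all().items():
        print(f"{name:14} {info['machine']:8} {info['endian']:6} {info['bits']}-bit upx={info['upx_marker']}")
```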
Darlloz (Zollard)
• Darlloz
- Exploits the PHP vulnerability php-cgi Information Disclosure Vulnerability (CVE-2012-1823)
- Password guessing against routers and set-top boxes: dreambox, vizxv, stemroot, sysadmin, superuser, 1234, 12345, 1111, smcadmin
Darlloz (Zollard)
• Darlloz
- Downloads and installs the cpuminer build matching the system to mine cryptocurrencies such as Mincoins, Dogecoins and Bitcoins
Themoon
• Themoon
- Discovered on 13 February 2014
- Infects by exploiting a Linksys home router vulnerability
* Source : https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633
Themoon
• Themoon
- Strings (screenshot)
Themoon
• Themoon
- Embedded PNG image
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB, Fgt)
- Present since at least August 2014
- In September 2014 it also spread by exploiting the Shellshock vulnerability (CVE-2014-6271)
- Infects home routers, NAS, etc.
- Became well known at the end of 2014 when Lizard Squad used it for the Xbox Live and PlayStation Network DDoS attacks
- Source code released in January 2015; variants are appearing
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB, Fgt)
- Introduced by Trend Micro as Bashlite, affecting devices running BusyBox
* Source : http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox & http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987
Gafgyt (Bashlite.SMB, Fgt)
• Gafgyt (Bashlite.SMB, Fgt)
- Information disclosed by Dr. Web
* Source : https://news.drweb.com/show/?i=7092&lng=en
Gafgyt (Bashlite.SMB, Fgt)
• Source code release
- Both server and client released
Gafgyt (Bashlite.SMB, Fgt)
• Features (figure)
* Source : http://vms.drweb.com/virus/?i=4242198
Gafgyt (Bashlite.SMB, Fgt)
• bin.sh (figure)
* Source : http://vms.drweb.com/virus/?i=4242198
Moose
• Moose
- Bitcoin miner active since at least October 2014
- ARM and MIPS versions exist
- Also found on home routers in Korea
Baswool
• Baswool
- Confirmed found in Korea in November 2014
- Similar to Bashwoop (Powbot)
Baswool
• Variant
- First submitted to VirusTotal on 9 December 2014
- Major strings are encrypted
* md5 : 331596b415ce2228e596cda400d8bfd2
05 Closing Remarks
Wrap up
• Malware
- Attacks had been under way since before 2008, but we knew far too little…
- With the source code of well-known malware now public, many variants are expected
- Malware is expected to appear on OSes other than embedded Linux as well
- In the IoT era this may become a bigger problem than PC malware
• Challenge !
- ARM, MIPS …
- Embedded Linux
- Device-specific characteristics
- Hardware debugging, etc.
Current problems
No antivirus
• No security software of any kind, antivirus included
• Because of the nature of the devices, distributing antivirus or dedicated removal tools is difficult
• At present the user has to install it themselves
Malware removal
• Reboot (but reinfection follows) or manual removal
• Visit every home to remove it ?!
Firmware Update
• The user has to update it themselves
• How many people actually update their firmware ?
• Automatic firmware updates ?
• Security on the manufacturer's side ?
Prevention
• Change the login password
• Update to the latest firmware
• Change the settings (block external access, etc.)
Government measures
• The Ministry of Science, ICT and Future Planning announced stronger home router security
- June 2015 : build a real-time monitoring system for home routers
- July 2015 : build and operate a home router security update system
* Source : http://www.ddaily.co.kr/news/article.html?no=127945
Reality
• Smart Home analysis
- 50 devices analyzed: thermostats, smart locks, smart bulbs, smart smoke detectors, smart energy management devices, smart hubs, etc.
* Source : http://www.symantec.com/connect/blogs/iot-smart-home-giving-away-keys-your-kingdom
Reality
• Vulnerabilities keep being discovered
- (figure)
* Source : https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2
Reality
• Vulnerabilities keep being discovered
- (figure)
* Source : https://beyondbinary.io/advisory/seagate-nas-rce
Reality
• Convenience is nice, but what about security?!
- (figure)
* Source : http://www.fnnews.com/news/201503271743343137
Reality
• The coming IoT era: convenience is nice, but what about security?!
- (figure)
* Source : google
Security
Today's security problem
• Not really a fair fight
* Source : http://image-store.slidesharecdn.com/81268b95-5c3b-4604-9129-d83ab3dc4600-large.png
Today's security problem
• Security is something everyone has to do together
* Source : http://www.security-marathon.be/?p=1786
Q&A
email : [email protected] / [email protected]
http://xcoolcat7.tistory.com
https://twitter.com/xcoolcat7, https://twitter.com/mstoned7
Reference
• Marta Janus/Kaspersky, 'Heads of the Hydra. Malware for Network Devices', 2011 (http://securelist.com/analysis/36396/heads-of-the-hydra-malware-for-network-devices/?replyto=15081&tree=0)
• Marta Janus/Kaspersky, 'State of play: network devices facing bulls-eye', 2014 (http://securelist.com/blog/research/67794/state-of-play-network-devices-facing-bulls-eye)
• 손기종 (Son Gijong), 'IoT device security threats seen through router attack cases', 2015
• 장영준 (Jang Youngjun)/Samsung (Personal Communication)
• 류소준 (Ryu Sojun)/KISA (Personal Communication)
• 신동은 (Shin Dongeun)/KISA (Personal Communication)
• 조인중 (Cho Injoong)/SK Broadband (Personal Communication)
• ganachoco (Personal Communication)
DESIGN YOUR SECURITY