SlideShare une entreprise Scribd logo

IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies

DefCamp
DefCamp

Andrei Costin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9. The slides and other presentations can be found on https://def.camp/archive

Technologie
1  sur  66
Télécharger pour lire hors ligne
IoT Malware Comprehensive Survey, Analysis Framework and Case Studies Andrei Costin and Jonas Zaddach UNIVERSITY OF JYVÄSKYLÄ JYVÄSKYLÄN YLIOPISTO
Who are we? Andrei Costin ● Assistant professor at University of Jyväskylä ● Researching/Teaching on security/malware for IoT/embedded ● Firmware.RE Project ● ancostin@jyu.fi @costinandrei
Who are we? Jonas Zaddach ● Malware researcher at Talos ● Working on IoT malware analysis and analysis automation
Agenda ● Introduction ● Challenges ● Malware Study ○ Methodology and Collection ○ Metadata and Survey ○ Analysis and Sandbox ● Case Studies ● Conclusions ● Q&A
Introduction: IoT malware vs. PC malware
What is IoT?
Why is IoT a malware target? ● Always on ● Always connected ● Awareness and defence against IoT malware lower than for PC malware ● Less sophisticated exploits needed ● Source code for malware is available for use and adoption ● Build automation is offsetting the pain of developing for several platforms
What’s so special about IoT malware? PC IoT Platform heterogeneity low high Malware family plurality high low Detection on the system easy hard In-vivo analysis easy very hard Sandbox execution easy hard Removal medium hard to impossible Vulnerability assessment medium very hard
Introduction: Timeline of IoT/embedded malware
IoT Malware Timeline 2012 Carna (Census2012) 2010 Kaiten (pre-IoT) Stuxnet (PLC) ChuckNorris2 2009 psyb0t ChuckNorris Aidra Darlloz 2005 RBOT Spybot 2007 ZLOB DNSChanger 2014 KaitenSTD/Tsunami TheMoon Bashlite/Qbot muBoT SOHOPharmingAttack LightAidra Spike SynoLocker Synology Dogecoin GoARM Wifatch DHpot XorDDoS 2015 TheMoon2 PNScan1 PNScan2 Moose Umbreon 2016 Mirai Hajime LuaBot NyaDrop Amnesia DVR cryptojack ExploitKit DNSChanger 2017 Mirai Satori IoTReaper BrickerBot Gr1n UPnProxy Shishiga Persirai RPi MulDrop.14 RPi ProxyM 2001 knight.c kaiten.c 2018 Mirai Okiru Mirai Masuta Mirai PureMasuta JenX/Jennifer Muhstik Slingshot DoubleDoor Hide and Seek GoScanSSH VPNFilter
Malware study
Malware study: Methodology and Collection
Methodology ● Identify complete set of IoT/embedded malware families ● Identify relevant and trusted information sources ● Collect comprehensive information and metadata ○ Samples ○ Analysis and technical reports ○ Real-world and honeypot attack reports ○ Malware family and botnet evolution ○ Infection and propagation ■ Vulnerabilities and exploits ■ Credentials ○ Defensive measures (IDS, Yara, VAS) ○ Any other relevant information
Methodology ● Structure and systematize information and metadata ○ Machine-readable ○ Easy to process, transform and code ● Analyse metadata ○ Produce reports and insights ○ Understand where IoT/embedded security fails ○ Understand where IoT/embedded defense can be improved ● Analyse samples ○ Produce reports and insights ○ Produce new or additional defensive mechanisms ● Cross-correlate all that information (gathered + generated) - future work
Malware study: Metadata and Surveys
Metadata - In a Nutshell ● Analyzed IoT malware families (to date) ~ 28 ○ Of collected and covered ~ 60 ● Analyzed Resources/URLs ~ 1300 ● Analyzed Vulns/CVEs (to date) ~ 80 ○ Of collected and covered ~ 120 ● Metadata: collected, analyzed, reviewed, archived, etc. ● Improvements and corrections always welcome :)
Metadata - Features Analyzed ● Malware Families ● Around several dozens of features, e.g., ○ Timelines for first seen, online submission, analysis, SoK, attacks ○ Timelines for defense by IDS/IPS, VAS, Yara ○ CVEs/vulns/exploits used ○ CVSS scores base and temporal - both v2 and v3 ○ Credential details ○ Source availability ○ Botnet characteristics (e.g., size, countries) ○ Missing, incorrect or inconsistent/confusing information to be fixed
Metadata - Features Analyzed ● CVEs/vulns/exploits ● Around a dozen of features, e.g.,: ○ CVSS scores base and temporal - both v2 and v3 ○ Timelines for discovery, disclosure, analysis, exploits, attacks ○ Timelines for defense by IDS/IPS, VAS, Yara ○ Missing, incorrect or inconsistent/confusing information to be fixed
Survey - Vulns/CVEs ● Analyzed ~ 80 (Collect and cover ~ 120) ○ CVE-ID ~ 67 (84%) ○ CVE-MAP-NOMATCH ~ 13 (16%) ● CVSSv3 ○ Mean 8.0 ○ Median 8.1 ● CVSSv2 ○ Mean 7.2 ○ Median 7.5
● IDS rules ● Not present/found ~ 27 ● Present ~ 53 ● Earliest rule for Vuln/CVE ○ Based on Present ~ 53 ○ Mean ~ 517 days after earliest knowledge of Vuln/CVE ○ Median ~ 184 days after earliest knowledge of Vuln/CVE Survey - Vulns/CVEs
Survey - Vulns/CVEs ● VAS rules ● Not present/found ~ 47 ● Present ~ 33 ● Earliest rule for Vuln/CVE ○ Based on Present ~ 33 ○ Mean ~ 226 days after earliest knowledge of Vuln/CVE ○ Median ~ 71 days after earliest knowledge of Vuln/CVE
Survey - Malware Families ● Analyzed ~ 28 (Collect and cover ~ 60) ● CVEs/Vulns per family ○ Mean ~ 3 count ○ Median ~ 3 count ● CVE/Vuln knowledge was available before earliest knowledge of malware ○ Mean ~ 1095 days before ○ Median ~ 790 days before
Survey - Malware Families ● IDS rules ● Not present/found ~ 11 ● Present ~ 17 ○ Malware specific rules were available ■ Mean ~ 320 days after earliest malware knowledge ■ Median ~ 81 days after earliest malware knowledge ● Augmenting Malware rules with Vuln/CVE rules ○ Mean ~ 749 days before earliest malware knowledge ○ Median ~ 706 days before earliest malware knowledge
Survey - Malware Families ● VAS rules ● Not present/found ~ 27 ● Present ~ 1 ○ Malware specific rules were available ■ 43 days after earliest malware knowledge ● Augmenting Malware rules with Vuln/CVE rules ○ Mean ~ 1083 days before earliest malware knowledge ○ Median ~ 748 days before earliest malware knowledge
Survey - Malware Families ● YARA rules ● Not present/found ~ 17 ● Present ~ 11 ○ Malware specific rules were available ■ Mean ~ 499 days after earliest malware knowledge ■ Median ~ 213 days after earliest malware knowledge
Malware study: Dynamic IoT malware analysis
Motivation ● In-vivo analysis is challenging ○ Tools need to be purpose-build for every device ■ E.g., gdb or strace for debugging programs ○ In-circuit analysis is non-trivial ■ Requires dedicated hardware (JTAG, SWD) ■ Requires lots of knowledge ■ Is time-consuming ● High volume of file samples requires automation
Challenges ● Heterogeneity of platforms ○ CPU architecture ○ Runtime libraries ○ Special instructions ● High preparatory work ○ Toolchains for every architecture need to be build ○ System images are required ○ System instrumentation needed ● Little-tested tools pose challenges ○ Code must be massaged to compile ○ Lots of bugs
Platform heterogeneity On a PC: Executable x86_64 x86
Platform heterogeneity On IoT: Executable Linux other OS barebones statically linked dyn. linked glibc dyn. linked uclibc dyn. linked musl ARM MIPSPowerPCx86 R2 R6 little endian big endian ...
Previous work ● Few attempts to tie together a sandbox, execution environment and instrumentation for malware ○ Cozzi et al: Understanding Linux Malware ○ HuntingMalware (link often down) ■ Based on Cuckoo ○ Limon? ■ Linux sandbox based on strace/sysdig, limited support for non-x86 architectures ○ Detux? ■ Linux sandbox with support for several architectures, no updates for the last two years
Sandbox architecture
System image preparation ● System image compiled with Buildroot ○ From distribution configuration ○ From kernel configuration ○ With additional patches ● A build hook integrates instrumentation ○ The systemtap kernel module for tracing syscalls is built and integrated
Analysis process ● Sample is triaged ● The emulator is prepared ○ Systemtap script for monitoring syscalls is loaded ○ The sample is injected into the analysis machine via the Cuckoo agent ● Sample is executed ● Execution terminates ○ Regular termination or exception ○ Timeout through Cuckoo ● Log files are analyzed ○ Cuckoo agent copies log to host ○ Cuckoo parses the log file
Example report
Case Studies
Case Studies Hydra D-Link Exploit
Case Studies - Hydra D-Link Exploit ● Original Hydra malware dates back to 2008 ○ “Authentication bypass vulnerability” in D-Link DIR645 routers ○ Hydra code open-sourced (or leaked) in April 2011 (hydra-2008.1.zip) ● Exploits ○ D-Link Authentication Bypass and Config Info Disclosure ● However ... ○ CVE-MAP-NOMATCH
Case Studies - Hydra D-Link Exploit ● It then reappears … ○ Security advisory in February 2013 ● However, still ... ○ CVE-MAP-NOMATCH
Case Studies - Hydra D-Link Exploit ● And then once again … ○ Used in October 2017 in IoTReaper ○ Security advisory in November 2017 for D-Link 850L and D-Link DIR8xx routers ● Still yet ... ○ CVE-MAP-NOMATCH
Case Studies - Hydra D-Link Exploit ● Open questions ○ What should it take to properly file and track a vulnerability for decades to come? ○ How come CVE-MAP-NOMATCH even after: ■ 10+ years ■ 1 malware incident and code leak ■ 1 Metasploit module ■ 3 different (but essentially similar) security advisories ○ Is it really infeasible or impossible to create CVEs “a posteriori”?
Case Studies VirusTotal’s In The Wild “2010-11-20”
Case Studies - VirusTotal’s In The Wild “2010-11-20” ● At least 10 malware families have samples first seen in the wild = 2010-11-20
Case Studies - VirusTotal’s In The Wild “2010-11-20” ● At least 10 malware families have samples first seen in the wild = 2010-11-20
Case Studies - VirusTotal’s In The Wild “2010-11-20” ● Summarising response from VirusTotal support team:
Case Studies - VirusTotal’s In The Wild “2010-11-20” ● “Not all metadata is created equal” ● Need to trust your metadata vendor ● Still, need to continuously check, reassess, clean metadata ● And even then, what should be a more trusted “first seen in the wild” source?
Case Studies Challenges with Metadata Analysis
References to CVE and Vulnerabilities Missing CVEs ● Hydra/Aidra ○ https://securelist.com/heads-of-the-hydra-malware-for-network-devices/36396/ ○ Use of a D-Link authentication bypass exploit ● Observations ○ Which CVE and exploit exactly? ○ Which IDS/IPS rules to watch? ○ Why not get to the bottom of the root cause as above “Case Studies - Hydra D-Link Exploit”
References to CVE and Vulnerabilities Missing CVEs ● Hajime ○ https://x86.re/blog/hajime-a-follow-up/ ○ The atk module is now capable of infecting ARRIS modems by using the password-of-the-day “backdoor” with the default seed ● Observations ○ Why not mention CVE-2009-5149?
References to CVE and Vulnerabilities Missing CVEs ● Hajime ○ https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/ ○ 1. TR-069 exploitation; 3. Arris cable modem password of the day attack. ● Observations ○ Why not mention CVE-2016-10372 and CVE-2009-5149?
References to CVE and Vulnerabilities Wrong CVEs ● TheMoon ○ https://github.com/paralax/BurningDogs/commit/59194664a0b2090866761760a36cb9c5aba51 f01#diff-6f7d97840d5faa6509e84af3e771b78aR51 ○ 1. TR-069 exploitation; 3. Arris cable modem password of the day attack. ● Observations ○ CVE-2012-1823 PHP CGI Argument Injection - NOT TheMoon ○ TheMoon is EDB-31683
References to CVE and Vulnerabilities Wrong CVEs ● ExploitKit DNSChanger ○ http://doc.emergingthreats.net/bin/view/Main/2020857 ○ ET EXPLOIT Belkin Wireless G Router DNS Change POST Request ○ www.exploit-db.com/exploits/3605 ● Observations ○ EDB-3605 "Picture-Engine 1.2.0 - 'wall.php?cat' SQL Injection" CVE-2007-1791 ○ EBD-6305 “Belkin Wireless G Router - Authentication Bypass” CVE-2008-1244
References to CVE and Vulnerabilities Messy CVEs ● VPNFilter and CVE-2013-2679 ● TrendMicro ○ CVE-2013-2679 OS Command Injection Linksys E4200 ● EDB-25292 and Cloudscan.me ○ CVE-2013-2679 Cross-site scripting (reflected) ● MITRE ○ ** RESERVED **
References to CVE and Vulnerabilities Messy CVEs ● VPNFilter and CVE-2013-2678 ● TrendMicro ○ CVE-2013-2678 Reaper OS Command Injection Linksys E2500 ● Cloudscan.me ○ CVE-2013-2678 File path traversal ● EBD-24478 and EDB-24475 ○ Linksys E1500/E2500 - Multiple Vulnerabilities ○ Linksys WRT160N - Multiple Vulnerabilities ● MITRE ○ ** RESERVED **
References to CVE and Vulnerabilities Non-machine-readable IOCs ● Aidra and Darlloz ● http://avg.soup.io/post/402112529/Linux-Aidra-vs-Linux-D arlloz-War-of
References to CVE and Vulnerabilities Single-family multi-name problem ● Darlloz a.k.a. Zollard ○ Zollard - http://doc.emergingthreats.net/bin/view/Main/2017798 ○ Darlloz - https://snort.org/rule_docs/1-32013
Conclusions
Key Takeaways ● To understand (IoT) malware A wider view is both necessary and beneficial ○ Must go beyond just samples and honeypots analysis ○ Must use widely and intensively ■ Metadata ■ Timestamps ■ Archives ■ Sec-adv ■ Internet “dumpster diving” ■ Etc.
Key Takeaways ● To improve security posture of IoT/embedded Proper vulnerability management, disclosure and defense ○ Need to dramatically improve CVE and disclosure management ○ Must have defense ready with (or before) offense and (PoC-)exploits ● Possible solutions?
Key Takeaways ● To improve security posture of IoT/embedded Proper vulnerability management, disclosure and defense ● 1. Defense as part of “full/responsible disclosure” ■ Develop and release IDS/IPS, Yara, VAS rules/scripts before (or at least at the same time) PoC and exploits ● 2. “Bug-bounties for Defense” - Yara, IDS, VAS rules/scripts for ■ Vulnerabilities that miss defense rules ■ Exploits that miss defense rules ■ Malware samples that miss defense rules ● 3. Security data “cleanup day” ■ Fix missing/wrong references and details ■ Assign and correct CVEs
Key Takeaways ● To enable AI-powered cybersecurity Proper, clean, structured, updated data is absolutely necessary ○ Need to continuously correct bad data in: CVEs, sec-adv, defense rules (IDS, Yara, VAS) ○ Else: GIGO = Garbage In Garbage Out ■ “The effectiveness of a data mining exercise depends critically on the quality of the data. In computing this idea is expressed in the familiar acronym GIGO – Garbage In, Garbage Out” (“Principles of Data Mining”, 2001)
Key Takeaways ● IoT malware works well with 0lday ○ Really old exploits are (re)used over a long timespan ■ 0lday works excellently -> no need to discover (or burn) 0-day ○ Device firmware doesn’t get updated much ○ A discovered vulnerability does not necessarily get fixed for similar devices ● More and better (automated) tools for IoT malware analysis are needed ○ The presented sandbox is a step in that direction ○ Still, more community and collaborative work is required ● Many/most IoT malware families (and their exploits) are closely related ○ Good to keep track of metadata and historic evolution
Q & A
Thank you! ● Reach us here: ○ ancostin@jyu.fi or @costinandrei ○ jzaddach@cisco.com or @jzaddach ● The datasets, the whitepaper and the slides periodically updated here: ○ Available shortly after the conference ○ http://firmware.re/bh18us ○ http://firmware.re/malw ● The sandbox code (will be available soon) ○ http://github.com/CISCO-Talos/
License ● The datasets, the whitepaper and the slides are covered by: ○ Attribution 3.0 Unported (CC BY 3.0) ○ BY: “Andrei Costin (University of Jyvaskyla, Firmware.RE Project) and Jonas Zaddach (Cisco, Talos Intelligence Group), 2018”
Media sources ● Ecovacs DeeBot by Faktoren (CC-BY-SA 4.0) ● NAS Server by Bin im Garten (CC-BY-SA 3.0) ● A Winter’s Day by jknaus (copyright/license info missing)

Recommandé

Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareUNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareSajjad "JJ" Arshad
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareKaspersky
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Lastline, Inc.
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and DefenseErik Iker
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Lastline, Inc.
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
First SCADA LAB International Workshop
First SCADA LAB International WorkshopFirst SCADA LAB International Workshop
First SCADA LAB International WorkshopScadaLab Project
 

Recommandé

Next Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseNext Generation Advanced Malware Detection and Defense
Next Generation Advanced Malware Detection and DefenseLuca Simonelli
 
UNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareUNVEIL: A Large-Scale, Automated Approach to Detecting Ransomware
UNVEIL: A Large-Scale, Automated Approach to Detecting RansomwareSajjad "JJ" Arshad
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareKaspersky
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Lastline, Inc.
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and DefenseErik Iker
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna Lastline, Inc.
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
First SCADA LAB International Workshop
First SCADA LAB International WorkshopFirst SCADA LAB International Workshop
First SCADA LAB International WorkshopScadaLab Project
 
Malware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionMalware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionLastline, Inc.
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attackYadnyawalkya Tale
 
Talos
TalosTalos
TalosMuhammad ilyas
 
Making a SOC Analyst
Making a SOC AnalystMaking a SOC Analyst
Making a SOC AnalystPaulAronhalt
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015ESET
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartSatria Ady Pradana
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3Setia Juli Irzal Ismail
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learningsecurityxploded
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion TechniquesTudor Damian
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseAshwini Almad
 
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal SitesDefense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal SitesPantheon
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceAlienVault
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseChristiaan Beek
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Priyanka Aash
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersMegan DeBlois
 
Linux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningLinux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningMender.io
 

Contenu connexe

Tendances

Malware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionMalware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionLastline, Inc.
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attackYadnyawalkya Tale
 
Making a SOC Analyst
Making a SOC AnalystMaking a SOC Analyst
Making a SOC AnalystPaulAronhalt
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the CheapEndgameInc
 
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015ESET
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartSatria Ady Pradana
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheapAnjum Ahuja
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabTeymur Kheirkhabarov
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learningsecurityxploded
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion TechniquesTudor Damian
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseAshwini Almad
 
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal SitesDefense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal SitesPantheon
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceAlienVault
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseChristiaan Beek
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Priyanka Aash
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Danny Akacki
 

Tendances (20)

Malware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade DetectionMalware in the Wild: Evolving to Evade Detection
Malware in the Wild: Evolving to Evade Detection
 
Rise of software supply chain attack
Rise of software supply chain attackRise of software supply chain attack
Rise of software supply chain attack
 
Talos
TalosTalos
Talos
 
Making a SOC Analyst
Making a SOC AnalystMaking a SOC Analyst
Making a SOC Analyst
 
Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
 
Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015Operation Buhtrap - AVAR 2015
Operation Buhtrap - AVAR 2015
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 
Web Security Workshop : A Jumpstart
Web Security Workshop : A JumpstartWeb Security Workshop : A Jumpstart
Web Security Workshop : A Jumpstart
 
Malware cryptomining uploadv3
Malware cryptomining uploadv3Malware cryptomining uploadv3
Malware cryptomining uploadv3
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
IDS Evasion Techniques
IDS Evasion TechniquesIDS Evasion Techniques
IDS Evasion Techniques
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
 
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal SitesDefense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
Defense in Depth - Lessons Learned from Securing over 100,000 Drupal Sites
 
Best Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat IntelligenceBest Practices for Leveraging Security Threat Intelligence
Best Practices for Leveraging Security Threat Intelligence
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypse
 
Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst Applied cognitive security complementing the security analyst
Applied cognitive security complementing the security analyst
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
 

Similaire à IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies

OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersMegan DeBlois
 
Linux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningLinux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningMender.io
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...SegInfo
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Demi Ben-Ari
 
iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfKerimBozkanli
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security systemNadun Rajasinghe
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...REVULN
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depthyalegko
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdfVishwas N
 
BackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacksBackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacksKnoldus Inc.
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018randomuserid
 
Introducing IoT Crusher (Open Source Version)
Introducing IoT Crusher (Open Source Version)Introducing IoT Crusher (Open Source Version)
Introducing IoT Crusher (Open Source Version)Ken Belva
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareTzar Umang
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Alex Pinto
 

Similaire à IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies (20)

OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and Practitioners
 
Linux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardeningLinux IoT Botnet Wars and the lack of basic security hardening
Linux IoT Botnet Wars and the lack of basic security hardening
 
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an..."Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
"Automated Malware Analysis" de Gabriel Negreira Barbosa, Malware Research an...
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"
 
iotsecurity-171108154118.pdf
iotsecurity-171108154118.pdfiotsecurity-171108154118.pdf
iotsecurity-171108154118.pdf
 
INSECS: Intelligent networks security system
INSECS: Intelligent networks security systemINSECS: Intelligent networks security system
INSECS: Intelligent networks security system
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
 
WebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in DepthWebGoat.SDWAN.Net in Depth
WebGoat.SDWAN.Net in Depth
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
 
BackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacksBackStabber Special: Supply chain attacks
BackStabber Special: Supply chain attacks
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018Cloud Intrusion Detection Reloaded - 2018
Cloud Intrusion Detection Reloaded - 2018
 
Introducing IoT Crusher (Open Source Version)
Introducing IoT Crusher (Open Source Version)Introducing IoT Crusher (Open Source Version)
Introducing IoT Crusher (Open Source Version)
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-ware
 
Tech w23
Tech w23Tech w23
Tech w23
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
 

Plus de DefCamp

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht HackingDefCamp
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!DefCamp
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of TrustDefCamp
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?DefCamp
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXDefCamp
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDefCamp
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)DefCamp
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFADefCamp
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationDefCamp
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money downDefCamp
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...DefCamp
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochDefCamp
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareDefCamp
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?DefCamp
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured DefCamp
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...DefCamp
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.DefCamp
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber SecurityDefCamp
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering holeDefCamp
 

Plus de DefCamp (20)

Remote Yacht Hacking
Remote Yacht HackingRemote Yacht Hacking
Remote Yacht Hacking
 
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!Mobile, IoT, Clouds… It’s time to hire your own risk manager!
Mobile, IoT, Clouds… It’s time to hire your own risk manager!
 
The Charter of Trust
The Charter of TrustThe Charter of Trust
The Charter of Trust
 
Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?Internet Balkanization: Why Are We Raising Borders Online?
Internet Balkanization: Why Are We Raising Borders Online?
 
Bridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UXBridging the gap between CyberSecurity R&D and UX
Bridging the gap between CyberSecurity R&D and UX
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
Drupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the AttackerDrupalgeddon 2 – Yet Another Weapon for the Attacker
Drupalgeddon 2 – Yet Another Weapon for the Attacker
 
Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)Economical Denial of Sustainability in the Cloud (EDOS)
Economical Denial of Sustainability in the Cloud (EDOS)
 
Trust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFATrust, but verify – Bypassing MFA
Trust, but verify – Bypassing MFA
 
Threat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical ApplicationThreat Hunting: From Platitudes to Practical Application
Threat Hunting: From Platitudes to Practical Application
 
Building application security with 0 money down
Building application security with 0 money downBuilding application security with 0 money down
Building application security with 0 money down
 
Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...Implementation of information security techniques on modern android based Kio...
Implementation of information security techniques on modern android based Kio...
 
Lattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epochLattice based Merkle for post-quantum epoch
Lattice based Merkle for post-quantum epoch
 
The challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcareThe challenge of building a secure and safe digital environment in healthcare
The challenge of building a secure and safe digital environment in healthcare
 
Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?Timing attacks against web applications: Are they still practical?
Timing attacks against web applications: Are they still practical?
 
Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured Tor .onions: The Good, The Rotten and The Misconfigured
Tor .onions: The Good, The Rotten and The Misconfigured
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
 
We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.We will charge you. How to [b]reach vendor’s network using EV charging station.
We will charge you. How to [b]reach vendor’s network using EV charging station.
 
Connect & Inspire Cyber Security
Connect & Inspire Cyber SecurityConnect & Inspire Cyber Security
Connect & Inspire Cyber Security
 
The lions and the watering hole
The lions and the watering holeThe lions and the watering hole
The lions and the watering hole
 

Dernier

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 

Dernier (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 

IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies

  • 1. IoT Malware Comprehensive Survey, Analysis Framework and Case Studies Andrei Costin and Jonas Zaddach UNIVERSITY OF JYVÄSKYLÄ JYVÄSKYLÄN YLIOPISTO
  • 2. Who are we? Andrei Costin ● Assistant professor at University of Jyväskylä ● Researching/Teaching on security/malware for IoT/embedded ● Firmware.RE Project ● ancostin@jyu.fi @costinandrei
  • 3. Who are we? Jonas Zaddach ● Malware researcher at Talos ● Working on IoT malware analysis and analysis automation
  • 4. Agenda ● Introduction ● Challenges ● Malware Study ○ Methodology and Collection ○ Metadata and Survey ○ Analysis and Sandbox ● Case Studies ● Conclusions ● Q&A
  • 7. Why is IoT a malware target? ● Always on ● Always connected ● Awareness and defence against IoT malware lower than for PC malware ● Less sophisticated exploits needed ● Source code for malware is available for use and adoption ● Build automation is offsetting the pain of developing for several platforms
  • 8. What’s so special about IoT malware? PC IoT Platform heterogeneity low high Malware family plurality high low Detection on the system easy hard In-vivo analysis easy very hard Sandbox execution easy hard Removal medium hard to impossible Vulnerability assessment medium very hard
  • 10. IoT Malware Timeline 2012 Carna (Census2012) 2010 Kaiten (pre-IoT) Stuxnet (PLC) ChuckNorris2 2009 psyb0t ChuckNorris Aidra Darlloz 2005 RBOT Spybot 2007 ZLOB DNSChanger 2014 KaitenSTD/Tsunami TheMoon Bashlite/Qbot muBoT SOHOPharmingAttack LightAidra Spike SynoLocker Synology Dogecoin GoARM Wifatch DHpot XorDDoS 2015 TheMoon2 PNScan1 PNScan2 Moose Umbreon 2016 Mirai Hajime LuaBot NyaDrop Amnesia DVR cryptojack ExploitKit DNSChanger 2017 Mirai Satori IoTReaper BrickerBot Gr1n UPnProxy Shishiga Persirai RPi MulDrop.14 RPi ProxyM 2001 knight.c kaiten.c 2018 Mirai Okiru Mirai Masuta Mirai PureMasuta JenX/Jennifer Muhstik Slingshot DoubleDoor Hide and Seek GoScanSSH VPNFilter
  • 13. Methodology ● Identify complete set of IoT/embedded malware families ● Identify relevant and trusted information sources ● Collect comprehensive information and metadata ○ Samples ○ Analysis and technical reports ○ Real-world and honeypot attack reports ○ Malware family and botnet evolution ○ Infection and propagation ■ Vulnerabilities and exploits ■ Credentials ○ Defensive measures (IDS, Yara, VAS) ○ Any other relevant information
  • 14. Methodology ● Structure and systematize information and metadata ○ Machine-readable ○ Easy to process, transform and code ● Analyse metadata ○ Produce reports and insights ○ Understand where IoT/embedded security fails ○ Understand where IoT/embedded defense can be improved ● Analyse samples ○ Produce reports and insights ○ Produce new or additional defensive mechanisms ● Cross-correlate all that information (gathered + generated) - future work
  • 16. Metadata - In a Nutshell ● Analyzed IoT malware families (to date) ~ 28 ○ Of collected and covered ~ 60 ● Analyzed Resources/URLs ~ 1300 ● Analyzed Vulns/CVEs (to date) ~ 80 ○ Of collected and covered ~ 120 ● Metadata: collected, analyzed, reviewed, archived, etc. ● Improvements and corrections always welcome :)
  • 17. Metadata - Features Analyzed ● Malware Families ● Around several dozens of features, e.g., ○ Timelines for first seen, online submission, analysis, SoK, attacks ○ Timelines for defense by IDS/IPS, VAS, Yara ○ CVEs/vulns/exploits used ○ CVSS scores base and temporal - both v2 and v3 ○ Credential details ○ Source availability ○ Botnet characteristics (e.g., size, countries) ○ Missing, incorrect or inconsistent/confusing information to be fixed
  • 18. Metadata - Features Analyzed ● CVEs/vulns/exploits ● Around a dozen of features, e.g.,: ○ CVSS scores base and temporal - both v2 and v3 ○ Timelines for discovery, disclosure, analysis, exploits, attacks ○ Timelines for defense by IDS/IPS, VAS, Yara ○ Missing, incorrect or inconsistent/confusing information to be fixed
  • 19. Survey - Vulns/CVEs ● Analyzed ~ 80 (Collect and cover ~ 120) ○ CVE-ID ~ 67 (84%) ○ CVE-MAP-NOMATCH ~ 13 (16%) ● CVSSv3 ○ Mean 8.0 ○ Median 8.1 ● CVSSv2 ○ Mean 7.2 ○ Median 7.5
  • 20. ● IDS rules ● Not present/found ~ 27 ● Present ~ 53 ● Earliest rule for Vuln/CVE ○ Based on Present ~ 53 ○ Mean ~ 517 days after earliest knowledge of Vuln/CVE ○ Median ~ 184 days after earliest knowledge of Vuln/CVE Survey - Vulns/CVEs
  • 21. Survey - Vulns/CVEs ● VAS rules ● Not present/found ~ 47 ● Present ~ 33 ● Earliest rule for Vuln/CVE ○ Based on Present ~ 33 ○ Mean ~ 226 days after earliest knowledge of Vuln/CVE ○ Median ~ 71 days after earliest knowledge of Vuln/CVE
  • 22. Survey - Malware Families ● Analyzed ~ 28 (Collect and cover ~ 60) ● CVEs/Vulns per family ○ Mean ~ 3 count ○ Median ~ 3 count ● CVE/Vuln knowledge was available before earliest knowledge of malware ○ Mean ~ 1095 days before ○ Median ~ 790 days before
  • 23. Survey - Malware Families ● IDS rules ● Not present/found ~ 11 ● Present ~ 17 ○ Malware specific rules were available ■ Mean ~ 320 days after earliest malware knowledge ■ Median ~ 81 days after earliest malware knowledge ● Augmenting Malware rules with Vuln/CVE rules ○ Mean ~ 749 days before earliest malware knowledge ○ Median ~ 706 days before earliest malware knowledge
  • 24. Survey - Malware Families ● VAS rules ● Not present/found ~ 27 ● Present ~ 1 ○ Malware specific rules were available ■ 43 days after earliest malware knowledge ● Augmenting Malware rules with Vuln/CVE rules ○ Mean ~ 1083 days before earliest malware knowledge ○ Median ~ 748 days before earliest malware knowledge
  • 25. Survey - Malware Families ● YARA rules ● Not present/found ~ 17 ● Present ~ 11 ○ Malware specific rules were available ■ Mean ~ 499 days after earliest malware knowledge ■ Median ~ 213 days after earliest malware knowledge
  • 26. Malware study: Dynamic IoT malware analysis
  • 27. Motivation ● In-vivo analysis is challenging ○ Tools need to be purpose-build for every device ■ E.g., gdb or strace for debugging programs ○ In-circuit analysis is non-trivial ■ Requires dedicated hardware (JTAG, SWD) ■ Requires lots of knowledge ■ Is time-consuming ● High volume of file samples requires automation
  • 28. Challenges ● Heterogeneity of platforms ○ CPU architecture ○ Runtime libraries ○ Special instructions ● High preparatory work ○ Toolchains for every architecture need to be build ○ System images are required ○ System instrumentation needed ● Little-tested tools pose challenges ○ Code must be massaged to compile ○ Lots of bugs
  • 29. Platform heterogeneity On a PC: Executable x86_64 x86
  • 30. Platform heterogeneity On IoT: Executable Linux other OS barebones statically linked dyn. linked glibc dyn. linked uclibc dyn. linked musl ARM MIPSPowerPCx86 R2 R6 little endian big endian ...
  • 31. Previous work ● Few attempts to tie together a sandbox, execution environment and instrumentation for malware ○ Cozzi et al: Understanding Linux Malware ○ HuntingMalware (link often down) ■ Based on Cuckoo ○ Limon? ■ Linux sandbox based on strace/sysdig, limited support for non-x86 architectures ○ Detux? ■ Linux sandbox with support for several architectures, no updates for the last two years
  • 33. System image preparation ● System image compiled with Buildroot ○ From distribution configuration ○ From kernel configuration ○ With additional patches ● A build hook integrates instrumentation ○ The systemtap kernel module for tracing syscalls is built and integrated
  • 34. Analysis process ● Sample is triaged ● The emulator is prepared ○ Systemtap script for monitoring syscalls is loaded ○ The sample is injected into the analysis machine via the Cuckoo agent ● Sample is executed ● Execution terminates ○ Regular termination or exception ○ Timeout through Cuckoo ● Log files are analyzed ○ Cuckoo agent copies log to host ○ Cuckoo parses the log file
  • 38. Case Studies - Hydra D-Link Exploit ● Original Hydra malware dates back to 2008 ○ “Authentication bypass vulnerability” in D-Link DIR645 routers ○ Hydra code open-sourced (or leaked) in April 2011 (hydra-2008.1.zip) ● Exploits ○ D-Link Authentication Bypass and Config Info Disclosure ● However ... ○ CVE-MAP-NOMATCH
  • 39. Case Studies - Hydra D-Link Exploit ● It then reappears … ○ Security advisory in February 2013 ● However, still ... ○ CVE-MAP-NOMATCH
  • 40. Case Studies - Hydra D-Link Exploit ● And then once again … ○ Used in October 2017 in IoTReaper ○ Security advisory in November 2017 for D-Link 850L and D-Link DIR8xx routers ● Still yet ... ○ CVE-MAP-NOMATCH
  • 41. Case Studies - Hydra D-Link Exploit ● Open questions ○ What should it take to properly file and track a vulnerability for decades to come? ○ How come CVE-MAP-NOMATCH even after: ■ 10+ years ■ 1 malware incident and code leak ■ 1 Metasploit module ■ 3 different (but essentially similar) security advisories ○ Is it really infeasible or impossible to create CVEs “a posteriori”?
  • 42. Case Studies VirusTotal’s In The Wild “2010-11-20”
  • 43. Case Studies - VirusTotal’s In The Wild “2010-11-20” ● At least 10 malware families have samples first seen in the wild = 2010-11-20
  • 44. Case Studies - VirusTotal’s In The Wild “2010-11-20” ● At least 10 malware families have samples first seen in the wild = 2010-11-20
  • 45. Case Studies - VirusTotal’s In The Wild “2010-11-20” ● Summarising response from VirusTotal support team:
  • 46. Case Studies - VirusTotal’s In The Wild “2010-11-20” ● “Not all metadata is created equal” ● Need to trust your metadata vendor ● Still, need to continuously check, reassess, clean metadata ● And even then, what should be a more trusted “first seen in the wild” source?
  • 47. Case Studies Challenges with Metadata Analysis
  • 48. References to CVE and Vulnerabilities Missing CVEs ● Hydra/Aidra ○ https://securelist.com/heads-of-the-hydra-malware-for-network-devices/36396/ ○ Use of a D-Link authentication bypass exploit ● Observations ○ Which CVE and exploit exactly? ○ Which IDS/IPS rules to watch? ○ Why not get to the bottom of the root cause as above “Case Studies - Hydra D-Link Exploit”
  • 49. References to CVE and Vulnerabilities Missing CVEs ● Hajime ○ https://x86.re/blog/hajime-a-follow-up/ ○ The atk module is now capable of infecting ARRIS modems by using the password-of-the-day “backdoor” with the default seed ● Observations ○ Why not mention CVE-2009-5149?
  • 50. References to CVE and Vulnerabilities Missing CVEs ● Hajime ○ https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/ ○ 1. TR-069 exploitation; 3. Arris cable modem password of the day attack. ● Observations ○ Why not mention CVE-2016-10372 and CVE-2009-5149?
  • 51. References to CVE and Vulnerabilities Wrong CVEs ● TheMoon ○ https://github.com/paralax/BurningDogs/commit/59194664a0b2090866761760a36cb9c5aba51 f01#diff-6f7d97840d5faa6509e84af3e771b78aR51 ○ 1. TR-069 exploitation; 3. Arris cable modem password of the day attack. ● Observations ○ CVE-2012-1823 PHP CGI Argument Injection - NOT TheMoon ○ TheMoon is EDB-31683
  • 52. References to CVE and Vulnerabilities Wrong CVEs ● ExploitKit DNSChanger ○ http://doc.emergingthreats.net/bin/view/Main/2020857 ○ ET EXPLOIT Belkin Wireless G Router DNS Change POST Request ○ www.exploit-db.com/exploits/3605 ● Observations ○ EDB-3605 "Picture-Engine 1.2.0 - 'wall.php?cat' SQL Injection" CVE-2007-1791 ○ EBD-6305 “Belkin Wireless G Router - Authentication Bypass” CVE-2008-1244
  • 53. References to CVE and Vulnerabilities Messy CVEs ● VPNFilter and CVE-2013-2679 ● TrendMicro ○ CVE-2013-2679 OS Command Injection Linksys E4200 ● EDB-25292 and Cloudscan.me ○ CVE-2013-2679 Cross-site scripting (reflected) ● MITRE ○ ** RESERVED **
  • 54. References to CVE and Vulnerabilities Messy CVEs ● VPNFilter and CVE-2013-2678 ● TrendMicro ○ CVE-2013-2678 Reaper OS Command Injection Linksys E2500 ● Cloudscan.me ○ CVE-2013-2678 File path traversal ● EBD-24478 and EDB-24475 ○ Linksys E1500/E2500 - Multiple Vulnerabilities ○ Linksys WRT160N - Multiple Vulnerabilities ● MITRE ○ ** RESERVED **
  • 55. References to CVE and Vulnerabilities Non-machine-readable IOCs ● Aidra and Darlloz ● http://avg.soup.io/post/402112529/Linux-Aidra-vs-Linux-D arlloz-War-of
  • 56. References to CVE and Vulnerabilities Single-family multi-name problem ● Darlloz a.k.a. Zollard ○ Zollard - http://doc.emergingthreats.net/bin/view/Main/2017798 ○ Darlloz - https://snort.org/rule_docs/1-32013
  • 58. Key Takeaways ● To understand (IoT) malware A wider view is both necessary and beneficial ○ Must go beyond just samples and honeypots analysis ○ Must use widely and intensively ■ Metadata ■ Timestamps ■ Archives ■ Sec-adv ■ Internet “dumpster diving” ■ Etc.
  • 59. Key Takeaways ● To improve security posture of IoT/embedded Proper vulnerability management, disclosure and defense ○ Need to dramatically improve CVE and disclosure management ○ Must have defense ready with (or before) offense and (PoC-)exploits ● Possible solutions?
  • 60. Key Takeaways ● To improve security posture of IoT/embedded Proper vulnerability management, disclosure and defense ● 1. Defense as part of “full/responsible disclosure” ■ Develop and release IDS/IPS, Yara, VAS rules/scripts before (or at least at the same time) PoC and exploits ● 2. “Bug-bounties for Defense” - Yara, IDS, VAS rules/scripts for ■ Vulnerabilities that miss defense rules ■ Exploits that miss defense rules ■ Malware samples that miss defense rules ● 3. Security data “cleanup day” ■ Fix missing/wrong references and details ■ Assign and correct CVEs
  • 61. Key Takeaways ● To enable AI-powered cybersecurity Proper, clean, structured, updated data is absolutely necessary ○ Need to continuously correct bad data in: CVEs, sec-adv, defense rules (IDS, Yara, VAS) ○ Else: GIGO = Garbage In Garbage Out ■ “The effectiveness of a data mining exercise depends critically on the quality of the data. In computing this idea is expressed in the familiar acronym GIGO – Garbage In, Garbage Out” (“Principles of Data Mining”, 2001)
  • 62. Key Takeaways ● IoT malware works well with 0lday ○ Really old exploits are (re)used over a long timespan ■ 0lday works excellently -> no need to discover (or burn) 0-day ○ Device firmware doesn’t get updated much ○ A discovered vulnerability does not necessarily get fixed for similar devices ● More and better (automated) tools for IoT malware analysis are needed ○ The presented sandbox is a step in that direction ○ Still, more community and collaborative work is required ● Many/most IoT malware families (and their exploits) are closely related ○ Good to keep track of metadata and historic evolution
  • 63. Q & A
  • 64. Thank you! ● Reach us here: ○ ancostin@jyu.fi or @costinandrei ○ jzaddach@cisco.com or @jzaddach ● The datasets, the whitepaper and the slides periodically updated here: ○ Available shortly after the conference ○ http://firmware.re/bh18us ○ http://firmware.re/malw ● The sandbox code (will be available soon) ○ http://github.com/CISCO-Talos/
  • 65. License ● The datasets, the whitepaper and the slides are covered by: ○ Attribution 3.0 Unported (CC BY 3.0) ○ BY: “Andrei Costin (University of Jyvaskyla, Firmware.RE Project) and Jonas Zaddach (Cisco, Talos Intelligence Group), 2018”
  • 66. Media sources ● Ecovacs DeeBot by Faktoren (CC-BY-SA 4.0) ● NAS Server by Bin im Garten (CC-BY-SA 3.0) ● A Winter’s Day by jknaus (copyright/license info missing)