botnet
5 Topics

Lightboard Lessons: Mirai Botnet and GRE Floods
The Mirai Botnet grabbed headlines at the end of last year when it used thousands of IoT devices to launch DDoS attacks on several targets. These attacks were larger than anything the Internet had ever seen. While it's certainly newsworthy to discuss the Mirai Botnet in general, we wanted to dig a little deeper into one of the actual DDoS attack vectors used by this botnet. So, in this video we talk about Mirai, but we dig into GRE floods and how they work. Enjoy!

Related Resources:
Mirai Strikeback - an iRule to kill IoT Bot Processes from your F5
F5 Labs Analysis -- Mirai: The IoT Bot That Took Down Krebs And Launched A Tbps Attack On OVH

The Icebox Cometh
Will the Internet of Things turn homes into a House of Cards? Our homes are being invaded...but not with critters that you'd call an exterminator for. Last summer I wrote Hackable Homes about the potential risks of smart homes, smart cars and vulnerabilities of just about any-'thing' connected to the internet. (I know, everyone loves a bragger.) Many of the 2014 predictions included the internet of things as a breakthrough technology (or trend?) for the coming year. Just a couple weeks ago, famed security expert Bruce Schneier wrote about how the IoT (yes, it already has its own 3 letter acronym) is wildly insecure and often unpatchable in this Wired article. And Google just bought Nest Labs, a home automation company that builds sensor-driven, WiFi enabled thermostats and smoke detectors. So when will the first refrigerator botnet launch? It already has. Last week, Internet security firm Proofpoint said the bad guys have already hijacked up to 100,000 devices in the Internet of Things and used them to launch malware attacks: the first cyber attack using the Internet of Things, and in particular home appliance botnets. This attack included everything from routers to smart televisions to at least one refrigerator. Yes, The Icebox! As criminals have now uncovered, the IoT might be a whole lot easier to infiltrate than typical PCs, laptops or tablets. During the attack, a series of malicious emails was sent in lots of 100,000, about 3 times a day, from December 23 through January 6. Proofpoint found that over 25% of the volume was sent by things that were not conventional laptops, desktops or mobile devices. Instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and that one refrigerator. These devices were openly accessible primarily because they still had their default passwords in place.
If people don't update their home router passwords, or even update the software, how are they going to do it for the 50+ (give or take) appliances they have in their home? Heck, some people have difficulty setting the auto-brew start time for the coffee pot; can you imagine the conversations in the future? 'What's the toaster's password? I need to change the bagel setting!' Or 'Oh no! Overnight a hacker replaced my fine Kona blend with some decaf tea!' Come on. Play along! I know you've got one you just want to blurt out! I understand this is where our society/technology/lives are going, and I really like the ability to see home security cameras over the internet, but part of me wonders: is it really necessary to have my fridge, toaster, blender and toilet connected to the internet? Maybe the fridge alerts you when something buried in back is molding. I partially get the thermostats and smart energy things, but I can currently program my thermostat for temperature adjustments without an internet connection. I push a few buttons and done. Plus I don't have to worry about someone firing up my furnace in the middle of July. We have multiple locks on our doors, alarm systems for our dwellings, security cameras for our perimeter, dogs under the roof and weapons ready, yet none of that will matter if the digital locks for our 'things' are made of dumpling dough. Speaking of dumplings, the smart-steamer just texted me with a link to see the live feed of the dim sum cooking - from inside the pot! My mind just texted my tummy to get ready.
ps

Related:
Proofpoint Uncovers Internet of Things (IoT) Cyberattack
The Internet of Things Is Wildly Insecure — And Often Unpatchable
For The First Time, Hackers Have Used A Refrigerator To Attack Businesses
The Internet Of Things Has Been Hacked, And It's Turning Nasty
Smart refrigerators and TVs hacked to send out spam, according to a new report
Here's What It Looks Like When A 'Smart Toilet' Gets Hacked
Bricks (Thru the Window) and Mortar (Rounds)

Threat Analysis: perlb0t
This ancient bot, also known as the "Mambo" bot (due to an old vulnerability in the Mambo CMS it tried to exploit), has been around for a very long time, and many variations of it have been seen. However, from our observations, it is still being actively used in recent exploitations. After successfully exploiting an existing vulnerability on an unpatched webserver, a malicious Perl-based script is executed and turns the webserver into a member of a botnet. The names of the variables and functions in the code reveal that the bot author is likely a Portuguese speaker. Examples are words such as "servidor" (server), "conectar" (connect) and "pacotes" (packets). Like every "good" bot, perlb0t supports several functions, such as port scanning, using Google search to find other vulnerable servers (also known as "Google Dorking"), running shell commands on the server and more. However, it seems that the main business model of this bot is a DDoS service. The bot supports HTTP and TCP floods, by sending "GET" requests or just opening (3-way handshake) and closing TCP connections respectively. But the most interesting DDoS functionality in this bot is the "UDP flood", as its author calls it. At first glance it seems like the author is trying to create specific floods (ICMP, UDP, IGMP, TCP); however, on further analysis, this functionality is no more than sending malformed packets of different protocols. Let's look at this one…

The C&C (Command & Control) instructs its bots to perform a "UDP flood" with 3 parameters:
1. Target (IP/Domain)
2. Packet size (in Kbytes)
3. Duration (in seconds)

As we see from the source code, the bot uses raw sockets for the three types of packets, with different protocol numbers as the third argument, and one datagram socket for simple UDP. Using a raw socket enables the attacker to control more fields in the packet itself; however, the bot writer then needs to manually construct all the protocol headers.
By looking at the table of supported IP protocols, we see that the bot creates raw packets of the IGMP, ICMP and TCP protocols. Those packets are merely marked with those protocol numbers; the other fields and headers are not actually set. The packet is filled with "A" characters according to the size specified by the C&C command, making it a malformed packet. Even more interesting, however, is the distinction the bot writer makes between the above protocols and the other protocols used afterward. After sending malformed IGMP, UDP, ICMP and TCP packets, the bot will send 252 additional malformed packets of all other protocols (running from protocol number 3 to 255, skipping the previously sent protocols). The above screenshot displays a single loop of the attack; each loop uses a different source port sequentially (running from 1 to 65000). Note the inaccuracy: the bot writer must have meant to run over all the 65k ports, which is 65,536. As we see from the bot's traffic, a sequence of malformed packets is sent (the only well-formed one is UDP), while the protocol number is sequentially incremented. (In the screenshot, this is shown as: 0xc, 0xd, 0xe, 0xf, 0x10…) It is important to note that creating raw sockets requires administrative privileges, so if the infected webserver does not run as the root user, the attack will be a simple UDP flood. Note the destination port sequence. To sum up, a lot of attackers are lazy. They will do the minimum required to make their money offering DDoS services. As we learn from this example, an ancient bot first detected back around 2005 is still in the wild. Keeping the same basic structure, with edited nuances and sometimes functionality, it still spreads by exploiting recently discovered web vulnerabilities, making your web server part of a botnet.
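The traffic pattern described above (one source sending filler-padded IP packets whose protocol number climbs sequentially, most of them with protocol numbers that never appear in normal traffic) is easy to pick out on the wire. The following Python is an added illustration, not the bot's code and not F5's: it parses the IPv4 header of each packet, groups packets by source/destination pair, and raises an alert when a flow contains a run of consecutive protocol numbers carrying single-byte filler payloads. The packets are constructed in memory (addresses from the documentation ranges, thresholds chosen here), so it runs offline and sends nothing.

```python
"""Detect a perlb0t-style protocol sweep in IPv4 traffic (added example)."""
import ipaddress
import struct
from collections import defaultdict

# Protocol numbers that legitimately show up everywhere; anything else from a
# web server is worth a second look on its own. (Assumed list, not from the page.)
COMMON_PROTOS = {1, 2, 6, 17}  # ICMP, IGMP, TCP, UDP


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header; return proto, addresses and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20]
    )
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "payload": pkt[ihl:total_len],
    }


def is_filler(payload: bytes) -> bool:
    """True when the payload is one repeated byte, e.g. b'AAAA...'."""
    return len(payload) > 0 and len(set(payload)) == 1


def longest_sequential_run(protos) -> int:
    """Longest run of protocol numbers that increase by exactly one, in send order."""
    best = run = 1 if protos else 0
    for prev, cur in zip(protos, protos[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_protocol_sweeps(packets, min_run=4):
    """Return one alert per (src, dst) flow showing a filler-padded protocol sweep."""
    flows = defaultdict(list)
    for raw in packets:
        try:
            hdr = parse_ipv4(raw)
        except ValueError:
            continue  # not IPv4 or garbage; a real sensor would count these separately
        flows[(hdr["src"], hdr["dst"])].append(hdr)
    alerts = []
    for (src, dst), hdrs in flows.items():
        filler = [h for h in hdrs if is_filler(h["payload"])]
        protos = [h["proto"] for h in filler]
        run = longest_sequential_run(protos)
        if run >= min_run:
            alerts.append({
                "src": src,
                "dst": dst,
                "filler_packets": len(filler),
                "sequential_run": run,
                "rare_protocols": sorted({p for p in protos if p not in COMMON_PROTOS}),
            })
    return alerts


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the sample set (checksum left zero; not sent)."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr + payload


# Constructed sample capture: a sweep over protocol numbers 12..20 padded with
# "A", then ordinary TCP/UDP from another host, then an IPv6 packet to skip.
SAMPLE = [build_ipv4("192.0.2.10", "198.51.100.5", p, b"A" * 64) for p in range(12, 21)]
SAMPLE.append(build_ipv4("192.0.2.77", "198.51.100.5", 6, bytes(range(40))))
SAMPLE.append(build_ipv4("192.0.2.77", "198.51.100.5", 17, b"\x12\x34\x01\x00\x00\x01"))
SAMPLE.append(b"\x60" + b"\x00" * 39)

if __name__ == "__main__":
    for alert in find_protocol_sweeps(SAMPLE):
        print(alert)
```

The sequential run is the strongest signal because the bot increments the protocol number in a loop; the filler check keeps a host that legitimately speaks GRE or IPsec (protocols 47, 50, 51) from tripping the rule, and the rare-protocol list tells the analyst which numbers to block at the edge while the server is cleaned up.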
I hang with WW Security architect Corey Marshall to get an inside look at the Botnet detection and Web scraping protection in BIG-IP ASM.

ps

Related:
F5's YouTube Channel
In 5 Minutes or Less Series (23 videos – over 2 hours of In 5 Fun)
Inside Look Series

Is There Such a Thing as a Safe Area of the Web?
It only takes one click…. Alan Shimel posted a question as a blog post last week regarding the usefulness of anti-virus products on desktops: "I am pretty savvy, try to stay away from sites and links that I am not familiar with and don't remember the last time I saw a warning from my AV product. I run scans regularly and patch when I am supposed to as well. So do I really need AV? If so, is there any value to actually paying for one?" It was an intriguing question because no doubt many of us who are security savvy have asked ourselves the same thing – especially if our AV scanner is consuming resources or introducing latency that becomes noticeable. When security gets in the way, it's often the case that we tend to want to end-run around it. At least I do, and I assume I'm not the only one to think that way. That's especially true when it appears that the security solution isn't really doing anything. The three-fold security strategy Alan references – patch, scan, and avoid unsafe sites/links – is a common mantra amongst security professionals. But it's that last part that is most likely to trip us all up: only visit "safe" sites. Is there any such thing today? "70% of the top 100 most popular Web sites either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious sites." (Websense, 2009) -- WhiteHat/F5, "Strategically Blocking Cross-Site Scripting and SQL Injection Attacks" A study conducted last year by Microsoft found that over 2.2 million PCs in the U.S. were part of botnets, and that the U.S. is the "number one country consumed with botnet PCs." Certainly some of those were being operated by techneophytes, and it's likely that many of them were infected while browsing what they thought were "safe" sites – or perhaps sites shared by "friends" or "followers" on a social network or other Web 2.0 application that were assumed to be safe because, well, friends wouldn't share unsafe sites, would they?
Of course not, at least if they knew the site was unsafe. But that's the problem, isn't it? It's nearly impossible to tell these days which sites are safe and which ones are not. Alan's strategy – and the advice often given by other experts – is a sound one, but it requires knowing whether a site is "safe" and that, today, is nearly impossible. And even if it were possible, even if you could avoid being infected via the web, that's not the only means of infection available to miscreants today. There are a plethora of other attack vectors leveraged by the bad guys that result in infections. Anti-virus scanning, when configured to do so, is also a means to detect malware, viruses, and other nasty pieces of software that might be hidden in the various other document types commonly sent even to consumers – Word documents, PDF documents, archives containing family photos, executable programs. Whether via e-mail, shared over the corporate or home network, or found on a USB key passed around amongst family members, malicious software has many ways in which it can be deposited on a device, and anti-virus is one way to prevent such software from taking up permanent residence.

THE ALTERNATIVE ACCESS CHALLENGE

This isn't just a problem for Grandma and consumers. Given the increasing number of folks who work from "home" and use alternative devices and machines from which to access corporate networks and resources, it should be an imperative to leverage technology not only capable of enforcing some level-set of security measures but also to take into consideration the very real danger that a bot or virus presents to the organization. Yes, the VPN protects data in transit, but what about the documents saved and stored on that machine while the user "works" on them? A bot with unrestricted access can easily obtain them and ship them off to who knows where, without detection.
Combined with the alternative access avenues leveraged by miscreants, there are a plethora of possibilities for a device to become infected, and to spread that infection to everyone to whom we are digitally connected. Given the exponential leaps in processing power and memory available on desktops and other end-user devices, the resources consumed by an AV scanner are minimal. While a safe, savvy web browser may in fact be able to avoid infection and render such scanners little more than overhead, the reality is that it only takes one infection, one click, for your desktop to become a remote-controlled security nightmare with ramifications that go far beyond your own domain. A single infection of a trusted friend, co-worker, or relative can easily become the launch point for a massive, corporate- or family-wide infection with little effort on the part of the miscreant. AV scanners don't just protect against web-based attack vectors; they are a valuable tool in protecting against infection via e-mail and other common methods of sharing data (photos, programs, documents), as well as providing the means by which corporate information security strategies can be implemented to secure both local and remote access to corporate resources. So do you still need AV on your desktop? You betcha. Just because your house hasn't yet been broken into doesn't mean you stop locking your doors.