Friday, April 28, 2017

Botnet inoculates IoT nodes against bad viruses

By Nick Flaherty www.flaherty.co.uk

I love this story about a virus that can inoculate IoT devices against malicious attacks. For millions of connect devices such as cameras that don’t have security built in, or simple admin passwords, this virus can spread form node to node to add that protection.

Hajime is a sophisticated IoT botnet that acts just like a biological virus. Just as cowpox blocked the cell receptors to stop the smallpox virus infecting a person, so Hajime gets into a vulnerable IoT node and switches off the ports that malware uses to infect it.
An analysis by Radware at security.radware.com/WorkArea/DownloadAsset.aspx?id=1461 has shown it is capable of updating itself and provides the ability to extend its member bots with more functions as the malware threats change.

Hajime was first reported by Sam Edwards and Ioannis Profetis from Rapidity Networks, who discovered the first occurrence of Hajime back in October, 2016, and a more quantitative research by Symantec, which assesses the size of the threat. It has binaries for the arm5, arm6, arm7, mipseb and mipsel platforms, demonstrating the embedded focus of the virus.
The Radware report does a great job explaining how it works and how it is benign. The distributed bot network used for command and control and updating is overlaid as a traceless torrent on top of the public BitTorrent peer-to-peer network using dynamic info_hashes that change on a daily basis. All communications through BitTorrent are signed and encrypted using RC4 and private/public keys.

The current extension module provides scan and loader services to discover and infect new victims. The efficient SYN scanner implementation scans for open ports TCP/23 (telnet) and TCP/5358 (WSDAPI). Upon discovering open Telnet ports, the extension module tries to exploit the victim using brute force shell login in the same way as the malware Mirai virus.

Radware’s logs from its isolated ‘honeypot’ show that the credentials used during an exploit change depending on the login banner of the victim. In doing so, Hajime increases its chances of successfully exploiting the device within a limited set of attempts and avoid the system account being locked or its IP being blacklisted for a set amount of time.

Hajime accounted for half the IoT bot activity in Radware’s honeypots. In a timespan of little over five weeks, Radware recorded 14,348 infection attempts from 12,023 unique IPs. Considering Hajime sometimes uses a different infected node to download its malware, the total number of unique infected IPs counted was 18,623, indicating a huge security issue with IoT nodes that is beig addressed.

Upon execution, Hajime prevents further access to the device through filtering ports known to be abused by IoT bots such as Mirai:
  • TCP/23 (telnet) – the primary exploit vector of Mirai and most IoT botnets 
  • TCP/7547 (TR-069) – as first used in the DT attack by a Mirai variant 
  • TCP/5555 (TR-069) – alternate port commonly used in TR-069 
  • TCP/5358 (WSDAPI) 
At the same time, Hajime also tries to remove existing firewall rules with the name ‘CWMP_CR’, the CPE WAN Management Protocol or TR-069. Removing any potential CWMP rules set by an ISP to allow specific management IPs or subnets that will now be locked out leaving ISPs without control of the CPE device. 

Besides locking down the device, Hajime opens up port UDP/1457 and a random higher port number (> 1024) for UDP and TCP. In doing so, allowing itself to use BitTorrent DHT and uTP from port UDP/1457 to build its peer-to-peer command and control network. The random higher port serves the purpose of the loader service used by the infection process to remotely download the malware onto new victims.

Hajime prefers the use of volatile file systems as working directory, ensuring any indicator of compromise is gone after a device reboot. The botnet code is not persistent so rebooting the device will clean it from infection, but only until the next infection.

security.radware.com/WorkArea/DownloadAsset.aspx?id=1461

Related embedded IoT security stories (there's lots on the blog):

No comments:

PLATINUM SPONSOR

South West Innovation News - news from across the region for oneof the world's hottest tech clusters