Linux/Moose endangered or extinct?
An update on this atypical embedded Linux botnet by Olivier Bilodeau

$ apropos
Statically linked stripped ELF challenges
Moose DNA (description)
Moose Herding (the Operation)
A Strange Animal
Latest Developments

$ whoami
Malware Researcher at ESET
Infosec lecturer at ETS University in Montreal
Previously infosec developer, network admin, Linux system admin
Co-founder Montrehack (hands-on security workshops)
Founder NorthSec Hacker Jeopardy

Static/stripped ELF primer
No imports (library calls) present
All the code bundled together, down to kernel syscalls
Disassembler (if available for the arch) doesn't help much

Linux/Moose binary in IDA
printf family

Ecosystem makes it worse [for reversers]
GCC and GNU libc are always changing, so compiled binaries always change
Few IDA FLIRT signatures available (if any)
µClibc, eglibc, glibc, musl, …

A Failed Attempt
Map syscalls with an IDA script
But libc is too big: it is still too much

Better Solution
Reproduce the environment (arch, libc/compiler versions)
Build libraries w/ symbols under the same conditions
Use bindiff to map library functions
Focus on the malware code

Moose DNA aka Malware description
Hang tight, this is a recap

Linux/Moose… Named after the string "elan" present in the malware executable
Elan is French for
The Lotus Elan
Elán: the Slovak rock band (from 1969 and still active)

Network capabilities
Pivot through firewalls
Home-made NAT traversal
Custom-made proxy service, only available to a set of whitelisted IP addresses
Remotely configured generic network sniffer
DNS Hijacking

Worm-like behavior
Tries to replicate via aggressive scanning
Will dedicate more resources to scanning near the current external IP
Will also scan on LAN interfaces
Will not reinfect an infected device
Can replicate across architectures
C&C is made aware of new compromises

Compromise Protocol

Anti-Analysis
Statically linked binary stripped of its debugging symbols
Hard-to-reproduce environment required for the malware to operate
Misleading strings (getcool.com)

Moose Herding: The Malware Operation

Via C&C Configuration
Network sniffer was used to steal HTTP cookies
Twitter: twll, twid
Facebook: c_user
Instagram: ds_user_id
Google: SAPISID, APISID
Google Play/Android: LAY_ACTIVE_ACCOUNT
Youtube: LOGIN_INFO
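A defender-side audit of the same cookie list, added here as an example that is not part of the talk: it parses captured cleartext HTTP requests and reports which of the session cookies named above are exposed to a passive sniffer like Moose's. The request strings are constructed sample data, not real captures.

```python
# Session cookies the Moose sniffer was configured to capture (names from the talk)
TARGET_COOKIES = {
    "twll": "Twitter", "twid": "Twitter",
    "c_user": "Facebook",
    "ds_user_id": "Instagram",
    "SAPISID": "Google", "APISID": "Google",
    "LAY_ACTIVE_ACCOUNT": "Google Play/Android",
    "LOGIN_INFO": "YouTube",
}

# Constructed sample requests (cleartext HTTP/1.1, CRLF line endings).
SAMPLE_REQUESTS = [
    "GET /home HTTP/1.1\r\nHost: twitter.com\r\n"
    "Cookie: twll=l%3D123; twid=u%3D42; lang=en\r\n\r\n",
    "GET /feed HTTP/1.1\r\nHost: www.facebook.com\r\n"
    "Cookie: c_user=1000123; datr=abc\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n"
    "Cookie: PHPSESSID=deadbeef\r\n\r\n",
]


def parse_cookie_header(value):
    """Split a Cookie header into {name: value}; only the first '=' separates name from value."""
    cookies = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            cookies[name] = val
    return cookies


def exposed_sessions(http_requests):
    """Return [(host, cookie_name, service)] for target cookies seen in cleartext requests."""
    findings = []
    for raw in http_requests:
        headers = {}
        # Skip the request line, stop at the blank line that ends the header block.
        for line in raw.split("\r\n")[1:]:
            if not line:
                break
            key, _, val = line.partition(":")
            headers[key.strip().lower()] = val.strip()
        host = headers.get("host", "?")
        for name in parse_cookie_header(headers.get("cookie", "")):
            if name in TARGET_COOKIES:
                findings.append((host, name, TARGET_COOKIES[name]))
    return findings


if __name__ == "__main__":
    for host, name, service in exposed_sessions(SAMPLE_REQUESTS):
        print(f"{service} session cookie '{name}' sent in cleartext to {host}")
```

Only cleartext traffic is visible to such a sniffer, which is why the talk's "75%+ HTTPS" figure matters: the same check over HTTPS-only captures would report nothing.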
Via Proxy Usage Analysis
Nature of traffic
Protocol
Targeted social networks
75%+ HTTPS but…

An Example
An Example (cont.)
An Example (cont.)
An Example (cont.)

Anti-Tracking
Whitelist means we can't use the proxy service to evaluate the malware population
Blind because of HTTPS enforced on social networks
DNS Hijacking's rogue DNS servers never revealed

A Strange Animal

Different focus
Not in the DDoS or bitcoin mining business
No x86 variant found
Controlled by a single group of actors

Missing "features"
No persistence mechanism
No shell access for operators

Thought big, realized little?
In social network fraud, the network sniffer is irrelevant
DNS Hijacking possible, but only for few devices
No ad fraud, spam, DDoS, etc.

Latest Developments

Whitepaper Impact
A few weeks after the publication the C&C servers went dark
After a reboot, all affected devices should be cleaned
But victims were compromised via weak credentials, so they can always be reinfected

Alive or dead?

Alive or dead? (cont.)
On the lookout for Moose v2
Looked at over 150 new samples targeting embedded Linux platforms
Linux/Aidra, Linux/Dofloo (AES.DDoS), Linux/DNSAmp (Mr.Black), Linux.Gafgyt and Linux/Tsunami
Still no Moose update…

Yay! except…

Moose level-up

Update
New sample this Saturday
New proxy service port (20012)
New C&C selection algorithm
Lots of differences
Still under scrutiny

Conclusion
Embedded malware
Not yet complex
Tools and processes need to catch up
A low-hanging fruit
Prevention simple

Questions? Thank you!
@obilodeau and special thanks to Thomas Dupuy (@nyx__o)