One Article Review

Home - The article:
Source Blog.webp w00tsec
Identifier 8300170
Publication date 2014-02-18 09:43:31 (viewed: 2023-01-11 16:56:00)
Title Analyzing Malware for Embedded Devices: TheMoon Worm
Text All the media outlets are reporting that embedded malware is becoming mainstream. This is something totally new and we never heard of it before, right? The high number of Linux SOHO routers with Internet-facing administrative interfaces, the lack of firmware updates and the ease of crafting exploits make them a perfect target for online criminals. The Internet of Threats is wildly insecure, but definitely not unpatchable.

To all infosec people out there, it's important to understand these threats and report them properly to the media. Some top-notch researchers recently uncovered "Massive Botnets" infecting refrigerators, microwaves, gaming consoles, soda machines and tamagotchis. The problem is that they never provided any sort of evidence, no malware samples, no IOCs, and did not write a Hakin9 article describing it.

Refrigerator Botnet? Revd. Pastor Laphroaig says Show the PoC || GTFO

The aim of this post is to provide more information to identify/execute embedded binaries, describing how to set up your own virtual lab. In case you missed it, head to the first post from the "Analyzing and Running binaries from Firmware Images" series.

TheMoon Worm

Johannes from SANS provided me a sample of "TheMoon" malware and posted some interesting information on the handler's diary. Their honeypots captured the scanning activity and linked the exploit to a vulnerable CGI script running on specific firmwares of the following Linksys routers: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.

SANS handlers classified TheMoon as a worm because of the self-replicating nature of the malware. The worm searches for an "HNAP1" URL to fingerprint and identify potentially vulnerable routers. If you check your FW and server logs you may find lots of different IPs probing this URL.

The worm was named like this because it contains images from the movie "The Moon". It's possible to carve a few PNGs inside the ELF binary:

Identifying the Binary

A total of seven different samples were provided: they all seem to be variants of the same malware due to the ssdeep matching score.
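As an added example (not code from the w00tsec post or its tools), a small carver that pulls well-formed PNGs out of an arbitrary byte blob the way one would confirm the images embedded in the worm's ELF: it follows each signature hit through the chunk structure, verifies every chunk CRC and requires an IEND chunk, so stray signature bytes are rejected rather than dumped as garbage. The ELF-looking wrapper and the 1x1 PNG are constructed sample data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _walk_chunks(blob: bytes, off: int):
    """Validate PNG chunks starting at off; return the offset just past IEND, or None if malformed."""
    first = True
    while off + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[off:off + 8])
        data = blob[off + 8:off + 8 + length]
        crc_off = off + 8 + length
        if len(data) != length or crc_off + 4 > len(blob):
            return None  # truncated chunk: the signature hit was a false positive
        (crc,) = struct.unpack(">I", blob[crc_off:crc_off + 4])
        if zlib.crc32(ctype + data) != crc:
            return None  # CRC covers type + data; a mismatch means this is not a real chunk
        if first and ctype != b"IHDR":
            return None  # a real PNG always opens with IHDR
        first = False
        off = crc_off + 4
        if ctype == b"IEND":
            return off
    return None

def carve_pngs(blob: bytes) -> list:
    """Return every well-formed PNG embedded in blob, in order of appearance."""
    found = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        end = _walk_chunks(blob, pos + len(PNG_SIG))
        if end is None:
            pos = blob.find(PNG_SIG, pos + 1)  # skip the bogus hit, keep scanning
            continue
        found.append(blob[pos:end])
        pos = blob.find(PNG_SIG, end)
    return found

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk (used only to construct the sample below)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed sample: a 1x1 grayscale PNG inside ELF-looking padding, preceded by a
# stray signature followed by junk that the chunk/CRC validation must reject.
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
SAMPLE_BLOB = b"\x7fELF" + b"\x00" * 32 + PNG_SIG + b"junk" + SAMPLE_PNG + b"\x00" * 16
```

Running `carve_pngs(SAMPLE_BLOB)` returns a single image identical to `SAMPLE_PNG`; the stray signature before it is discarded because its first "chunk" fails the length check.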
Sent Yes
Tags Malware Vulnerability Patching
Stories
Rating ★★★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been taken from an earlier one.