Hajime IoT Malware and DDoS

Posted by:

In the second half of last year, the Mirai (Japanese for "future") malware made itself known with the DDoS attack on Dyn, carried out with compromised devices that fall under the IoT label: routers, modems, cameras, DVRs, NVRs and so on. Mirai takes control of these devices through weaknesses in the very old Linux builds they run as their base operating system and/or through factory-default usernames and passwords that were never changed. On September 20, 2016, Mirai was used to attack Brian Krebs's blog with traffic reaching 620 Gbps [1], and on October 21, 2016, it was used for the attack on Dyn, reported at up to 1.2 Tbps [2]. Mirai's source code was published on Hack Forums on September 30, 2016 by someone calling himself Anna-senpai. Once the details were examined [3], Mirai's DDoS capabilities were clear.

After the code was released, another harmful side showed itself. In a report dated October 16, 2016, the Rapidity Networks security research group [4] clearly describes a malware sample that can fairly be called more innovative. This malware (Hajime, "beginning" in Japanese) spread through the telnet ports of IoT devices, using the same propagation method as Mirai. After infection, however, it uses the BitTorrent DHT to locate its second-stage (stage2) files and BitTorrent's uTP to fetch them. This lets Hajime distribute its second-stage code with ease. And because the second-stage code can be supplied so flexibly, this new malware is in effect becoming a generic platform for whatever purpose comes next: captured bots could, for example, be rented out with custom second stages. This is a very important development.

Ioannis Profetis, one of the researchers in the same group, discusses some changes in the current version of Hajime in a recent blog post [5]. Along with changes such as switching to wget for downloads and blocking access to several ports on the infected system, especially telnet, there are comments that Hajime actually protects the infected system from being infected by other malware. So much so that it has been reported as a defensive system, written by gray-hat hackers, that protects these devices [6].

I do not agree with the gray-hat hacker comments about Hajime. Closing the relevant ports may mean that this is Hajime's purpose, but it may equally mean not accepting anyone else in this place, that is, ownership. In addition, the easily changeable second-stage files prepare a platform that can be used for DDoS and similar attacks in the future. In fact, the use of the BitTorrent infrastructure in the initial design also points to this.

Hajime is not the only one taking an attacking approach to blocking these attacks. BrickerBot, a recently discovered malware, renders IoT devices inoperable so that they cannot be infected. You may want to look at the "ruthless" command lines that show how it bricks these devices [7].

In the meantime, it is also interesting that the name Hajime, given to it by the first researchers, has been adopted by its authors in the current versions, and that they now refer to themselves this way. Hajime has currently reached about 300,000 devices.

If you are reading this post as an end user: do not leave the pre-defined passwords on devices such as modems, cameras and DVRs, and turn off telnet and SSH access if it is not needed.

If you are a technical researcher, the links below will interest you. You may also be interested in Brian Krebs's write-up of how he traced the author of Mirai [8].

If you are an enterprise, consider deploying Layer 7 DDoS protection measures.

  1. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  2. http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
  3. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
  4. https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
  5. https://x86.re/blog/hajime-a-follow-up/
  6. https://arstechnica.com/security/2017/04/vigilante-botnet-infects-iot-devices-before-blackhats-can-hijack-them/?comments=1
  7. https://www.bleepingcomputer.com/news/security/new-malware-intentionally-bricks-iot-devices/
  8. https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

Popular Misconception: IPS can block DDoS attacks!

Posted by:

IPS products provide nearly complete protection at the application layer. Even with their many capabilities, however, we cannot ignore their weaknesses. Today's DDoS attacks are composed of what are called valid packets. An IPS matches packets against its signature database, and because it inspects only packet headers and contents, it may let these valid packets pass. Advanced DDoS attacks built from valid packets therefore succeed.
Although an IPS has some anomaly-based capabilities, it needs extensive manual set-up by specialists, and its signatures have to be tuned by a team of experts. It is also evident that the existing signatures in IPS systems are inadequate for identifying today's advanced DDoS attacks. Taken together, these characteristics mean that an attack that should have been stopped within seconds is not stopped, and when the attack records are later analysed by a team of experts, the attack is identified much too late or not at all.
Another weakness is that these devices physically fall behind under volumetric attacks. Today's smart attackers know that, by hardware and software architecture, IPS devices are not rated for high volumes of requests, nor for the session tables that fill up under many low-packet requests. When an attacker identifies an IPS product, he aims to drive the device's CPU to 85-95%, either by starting a volumetric attack on another of your reachable services or by sending session requests with few packets, and at those levels to push the IPS into bypass mode. With the IPS disabled, the attacker then goes after the information, service or device it was protecting.


NTP Reflection Attacks

Posted by:

NTP reflection attacks, which began at the end of 2013, reached 400 Gbps in 2014, the largest attack size detected in the world to date. After the DNS reflection attack of March 2013 targeting Spamhaus, recorded at 300 Gbps, traffic of 400 Gbps was seen in 2014.

These attacks reach such levels by using a mirror (reflection) method. As in DNS reflection floods, innocent public servers are used as intermediaries for the attack.

The attacker queries NTP servers intensively, but deliberately forges the source IP address of the queries to that of the target system. This is possible because NTP, which runs on UDP port 123, is connectionless: the NTP servers answer the queries they receive, but the answers go to the target system, which appears to be the IP address that asked. In this type of attack, public NTP servers are used as mirrors.

The key factor in achieving attacks of this size is the query type known as "monlist" in the NTP protocol. In response, the NTP server lists the last 600 hosts that connected to it, split across multiple packets.

Figure: Labris Networks' answer to a monlist query

A query with a very small packet size brings back an answer containing a large number of IP addresses. At this point the NTP server "amplifies" the traffic, which is why the English term "amplification" is used: this type of attack is called NTP reflection and also NTP amplification. Answers that are much larger than the query are, of course, a golden gift for attackers. In this way, by spoofing the IP address of the system he wants to attack, the attacker directs enough answer traffic at the target.

The following points should be noted to protect against this attack, and to avoid becoming a part of it.

1. If you operate an NTP server, update to a version in which this command is turned off (ntpd 4.2.7p26 and later no longer answer monlist), and in addition to "monlist", disable the "loopinfo" and "iostats" commands in the NTP server configuration. To test, you can use the check page at http://openntpproject.org/.

2. Watch for monlist connections from your network to public NTP servers outside it; you can do this with an IPS signature. This may reveal a possible zombie on your network.

3. Limit the L3 packet rate of response packets coming from NTP servers with your firewall, or block "monlist" answers by content inspection with the IPS on your security gateway.
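The monlist exchange and the three countermeasures above, as an added example (not code from the original post or from Labris Networks): it builds the 8-byte mode-7 monlist probe, decodes mode-7 headers so that requests and answers can be told apart (the signature logic behind steps 2 and 3), computes the amplification from constructed answer packets of six 72-byte entries each, and audits a constructed ntp.conf for step 1. The request code 42 (REQ_MON_GETLIST_1), implementation number 3 and the 72-byte entry size are ntpd's own values; the sample packets, the two configuration fragments and the assumption of 100 answer datagrams for 600 entries are constructed for the demonstration. The ratio you get depends on what you count: on UDP payload alone the 8-byte probe yields 5500x here, while published figures in the low hundreds count frame headers and the larger request that ntpdc itself sends.

```python
"""NTP mode-7 ("private mode", ntpdc) helpers for the monlist reflection
attack described above.  Added example for this post, not Labris Networks'
code; the sample packets and the two ntp.conf fragments are constructed."""
import struct
from typing import Dict, List

MODE_PRIVATE = 7            # NTP mode 7 = implementation-specific (ntpdc)
IMPL_XNTPD = 3              # implementation number ntpd answers to
REQ_MON_GETLIST = 20        # old monlist request code
REQ_MON_GETLIST_1 = 42      # monlist request code ntpdc uses today
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}
MON_ENTRY_SIZE = 72         # one info_monitor_1 item in a monlist answer
MON_ENTRIES_PER_PACKET = 6  # items carried per answer datagram
HDR = "!BBBBHH"             # rm_vn_mode, auth_seq, impl, request, err|nitems, mbz|itemsize


def build_monlist_request(version: int = 2, seq: int = 0) -> bytes:
    """The minimal 8-byte probe: a mode-7 header with no data items.
    byte 0 = R(1) M(1) version(3) mode(3); byte 1 = auth(1) sequence(7)."""
    rm_vn_mode = (version << 3) | MODE_PRIVATE
    return struct.pack(HDR, rm_vn_mode, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def build_monlist_response(nitems: int, more: bool, seq: int = 0) -> bytes:
    """Constructed answer datagram: header plus nitems zeroed 72-byte entries."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack(HDR, rm_vn_mode, seq & 0x7F, IMPL_XNTPD,
                      REQ_MON_GETLIST_1, nitems & 0x0FFF, MON_ENTRY_SIZE)
    return hdr + b"\x00" * (nitems * MON_ENTRY_SIZE)


def parse_mode7(payload: bytes) -> Dict[str, int]:
    """Decode the 8-byte mode-7 header; ValueError for anything else."""
    if len(payload) < 8:
        raise ValueError("too short for a mode-7 header")
    b0, _auth_seq, impl, code, err_nitems, mbz_itemsize = struct.unpack(HDR, payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        raise ValueError("not NTP private mode")
    return {"response": b0 >> 7, "more": (b0 >> 6) & 1, "version": (b0 >> 3) & 7,
            "impl": impl, "code": code, "err": err_nitems >> 12,
            "nitems": err_nitems & 0x0FFF, "itemsize": mbz_itemsize & 0x0FFF}


def classify(payload: bytes) -> str:
    """What an IPS signature for steps 2 and 3 has to tell apart."""
    try:
        h = parse_mode7(payload)
    except ValueError:
        return "not-mode7"
    if h["code"] not in MONLIST_CODES:
        return "mode7-other"
    return "monlist-response" if h["response"] else "monlist-request"


def amplification(request: bytes, responses: List[bytes], framing: int = 0) -> float:
    """Bytes received per byte sent; framing=42 adds Ethernet+IPv4+UDP headers."""
    sent = len(request) + framing
    received = sum(len(r) + framing for r in responses)
    return received / sent


def audit_ntp_conf(text: str) -> List[str]:
    """Step-1 check: is the monitor facility off, and is 'restrict default noquery' set?"""
    stmts = [ln.split("#", 1)[0].split() for ln in text.splitlines()]
    stmts = [s for s in stmts if s]
    findings = []
    if not any(s[0] == "disable" and "monitor" in s[1:] for s in stmts):
        findings.append("'disable monitor' missing: the daemon keeps the list monlist returns")
    defaults = []
    for s in stmts:
        if s[0] == "restrict":
            rest = [t for t in s[1:] if t not in ("-4", "-6")]
            if rest and rest[0] == "default":
                defaults.append(rest[1:])
    if not defaults:
        findings.append("no 'restrict default' line: anyone may send mode-7 queries")
    elif not all("noquery" in flags for flags in defaults):
        findings.append("'restrict default' lacks 'noquery': mode-6/7 queries are answered")
    return findings


def demo() -> Dict[str, object]:
    """One constructed exchange: an 8-byte probe answered with 600 entries."""
    probe = build_monlist_request()
    answers = [build_monlist_response(MON_ENTRIES_PER_PACKET, more=i < 99, seq=i)
               for i in range(100)]
    weak = "server 0.pool.ntp.org\nrestrict default nomodify\n"          # constructed
    hardened = ("server 0.pool.ntp.org\n"                                 # constructed
                "restrict default kod nomodify notrap nopeer noquery\n"
                "restrict 127.0.0.1\n"
                "disable monitor\n")
    return {"probe": classify(probe), "answer": classify(answers[0]),
            "payload_ratio": amplification(probe, answers),
            "wire_ratio": amplification(probe, answers, framing=42),
            "weak_findings": audit_ntp_conf(weak),
            "hardened_findings": audit_ntp_conf(hardened)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For step 2, the signature is `classify(payload) == "monlist-request"` on UDP/123 traffic leaving your network; for step 3 it is `"monlist-response"` on traffic arriving from port 123, which a rate limit on the gateway can then throttle. The `audit_ntp_conf` check only covers the two directives that matter most for monlist; on ntpd builds old enough to still answer monlist, upgrading remains the real fix.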

We want to point out that all of these can be done with Harpp DDoS Mitigator, which performs DDoS-specific inspection at L7. With the Harpp DDoS product, various measures can be taken against these attacks on systems under its L7-specific protection, chief among them Protocol Review and Defining Private Rules. In your Special Rules for NTP queries or answers, you can set the number of packets and the regions you accept at given times and in given proportions, or you can directly block these specific queries and answers with L7 inspection.


Did Facebook and Instagram get hit by DDoS attack?

Posted by:

After the outage of some popular web services including Facebook and Instagram, the possibility of a cyber attack is being considered. Labris Networks, which provides cyber security for over 3,500 mid- and high-level corporations and organizations, including military organizations, ministries and privately held companies, in more than 20 countries with a product family that includes the HARPP DDoS Mitigator cyber warfare tool, made a statement through its CTO Oğuz Yılmaz about the causes of this latest case and the extent of the DDoS threat.

Labris Networks, which developed Turkey's first national firewall in 2003 and Turkey's first native UTM product in 2005, and which is capable of instant monitoring and control from its Security Operations Center, made a statement about the latest event. "In our research, we found that this could be due to a DDoS attack. The hacker groups Lizard Squad and DEAS also claimed responsibility for the attack. However, until Facebook issues an official statement, we cannot know for sure that the initial source of this situation is related to these DDoS attacks. An outage due to a technical problem could be exploited with a DDoS attack to make Facebook experience more problems," said Labris Networks CTO Oğuz Yılmaz in his statement.

Pointing out that Lizard Squad, which claimed responsibility for the attack, has made similar attacks in the past, Labris Networks CTO Oğuz Yılmaz said, "We see that Lizard Squad was involved in PlayStation Network attacks throughout the year, as well as the PSN and Microsoft Xbox gaming network attacks at Christmas. This group gets paid for making DDoS attacks on third parties via its website. We have been monitoring them, and in 2014 they started to build a significant attack network (botnet) through some major security flaws. This attack network was created in the last months of the year by exploiting certain vulnerabilities in server systems with high bandwidth and powerful hardware, and this botnet could have been used for the first time in this attack. Even though their website was hacked, some of their clients were subsequently unveiled and some people were arrested on charges of being members, the cellular structure of these groups makes it hard to wipe out the whole organization at once."
Labris Networks warns organizations that DDoS attacks, which became well known with the 2013 Anonymous and RedHack attacks, can be repeated in 2015 at far greater capacity with the various botnets created by Lizard Squad and similar groups. Stating that the attacks will become more intricate, Labris Networks CTO Oğuz Yılmaz said that protection is only possible with smarter systems and skilled professionals.