The tale of one thousand and one ADSL modems

Similar documents
How Breaches Really Happen

Phishing with Office 365. *Minecraft, also a Microsoft product

The poor state of SIP endpoint security

PROTECTING YOUR BUSINESS ASSETS

Computer Security Trend 2008 from Japan. SQL Injection, DNS cache poisoning, Phishing, Key logger Malware and Targeted Attacks

How to Build a Culture of Security

IT SECURITY FOR LIBRARIES PART 1: SECURING YOUR LIBRARY BRIAN PICHMAN EVOLVE PROJECT

Protection Against Malware. Alan German Ottawa PC Users Group

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

To learn more about Stickley on Security visit You can contact Jim Stickley at

The Crossed Swords wargame: Catching NATO red teams with cyber deception

Online Scams. Ready to get started? Click on the green button to continue.

FinIntrusion Kit / Release Notes. FINFISHER: FinIntrusion Kit 4.0 Release Notes

Progress Report 1. Group RP16. All work done by Ivan Gromov and Andrew McConnell

A brief introduction to information security. Outline. Safety vs. Security. Safety vs. Security. Notes. Notes. Notes. Part I.

Unique Phishing Attacks (2008 vs in thousands)

Attack Vectors in Computer Security

Application vulnerabilities and defences

CIRT: Requirements and implementation

Your security on click Jobs

Phishing Read Behind The Lines

Cybersecurity Today Avoid Becoming a News Headline

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Advanced Threat Hunting:

Device Discovery for Vulnerability Assessment: Automating the Handoff

Thanks for attending this session on April 6 th, 2016 If you have any question, please contact Jim at

The Internet of Things. Steven M. Bellovin November 24,

Incident Response Initiatives in Brazil

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Application Firewalls

Cyber Security Basics. Presented by Darrel Karbginsky

ELECTRONIC BANKING & ONLINE AUTHENTICATION

Staying Safe Online. My Best Internet Safety Tips. and the AgeWell Computer Education Center.

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

A practical guide to IT security

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Train employees to avoid inadvertent cyber security breaches

KnowBe4 is the world s largest integrated platform for awareness training combined with simulated phishing attacks.

IT & DATA SECURITY BREACH PREVENTION

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

DEFENCE IN DEPTH HOW ANTIVIRUS, TRADITIONAL FIREWALLS, AND DNS FIREWALLS WORK TOGETHER

Free antivirus software download

ANATOMY OF AN ATTACK!

Large-Scale Internet Crimes Global Reach, Vast Numbers, and Anonymity

Recognizing Fraud Staying Safe 2018 Information/Cyber Security Training

Stakeholders Analysis

Subject: Top-Paying IT Certificates for 2015 (And Our New Courses)

3.5 SECURITY. How can you reduce the risk of getting a virus?

Testing Exploit-Prevention Mechanisms in Anti-Malware Products

HACKING FIRMWARE. Obvious truths to remember

An overview of the CERT/CC and CSIRT Community

Introduction to Information Security Dr. Rick Jerz

A Guide to Closing All Potential VDI Security Gaps

SPAM Malware s Super Highway. How To Protect Yourself Against Malicious s 1

Personal Cybersecurity

Welcome. Security: First Line of Defense. Chris Riley Director x4331

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Introduction to Security. Computer Networks Term A15

SO YOU THINK YOU ARE PROTECTED? THINK AGAIN! NEXT GENERATION ENDPOINT SECURITY

Mobile County Public School System Builds a More Secure Future with AMP for Endpoints

How Cyber-Criminals Steal and Profit from your Data

Security Course. WebGoat Lab sessions

Security and Privacy. Xin Liu Computer Science University of California, Davis. Introduction 1-1

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

How Enterprise Tackles Phishing. Nelson Yuen Technology Manager, Cybersecurity Microsoft Hong Kong

GUIDE TO KEEPING YOUR SOCIAL MEDIA ACCOUNTS SECURE

Keeping Your PC Safe. Tips on Safe Computing from Doug Copley

2018 Edition. Security and Compliance for Office 365

Network Security Issues and New Challenges

Who We Are! Natalie Timpone

Designing a System. We have lots of tools Tools are rarely interesting by themselves Let s design a system... Steven M. Bellovin April 10,

ADDRESSING TODAY S VULNERABILITIES

How To Remove Personal Antivirus Security Pro Virus Windows 8

Cybersecurity, Cybercrime, Cyberwar, Cyberespionage...

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Show notes for today's conversation are available at the podcast website.

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Frauds & Scams. Why is the Internet so attractive to scam artists? 2006 Internet Fraud Trends. Fake Checks. Nigerian Scam

Layer by Layer: Protecting from Attack in Office 365

Chapter 10: Security and Ethical Challenges of E-Business

Staying Safe on the Internet. Mark Schulman

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CONTEMPORARY CYBER ATTACK TRENDS AND CHALLENGES DR SHASHWAT RAIZADA

PRACTICING SAFE COMPUTING AT HOME

Training UNIFIED SECURITY. Signature based packet analysis

SECURING INFORMATION SYSTEMS

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Man-In-The-Browser Attacks. Daniel Tomescu

Simple and Powerful Security for PCI DSS

Phishing Activity Trends Report August, 2006

BUILDING AN EFFECTIVE PROGRAM TO PROTECT AGAINST FRAUD

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Methodology USA UK AUSTRALIA CANADA JAPAN N=1,008 MOE=+/-3% N=1,044 MOE=+/- 3% N=1,028 MOE=+/- 3% N=1,025 MOE=+/- 3% N=1,005 MOE=+/- 3%

Security Automation Case Study Maricopa Community Colleges. Watch the full webinar replay

Phishing Activity Trends

BREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS

A Security Model for Space Based Communication. Thom Stone Computer Sciences Corporation

Duplication and/or selling of the i-safe copyrighted materials, or any other form of unauthorized use of this material, is against the law.

A Review Paper on Network Security Attacks and Defences

Transcription:

The tale of one thousand and one ADSL modems Fabio Assolini, Malware Researcher, twitter.com/assolini Virus Bulletin 2012 Dallas, USA

PAGE 2

If we can t attack a computer or a server, we ll attack a router or modem this way, we ll win Brazilian bad guy chatting in a criminal IRC room PAGE 3

PAGE 4

compromised in a massive remote attack against SOHO network devices located in the country, since 2011, according Brazilian CERT PAGE 5

The tale of one thousand and one ADSL modems Modems and routers: devices full of vulnerabilities, bugs and flaws openly public and ignored by (some) vendors, administrators, ISPs, the security industry. Devices used with default password Non-standard upgrade model, lack of updates from vendors Problem ignored by users as long as they keep doing their job Web admin interface vulnerable to authentication bypass via CSRF SOHO routers on corporate networks are more likely than you think Hard to detect attacks with AV, attackers don t need to bypass it Result: massive attacks are REAL and here to stay PAGE 6

PAGE 7

* According a CSIRT of a Brazilian Bank PAGE 8

The tale of one thousand and one ADSL modems PAGE 9

The tale of one thousand and one ADSL modems http://www.google.com.br/css5/exploit.jar http://www.google.com.br/css5/xae.jar http://www.google.com.br/k.jar http://www.google.com.br/google_setup.exe http://www.baixaki.com.br/css5/exploit.jar http://www.baixaki.com.br/css5/xae.jar http://www.facebook.com/css5/exploit.jar http://www.facebook.com/facebook_complemento.exe http://www.terra.com.br/css5/exploit.jar http://www.terra.com.br/css5/xae.jar http://www.ig.com.br/css5/exploit.jar http://www.ig.com.br/css5/xae.jar http://www.uol.com.br/css5/exploit.jar http://www.uol.com.br/css5/xae.jar http://www.buscape.com.br/css5/exploit.jar http://www.buscape.com.br/css5/xae.jar http://www.clicrbs.com.br/css5/exploit.jar http://www.mercadolivre.com.br/css5/exploit.jar http://www.mercadolivre.com.br/css5/xae.jar PAGE 10

The tale of one thousand and one ADSL modems PAGE 11

The tale of one thousand and one ADSL modems 50.97.1XX.146 64.251.XX.113 64.251.XX.114 65.111.1XXX.179 66.90.1XX.243 66.228.XX.253 67.237.2XX.11 67.227.2XX.12 69.162.1XX.237 69.162.1XX.238 69.167.1XX.226 69.167.1XX.227 69.164.2XX.125 69.60.1XX.55 74.63.2XX.45 74.63.2XX.46 124.248.2XX.9 173.255.2XX.114 173.230.1XX.35 174.127.XX.168 178.79.1XX.139 190.120.2XX.41 190.120.2XX.57 190.120.2XX.233 200.35.1XX.230 200.35.1XX.20 212.113.XX.92 216.144.2XX.157 216.144.2XX.158 216.144.2XX.45 80.82.XX.198 94.23.XX.18 69.167.1XX.228 216.245.2XX.181 216.245.2XX.182 66.XX.110.243 80.XX.XX.198 91.94.XX.202 190.XXX.227.114 190.XXX.227.115 PAGE 12

PAGE 13

* According to a CSIRT at a Brazilian bank PAGE 14

The tale of one thousand and one ADSL modems The flaw exploited of the Brazilian attacks: chips from Broadcom are affected by a specific CSRF on admin panel. Published on March 2011 on Exploit.db, detected as HackTool.Shell.ChDNS.a PAGE 15

The tale of one thousand and one ADSL modems Automating attacks: scripts running in dedicated servers to scan a range of IPs PAGE 16

The tale of one thousand and one ADSL modems 6 hardware manufacturers affected by these flaws, all leading vendors of network devices to SOHOs in the Brazilian market Negligent vendors: how many security researchers are reporting flaws on network devices? Are all these bugs being fixed? How many flaws aren t reported? Guilty ISPs: it s common in Brazil (and probably other parts of the world) for local ISPs to lend their customers OLD and VULNERABLE network devices Government: ANATEL, Brazil s National Agency of Telecommunications, approves network devices before vendors can sell them, but they don t verify security issues, only standard functionality. PAGE 17

PAGE 18

The tale of one thousand and one ADSL modems One DNS server was located in Brazil and a law enforcement agency had access to it One log had info on more than 14k victims, while another had more than 30k The attacks always occurred at certain times of the day (business hours) In several modems the Google DNS was configured as a secondary server PAGE 19

The tale of one thousand and one ADSL modems [13:20:00] barao: how was your work today? [13:21:51] Carlos S/A: we re looking to program an ADSL modem scan [13:23:36] barao: what you mean? [13:25:49] Carlos S/A: it s a DNSChanger [13:25:54] Carlos S/A: something on this way [13:26:30] barao: did you give up to create new bankers? [13:26:50] Carlos S/A: no no [13:26:53] Carlos S/A: it s exactly for it [13:27:05] barao: your bankers aren t working even more? [13:27:44] Carlos S/A: no no [13:27:49] Carlos S/A: now I m working on a DNS changer [13:28:00] Carlos S/A: and a new method to infect [13:28:09] Carlos S/A: make a lot of infections [13:28:09] barao: ahhhh you re talking about dns spoofs [13:28:16] Carlos S/A: yeap [13:37:57] Carlos S/A: you know it? [13:38:20] barao: yeah [13:38:21] barao: on this way we ll never loose access on the machine [13:38:23] barao: hahaha PAGE 20

The tale of one thousand and one ADSL modems [13:39:41] Carlos S/A: activating it for 10 minutes [13:39:50] Carlos S/A: on a Bradesco fake website [13:39:52] Carlos S/A: wow [13:39:55] Carlos S/A: we catch a lot of info and [13:39:58] Carlos S/A: a lot of money [13:40:08] Carlos S/A: we put an warning [13:40:10] Carlos S/A: asking for [13:40:20] Carlos S/A: the installation of a plugin [13:40:58] Carlos S/A: each infection was a info collected [13:41:11] Carlos S/A: but we aren t owning a DNS server, we re scanning routers and modems and changing the DNS using a script [13:42:59] Carlos S/A: we know about another guy that developed this script and all scheme is really crazy, he earned a lot of money, traveled and spent all the money on Rio de Janeiro, when back he have no money and need to start again, but he delays a lot, for this reason we re creating our own scanner [13:43:25] Carlos S/A: it s incredible the guy hasn t a car or a motorcycle, he only want to stay on Rio with prostitutes all day [13:43:44] Carlos S/A: last month he earned more than 100,000 (one hundred thousand) reais and spent everything on Rio PAGE 21

PAGE 22

PAGE 23

PAGE 24

The tale of one thousand and one ADSL modems If network device vendors fail to deal with security issues, how can AV vendors protect their customers against these attacks? Will we need to develop protection for users hardware? Are antivirus companies responsible for detecting these kinds of exploits? Is detecting them enough to protect our customers? What about malicious redirects made via the DNS configured in these device? How good is your heuristic phishing detection? While we detect a large amount of malware, can and should we also track down such exploits? There are lots of questions and, so far, not very many answers. PAGE 25

Questions? Thanks! The tale of one thousand and one ADSL modems Fabio.assolini@kaspersky.com twitter.com/assolini Malware Researcher, Virus Bulletin 2012

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback