Okay, hi everyone. Thank you very much for coming. So this is Worms That Fight Back: Nematodes as an Antidote for IoT Malware. It's worth pointing out that what I'm going to talk to you about today is presented for educational purposes only. Also worth pointing out that this isn't a brand new concept; it builds on work that's been done previously, as you'll see from the references and the case studies I'm going to talk about. So my name is Matt Wixey. I lead research for PwC UK's cyber security business unit. I also work on its ethical hacking team. I'm a part-time PhD student at UCL, and my previous role was working in law enforcement in the UK, leading a technical R&D team. So I want to talk about nematodes, or anti-worms, because I think it's a really interesting and really under-explored concept. It's been talked about a little bit before, and it actually goes right back to the 1970s, when malware first started to be experimented with and played with. I have a general interest in repurposing bad stuff for good purposes, and as far as I know this concept hasn't really been applied to IoT, in any security research sense anyway. So I'm going to cover what a nematode is, what an anti-worm is. I'm going to go through a history of nematodes in the wild, cover why those attempts didn't really take off, and look at previous attempts to produce nematode frameworks as a kind of commercial or service offering. I'm then going to talk about something I call neotodes, which is a term I've come up with just to describe new kinds of worms using new replication vectors, and whether that makes it worth reopening the debate about whether anti-worms are something that could be used. I've got some demos for you as well, so I'm going to demo some nematodes that I've developed. 
I'm then going to talk about something called the Antidote framework, which is something experimental that we're working on at PwC, and then finally I'm going to wrap up. So what is a nematode? In biology a nematode is a generic term for a worm, or a parasite that attacks other parasites; that's how it's commonly understood. In security it's an anti-worm: a tool which exploits the same vulnerabilities that malicious worms exploit and replicates in the same ways that malicious worms do, but is designed to disinfect systems, patch systems and kick malicious worms off infected hosts. There are three different kinds, based on the case studies that are out there. There are true nematodes, which are designed to exploit systems with certain vulnerabilities and then automatically download and install a patch and kick malicious worms off that host. There are malicious nematodes, which are themselves malicious but try to kick other malicious worms off infected hosts to boost their own infection rate, to kill off the competition if you like. And finally there are 'moral' nematodes, and I use the word moral in inverted commas: these are nematodes which, in the eyes of the author or developer, perform some kind of beneficial action. They don't necessarily exploit a specific vulnerability, but they do something that the author believes is morally good. So if we walk through the history of nematodes, the first known one, and it's kind of apocryphal, is Creeper versus Reaper. Has anyone heard of the Creeper virus? A couple of people. So Creeper was an experiment, basically. It infected TENEX operating systems, and it was arguably the first self-replicating, spreading piece of malware. It didn't really do anything. It transferred itself over to different systems rather than replicating, and it just printed out the bit of text you can see there: I'm the Creeper. 
Catch me if you can. And Reaper, rumour has it anyway, was a tool developed to try to catch up with the Creeper virus and kick it off the system. Anyone heard of ANIMAL and the PERVADE routine? A couple of people. So ANIMAL was a game developed by John Walker in 1975. It was a guessing game, so it would ask you to think of an animal and then try to guess what it was. And PERVADE was a subroutine in ANIMAL that was designed to spread the game, so it would copy itself to shared disks and shared drives so that it would spread as far as possible. And HUNTER, again apocryphal, was a tool that was allegedly designed to track down copies of ANIMAL and delete them from systems. Then there's Brain. You'd all be familiar with Brain, I would imagine: a pretty old virus that infected the boot sector of floppy disks and renamed it. You can see from this screenshot that the authors ensured that their names, address and telephone number were actually included in it. There are a couple of interpretations of that. One is that it was just a more innocent time for writing viruses and malware and that kind of thing. The other, arguably, is that the Brain virus was developed as a kind of warning to software pirates, and the names, address and telephone number were added so that if people were infected they would have some kind of recourse and could get themselves patched. The Den Zuko virus was a nematode that deliberately targeted Brain-infected disks, so it would replace what was on the boot sector and retitle it. Then there's KOH, named after the chemical formula for potassium hydroxide. KOH would encrypt your disk, but beforehand it would ask for permission and ask you to supply the password. It's a very benign form of ransomware, if you like. So this is a good example of a moral nematode. 
The reason it was doing this was to try to protect your system from being attacked and having your data stolen. On a similar note there's Cruncher, from '92 or '93. Cruncher would compress files on your system, ostensibly to save you space. Who's heard of Max Vision, or Max Butler? Yeah, quite a few people. So Max Vision, Max Butler, was a penetration tester and security researcher. He ran a website called whitehats.com. He also ran something called arachNIDS, which was a database of attack signatures. In 1998 a group called ADM released a worm that exploited a vulnerability in the BIND DNS software. And Max Vision, whilst on the one hand writing public articles about that worm, on the other hand developed a nematode that he released into the wild. That nematode would exploit the BIND vulnerability. It would then attempt to download and install a patch for it, and I believe it would try to kick off the malicious worm if it was on the system as well. Unfortunately Max left a back door on the systems that were patched by that nematode so that he could access them whenever he wanted, and his nematode caused a lot of disruption in the military networks it ended up infecting. If you haven't heard of him before and you're interested, Kevin Poulsen wrote a great book on him and his story called Kingpin, which describes how he went from a white-hat researcher to running a massive carding forum. So it's worth a read if you can get hold of a copy. Polypedo is a really interesting one. This is a good example of a moral nematode. It's pretty basic: it was from 2001 and it was written in VBS. What Polypedo did was scan your hard drive for images and look at the file names of all those images. It would compare those file names, using regular expressions, to a hard-coded list of file names which were associated with child abuse. 
And if it found any of those images on your hard drive it would send an email to various law enforcement agencies, charities and other organisations, attaching the images and reporting it. So that raises all sorts of really interesting legal and ethical questions about whether or not that's justified. Blaster versus Welchia. Talking about more recent ones here: the Blaster worm obviously exploited a vulnerability in DCOM RPC. Welchia was released about a week later, and it would download and install a patch. It would check the registry to see if the patch had been installed; if not, it would download and install it. It would try to delete Blaster from infected hosts, and it ended up causing all sorts of problems with network bandwidth and denial of service and that kind of thing. Anyone read Stealing the Network? Yeah, a couple of people. It's a really great book, a really great collection of stories; there's a whole series of them. They're like connected short stories written by hackers about hacking. Some of the technology they talk about is a little bit dated now, but they're really good stories, and this particular one, The Worm Turns from 2003, describes a situation very similar to the Blaster and Welchia case study. So definitely worth a read if you can get hold of that. And then the worm wars from 2004: NetSky, Bagle and MyDoom, all of which were at one point trying to kick each other off infected hosts, and the authors were trading insults in the source code of various versions of these worms as well. So those are good examples of malicious nematodes. And then, even more recently, Mirai versus Hajime. You'll be familiar with Mirai. Hajime was, or is, an IoT nematode that exploits some of the same vulnerabilities that Mirai does, in terms of default passwords and things like that, and includes this message on infected hosts to let people know that it's infected them. 
And then, I think most interestingly, the one that I find most interesting is this one: BrickerBot versus Mirai, Reaper and various others. In December last year there was a post on Pastebin and Ghostbin and a few other places by someone calling themselves Janitor, and they claimed to be the author of the BrickerBot worm. BrickerBot would permanently disable infected machines by corrupting the firmware, or overwriting the firmware with a bad image. And Janitor claims that they did that in order to prevent those devices subsequently being misused by Mirai and Reaper and participating in DDoS attacks. So that again raises all sorts of really interesting legal and ethical questions about whether it's preferable for devices to be bricked, or preferable to let them remain vulnerable and then have them be used in massive DDoS attacks which end up potentially taking out parts of internet infrastructure. So the heyday of worms, I guess, was probably the mid-2000s. You obviously had Conficker a few years later, which is probably the biggest one. But in recent times traditional network worms have decreased quite a lot. You still get the occasional one; WannaCry is a good example. But generally things like exploit mitigations, better antivirus and security solutions, better patch management and incident response, generally just better security, have meant that those big traditional network-based worms have fallen off to a great extent. So there were some previous attempts to try to formalise a nematode framework and make it something that could be used by the security community, something that could be used by organisations to try to protect themselves from worms. The first one that I'm aware of is Dr. Cyrus Peikari, who gave a talk at DEF CON 9 back in 2001. He was coming from the perspective of immunology and virology and applying that to computer security. 
His concept was that it might be possible to create an attenuated or weakened virus and release that into the wild in order to boost the immunity of antivirus systems and security solutions. An interesting concept, but it pretty much remained a concept; it was just a thought experiment really. Then Dave Aitel from ImmunitySec presented a talk in 2005 where he proposed a framework which would automatically generate nematodes based on exploits. The idea was that you would feed a recent exploit into his framework and it would then generate a nematode automatically, which you could then deploy. Unfortunately I've only been able to find the slides of that talk; I haven't been able to find any source code or demos. If anyone knows where I can find any, that'd be great. Around the same time HP started something called Active Countermeasures. There's not a lot of detail available about it, but it was essentially using exploits to protect systems. And in a similar vein Fujitsu was approached, maybe contracted, by the Japanese government in 2012 to do a similar kind of thing. All of those proposed frameworks suggested a number of benefits to using nematodes on a corporate network. As well as being able to rapidly assess an entire network for vulnerabilities and, if hosts had already been affected by worms, to disinfect them and patch them, some people also suggested that nematodes could be used for things like distributed searching, for self-discovering networks, so discovering things like shadow IT or hosts which weren't 100% up, and even potentially vulnerability scanning: consistent vulnerability scanning where every host is a scanner. The counter-arguments to that are many, really. Firstly there's the legality. 
Just releasing a nematode into the wild, in the majority of countries, is going to be illegal, because you're still accessing and modifying someone else's system without authorisation. There's also an ethics question as well: whether it's right to do that, whether it's right for someone to take on the role of deciding that they're going to sort out your security for you. There's also the trust model. There's evidence from the Max Vision case study where, despite developing a kind of beneficial nematode, he also put a back door in it. So what makes us able to trust a nematode developer any more than a worm developer? There are obvious issues with denial of service and bandwidth as well. Because nematodes, like worms, will be constantly scanning for new hosts to attack and will be replicating, that can potentially cause issues. They're hard to target and control. Even if you are only launching a nematode on an internal network, maybe a fairly small network, if that somehow gets onto a removable device and that's then plugged into another machine, then it can potentially spread that way. And lastly, worms are just difficult to do, difficult to do well anyway. It's hard to write an effective and efficient worm which isn't going to crash the host that it infects and isn't going to generate too much network traffic. So of those frameworks, none of them really went anywhere. None of them really addressed that fear factor, and combined with the demise of those traditional big network worms, that pretty much meant the concept died a death. Now, neotodes, or new generations of worms, could possibly make it worthwhile reopening this debate. If you look at some recent, and some not so recent, vulnerabilities and exploits, taking this from the left, you have the Philips Hue light bulb. 
A Black Hat talk a couple of years ago described creating a worm using the Philips Hue light bulb which could spread across a city. You've then got Broadpwn, looking at vulnerabilities in Broadcom Wi-Fi chipsets. Going back a few years, malware in RFID tags and readers that could spread from the tag to the reader and then from the reader to every tag that touched the reader; the proof of concept for that one was SQL injection, fairly easy to do. BlueBorne, vulnerabilities in implementations of Bluetooth. The Arduino Yún: that was a paper from a couple of years ago about a wormable vulnerability in that particular Arduino board. And then at the bottom, various IoT devices. Now these specific devices aren't necessarily vulnerable to attacks; it's just an illustration of the types of devices. Particularly interesting there, you've got an IP camera, and I'll talk about that a bit later on. So there is potentially a new generation of worms on the horizon that use different methods for propagation, where traditional vulnerability management doesn't necessarily apply and applying patches can be very difficult: you might be talking about having to have physical access to the device, or getting firmware updates over the air, which is potentially time-consuming if you have a big network of IoT devices, and many exploit mitigation mechanisms might not be possible depending on what kind of system it is. You've also got a proliferation now of IoT devices in corporate environments; there was a good talk yesterday about smart speakers by Stephen Hill, about how many organisations now just have Sonos speakers in their office. And also, if you work in security and you want to demonstrate to a client or to supervisors how damaging worms can be, nematodes are potentially a really good way to do that. Okay, so I'm going to run through some demos. The first one is an example of a true nematode. 
This is a fairly recent exploit, from March this year. It's a command injection vulnerability in a web application called ClipBucket. So I wrote a worm in Python. That worm exploits the vulnerability, downloads and runs a copy of itself, puts a web shell on the infected machine just to demonstrate that it can, and then starts to scan for new targets. The nematode obviously exploits the same vulnerability. It searches for both the malicious worm and the PHP back door and deletes both of them. It takes the PHP file that contains the vulnerability and renames it, and then creates a new version of that PHP file which just warns the user that they have a vulnerability and need to update, and then it will scan and replicate. So I have four virtual machines here that all have ClipBucket running as a web application. This is just to show that at the moment there's nothing on the system; this is a fresh install of that web app. I'll skip forward a little bit. Okay, so this is the malicious worm being run. It's running in just a small subnet; it finds four vulnerable web applications, exploits them and reports back to a dashboard, which just tells us that they've been infected. If you then look at the individual machines, that's the malicious worm that's now been replicated, and you can see there's a shell.php file on there as well. The shell.php is just a one-line PHP back door that's been put on there. So it's just demonstrating that this has happened on all four of the machines. This is the back door; that's what it looks like. A very simple example. And then, just to demonstrate that it does work: okay, so you can execute commands with the web shell, which is great. So all those machines have now been infected. And then this is running the nematode. This is doing exactly the same thing; it's based on the malicious worm, checking the same subnet, and again reporting back to the dashboard. 
And it should tell us that they've all now been disinfected. And then if we have a look at the individual machines, you can see it's renamed the vulnerable file, which is file_uploader.php, to a .bak file. And this is the new version of file_uploader.php, which just tells the user that they need to update and gives them a vulnerability reference. The nematode also removes shell.php, so it removes the back door, so that can't be used now. And it's done that for all four machines. So in terms of practically applying that, how you would do it, one option could be that you have a vulnerability feed, something like Exploit-DB, and you assess new vulnerabilities for whether or not they're wormable. And if they are, or you start to hear that a worm exists in the wild exploiting that vulnerability, then you can launch a nematode on your network that checks for it, removes malicious worms if they're found, and tries to perform some kind of patch. So you could either do this with an official patch if one has been released, or you can do a temporary workaround. Okay, the second demo is an IoT nematode. This is an IP camera manufactured under various brand names. There are two vulnerabilities in it which can be chained together to make it wormable. The first is a pre-authentication credential disclosure, so you get the username and password to access the camera, and the second is authenticated command injection. The vendors of this camera have tried to address these and some other vulnerabilities. It used to be that you could just telnet into these cameras with no username, no password, and get a root prompt. They've now disabled telnet by default, so you don't have telnet access. Users are encouraged to change the default username and password. 
It also randomises the HTTP port for the web server of the camera, which is, I guess, security through obscurity more than anything else. But the underlying vulnerabilities are still there. So the worm can retrieve credentials from the web server, use those to execute commands as an authenticated user, and you can then just re-enable telnet and still get a root prompt. So I was feeling pretty masochistic, I guess, so I tried to write this worm in bash. After many hours it turned out bash wasn't installed on the camera, so it turned out to be an sh worm instead. What the worm does is retrieve a .ini file which contains credentials, extract them, use those for command injection, and then replicate. So that the demo didn't take hours to show you, I've put the cameras on sequential IP addresses with a static HTTP port. What the worm will do is enable telnet again with a root prompt. It will also spin the camera around so there's a visual indication that it's been infected. And then the nematode will run, and it will stop the camera from spinning and then disable telnet again. So at the moment you can see that you can't telnet into any of these cameras. I'm now running the malicious worm, which is going to infect these three cameras here. You can see it starts them spinning. You can see on the screen that you've got the username and password as well, and that we're replicating onto the web server. Okay, and then you can see there that we can now telnet in and get a root prompt on those cameras. Sorry. Okay, so at this point the nematode has been launched, and you can see it's going to stop those cameras from spinning. It's then going to clean up the malicious worm, and it is also going to disable telnet access. So I will now not be able to telnet into these cameras anymore. And then the last demo is the one that I think is the most interesting. 
I wanted to try to create, purely for educational and experimental purposes, an improved version of that Polypedo worm. So I'm definitely not advocating that anyone do this in the wild or actually put this stuff out there. But I thought there were several problems with Polypedo that could be improved on. It wasn't efficient: it spread by mailing lists, and it determined what was suspicious content by the file name of the image, which isn't particularly robust. When you're talking about comparing images, obviously cryptographic hashes are the most common way to do that, something like MD5 for instance, and there are flaws associated with using that. Probably the biggest flaw is that if very slight edits are made to images it results in a completely different cryptographic hash. So the solution is something called perceptual hashing. Has anyone heard of perceptual hashing before? Yeah, a couple of people. Perceptual hashing is a measure of the similarity of two images. There are various ways to do it; reverse image searching would tend to use some kind of perceptual hashing algorithm. Mine's nowhere near as complicated as that, but it is fairly robust in the demos I'm going to show you. Essentially what it does, and it's based on some previous work in this area, is break an image down into 8 by 8 pixels. It will then retrieve the pixel values and calculate an average pixel value. And then for every pixel, if the pixel is above the average it will append a 1 to a string, and if it's below it will append a 0. So you end up with a 64-bit string of 1s and 0s which is a representation of how each pixel differs from the average, whether it's higher or lower. So you can then just compare that string, just do simple string matching. 
And for what is a really primitive algorithm, it's pretty tolerant of things like resizing, so thumbnails of images, minor edits to the images, and sequential frames or different frames from the same video. So the example nematode I created scans a folder for images. It generates perceptual hashes, so 64-bit strings, for those images and compares them to a hard-coded list of hashes for suspicious images. And if the similarity is above 90% it will send an email and attach those images. Replication is over USB, so it will check for attached removable media, and it uses a technique that's been seen in the wild before, for I think it was KJw0rm, njRAT, that kind of family. It will replicate itself as a hidden file, create a visible shortcut with a Notepad icon, and point that shortcut at the hidden file. The examples I'm going to use for this demo are these: you have an image of a plane that's just been resized, it's been cut down. You have an image where there's been a very slight modification. And then you have two stills from the same video at different points, so obviously visually similar but different images. Okay, so this is the inbox that notifications are going to come into; it's empty at the moment. There's a USB drive attached to this laptop that is also empty at the moment. This is the folder of original images and the corresponding perceptual hash values. And this is the folder that the nematode is going to check for suspicious images. When the nematode is run you'll be able to see that it starts to find some matches, it indicates what might be a match, and says that it's sending us an email. And then at the end it replicates itself. So the plane which was resized was a 95% possible match, the slight modification 98%, and the video still 93%. So if we go and check the inbox now, we can see that it sent us an email; it said I've infected this machine. 
I found this image, which matches this reference image. Here's the similarity score. Let me know if I got it right. And it's done that for all three of those results. And then the nematode has also replicated over to the USB drive. So if we have a look at that, there's now a shortcut file in there which just says my notes, and the target for that is a hidden .exe, which is the nematode, which is also on there. So if we refresh the file listing for the drive you can then see the hidden executable. There are some refinements that could in theory be made to that to make it a bit more robust. You could have a depth count of infection, so that you only infect so many machines after your initial infection. You could also have alternative replication methods as well. Okay, so the last thing I want to talk to you about is Antidote. Antidote is something that we're working on at PwC. We're in the very, very early stages of doing it. The goal, the idea, is to create a modular, free, open source framework for people to develop and use IoT nematodes, nematodes in general but with a focus on IoT, on their own networks. The dream is to have this as a kind of nematode version of Metasploit. So you can overcome a lot of those early criticisms of nematodes and nematode frameworks by customising the exact payloads that are used, deciding whether or not you want it to replicate and how much, whether you want a delay between scans and exploitation, whether you want hosts to reboot once they've been fixed and scanned, and whether you want patches to be applied. So it is very much in the early stages. I'll just show you a video so you've got an idea of what it might look like; this is a proof of concept. But it would be great to get your thoughts on this and your feedback, and if you want to get involved in the development or you've got any thoughts, it'd be great to hear from you. I'll put my contact details up at the end of the talk. 
This is just a demo version that shows the kind of features it might have. It's a console-based framework. You can load in various modules according to whether they're for web apps or IP cameras or whatever it is, and obviously there would be more kinds of IoT devices in those categories. You can then load a module in. You can see some info about it: whether or not it supports things like disinfection, patching and replication, what date it was released, and obviously what version of software it affects and targets. And then, in order to do some damage control so it doesn't leak out into the wild, you can set a starting IP address, an end IP address, how many IP addresses each worm should scan, and whether or not you want to use disinfection, patching or replication. You can have a time delay in between exploitation attempts so that you can avoid bandwidth and denial of service problems. You can have a kill switch as well, and finally you can have the nematode delete itself after it's done its job, if you want. And it would support log files as well, so writing logs of what it's done. So if you do want to get involved in that, let me know. Just to say again, we are at the very early stages, but it would be great to have this as a community project; we want as many people to get involved as we can. My Twitter handle is there. So to sum up: nematodes are a novel idea. I think they still are a really novel idea. They were ultimately not successful when they were first discussed and first deployed, and because of the demise of the big traditional network worms they weren't really applicable. But I think with the onset of worms that use different methods to propagate, replicate and exploit, there's potentially an argument to say that nematodes could be useful in the future. There are obviously still concerns that would affect that. But I think that it's potentially an area of promise. 
Antidote is our very experimental approach to doing that, and if nothing else, hopefully it will stimulate some debate and get people talking. There are lots of references here if you want some reading about the case studies that I talked about and various other bits and pieces. Twitter handle's there again, and an email address if you want to email me. But yeah, that's it. Thank you very much.
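Added worked example (editor's code, not the speaker's nematode, whose source is not shown in the talk): the average-hash algorithm described in the third demo, written in pure Python so it runs offline. An image is box-filtered down to an 8 by 8 grid, each cell is thresholded against the mean of the 64 cells to give one bit, and two images are compared by the fraction of bit positions that agree, with the talk's 90% threshold for a "possible match". The box-filter `downscale` stands in for a real image library's resize, and the sample images (a brightness ramp with a bright square, a 32 by 32 thumbnail of it, a copy with a small bright patch stamped on it, and an unrelated ramp) are constructed inline; none of them are real photographs or hashes from the talk.

```python
"""Average-hash perceptual hashing: downscale to 8x8, threshold at the mean, compare bit strings.

Editor's illustration of the algorithm described in the talk; all sample images are synthetic.
"""
from typing import List

Image = List[List[int]]  # grayscale rows, each pixel 0..255


def downscale(img: Image, size: int = 8) -> Image:
    """Box-filter img down to size x size by averaging each block of source pixels.

    Stand-in for an image library's resize; assumes img is at least size x size.
    """
    h, w = len(img), len(img[0])
    if h < size or w < size:
        raise ValueError("image smaller than target grid")
    small = []
    for by in range(size):
        y0, y1 = by * h // size, (by + 1) * h // size
        row = []
        for bx in range(size):
            x0, x1 = bx * w // size, (bx + 1) * w // size
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) // len(block))
        small.append(row)
    return small


def average_hash(img: Image) -> str:
    """64-char bit string: '1' where an 8x8 cell is brighter than the mean of all 64 cells."""
    cells = [p for row in downscale(img, 8) for p in row]
    mean = sum(cells) / len(cells)
    return "".join("1" if p > mean else "0" for p in cells)


def similarity(h1: str, h2: str) -> float:
    """Fraction of bit positions that agree, i.e. 1 minus the normalised Hamming distance."""
    if len(h1) != len(h2):
        raise ValueError("hashes must be the same length")
    return sum(a == b for a, b in zip(h1, h2)) / len(h1)


def is_match(h1: str, h2: str, threshold: float = 0.9) -> bool:
    """The talk's rule: flag a possible match at 90% similarity or above."""
    return similarity(h1, h2) >= threshold


# --- constructed sample images (synthetic test data, not real photographs) ---

def sample_image() -> Image:
    """64x64 left-to-right brightness ramp with a bright square in the bottom-left corner."""
    img = [[x * 4 for x in range(64)] for _ in range(64)]
    for y in range(40, 64):
        for x in range(0, 16):
            img[y][x] = 255
    return img


def resized_image() -> Image:
    """sample_image() shrunk to a 32x32 thumbnail (the 'resized' case from the demo)."""
    return downscale(sample_image(), 32)


def edited_image() -> Image:
    """sample_image() with a bright 8x8 patch stamped in the middle, about 1.6% of the pixels.

    A cryptographic hash of the file would change completely; the average hash flips one bit.
    """
    img = sample_image()
    for y in range(16, 24):
        for x in range(32, 40):
            img[y][x] = 255
    return img


def unrelated_image() -> Image:
    """64x64 top-to-bottom ramp: different content that should fall below the threshold."""
    return [[y * 4 for _ in range(64)] for y in range(64)]


if __name__ == "__main__":
    reference = average_hash(sample_image())
    print("reference", reference)
    for name, img in (("resized", resized_image()),
                      ("edited", edited_image()),
                      ("unrelated", unrelated_image())):
        h = average_hash(img)
        print(f"{name:9s} similarity={similarity(reference, h):.3f} match={is_match(reference, h)}")
```

The thumbnail hashes identically to the original and the edited copy differs in a single bit (63/64), which is the tolerance the talk relies on. Two caveats a practitioner should keep in mind before using a 90% threshold on a real folder: the unrelated ramp still scores 38/64, because two random 64-bit strings agree on about half their bits on average, so the usable range is roughly 50% to 100% rather than 0% to 100%; and average hashing is not robust to cropping, rotation or mirroring, and low-detail images (flat or symmetric content) collide easily, so false positives are to be expected.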