IoT VILLAGE - Worms that fight back: Nematodes as an antidote for IoT malware

Video thumbnail (Frame 0) Video thumbnail (Frame 2082) Video thumbnail (Frame 3317) Video thumbnail (Frame 5616) Video thumbnail (Frame 7932) Video thumbnail (Frame 9337) Video thumbnail (Frame 10359) Video thumbnail (Frame 12415) Video thumbnail (Frame 13605) Video thumbnail (Frame 14483) Video thumbnail (Frame 15296) Video thumbnail (Frame 16506) Video thumbnail (Frame 18177) Video thumbnail (Frame 19140) Video thumbnail (Frame 25611) Video thumbnail (Frame 27608) Video thumbnail (Frame 29217) Video thumbnail (Frame 30666) Video thumbnail (Frame 31486) Video thumbnail (Frame 32320) Video thumbnail (Frame 33062) Video thumbnail (Frame 33792) Video thumbnail (Frame 34958) Video thumbnail (Frame 39300) Video thumbnail (Frame 40450) Video thumbnail (Frame 41370) Video thumbnail (Frame 45721) Video thumbnail (Frame 46445) Video thumbnail (Frame 47168) Video thumbnail (Frame 49067) Video thumbnail (Frame 50144) Video thumbnail (Frame 51678) Video thumbnail (Frame 54208) Video thumbnail (Frame 55727)
Video in TIB AV-Portal: IoT VILLAGE - Worms that fight back: Nematodes as an antidote for IoT malware

Formal Metadata

Title
IoT VILLAGE - Worms that fight back: Nematodes as an antidote for IoT malware
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
Nematodes, often called “anti-worms” or “beneficial worms”, are a controversial topic. They involve exploiting the same vulnerabilities used by malicious worms, but, rather than installing malware or being used to form a botnet, nematodes attempt to disinfect and patch the vulnerable host. In some variants, nematodes also try to perform some kind of beneficial action, such as compressing files, or reporting illegal content to law enforcement. Despite being brought up a few times in previous talks and papers, nematodes remain largely on the fringes of the security community’s consciousness. Perhaps part of the reason for this is the demise of traditional network worms – after all, it’s not 2004 any more – and perhaps, for good reason, most people think the idea usually doesn’t work in practice, or has significant legal implications. However, there has recently been a trend of wormable vulnerabilities which utilise rather different mediums – such as WiFi (Broadpwn), Bluetooth (BlueBorne), light (smart lightbulbs), RFID tags, and more - and, of course, a huge number of wormable vulnerabilities in a wide range of IoT devices. The rise of these, and the fact that IoT security issues are not easily resolvable with patching, antivirus solutions, and other security mechanisms, may make it worth re-opening the nematode debate. In this talk, I’ll consider whether it actually is worth doing so, given that we could be on the threshold of an era involving new and devastating types of worms. Along the way, I’ll cover the history of nematodes and take a journey back in time with some 'digital paleovirology', starting with the murky history of Creeper, Reaper and PERVADE in the 1970s, then moving on to Brain and Denzuko in 1986; ADM and Max Vision in 1998; PolyPedo in 2001; the ‘worm wars’ of 2003-2004; and right up to the present day battles between IoT botnets such as Mirai with IoT nematodes such as Hajime and Brickerbot. I’ll also cover the legal and ethical issues posed by nematodes; the challenges and benefits they can bring; and will present some demos of custom nematodes. These include custom-developed worms and corresponding nematodes for both a recent web application vulnerability and an IoT device, and an improved and updated alternative to the PolyPedo worm. I'll also discuss 'Antidote', an in-progress and experimental modular framework for deploying and configuring anti-worms based on recent exploits and attack techniques. Finally, I'll outline some ideas for future research in this area.
Cybersex Presentation of a group Observational study Cybersex Execution unit Digital signal Student's t-test Student's t-test Malware Goodness of fit Malware Hacker (term) Personal digital assistant Computer worm Information security Hacker (term) Addressing mode Information security Computer worm
Service (economics) Vector space Term (mathematics) Computer worm Software framework Replication (computing) Shareware Computer worm
Computer virus Group action Observational study Patch (Unix) MIDI Coroutine Einstein field equations Malware Bit rate Set (mathematics) Authorization Computer worm Information security Physical system Vulnerability (computing) Rule of inference Software developer Generic programming Bit Radical (chemistry) Word Personal digital assistant Series (mathematics) MiniDisc Game theory Information security Block (periodic table) Curve fitting Inverter (logic gate) Operating system Computer worm
Computer virus Copyright infringement Computer file Codierung <Programmierung> Multiplication sign Floppy disk Similarity (geometry) Number Malware Software Password Interpreter (computing) Authorization MiniDisc Drum memory Booting Address space Spacetime Physical system Form (programming)
Group action Computer file Patch (Unix) Mass Machine vision Machine vision Direct numerical simulation Medical imaging Internet forum Computer worm Software testing Information security Backdoor (computing) Vulnerability (computing) Physical system Email Keyboard shortcut Electronic mailing list Plastikkarte Database Maxima and minima Regulärer Ausdruck <Textverarbeitung> Electronic signature Software Blog Hard disk drive Self-organization Quicksort Reading (process) Computer worm
Windows Registry Observational study Patch (Unix) 1 (number) Denial-of-service attack Bit Connected space Band matrix Software Personal digital assistant Hacker (term) Software Computer worm Quicksort Series (mathematics) Reading (process) Vulnerability (computing) Computer worm Geometry
Point (geometry) Computer icon Default (computer science) Source code Determinism Revision control Mathematics Goodness of fit Message passing Term (mathematics) Password Authorization Computer worm Vulnerability (computing)
Robot Virtual machine Denial-of-service attack Mass Mereology Binary file Medical imaging Internetworking Order (biology) Authorization Quicksort Firmware Computer worm
Dependent and independent variables Dependent and independent variables Multiplication sign Patch (Unix) Exploit (computer security) Incidence algebra Electronic signature Antivirus software Data management Software Moving average Self-organization Computer worm Software framework Peripheral Information security Extension (kinesiology) Information security Computer worm
Computer virus Context awareness Multiplication sign Source code Port scanner Parameter (computer programming) Perspective (visual) Neuroinformatik Data management Data model Software framework Endliche Modelltheorie Information security Physical system Vulnerability (computing) Computer virus NP-hard Electric generator Software developer Open source Computer Sound effect Maxima and minima Control flow Band matrix Order (biology) Software framework Acoustic shadow Absolute value Physical system Slide rule Divisor Observational study Software developer Patch (Unix) Virtual machine Similarity (geometry) Machine vision Number Power (physics) Band matrix Authorization Divisor Acoustic shadow Backdoor (computing) Scale (map) Computer network Denial-of-service attack Density of states Exploit (computer security) Shareware Antivirus software Software Personal digital assistant Computer worm Address space
Greatest element Implementation Patch (Unix) Exploit (computer security) Client (computing) Data management Malware Goodness of fit Mechanism design Propagator Different (Kate Ryan album) Touch typing Office suite Information security Vulnerability (computing) Physical system Injektivität Vulnerability (computing) Electric generator Horizon Bit Type theory Proof theory Data management Software Integrated development environment Radio-frequency identification Acoustic shadow Self-organization Whiteboard Computer worm
Injektivität Vulnerability (computing) Injektivität Computer file Virtual machine Exploit (computer security) Shareware Virtual machine Shareware Revision control Web 2.0 Web application Function (mathematics) Computer worm Gastropod shell Backdoor (computing) Backdoor (computing) Vulnerability (computing) Computer worm
Web application Moment (mathematics) Virtual machine Physical system
Web application Term (mathematics) Bit Traffic reporting Vulnerability (computing) Computer worm
Computer file Infinite conjugacy class property Gastropod shell Virtual machine Backdoor (computing) Computer worm
Web 2.0 Virtual machine
Revision control Computer file Virtual machine Backup Computer worm
Server (computing) Injektivität Computer file Patch (Unix) Authentication Virtual machine Password IP address Shareware 2 (number) Sequence Web 2.0 Roundness (object) Root Computer configuration Term (mathematics) Algebraic closure Telnet Computer worm Information security Vulnerability (computing) Default (computer science) Injektivität Authentication Default (computer science) Vulnerability (computing) Stapeldatei Patch (Unix) Server (computing) Computer network Price index Exploit (computer security) Sequence Shareware Dynamic Host Configuration Protocol Fluid statics Software Visualization (computer graphics) Telnet Password Computer worm Address space
Web 2.0 Server (computing) Touchscreen Password Moment (mathematics) Sound effect Computer worm
Point (geometry) Polygon Email Execution unit Content (media) Shareware Computer worm
Email Keyboard shortcut Pixel Distribution (mathematics) 1 (number) Replication (computing) Measurement Medical imaging Different (Kate Ryan album) Hypermedia Hash function Videoconferencing Collision Software framework Pairwise comparison Pixel Thumbnail Area Computer icon Algorithm Email Computer file Keyboard shortcut Electronic mailing list Bit Instance (computer science) Measurement Flow separation Sequence Hash function Absolute value Quicksort Representation (politics) Reverse engineering Sine Computer file Algorithm Computer-generated imagery Similarity (geometry) Content (media) Shareware Computer icon Sequence Revision control Advanced Encryption Standard Average String (computer science) Uniqueness quantification Representation (politics) Computer worm Lie group Matching (graph theory) Polygon Content (media) Planning Binary file Shareware Similarity (geometry) Hypermedia String (computer science) Videoconferencing Family Computer worm
Point (geometry) Laptop Medical imaging Email Hash function Different (Kate Ryan album) Building Correspondence (mathematics) Moment (mathematics) Videoconferencing Musical ensemble Information security
Medical imaging Email Matching (graph theory) Building Virtual machine Videoconferencing Cuboid Similarity (geometry) Planning Resultant
Exterior algebra Computer file Keyboard shortcut Electronic mailing list Virtual machine Counting Bit Replication (computing) Shareware Theory Replication (computing)
Focus (optics) Open source Patch (Unix) Open source Port scanner Exploit (computer security) Replication (computing) Revision control Software Revision control Modul <Datentyp> Software framework Software framework Modul <Datentyp> Freeware Computer worm
Service (economics) Patch (Unix) Multiplication sign Replication (computing) IP address Twitter Revision control Advanced Encryption Standard Modul <Datentyp> Videoconferencing Video game console Software framework Chi-squared distribution Execution unit Information Projective plane Sound effect Exploit (computer security) Shareware Band matrix Web application Proof theory Category of being Process (computing) Software Order (biology) Data logger Video game console Computer worm
Area Modal logic Email Software Observational study Personal digital assistant Computer worm Bit Parameter (computer programming) Reading (process) Computer worm Twitter
Feedback Address space
okay hi everyone thank you very much for coming so this is worms that fight back nematodes as an antidote for IOT malware
so worth pointing out that what I'm going to talk to you about today is presented for our educational purposes only also worth pointing out that this isn't a brand new concept this is building on work that's been done previously as you guys will see by the the references and the kind of case studies that I'm going to talk about so my name is Matt wixi I lead research for PwC UK cyber security business unit I also work on its ethical hacking team I'm a part-time PhD student at UCL and my previous role was working in law enforcement in the UK leading a technical R&D team so I want to talk about nematodes or anti worms because I think it's a really interesting and really under explored concept so it's kind of been talked about a little bit before and it actually goes back right back to the 1970s when malware kind of first started to to be experimented with and played with I have a kind of general interest in repurposing bad stuff for good purposes and as far as I know this kind of concept hasn't really been applied to IOT in any kind of security research since anyway so I'm going to
cover what a nematode is what an anti worm is I'm going to go through a history of nematodes in the wild I'm gonna cover why those attempts didn't really kind of take off and kind of previous attempts to produce nematode frameworks as a kind of commercial offering or service offering I'm then going to talk about something called Neo toads which is a term I've come up with just to describe new kinds of worms using new replication vectors and whether that makes it worth reopening the debate and where the hansi worms are something that could be used I've got some demos for you as well so I'm going to demo some nematodes that I've developed I'm then going to talk about something called the antidote framework which is something experimental that we're being on a PwC and then finally I'm gonna wrap up so what is a nematode so
in biology a nematode is kind of a generic term for a worm or a kind of parasite that attacks other parasites that's kind of how it's commonly understood in security it's an anti worm so it's a at all which exploits the same vulnerabilities that malicious worms exploit it replicates in the same ways that malicious worms do but it's designed to disinfect systems patch systems kick malicious worms off of infected hosts and there are three different kinds based on the case studies that are out there there are true nematodes so these are designed to to exploit systems which have certain vulnerabilities and then automatically like download the nest Allah patch and kick malicious worms off of the host there are malicious nematodes so these are nematodes which are in themselves malicious but are trying to kick other malicious worms off of an infected host to kind of boost their own infection rate to kind of kill off the competition if you like and then finally there are moral nematodes and I use the word moral in inverted commas so these are nematodes which in the eyes of the author or the developer perform some kind of beneficial action they don't necessarily exploit a specific vulnerability but they do something that the the author believes is is morally good so if we walk through that the
history of nematodes the first known one and it's kind of apocryphal is Creeper versus Reaper has anyone heard of The Creeper virus a couple of people sir creeper was an experiment basically it infected 10x operating systems and it was arguably the first kind of self-replicating spreading piece of malware it didn't really do anything it transferred itself over the different systems rather than replicating and it just printed out a bit of text on the terminal that you can see there I'm the creeper catch me if you can and repr the rumor has it anyway is a tool that was developed to try and catch up with the creeper virus and then kind of kick it off the system anyone heard of animal and the pervade routine a couple of people so animal was a game developed by a guy called John Walker in 1975 it was like a kind of guessing game so it would ask you to think of an animal and it would try and guess what it was and purveyed was a subroutine in animal that was designed to spread the game so it would copy over to shared discs and shared drives said it would kind of spread as far as possible and Hunter again apocryphal was a tool that allegedly was designed to track down copies of animal and delete them from systems his brain so it'll be
familiar with brain I would imagine so brain pretty old virus infected the boot sector of floppy disks renamed it and you can see from this screenshot that the author's ensured that their name and address and telephone number were actually included in this so there's a kind of couple of interpretations of that one is that it's just kind of a more innocent time in writing viruses and malware and that kind of thing the other arguably is that the brain virus was developed as a kind of warning to software pirates and the names and addresses and telephone number in there were added so that if people were infected they would have some kind of recourse and they could get themselves patched the den Zucco virus was a nematode that deliberately targeted brain infected discs so it would just replace what was on the boot sector it retitled it then there's Co named off
there the chemical formula for potassium hydroxide Co would encrypt your desk but it would beforehand ask for permission and it would ask you to supply the password to kind of a very benign form of ransomware if you like so this is a good example of a kind of moral nematode the reason it was doing this was to try and protect your system from being attacked and having your data stolen on a kind of similar note this cruncher from 90 to 93 so cruncher would compress files on your system ostensibly to to save you space
who's heard of Mac's vision or max Butler yeah quite a few people so Mac's vision Mac's Butler was a penetration tester and security researcher he ran website called White House comm he also ran something called arachnids which was a kind of database of attack signatures and in 1998 a group called ADM released the worm that exploited a vulnerability in DNS bind software and Mac's vision whilst on the one hand kind of writing public blog articles about that worm on the other hand developed an imitate that he released into the wild so that nematode would exploit the by Infante ability it would then attempt to download and install a patch for it and I believe it would try and kick off the the malicious worm if it was on the system as well unfortunately Mac's left a backdoor on the systems that were patched by their nematodes that he could access them whenever he wanted and his nematode was a lot of disruption in military networks that his nematode ended up infecting if you haven't heard of him before and you're interested Kevin Poulsen wrote a great book on him and his story called kingpin which describes how he went from kind of a white hat researcher to running a massive carding forum so it's worth a read if you can get hold of a copy
IDO is a really interesting one so this is a good example of a moral nematode it's pretty basic so it was from 2001 it was written in VBS and what Poli pedo did was it would scan your hard drive for images and it would look at the file names of all those images and it would compare those file names using regular expressions to a hard coded list of file names which were associated with child abuse and if it found lien of those images on your hard drive it would send an email to various law enforcement agencies and charities and other organizations attaching the images and kind of reporting it so raising all sorts of really interesting legal and ethical questions about whether or not that's justified Blaster versus welcher
so talking about kind of more recent ones here so that blasts the worm obviously infected exploited a vulnerability in decom RPC well geo was released about a week later and it would download and install a patch of a check the registry to see if a patch had been installed if not here at downloads install it it would try and delete blaster from infected hosts and ended up causing all sorts of problems with network bandwidth and denial of service and that kind of thing anyone read
stealing the network yeah a couple of people so really great book really great collection of stories as a whole series of them they're kind of like connected short stories written by hackers about hacking some of the technology they speak about a little bit dated now but they're really good stories and this particular one the worm turns from 2003 describes the situation very similar to the blaster and Welch year case study so definitely worth a read if you can get hold of that
and then the worm was from 2004 so next guy bagel my doom all of which were at one point trying to kick each other off of infected hosts and the authors were kind of trading insults in the source code of various versions of these worms as well so good examples of of malicious nematodes and then even
more recently Mariah versus Hajime so you will be familiar with Mirai Hajime was here's an IOT nematode that exploits some of the same vulnerabilities that mirrored does in terms of default passwords and things like that includes this message uninfected hosts to let people know that it's infected it and then I think most
interestingly the one that kind of I find most interesting is this one so this is um Bricker bot versus Mirai reaper and various others so in December last year there was a post on paste bin and ghost bin and a few other places by someone calling themselves janitor and they claimed to be the author of the brick' bot worm so brick' bot would permanently disable machines infected by corrupting the firmware overwriting the firmware with a bad image and janitor claims that they did that in order to prevent those devices subsequently being misused by Mariah and Reaper and participating in DDoS attacks so that again raises all sorts of really interesting legal and ethical questions about whether it's preferable for devices to be bricked or preferable to let them remain vulnerable and then have them be used in massive DDoS attacks which end up potentially taking out part of Internet infrastructure
so um the kind of heyday of worms I
guess was probably the mid-2000s you obviously had config her a few years later which is uh you know probably the the biggest one but in recent times traditional kind of network worms have decreased quite a lot so you still get the occasional one one across a good example but generally things like exploit mitigations and better antivirus and security solutions better patching management and incident response generally just better security has meant that those kind of big network based traditional worms have fallen off to a great extent so there were some
previous attempts to try and formalize a kind of nematode framework and make it something that could be used by the security community as something that could be used by organizations to try and protect themselves from from worms
so the first one that I'm aware of is a guy called dr. cyrus Pocari who gave a talk DEFCON 9 back in 2001 and he was coming from the perspective of of immunology and virology and applying that to computer security so his concept was that it might be possible to create a kind of intent attenuated or weakened virus release that in the wild in order to boost the immunity of antivirus systems and security solutions so an interesting concept it pretty much remained a concept it was a just a kind of thought experiment really then Dave Attell from immunity set presented a talk in 2005 where he proposed a framework which would automatically generate nematodes based on exploits so the idea was that you would feed in a recent exploit into his framework and it would then generate a nematode automatically which you could then deploy it unfortunately I've only been able to find the slides of that talk I've been able to find any any source code with demos if anyone knows of where I can find any in power that'd be great and then around the same kind of time HP started something called active countermeasures which is not a lot of data available about it but it was essentially kind of using exploits to protect systems and then in a similar vein Fujitsu was approached may be contracted by the Japanese government in 2012 to do a similar kind of thing so the all of those proposed frameworks suggested a number of benefits so using nematodes on a corporate system so as well as being able to kind of rapidly assess and its high in network for vulnerabilities and if they'd already been affected by worms to disinfect them and patch them some people also suggested that nematodes could be used for things like distributed searching for self discovering networks so discovering things like shadow IT or host which weren't kind of 100 percent up and even potentially vulnerability scanning so consistent vulnerability scanning where every host is a scanner the counter arguments for that are many really so firstly there's a gala tea so just releasing a nematode into the wild in the majority of countries is going to be illegal because you're still accessing and modifying someone else's system without authorization there's also an ethics question to it as well whether it's right to do that whether it's right for someone to kind of take on that role of deciding that they're going to sort out your security for you there's also a trust model so evidence from the the max Vision case study where despite developing a kind of beneficial nematodes you also put a backdoor in it as well so what makes us able to trust nematode developers any more than than a worm developer obvious issues with denial of service and band width as well so because nematodes will be like worms consistently scanning for new hosts to attack and will be replicating that can potentially cause issues with that as well hard to target and control so even if you are only launching a nematode on an internal network may be a fairly small network if that somehow gets onto a removable device and that's then plugged into another machine then that can spread that way potentially and lastly just that worms are difficult to do difficult to do well anyway so it's hard to write an effective and efficient worm which isn't going to crash the hosts that in effects that's not going to generate too much network traffic so of those frameworks none of them kind of really went anywhere none of them have really addressed that that fear factor and combined with the demise of those traditional big network worms it pretty much meant that the concepts died to death really now Nia toads are kind of
new generations of worms possibly could make it worthwhile reopening this debate so if you look at some recent and some
not so recent vulnerabilities and exploits so taking us from the left you have the Phillips hue light bulbs so a black hat talked a couple of years ago described creating a worm using the Philips hue light bulb which could spread across an entire city you've then got broad pone looking at vulnerabilities in Broadcom Wi-Fi chipsets going back a few years malware in RFID tags and readers that could spread from the tag to the reader and then from the reader to every tag that the touch the reader so the proof of concept for that one was SQL injection fairly easy to do blue Bourne vulnerabilities in implementations of Bluetooth the Arduino yawn so that was a paper from a couple of years ago about a were mobile vulnerability in that particular Arduino boards and then at the bottom various IOT devices now these specific devices aren't necessarily vulnerable to two attacks it's just a kind of illustration of the types of devices so particularly interesting there you've got an IP camera and I'll talk about that a bit later on so given that there are potentially a
new generation of worms on the horizon that use different methods for propagation where traditional vulnerability vulnerability management doesn't necessarily apply and applying patches can be very difficult you might be talking about having to have physical access to the device getting firmware updates over-the-air potentially time-consuming to do that as well if you have a big network of IOT devices many export mitigation mechanisms might not be possible depending on what kind of system it is you've also got a proliferation now of Coyote devices in corporate environments so there was a good talk yesterday about some smart speakers by Stephen Hill about how many organizations now just have sauna speakers in their office and also as well if you work in security and you want to demonstrate to a client what you want to demonstrate to supervisors whatever how damaging worms can be nematodes are a really good way to do that potentially okay so I'm going to
run through some demos so the first one
is an example of a true nematode so this is a fairly recent exploit is March this year it's a command injection vulnerability in a web application called clip bucket so I wrote a worm in Python that worm exploits the vulnerability it downloads and runs a copy of itself it puts a web show and the infected machine just to demonstrate and that it can and then it starts to scan for new targets the nematode obviously exploits the same vulnerability it searches for both the malicious worm and for the PHP backdoor deletes both of them it takes the PHP file that contains the vulnerability and renames it and then creates a new version of that PHP file which just warns the user that they have a vulnerability and they need to update and then it will scan and replicate
so I have four virtual machines here they all have clip bucket running as a
web application and you can this is just those kind of show at the moment that there's nothing on the system this is kind of a fresh
install of that on that web app I'll
skip forward a little bit
okay so this is the malicious worm being run so it's running in just a small subnet finds for vulnerable web applications exploits term reports back to a dashboard
so it just tells us that they've been affected if you then look at the
individual machines that's the malicious worm that's now been replicated and you can see there's a shell dot PHP file on there as well so
the shoulder PHP is just a one lion PHP backdoor that's been put on there
so it's just demonstrating this has
happened on on who for the machines this is the back door that's what it looks like it's a very simple example and then
just to demonstrate that does work
okay so you can execute commands with the web show which is great so all those machines have now been infected and then
this is running the nematode so this is doing exactly the same thing it's based on the malicious worm checking the same subnet again reporting back to the dashboard and it should tell us that they've all been disinfected
and then if we have a look at the individual machines you can see it's renamed the vulnerable file which is file underscore uploaded or PHP has put a hat back doc bak file renamed it to that and this is the the new version of file underscore uploaded of PHP which just tells the user that they need to update and it gives them a funner ability reference the nematode also
removes the shoulder PHP so it removes
the back door so that now can't be used
and it's done that for all four machines
so in terms of practically applying that how you would do that one option could be that you you have a feed and a funder ability feed something like exploit DB or something like that and you assess for new vulnerabilities whether or not they are vulnerable and if they are or you start to hear that a worm exists in the wild exploiting that vulnerability then you can launch a nematode on your network that checks for it that removes malicious worms if they're found and tries to perform some kind of patch so you would do this you could either do this with an official patch if one has been released or you can do a kind of temporary workaround okay second demo is an IOT nematode so this is an IP camera manufactured under various brand names there are two vulnerabilities in it that which can be chained together to make it wearable so the first is a pre authentication credential disclosure so you get the username and password to access the camera and then the second is authenticated command injection so the vendors of this camera have tried to address these and some other vulnerabilities so it used to be that you could just tell NIT into these cameras with no user name no past where they get a root prompt they've now disabled Tona by default so you don't have to access users are encouraged to change that default username or password it also randomizes the HT to people that the webserver of the camera which is a kind of I get security through obscurity more than everything else but the underlying vulnerabilities are still there so the worm can retrieve credentials from the web server use those to execute commands as an authenticated user you can then just reenable telnet and still get a root prompt so I was feeling pretty masochistic I guess so I tried to write this worm in bash turns out batch was installed on the camera after many hours so it turned out to be an SH worm instead so what the worm does is it retrieves a dot ini file which contains credentials extracts them uses those for command injection and then replicates so so the demo didn't take hours to show you I've put the cameras on sequential IP addresses with a static HD to people to show so what the worm would do is it will enable telnet again with a root prompt it will also spin the camera round so there's a kind of visual indication that's been infected and then the nematode will run and it will stop the camera from spinning and then disable toneri again
so at the moment you can see that you can't tell knit into any of these cameras so I'm now running the the malicious worm which is going to in effect these three cameras here so you can see it starts um spinning you can see on the screen that you've got username and password as well and that we're replicating on to the web server okay and then you can see there that we can now turn it in and get a root prompt on those cameras sorry
okay so at this point the nematode has been launched and you can see it's going to stop those cameras from spinning is then going to clear up the malicious worm and it is also going to disable toner access so I will now not be able to turn it into these cameras anymore
and then the last demo is the one that I think is the most interesting so I wanted to try and create just for purely educational experimental purposes an improved version of that poly pedo worm so definitely not advocating that anyone do this in the wild or actually put this stuff out there but I thought they were kind of several problems with poly pedo that could be improved on so it wasn't efficient it spread by a mailing list and it determined what was suspicious content by the filename of the image which isn't particularly robust so when you're talking about kind of comparing images obviously cryptographic hashes are the most common way to do that so something like md5 for instance there are kind of floors associated to be using that probably the biggest flaw is that if very very slight edits are made to images it results in a completely different cryptographic hash so the solution is something called perceptual hashing does anyone heard of perceptual hashing before yeah a couple of people so perceptual hashing is a measure of the similarity of two images you can there are various ways that the reverse image searching would tend to use some kind of perceptual hashing algorithm Minds nowhere near as complicated as that but it is a fairly robust in the demos I'm going to show you so essentially what it does is and it's based on some previous work in this area is it will break an image down into 8 by 8 pixels it will then retrieve the pixel values calculate an average pixel value and then for every pixel if the pixel is above the average saina 1/2 a string if it's below it with a sine of 0 so you end up with a 64-bit string of ones and zeros which is a representation of how each pixel differs from the average whether it's higher or lower so you can then just compare that string so just do simple string matching and for what is like a really primitive algorithm I really is pretty tolerant to things like resizing sort of thumbnails of images to minor edits and images and to lie sequential frames or different frames from from the same video so the example nematode I created what it does is it scans a folder for images it would generate perceptual hashes or 64 bit strings of those images and it will compare them to a hard-coded list of hashes for suspicious images and if it's above 90% who will send an email and attach those images replication is over USB so we'll check for attached removable media and he uses a technique that's been seen in the wild before for I think it was KJ worm and jay rat that kind of family so we'll replicate yourself as a hidden file create a visible shortcut with a notepad icon and then the target that
shortcut has a hidden file so the examples that I'm going to use for this demo I this one so you have an image of a plane that's just been resized that's been cut down you have an image where
there's been a very slight modification and then you have two stills from the
same video at different points so obviously visually similar but different images
[Music]
okay so this is the inbox there's notifications that come in - it's empty
at the moment there's a USB Drive attached to this laptop that is also empty at the moment so this is the the
folder of original images and the the corresponding perceptual hash values
and then this is the folder that the nematode is going to check for suspicious images so when the nematode
is run you'll be able to see that it starts to find some matches it indicates what might be a match says that it's sending us an email and at the end it replicates itself so the plane which was the resize was a 95 percent possible match the slight modification 98% and the video still was 93% so we can check in box now we can see that it sent us an email it said I've affected this machine I found this image which matches this reference image here's the similarity score let me know if I got it right and it's done that for all three of those results and then the nematode has also replicated over to the USB Drive so if we have a look at that
so there's now a shortcut file in there which just says my notes and the target for that is a hidden taxi which is the nematode which is also on there so if we refresh the the file listing for the drive you can then see that the hidden executable so there are some refinements
that could in theory be made to that to kind of make it a bit more robust so you could have like a depth count of infections so that you only infect so many machines after initial infection you could also have alternative replication methods as well okay so the
last thing I would talk to you about was antidote so antidote is something that
we're working on at PwC we're in the very very early stages of doing it the goal the the kind of the idea is to create a modular free open-source framework for people to develop and use IOT nematodes nematodes in general but with a focus on IOT on their own networks so the the dream is to have this as a kind of nematode version of Metasploit so you can overcome a lot of those early criticisms of nematodes and nematode frameworks by customizing the exact payloads that are used deciding whether or not you want it to replicate and how much whether you want a delay between scans and exploitation whether you want hosts to reboot once they've been fixed and scanned and whether you want patches to be applied so it is very much in the early stages I'll just show
you kind of a video so you've got an idea of what it might look like so this is a kind of proof of concept but it would be great to get your thoughts on this and your feedback and if you want to get involved in the development or you've got any thoughts it'd be great to hear from you I'll put my contact details up at the end of the talk so this is kind of a just a demo version that just shows the kind of features that it might have so it's kind of a console based framework you can load in various modules according to whether they're web apps or whether they're IP cameras or whatever it is and obviously there would be more kind of IOT devices in those categories you can then load a module in you can see some info about it so whether or not it supports things like disinfection patching replication what data was released obviously what version of software effects and targets and then in order to do some kind of damage control so it doesn't leak out into the wild you can set starting IP address and end IP address how many IP addresses each worm should scan whether or not you want to use disinfection patching replication you can have a time delay in between exploitation attack attempts so that you know you can kind of avoid bandwidth and denial service problems you can have a kill switch as well and you can finally have the nematode if you want the lete itself after it's done its job and then it will support log files as well so writing Lok's of what it's done
so if you do want to get involved in that let me know I've just the sake and we are at the very early stages but it'd be great to have this as a kind of community project we want as many people to get involved as we can my twitter handles there so to sum up nematodes
were a novel idea I think they still are a really novel idea ultimately not successful when they were kind of first discussed and first deployed and because of that demise of the big traditional Network worms they weren't really applicable but I think with the onset of worms that use different methods to propagate replicate and exploit there's potentially an argument to say that near toads could be useful in the future there are obviously still concerns that would affect it but I think that it's potentially an area of promise antidote is are very kind of experimental approach to doing that and if nothing else hopefully it will stimulate some debate and get people talking so there's
lots of references here if you want some some reading about the case studies that I talked about various other bits and pieces Twitter handles there again email
address if you want to email me yeah that's it thank you very much
Feedback