01-Introduction - CYS5120 - Malware Analysis Bahcesehir ...

Page 1: 01-Introduction
CYS5120 - Malware Analysis
Bahcesehir University, Cyber Security MSc Program
Dr. Ferhat Ozgur Catak, Mehmet Can Doslu
2017-2018 Fall

Page 2: Table of Contents

1 Course Syllabus: Syllabus; Reference Books; Grading
2 Introduction: Basic concepts; Definition; Target Systems
3 Mobile Malware: Mobile Malware; InstaAgent; AceDeceiver; BankBot; Acnetdoor; Mitigations
4 Industrial Systems: Scada; Scada Attacks; Industrial Systems Malware; Shodan; Modbus; Stuxnet; Duqu
5 IoT: Definition; IoT Platforms; IoT Applications; Mirai; Bashlite


Page 4: Syllabus

Expected syllabus, subject to change:
- Week 1: Introduction
  - Main concepts
  - Malware: definition, aim and analysis requirements
  - General analysis methods
- Week 2: Basic Static Analysis
  - Basic static analysis
  - Static analysis for Windows and Linux OS
- Week 3: Behaviour Analysis
  - Definition
  - Tools
  - Process
- Week 4: Assembly
  - Memory management analysis
  - Intro to CPU architecture
  - x86 registers
  - Instruction sets
- Week 5: Code Analysis
  - IDA Pro, GDB
  - Debuggers
- Week 6: Static Analysis Blocking Methods
  - Packers
- Week 7: Dynamic Analysis Blocking Methods
  - Debugger blocking
- ....

Page 5: Reference Books

Reference Books
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, Michael Sikorski, Andrew Honig, 2012
- Malware Analyst's Cookbook, Michael Hale Ligh, Matthew Richard, Steven Adair, Blake Hartstein, 2010

Page 6: Grading

Grading policy (also subject to change):
- Midterm: 30%
- 1st homework: 10%
- 2nd homework: 10%
- Final: 50%


Page 8: Basic concepts I

Malware
- Malware, short for malicious software, is an umbrella term for a variety of hostile or intrusive software.
- Examples: computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware.
- It can take the form of executable code, scripts, active content, and other software.

Trojan (or Trojan horse)
- A Trojan is any malicious computer program which misleads users about its true intent. The term is derived from the Ancient Greek story of the deceptive wooden horse that led to the fall of the city of Troy.

Page 9: Basic concepts II

Worm
- A computer worm is a standalone malware program that replicates itself in order to spread to other computers.
- It uses a computer network to spread, relying on security failures on the target computer to gain access to it.

Ransomware
- Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
- Some simple ransomware merely locks the system in a way that is not difficult for a knowledgeable person to reverse; more advanced ransomware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.

Page 10: Basic concepts III

Rootkit
- A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or to areas of its software that would not otherwise be allowed (for example, to an unauthorized user), and that often masks its own existence or the existence of other software.
- The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix-like operating systems) and the word "kit" (which refers to the software components that implement the tool).

Backdoor
- A backdoor is a method, often secret, of bypassing normal authentication or encryption in a computer system, a product, or an embedded device (e.g. a home router). It may be embodied as part of a cryptosystem, an algorithm, or a chipset.

Page 11: Basic concepts IV

Keylogger
- Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
- The recorded data can then be retrieved by the person operating the logging program.
- A keylogger can be either software or hardware.

Remote Access Trojan (RAT)
- A remote access trojan (RAT) is malware that controls a system via a network connection as if by physical access.
- While desktop sharing and remote administration have many legal uses, a RAT is usually associated with criminal or malicious activity.
- A RAT is typically installed without the victim's knowledge, often as the payload of a Trojan horse, and will try to hide its operation from the victim and from security software.

Page 12: Basic concepts V

Zombie (or Bot)
- A zombie is a computer connected to the Internet that has been compromised by a hacker, a computer virus or a Trojan horse program and can be used to perform malicious tasks of one sort or another under remote direction.
- Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service (DoS) attacks.
- Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to fictional zombies.

Page 13: Basic concepts VI

C2 Server (Command and Control Server)
- Command-and-control (C&C, C2) servers are used to remotely send, often malicious, commands to a botnet, i.e. a compromised network of computers.
- The term originated from the military concept of a commanding officer directing control to his or her forces to accomplish a goal.
- C&C servers have commonly been hosted on internet relay chat (IRC) networks, legitimate websites, and dynamic DNS services.


Page 15: Basic concepts VIII

Exploit Kit
- An exploit kit is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it, and discovering and exploiting those vulnerabilities to upload and execute malicious code on the client.
- Exploit kits that have been named include MPack, Phoenix, Blackhole, Crimepack, RIG, Angler, Nuclear, Neutrino and Magnitude.

Zero Day
- A zero-day vulnerability is a computer-software vulnerability that is unknown to those who would be interested in mitigating it (including the vendor of the target software).
- Until the vulnerability is mitigated, attackers can exploit it to adversely affect computer programs, data, additional computers or a network.
- An exploit directed at a zero-day vulnerability is called a zero-day exploit, or zero-day attack.

Page 16: Basic concepts IX

Obfuscate
- Obfuscation is the deliberate act of creating source or machine code that is difficult for humans to understand.
- Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity), its logic, or the implicit values embedded in it, primarily in order to:
  - prevent tampering,
  - deter reverse engineering,
  - or even pose a puzzle or recreational challenge for someone reading the source code.

Deobfuscate
- To deobfuscate is to convert a program that is difficult to understand into one that is simple, understandable and straightforward.
- Tools are available to deobfuscate hard-to-read code or programs into a simpler, understandable form.

Page 17: Basic concepts X

Packer
- A packer compresses or encrypts an executable and wraps it in a small stub that restores the original code in memory at run time, so the code on disk cannot be read by static analysis; the code is "fuzzified".

Scareware
- Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software.

Spam-sending malware
- This type of malicious software turns the infected computer into a relay that sends spam on the attacker's behalf, usually without the owner's knowledge.

https://youtu.be/n8mbzU0X2nQ

Page 18: Definition and Aim

Definition
- Malicious Software ⇒ Mal-ware ⇒ Malware

Aim
- Information leakage
- Distributed denial-of-service
- Harming the target system

Page 19: Target Systems

Malware classification by target system:
- Mobile
- Industrial systems
- IoT devices


Page 21: Mobile Malware

Figure: New Android malware samples per year [1]

[1] https://thenextweb.com/apps/2017/05/04/android-350-malware-apps-hour/

Page 22: Mobile Malware Types

Figure: Distribution of new mobile malware by type in 2015 and 2016 [2]

[2] https://securelist.com/mobile-malware-evolution-2016/77681/

Page 23: Mobile Malware Geography

Figure: The geography of mobile threats by number of attacked users, 2016 [3]

[3] https://securelist.com/mobile-malware-evolution-2016/77681/

Page 24: Mobile Malware Top-10

Figure: Top 10 countries by the percentage of users attacked by mobile malware [4]

[4] https://securelist.com/mobile-malware-evolution-2016/77681/

Page 25: InstaAgent

InstaAgent
- InstaAgent was an app that connects to Instagram and promised to show which people had visited the user's Instagram profile.
- It was found to be reading Instagram account usernames and passwords and sending them in clear text to a suspicious remote server.

Figure: InstaAgent [5]

[5] https://www.macrumors.com/2015/11/10/malicious-instaagent-instagram-app/

Page 26: AceDeceiver

AceDeceiver
- AceDeceiver was available on the App Store in the form of several different applications, including AS Wallpaper and i4picture.
- Using a specialized man-in-the-middle attack on FairPlay (part of Apple's DRM), in which the attacker buys the app once, captures the purchase authorization code and replays it from a PC client, AceDeceiver can install its malware onto iOS devices without the user's knowledge.

Figure: AceDeceiver [6]

[6] https://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-exploiting-apple-drm-design-flaws-to-infect-any-ios-device/

Page 27: BankBot

BankBot
- BankBot was developed to siphon money from victims' bank accounts; it obtains device-administrator privileges on the mobile device in order to control it.

Figure: BankBot [7]

[7] http://securityaffairs.co/wordpress/55586/malware/bankbot-android-malware.html

Page 28: Acnetdoor

Acnetdoor
- It opens a back door on TCP port 8080 and waits for commands from a remote site.
- It obtains the device's IP address and sends it to the remote location.
- It transfers information to and from the client using 3DES encryption.

Figure: Acnetdoor [8]

[8] https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99&tabid=2

Page 29: Mitigations

Mitigations
- Using mobile antivirus software
- Applying operating system updates
- Evaluating the permissions requested by an application before installing it
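The third mitigation, reviewing an app's permissions before loading it, can be automated against the app's AndroidManifest.xml. What follows is an added example, not part of the lecture and not a vendor tool. The manifest it reviews is a constructed sample (the package and component names are invented) that carries the profile of the cases above: a device-administrator receiver of the kind BankBot relies on, SMS interception, and an application that allows clear-text network traffic, which is how credentials end up on the wire in plain text as with InstaAgent.

```python
"""Permission review of an AndroidManifest.xml before side-loading an app.

Added example, not from the slides. The manifest below is constructed;
package and component names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Fully qualified name of an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Permissions that deserve a second look on their own.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "can read one-time banking codes",
    "android.permission.RECEIVE_SMS": "can intercept SMS before the user sees it",
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps (phishing screens)",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.RECORD_AUDIO": "can record the microphone",
}


def review_manifest(xml_text):
    """Return a list of findings (strings) for the given manifest text."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {el.get(a("name")) for el in root.iter("uses-permission")}
    for perm in sorted(requested):
        if perm in SENSITIVE_PERMISSIONS:
            findings.append("%s: %s" % (perm, SENSITIVE_PERMISSIONS[perm]))

    # A receiver guarded by BIND_DEVICE_ADMIN makes the app prompt for
    # device-administrator rights; once granted, the app resists removal.
    for recv in root.iter("receiver"):
        if recv.get(a("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("receiver %s requests device-administrator rights" % recv.get(a("name")))

    # Clear-text HTTP is opt-in on current Android; an app with network access
    # that enables it explicitly can ship credentials in plain text.
    app = root.find("application")
    if (app is not None and "android.permission.INTERNET" in requested
            and app.get(a("usesCleartextTraffic")) == "true"):
        findings.append("application allows clear-text HTTP traffic")

    # Network access plus SMS interception is the classic banking-trojan profile.
    if "android.permission.INTERNET" in requested and "android.permission.RECEIVE_SMS" in requested:
        findings.append("combination INTERNET + RECEIVE_SMS: can forward OTP codes to a remote server")
    return findings


# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Bank" android:usesCleartextTraffic="true">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or androguard) and feed the resulting text to review_manifest(). The findings are prompts for a human decision, not a verdict: a legitimate SMS app also asks for RECEIVE_SMS.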


Page 31: Scada

Scada
- Supervisory control and data acquisition (SCADA) is a system of software and hardware elements that allows industrial organizations to:
  - control industrial processes locally or at remote locations;
  - monitor, gather, and process real-time data;
  - directly interact with devices such as sensors, valves, pumps, motors, and more through human-machine interface (HMI) software;
  - record events into a log file.

Page 32: Scada Attacks

Figure: Industrial control systems attacks over the years [9]

[9] https://securityintelligence.com/attacks-targeting-industrial-control-systems-ics-up-110-percent/

Page 33: Industrial Systems Malware Types

Impact of malware on business IT systems versus industrial control systems:

Business IT Systems
- Financial integrity
- Denial of service
- Loss of information

Industrial Control Systems
- Loss of view
- Loss of control
- Chaos

Page 34: Shodan I

Shodan
- Shodan is a search engine that lets the user find specific types of computers (web cams, routers, servers, etc.) connected to the internet using a variety of filters.
- https://www.shodan.io


Page 36: Shodan III

Keywords
- country: find devices in a particular country
- city: find devices in a particular city
- geo: pass coordinates
- hostname: find values that match the hostname
- net: search based on an IP address or a /x CIDR range
- os: search based on operating system
- port: find particular ports that are open
- before/after: find results within a timeframe

Page 37: Modbus I

Modbus
- Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs).
- It has since become a de facto standard communication protocol and is now a commonly available means of connecting industrial electronic devices.

Page 38: Modbus II

Some industrial protocols
- MODBUS
- FIELDBUS
- PROFIBUS
- PROFINET

Page 39: Modbus III

MODBUS/TCP protocol vulnerabilities [10]
- Lack of confidentiality: all MODBUS messages are transmitted in clear text across the transmission media.
- Lack of integrity: there are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower-layer protocols to preserve integrity.
- Lack of authentication: there is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
- Simplistic framing: MODBUS/TCP frames are sent over established TCP connections. Such connections are usually reliable, but TCP's delivery guarantee is not complete, and the MBAP header adds nothing beyond a length field (no checksum of its own).
- Lack of session structure: like many request/response protocols (e.g. SNMP, HTTP), MODBUS/TCP consists of short-lived transactions in which the master sends a request to the slave that results in a single action. Combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, this makes it possible for attackers to inject commands with no knowledge of the existing session.

[10] https://www.cyberbit.com/ot-security/scada-modbus-protocol-vulnerabilities/
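To see concretely what the bullets above mean, here is an added example (not from the slides and not a PLC vendor's library) that builds and parses MODBUS/TCP frames from the public framing: a 7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU (function code and data). No field carries a sender identity, a key or a checksum, so a forged Write Single Register has exactly the same shape as a legitimate one; the only per-session value is the 16-bit transaction id, which a device does not tie to any peer. The allow_frame() rule at the end is the kind of function-code filter a Modbus-aware firewall applies as a compensating control; the host addresses in it are constructed.

```python
"""Build and parse MODBUS/TCP frames to show what the protocol does (and does not) carry.

Added example, not from the slides. Only the public framing is used.
"""
import struct

# MBAP header: transaction id, protocol id, length, unit id (all big-endian).
MBAP = struct.Struct(">HHHB")
PROTOCOL_ID_MODBUS = 0

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
# Function codes that change process state: coils and holding registers.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def build_frame(transaction_id, unit_id, function_code, data=b""):
    """Wrap a PDU in an MBAP header. No field carries a sender identity, key or checksum."""
    pdu = bytes([function_code]) + data
    # The MBAP length counts the unit id byte plus the PDU.
    return MBAP.pack(transaction_id, PROTOCOL_ID_MODBUS, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame):
    """Split a frame into its fields, applying the only checks the framing allows."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = MBAP.unpack_from(frame)
    if protocol_id != PROTOCOL_ID_MODBUS:
        raise ValueError("unexpected protocol id %d" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame of %d bytes" % (length, len(frame)))
    function_code = frame[MBAP.size]
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code & 0x7F,   # exception responses set the high bit
        "is_exception": bool(function_code & 0x80),
        "data": frame[MBAP.size + 1:],
    }


def write_single_register(transaction_id, unit_id, address, value):
    """Function 0x06: set one holding register. Any host that can reach port 502 can send this."""
    return build_frame(transaction_id, unit_id, FC_WRITE_SINGLE_REGISTER,
                       struct.pack(">HH", address, value))


def read_holding_registers(transaction_id, unit_id, start, count):
    """Function 0x03: read `count` holding registers starting at `start`."""
    return build_frame(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS,
                       struct.pack(">HH", start, count))


def decode_register_response(frame):
    """Turn a Read Holding Registers response into a list of 16-bit values."""
    parsed = parse_frame(frame)
    if parsed["is_exception"]:
        raise ValueError("device returned exception code %d" % parsed["data"][0])
    byte_count = parsed["data"][0]
    payload = parsed["data"][1:1 + byte_count]
    if len(payload) != byte_count or byte_count % 2:
        raise ValueError("truncated register payload")
    return list(struct.unpack(">%dH" % (byte_count // 2), payload))


def allow_frame(frame, source_ip, engineering_hosts):
    """Compensating control: pass writes only from hosts allowed to change the process.

    The protocol cannot tell a forged write from a real one, so the decision has to
    come from outside it (here, the source address seen by a Modbus-aware firewall).
    """
    parsed = parse_frame(frame)
    if parsed["function_code"] in WRITE_FUNCTIONS:
        return source_ip in engineering_hosts
    return True


if __name__ == "__main__":
    # Constructed traffic: an operator's write and an attacker's forged write to the same register.
    legit = write_single_register(1, 1, 0x0010, 0x1234)
    forged = write_single_register(1, 1, 0x0010, 0x0000)
    print("operator:", legit.hex())
    print("attacker:", forged.hex())
    print("parsed  :", parse_frame(forged))
    print("forged write allowed from 10.0.0.99?", allow_frame(forged, "10.0.0.99", {"10.0.0.5"}))
```

Compare the two hex dumps printed by the demo: they differ only in the register value, which is the point of the "lack of authentication" and "lack of session structure" bullets. The filter is deliberately coarse (function code plus source address); finer rules can restrict which unit ids and register ranges a host may write.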

Page 40: Stuxnet

Stuxnet
- The Stuxnet worm targets three kinds of systems in turn:
  - Windows operating systems
  - Siemens PCS 7, WinCC and STEP 7 software running on Windows
  - Siemens S7 PLCs

https://www.youtube.com/watch?v=scNkLWV7jSw

Page 41: Duqu

Duqu [11]
- Duqu is a collection of computer malware discovered on 1 September 2011,
- thought to be related to the Stuxnet worm.

[11] https://cockpitci.itrust.lu/duqu-a-son-of-stuxnext-summary-of-technical-analysis/


Page 43: The Internet of Things I

The Internet of things (IoT)
- IoT is the network of physical devices, vehicles, and other items
- embedded with electronics, software, sensors, actuators, and network connectivity
- which enable these objects to collect and exchange data.
- Experts estimate that the IoT will consist of about 30 billion objects by 2020.

Security Concerns
- Concerns have been raised that the IoT is being developed rapidly without appropriate consideration of the profound security challenges involved.
- The firewall, security update and anti-malware systems used for conventional computers are generally unsuitable for the much smaller, less capable IoT devices.

Page 44: IoT Platforms

Platforms
- Raspberry Pi
- Intel Edison, Galileo
- Arduino UNO
- Beaglebone Black
- Banana Pi, Orange Pi
- Adafruit
- TI CC3200

Page 45: IoT Applications [12]

Smart Cities
- Smart Parking
- Smart Lighting
- Waste Management
- Smart Roads

Smart Metering
- Smart Grid
- Tank Level
- Water Flow
- Silos Stock Calculation

Smart Environment
- Forest Fire Detection
- Air Pollution
- Snow Level Monitoring
- Earthquake Early Detection

Retail
- Supply Chain Control
- NFC Payment
- Intelligent Shopping App
- Smart Product Management

[12] http://www.libelium.com/resources/top_50_iot_sensor_applications_ranking/

Page 46: Mirai I

Mirai [13]
- Mirai was used in the Internet's largest DDoS attacks to that date, about 1 Tbps, launched from some 145,000 hacked webcams.

Page 47: Mirai II

Figure: Default passwords (the username/password pairs Mirai's telnet scanner tries) [14]

[13] https://www.hackread.com/mirai-botnet-linked-to-dyn-dns-ddos-attacks/
[14] https://intervisablog.wordpress.com/2016/10/26/here-are-the-devices-usernames-and-passwords-used-in-iot-ddos-attacks/
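The credential list in the figure above is not stored in the Mirai bot as plain text: the bot keeps its strings, including the scanner's username/password table, XOR-obfuscated with the 32-bit key 0xDEADBEEF applied as four successive single-byte XORs, which reduces to a single XOR with 0x22 because 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22. This added example (not the slides' material and not Mirai's own source) ties that to the obfuscate/deobfuscate concepts from page 16: it recovers a table of the same shape, and shows how an analyst derives the key from a known-plaintext guess such as "root". The table entries and weights are constructed here by applying that scheme to common default credentials from the published lists; they are not copied from the malware.

```python
"""Recover a Mirai-style XOR-obfuscated credential table.

Added example, not from the slides and not the Mirai source. The table is
constructed by applying Mirai's scheme to well-known default credentials.
"""

TABLE_KEY = 0xDEADBEEF


def key_bytes(key):
    """The four key bytes the bot's toggle routine walks through, least significant first."""
    return [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def toggle_obf(data, key=TABLE_KEY):
    """XOR every byte with each key byte in turn. XOR is self-inverse, so one call
    obfuscates plain text and a second call recovers it."""
    out = bytearray(data)
    for k in key_bytes(key):
        for i in range(len(out)):
            out[i] ^= k
    return bytes(out)


def effective_key(key=TABLE_KEY):
    """Four successive single-byte XORs collapse to one: 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22."""
    result = 0
    for k in key_bytes(key):
        result ^= k
    return result


def single_byte_xor_key(ciphertext, known_plaintext):
    """Analyst's shortcut: guess one plaintext (e.g. b"root") and derive the key byte.
    Returns None when no single key byte maps the guess onto the ciphertext."""
    if len(ciphertext) != len(known_plaintext):
        return None
    candidates = {c ^ p for c, p in zip(ciphertext, known_plaintext)}
    return candidates.pop() if len(candidates) == 1 else None


# Constructed table of (username, password, weight) in the obfuscated form the bot
# would carry. Plain texts are common embedded-device defaults from the published
# lists (root/xc3511, root/vizxv, admin/admin, root/888888, support/support);
# the weights are illustrative.
OBFUSCATED_AUTH_TABLE = [
    (b"\x50\x4d\x4d\x56", b"\x5a\x41\x11\x17\x13\x13", 10),
    (b"\x50\x4d\x4d\x56", b"\x54\x4b\x58\x5a\x54", 9),
    (b"\x43\x46\x4f\x4b\x4c", b"\x43\x46\x4f\x4b\x4c", 9),
    (b"\x50\x4d\x4d\x56", b"\x1a\x1a\x1a\x1a\x1a\x1a", 7),
    (b"\x51\x57\x52\x52\x4d\x50\x56", b"\x51\x57\x52\x52\x4d\x50\x56", 6),
]


def recover_auth_table(table=OBFUSCATED_AUTH_TABLE, key=TABLE_KEY):
    """Deobfuscate every entry into readable (username, password, weight) tuples."""
    return [(toggle_obf(u, key).decode("ascii"), toggle_obf(p, key).decode("ascii"), w)
            for u, p, w in table]


def credential_is_targeted(username, password, table=OBFUSCATED_AUTH_TABLE):
    """Would a scanner carrying this table try the given login? Use it to audit a device's defaults."""
    return any(u == username and p == password for u, p, _ in recover_auth_table(table))


if __name__ == "__main__":
    print("effective key: 0x%02x" % effective_key())
    print("key from known plaintext 'root': 0x%02x" % single_byte_xor_key(b"\x50\x4d\x4d\x56", b"root"))
    for user, pw, weight in recover_auth_table():
        print("%-8s %-8s weight=%d" % (user, pw, weight))
    print("root/xc3511 targeted:", credential_is_targeted("root", "xc3511"))
```

The same known-plaintext trick works on a stripped binary: run single_byte_xor_key() against short byte runs near the scanner code with guesses like b"root" or b"admin", and a consistent 0x22 across several runs confirms the scheme before you decode the whole table. A device whose factory login appears in the recovered list should have that credential changed before it is exposed to the network.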

Page 48: Bashlite

Bashlite
- BASHLITE (also known as Gafgyt, Lizkebab, Qbot, Torlus and LizardStresser) is malware which infects Linux systems in order to launch distributed denial-of-service (DDoS) attacks.
- It has been used to launch attacks of up to 400 Gbps.

Figure: Bashlite [15]

[15] https://www.hackread.com/bashlite-malware-linux-iot-ddos-botnet/