>>Hi guys. Before we begin, my name is Steinthor Bjarnason and I'm from Iceland. Is anyone from Iceland here? >>Woo >>Okay [audience chuckles] somewhere over there. Ok, so thank you for attending. For some of you, you probably haven't slept yet and you're sitting here enjoying the course in tears. So this presentation, it's interesting. Well, first of all, Jason Jones, as you probably see, is not here. Unfortunately he got sick, so he'll be staying at home and I'll be doing his slides, but he made them so he will get credit for it. [applause] Okay, so this presentation is an interesting one because it's about a security incident which didn't happen. But it's an interesting one. As security professionals we often sit down and think "What could be the worst thing which could possibly happen?" And all those doomsday scenarios where this happens and so on and so on. And back in February, when something called the Mirai Windows Trojan came out, it was one of those "oh beep" kind of things, because when we saw it, it was actually a critical component in one of the worst-case scenarios which we could possibly think of. Luckily it didn't happen. So yeah, the purpose of this presentation is to explain what was going on, give you some details about the trojan itself, what it can possibly do if it gets activated, and how to defend against it. So I think this is rather important. Some people are saying "Hey, you shouldn't be going public with this." But we are. People need information, and if this happens, and I think it actually will, then you are prepared, you know what to do. So, IoT. We all know what IoT is: all kinds of wonderful things doing all kinds of magic, but it's just security issues back and forth. Because they're supposed to be easy to use. They're supposed to be easy to deploy, should be low cost and so on and so on, and of course it leads to all kinds of nice security issues.
And I'm really happy to see what's happening downstairs in the IoT workshop where you're hacking those things, because this is what is needed. We need to get people to understand they need to secure those devices. Unfortunately there are still millions of those things out there unsecured. And what happened last year is basically this: large-scale weaponization of vulnerable IoT devices. And those IoT devices which were weaponized using the Mirai trojan were actually used in some of the biggest DDoS attacks we've ever seen. Up to 800 gigs, some say one terabit, against them, against private security, OPS and so on and so on. And these devices are being used to launch attacks which are really devastating and hard to stop. Also, when we were trying to analyze all these things, we actually deployed a number of honeypots out there, in different areas around the world. We basically built up something which simulates an IoT device with those vulnerabilities, placed it out there and then basically tried to see what was going on. And during two weeks' time, back in November, we got about one hundred thousand unique IP addresses trying to connect to our honeypot devices and trying to infect them. And the map shows you the source IPs of the host devices trying to infect our honeypots. So as you can see, it's all over. What's most important is the number here on the bottom. It takes about one minute for an IoT device, when you put it on the internet, to get infected. One minute. After that someone else owns it and uses it for whatever. Now that's scary. So what's the situation today? If you have an unprotected IoT device and put it onto the internet, it'll get infected within one minute and be used against you. Luckily most of the IoT devices today hide behind a NAT device, firewall or something protecting them against all the scans from the internet.
The ratio, well, some say 5 percent visible, 95 percent are behind the firewalls. And this is sort of ok, they can't be scanned. Some might be breached in some ways, but most of them are behind there and relatively secure. We thought. That's what we thought, basically. Until early 2017. So I'll come back to this iceberg a little bit later. So, Windows-based IoT infection. This is about the trojan which was discovered back in February. So before I go into details, let's give you a little bit of background. Malware infecting all types of devices, or basically hopping from one device to another, is not something new. We've seen this with malware which infects Windows computers and Macs, MacBooks, Mac Pros, and then infects your telephone, your Android phone or your iPhone, eeeerrr, your Android phone or the Apple phone. Things would go on and try to break into your two-factor authentication and so on and so on. But this is, as far as we know, the first trojan which actually tries to infect IoT devices. So, Windows Mirai. Detected early 2017. This is not a Windows version of Mirai; this is actually a refurbished trojan which was discovered back in 2016. Back in 2016 it was actually used to probe for and attack Linux machines and try to mess with the SOCKS settings. So it would actually attack those machines. So someone took that trojan and bolted the Mirai code onto it to make it now infect IoT devices. So basically someone refurbished it and is reusing it to do new interesting things. It appears to be Chinese. Well, the reason why we say that is that some of the text inside the binary, some of the domain names it uses, the command and control servers which are hard-coded, point towards China and so on. It is not built in a way which you would expect a professional organization to do; there are some bugs in it, rather embarrassing bugs in the first versions, which then got fixed.
But again, we don't really know and just guess. So the way we actually mapped this back to the older versions is that the older versions all contained these properties inside the executable. Which never changed except for the version numbers. The way it works, it spreads to Windows; that is, when your computer gets infected it then starts up and tries to brute force MySQL and MSSQL databases. It scans for them, and if it finds a vulnerable machine it injects stored procedure calls which basically then will download and install that trojan on the machine. Later versions also did RDP attacks and used WMI. Simultaneously, that trojan would also scan for vulnerable Linux and IoT devices. And this is basically exactly the same as Mirai used to be. It scans telnet, scans SSH, has a database of commonly used usernames and passwords, tries to log on, and then tries to understand what kind of OS it was actually able to log on to, and then gets the proper binary for that specific OS. So it's basically the same way as normal Mirai, and it's not using any of the other exploits which we've seen more recently, attacks against the web servers; it's just plain brute force, like username/password attacks. A little bit more detail: the different versions have used multiple different command and control servers. The interesting thing is that when we saw it initially, the command and control servers were only active for about a week and then they died. So the later versions were pointing towards command and control servers which were inactive. Which made it a little more difficult to understand how it actually behaves, but as I said, I'm not sure what was going on. Was someone doing an experiment? Was it a mistake, or whatever? But the C and C servers were only active for about a week. Like I said earlier, it spreads and installs the payload, which it gets via TFTP.
It can also use Echo to just push the binary across the Telnet session, which is interesting. And the interesting thing is how they actually build up the binary, because it actually uses resources from the resource part of the executable to install different binaries. It basically has about 9 of them, just puts them in there, and it's actually a nice way to build the trojan itself. So I'd say the programming part is pretty ok. It's a modular structure of the trojan itself. Easy to extend, easy to modify, easy to create new versions. As I said, the command and controls for the Mirai part are hardcoded to this address. And they were all down; they have never come up. The command and control servers for the trojan itself, those are the ones which are up. For about one week. Ok. And this is just showing you how it's exactly stored inside the resource file. >>[unclear voice of mic] >>Heh. Ok. >>[unclear voice of mic] >>Ok, someone is trying to inject something. Scream an injection at the board. [laughs] They also stored all the debugging strings inside the binary, which is pretty nice of them; it makes it easier for us to understand what's going on. It also shows us where those debug strings are used in the code, which makes it easier to detect which part of the code is doing what and so on and so... thank you. Please continue to do this. A little bit about how it actually works. So as soon as it has infected your machine it will then try to download a text file. That text file contains two things. One, a link to a JPEG, and then a link to a batch file. And actually they store the executable inside the JPEG. The JPEG looks perfectly normal; I'll show it in the next slides. But it actually contains the executable, which can be extracted from it. It also downloads a version file. So it actually tries to see what's the latest version and so on, just to keep itself in sync.
So this is the JPEG. Looks like a normal JPEG if you take a look at it or try to see what's going on. It's in this place. It's a nice picture. But inside it you have the actual binary for the executable. Moving on. The batch file downloaded is also nothing special except for this part, the one highlighted in green. Which is showing you it actually tries to download a DLL. You have no idea what the DLL is doing; it could be doing anything. But at least it has a hook for downloading something extra to do extra things. It also downloads what we believe to be the configuration file. So first it downloads a file containing the identification of the configuration file, then the configuration file itself, which is encrypted. And because, as I said, we were not able to do a detailed diagnosis of it, we were not able to crack its contents. But it probably contains which scanning modules to use, the subnets to look at, and so on and so on. And also the usernames and passwords used for brute forcing are probably in there. Because they're not part of the executables. So ok, now I've spent about 10 minutes talking about a trojan which never got active. So what's new? Well, people are creating trojans all the time, so what's so special about this one? Why am I actually up here talking about this? And that's because of the iceberg. 5 percent of IoT devices are outside on the open internet and are already being used; 95 percent are behind the firewalls, and everyone thought that was perfectly safe. So these things happen. Zombies. So basically a vulnerable computer, a computer containing a virus, when it comes into your network, it is now capable of locating and then infecting all those vulnerable IoT things you have behind the firewall. Could be your webcams, could be your DVRs, could be, well, anything.
We have refrigerators and stoves downstairs which could be used as ports for some of these. So we'll actually supplant them and change them all from something innocent and nice into these kinds of things. Now, when the attacker has gained control of all those things behind your firewalls, he can begin to do interesting things. Like scan for other devices, launch outgoing attacks, and then also try to attack internal resources. So let's go into more detail about this. What can happen? First of all, this is a typical network design for a mid-enterprise network. I'm not going to tell you who created it, because we do need to protect the innocent. But this is a typical design for how to build a secure mid-enterprise network. Here's the thing: bad guys on the outside, then you have some security boxes, and then you have this guy. The one who is attending DEF CON. He got infected by something, and then tomorrow he comes back to his network, probably his branch in Las Vegas, and plugs in his laptop. What can possibly go wrong? [chuckles] Ok, so. First of all, scanning. In this network you have tons of IoT devices, but just to make your life easier, these are the ones which we found very quickly. The webcams. Our webcams are probably a little bit more high-end than the things you buy at Best Buy or somewhere. But probably not upgraded recently. Well, why upgrade the software on those things? They're secure, they're behind the firewalls, right? But what happens is that this guy down here, as soon as he plugs in his computer, could be local, could be remote via VPN or whatever, it begins to scan. Scans the local subnet; in this case it actually finds a webcam in the same branch office. Continues scanning, goes to some other devices, and then it will probably start to scan other subnets.
The version which we got didn't do that, it only scanned the local subnet, but if the configuration file said "please scan all RFC1918 subnets" that's easy, to scan some other subnets. And then it continues and continues and continues. But look at this, now there's a black arrow coming. Because as soon as this webcam got infected, it will also start scanning. And if it infects other Windows computers, those will also start scanning as well. Meaning as more devices get infected, the traffic increases; you will have more and more devices doing scans. The scans themselves are not that risky, but actually the act of performing those scans is what can pose problems. The version we've seen just sends out packets: try to send the packet to 192.168.0.1, okay, that's a hit; .2, someone is responding; someone is actually trying to use resources for all those arrows, and trying to process them and so on. And what we've seen is that just the scanning activity itself is enough to make most normal networks collapse. This happened back in the old days with Nimda; this happened actually last year, in Germany, when a large service provider got infected by Mirai and when the CPE devices began to look for other devices, they actually caused the access routers and switches to collapse. Meaning the entire user population in Germany, about one or two million users, got cut offline. Just because of the scanning. Also, this scanning stuff sends a lot of small packets. And most devices, most IoT devices, are not comfortable with having tons of small packets going through. So this could cause a problem. The second thing. Now this guy suddenly gains control of lots of webcams in different companies. So what will he do with them? Well, he will launch DDoS attacks, of course. So the first one sends the packet, second one, third one, fourth one, and so on and so on and so on.
So basically, if he gained control of 100 webcams inside your network, then he'll probably use all of them to launch outbound attacks against someone else. So ok, that's bad for the guy on the internet. But in this case it could actually cause serious problems inside the network itself, because these attacks which the Mirai code is using could be packet flooding, could be ICMP, UDP, TCP, could be some attacks, could be reflection attacks, could be application-level attacks, all the usual things, but most of those things are small packets. And what's interesting is that inside the network you have all kinds of devices which are stateful. And this is important: a firewall will actually, when you send a packet to a firewall, any packet, try to remember that packet. Because you might be setting up a connection, which means it's storing information about that specific packet. And when the next packet comes along it also stores information about that packet. And the third one, and the fourth one, and so on. In our experience a firewall, when defending against outside attacks, will collapse about 50 percent of the time. A firewall which is actually allowing outbound DDoS traffic through will collapse all the time. It will simply go up in smoke and die. So just the act of launching an outbound DDoS attack will cause most of your firewalls, load balancers, switches, routers, and anything else inside your network to go up in flames. The attacker wasn't planning to do these things, but this is what will happen. Also you have WAN links connecting the branch offices back to the headquarters. What will happen? Those links will fill up. That means the important traffic, that is for your commerce systems, your phone traffic, whatever else, will not get through. Physically your network is full, check, your boxes are falling down left and right, and you're in a bad state. The third one.
If the attacker is clever, he will probably try to do some kind of reconnaissance. Because, well, if he has control of devices inside the network, why not try to find out where he is? So he starts to do probes. Basically the webcam in the data center sends out some packets, listens to some packets and so on and so on, and very quickly he finds out he's inside Evil Corp. Which is an interesting thing, because that's exactly the target he wanted to attack. And because he's doing reconnaissance he'll probably find out that, well, the network operations guys are on the subnet 10.1.1.something. The security operations guys are on 10.1.12.something. And how difficult would it be to inject some kind of routing packet or a null packet or something to basically shut off the security guys and the operations guys, leaving them totally offline, and then launch these attacks? That's basically true. If you're inside the network, attacking routing protocols is relatively easy. So he would then launch his new route. Shut off the security guys, and then he would start to DDoS the data center, then the regional data centers and so on and so on, basically taking everything offline and totally shutting down what's going on. So this sounds bad, and this could actually lead to something new, which is the ransom attack mode, basically a DDoS attack from the inside, because this clever guy runs this for 10 minutes, then he would send an email saying "Hey, please pay me some bitcoins, otherwise I'll continue." And defending against an insider attack, if you're not prepared to do that, is really difficult. It's difficult to start to reconfigure networks into segmentation, remove softer devices, put hardened devices in, during the attack. It's basically impossible.
So then the question is: "Wait a second, can a webcam or something which costs 100 dollars actually take down a half-a-million-dollar core switch, something huge from Cisco or someone else, with multi-terabit this and that and so on and so on?" And the answer is: if that device is not secured properly, yes. But to understand that, we need to understand the anatomy of a typical network device. Most network devices have something called "fast path". And then they have something called "slow path", and this is where the CPU lives. This is where all the ASICs and the rest of the hardware this and that live, and it basically shoves packets through at full wire speed. And the packets going through these are the normal data packets. And this is how, in most situations, a network device works. A packet comes in, it'll look up where the packet should go. This happens in hardware, takes no time whatsoever. And the packet goes out a different port very quickly. That's good. The main CPU load is about 1 percent. And that's how things should be. But a network device needs to communicate with other devices. Which means it needs to receive information, it needs to receive routing updates. It needs to be able to be managed, it needs to send statistics and so on and so on. So there will be some packets going towards the device which it has to process. Then you have the interesting packets, which are called exception packets. Things which should have gone through the device but for some reason need special handling. This could be things like TTL expiry. You send a packet which expires on the device; that means it will have to be sent to the main CPU, the main CPU will have to create an ICMP TTL expiry and then send it back to the source. Which means one packet can actually cause the main CPU to analyze and create a new packet, use memory and resources to do that, and then send it out. That's quite a hit.
So let's send 10 billion packets towards that device. And if you manage to do things properly, then you have problems. One other thing, because a lot of people don't know about non-IP packets. If you send a packet which is not IP towards a switch or router, it will have to be sent to the main CPU for special handling. Could be IS-IS, it could be something else. Again requiring special handling, CPU and resources. And if you manage to keep the CPU busy enough, it will not be able to do what it's supposed to be doing. Like receiving routing updates, sending out routing updates, sending hello timers, or something like that. Which basically translates into this. And this is actually a test I did, I think about 7 years ago, for another conference, where I was using just a normal tiny little IBM to attack a high-end core switch, supposed to be able to do 720 gigs of forwarding, and it died in 5 seconds. Because of this: I sent just 300 packets per second, specially crafted to have them sent to the main CPU. And what happened? It got so busy it couldn't send out the hello timers, and basically all the routing information collapsed, it became a black hole and the network just collapsed. It was pretty cool. If you do things correctly. But it was an unsecured device. As soon as I enabled the security on that device, no problem. So how can you defend against those types of things? So let's learn from history. This is interesting. Castles. Back in the old times these guys were trying to defend against attacks. So they built castles. And castles are usually quite difficult to get into. Like in this case, if you want to get into the main tower up here where they hide all the goodies, the jewelry and so on and so on, then you need to get through multiple layers of defense. If you take a look at the aerial view of this, you'd probably not try to go up here. Not.
Because these are high cliffs. You'd probably go here, and if you look at the aerial view then you'll see this is actually a big area where they defend these walls first, and if the attackers get through then you basically retreat to the next set of walls. Shorter wall, easy to defend. And if that collapses then you move to the next one. So it's all about delaying the attacker. Seeing what they're doing. Gaining visibility into how they operate and so on and so on. So it actually makes a lot of sense, because as we know, if someone really wants to get through he will get through in the end, unless you unplug everything, shut down everything in existence. But then he has succeeded. And here's an interesting fact. Stairways. Who knows why I'm showing this picture? That's... don't tell them. OK, some of you guessed. The thing is, stairways in medieval castles were usually built clockwise, and there's a reason for that. So if I'm down here, trying to get up these stairs, and let's assume it's circular. I'm standing here with my axe or whatever and this damn thing is in the way. Which means I'll have to use my left hand. If I'm right-handed that's a problem. If I'm standing up here and I'm right-handed, I can really bust the s**t out of him [laughs] [audience laughs], giving me an advantage. So just the fact of building a castle with the stair going this way actually gives the defenders an advantage. So it's a small thing, but someone thought through these things and thought "This makes sense." And by the way, is anyone from Scotland here? No one? Because the Scots did it the other way around. [crowd laughs] And the reason for that is that one of the last families in Scotland in medieval times was predominantly left-handed, so they built the stairway such that it would give them an advantage.
Which sort of makes sense; the only problem is that by building the stairs that way, they actually made it easier for the right-handed guys coming up. Ok so, yeah, not sure if it actually made sense, but that's how they did it. So, coming back from castles. Layered defenses: building your network in such a way that it can actually withstand attacks, can detect what's going on, and so on and so on. The interesting thing is that the service providers have been doing this for the last 20 years, because they are in exactly this situation. They cannot rely on anyone, they cannot trust anyone. They get attacked by the customers, they get attacked by other people and so on and so on, and they really need to build their networks so they can survive almost any kind of attack. And the thing is, they actually use a 6-phase methodology. The first thing is preparation. You need to harden your network, you need to design your network in such a way that it's able to withstand these types of attacks. That means using a lot of time and effort to actually implement security, put in segmentation, put in access lists and so on and so on, just so they are in the best shape possible to withstand the attacks. Then, when things go wrong, you have to first of all identify that you're being attacked. Sometimes you're not able to see that. If it's a stealth attack it could be just going on underneath what's happening. Someone could launch a big DDoS attack while they're trying to hack their way into your network. So you need identification. That's the first thing. Then you need to be able to classify what type of attack this is. Is it this kind or that kind and so on and so on. Then you need to understand where the attack is coming from. And then, and only then, you do something. The biggest cause of all outages is when people do something.
They panic, they start pressing buttons and they implement this or that. And in many cases they are just helping the attacker, because they've absolutely no clue what's going on. So you need to follow these steps to actually understand what's going on. Then, when you're finished with this, before you go to the pub and say "Hey, we did good and we're good guys and everything is fine," understand what went wrong. Learn from the different phases and then make sure you actually can do things in a better way. So you can also look at it from this side. Just implement network segmentation, understand the process, and use flow telemetry, and this is actually for free: this is NetFlow, which almost every device has. And you can take the NetFlow information and it will actually give you an understanding of what's going on. It will detect those scanning attacks, it will detect all the attacks, it will show you what's happening. And by the way, everything I'm saying here is actually in the white paper which you can download, with all the nitty-gritty details. And then you should scan for your own services. You don't want someone to use your own DNS server to launch a reflection attack against yourself. So find those services which are not secured properly, harden them, configure them correctly, and basically [clears throat] if you think that everyone is out to get you, that's the right way to think. Don't trust anyone. Not your customers, not your employees, anyone. They can all become some reason to attack you. And there are all kinds of features which you can implement on the network devices which are disabled by default for some interesting reason. Like uRPF, DHCP snooping, Moscat and so on; most of them will just stop all those things from happening. So, summary. The attackers are now inside the house. This hasn't happened yet, but someone took the time and effort to write the code to do exactly these things.
For some reason they didn't go live. We don't know why. Was it a test, was it a mistake, or just someone having fun? We don't know. But the thing is, the binary is out there, anyone can download them, it's easy to reverse them. Which means basically anyone else can actually now go on and do exactly the same thing. And now that I've just presented on all the threats about these things, then yes, maybe someone else will actually think "Hey, this is cool, let's do it." But still, the idea is to give you information. So I would say this is real. You need to secure your network before someone actually uses the network against you. And as I said earlier, service providers and large enterprises which are really security conscious, if your company is secured well enough, you actually take care of these things. So it can be done, but it involves work. The problem is a lot of people want to buy a box with blinking lights because it'll solve all their problems, right? And if it doesn't solve the problem, you go off and buy another box with a lot of blinking lights. [audience chuckles] In this case it's just a matter of engineering. Network engineering, doing the right thing. Making sure that that thing actually is secure. It's effort, but it's well worth doing. Because if you do it properly, you not only secure yourself against these things, but you secure yourself against WannaCry and basically almost everything out there, because you've segmented your network, you've hardened it and you can actually protect yourself against most things. But it requires time and effort. So hopefully this presentation will help people to understand the threats that are out there and why they have to do those things. So with that I'll basically say thank you [crowd applause] and if you have questions, I'll be outside.
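The speaker's detection point is that flow telemetry such as NetFlow is enough to spot the internal Telnet/SSH scanning an infected laptop and then an infected webcam would do. The following is an added example, not code from the talk or from any vendor's product: it runs a scan detector over constructed NetFlow-like records (the record layout, the port list and the thresholds are assumptions) and reports each scanning source together with its average packet size, the "tons of small packets" symptom the talk warns about.

```python
"""Mirai-style internal scan detection from flow telemetry (added example).

The flow records are constructed to mimic the talk's scenario: an infected
laptop in a branch office brute-forcing Telnet/SSH on its own /24, and a
freshly infected webcam joining the scanning a minute later.  The record
format, port list and thresholds are assumptions, not from the talk.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

BRUTE_FORCE_PORTS = {22, 23, 2323}  # Telnet/SSH ports the talk says Mirai probes

@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds of the first packet in the flow
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int
    packets: int
    nbytes: int

def parse_flow_line(line: str) -> Flow:
    """Parse one constructed record: 'ts src dst proto dport packets bytes'."""
    ts, src, dst, proto, dport, pkts, nbytes = line.split()
    return Flow(int(ts), src, dst, proto, int(dport), int(pkts), int(nbytes))

@dataclass
class Finding:
    src: str
    window_start: int
    targets: int          # distinct hosts probed on brute-force ports in the window
    avg_pkt_bytes: float  # small average size is the "tons of small packets" symptom

def detect_scanners(flows: Iterable[Flow], window_s: int = 60,
                    min_targets: int = 20) -> Dict[str, Finding]:
    """Flag sources that touch many distinct hosts on Telnet/SSH within one window.

    Flows are bucketed into fixed windows of window_s seconds; for each
    (src, window) the distinct destinations on BRUTE_FORCE_PORTS are counted.
    The worst window per source is reported together with that source's
    average packet size across all of its flows.
    """
    targets: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    pkt_total: Dict[str, int] = defaultdict(int)
    byte_total: Dict[str, int] = defaultdict(int)
    for f in flows:
        pkt_total[f.src] += f.packets
        byte_total[f.src] += f.nbytes
        if f.proto == "tcp" and f.dport in BRUTE_FORCE_PORTS:
            targets[(f.src, f.ts - f.ts % window_s)].add(f.dst)
    findings: Dict[str, Finding] = {}
    for (src, wstart), dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        avg = round(byte_total[src] / max(pkt_total[src], 1), 1)
        prev = findings.get(src)
        if prev is None or len(dsts) > prev.targets:
            findings[src] = Finding(src, wstart, len(dsts), avg)
    return findings

# --- Constructed sample telemetry (not real captures) ----------------------
_T0 = 1_500_000_000  # arbitrary window-aligned start time
SAMPLE_LINES: List[str] = []
# Infected laptop 10.20.5.17 probes Telnet on 40 hosts of its /24 within seconds.
for i in range(1, 41):
    SAMPLE_LINES.append(f"{_T0 + i // 10} 10.20.5.17 10.20.5.{i} tcp 23 1 60")
# The webcam it found, 10.20.5.9, starts probing SSH/Telnet a minute later.
for i in range(50, 90):
    SAMPLE_LINES.append(
        f"{_T0 + 70 + i // 20} 10.20.5.9 10.20.5.{i} tcp {22 if i % 2 else 23} 1 60")
# A normal workstation: HTTPS to two servers and one long SSH session.
SAMPLE_LINES += [
    f"{_T0 + 5} 10.20.5.30 10.1.1.10 tcp 443 120 98000",
    f"{_T0 + 9} 10.20.5.30 10.1.1.11 tcp 443 80 61000",
    f"{_T0 + 12} 10.20.5.30 10.1.1.20 tcp 22 400 52000",
]
SAMPLE_FLOWS: List[Flow] = [parse_flow_line(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for finding in detect_scanners(SAMPLE_FLOWS).values():
        print(f"{finding.src}: {finding.targets} hosts on Telnet/SSH in window "
              f"starting {finding.window_start}, avg {finding.avg_pkt_bytes} B/pkt")
```

On the constructed input the laptop and the webcam are both flagged with 40 targets each and 60-byte average packets, while the workstation's single long SSH session is not.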