by Axelle Apvrille  |  Jan 27, 2014  |  Filed in: Security Research

Recently, Proofpoint security researchers published two blog entries (part one and part two) reporting that they had been observing a series of spam campaigns in which more than 25 % of the messages originated from Internet of Things (IoT) devices. The compromised devices reported to be sending spam included "multi-media centers, televisions and at least one refrigerator".

The first blog entry wasn't sufficiently detailed and raised several doubts. The second entry clarifies several points, though not all, so here's my take on IoT.


Is malware on the Internet of Things feasible?

Yes, certainly. And a more reliable proof of this is Linux/Darlloz.

This malware was discovered at the end of November 2013 and, notably, downloaded several copies of itself built for various architectures (ARM, PPC, MIPS...). As those architectures are typically used by Linux-based embedded devices, it looked like the malware was getting ready to infect IoT devices.

Linux/Darlloz targets ADSL routers and dreamboxes

I therefore had a closer look at Linux/Darlloz. When looking for new devices to infect, it tries the following default passwords if necessary:

Figure 1. List of userid/password pairs tried in order to compromise new devices

Several of these default passwords are very generic (admin/admin, root/root, admin/1234), but two others caught my attention:

  • root/dreambox
  • admin/smcadmin

A search on the net reveals that:

As some German users reported infections, with a C&C served from hxxp://www.[CENSORED].de/so.de (Germany), and Dreambox is a German-based company, we can even speculate that this malware was particularly targeting German end-users.

Does Linux/Darlloz run on Android?

The ARM architecture also means Android devices, and as many IoT devices actually end up paired or connected to your smartphone, an infected phone could be used to propagate viruses to the Internet of Things.

So, I immediately tried Darlloz on an Android emulator... Relief: it does not run as such (segmentation fault):

root@generic:/system/xbin # strace -C -ttT darlloz.elf                     
13:16:09.189387 execve("/system/xbin/darlloz.elf", ["darlloz.elf"], [/* 21 vars */]) = 0 <0.001101>
13:16:09.193762 rt_sigaction(SIGCHLD, {SIG_IGN, [CHLD], SA_NODEFER}, {SIG_DFL, [], 0}, 8) = 17 <0.000194>
13:16:09.195191 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
13:16:09.195755 +++ killed by SIGSEGV +++

Let's however keep an eye on Android in the future for IoT malware...

Has Proofpoint observed a propagation of Linux/Darlloz?

This is what I thought at first, because some things match:

  • the dates: Darlloz was discovered at the end of November, Proofpoint saw the spam at the end of December. Seems plausible.
  • the devices: note that Proofpoint also mentions Dreamboxes! ... and home routers.

However, in their second blog post, Proofpoint denies having seen anything strange left on the devices. Of course, they could have missed it, but as Linux/Darlloz doesn't particularly hide itself (presence of a directory named /var/run/.zollard, for instance), this is unlikely. Proofpoint's theory is that attackers simply gained access to those insecure IoT devices and used them to relay spam. They point out that, to do that, attackers do not need a trojan or a botnet: they can simply script the process of finding IoT devices, logging in and sending emails. I agree this is possible; however, for spam campaigns sending 750,000 emails, it would certainly make sense to build one's own botnet.

If you were an attacker, you'd probably start off with a few manual attempts:

  • telnet to port 25 (used for SMTP) and have the device send your email;
  • get root access on the device (as some of these are poorly secured, that's feasible). Then, if you wish to send an email to axelle@blah.com, query the DNS of blah.com for an MX entry (mailer), connect to it and send the email. Basically, this is what an SMTP server does. Your email might be flagged as spam because of Sender Policy Framework (SPF) checks, but there is a chance it will work;
  • use the device's web interface or exposed API to send an email. For example, webcams are typically capable of emailing their owner when motion is detected. In some cases, it might be possible to modify the body and recipient of the email, and thus use this to spam people.

Then, you'd write a script to do that automatically and check that it works over a few dozen devices. However, this technique is both noisy and not scalable to higher volumes, because the attacker's host needs to connect to each device. That's exactly why, on PCs, cyber-criminals don't use this technique for their spam campaigns, and instead use botnets. With botnets, the botmaster no longer needs to connect to each of its slaves (bots) to send emails. It's far simpler to manage, requires less bandwidth, and is more difficult to track - especially for peer-to-peer botnets.

Short answer: uncertain, probably not, but there is a fair chance that a botnet is behind it (or will be in the future).

Has a fridge really been sending spam?

I would like the proof of that one.

In their second blog post, Proofpoint detailed a bit more how they identified devices. They say they "investigated the IP (connected to it over various protocols)" - in other words, they did port scanning ;) - and "in cases where the device replied, the device at the IP identified itself as an IoT-type device [..] the device responded with explicit identification, including well-known, often graphically branded (in the case of web-based UI) interfaces, file structures, and content".

From a legal perspective, it would perhaps have been preferable not to interact directly with the devices, and to try to identify them through particular email headers (Message-ID, X-Mailer, Received) or HTTP User-Agents (for emails sent via HTTP).
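As an added illustration of that header-based identification (example code written for this post's edit, not from the original post or Proofpoint), the following script pulls the X-Mailer, the Message-ID host and the Received chain out of a message and flags hints of an embedded sender; the hint lists and the sample message are constructed assumptions, not real fingerprints.

```python
import re
from email import message_from_string

# Constructed sample (not from the original post): a spam mail whose headers
# carry the kind of device fingerprints the post suggests looking at.
IOT_SAMPLE = """\
Received: from dvr-livingroom (unknown [198.51.100.23])
 by mx.example.org (Postfix) with SMTP id 4F2A1 for <axelle@blah.com>;
 Mon, 23 Dec 2013 10:11:12 +0000
Received: from [192.168.1.50] by dvr-livingroom; Mon, 23 Dec 2013 10:11:10 +0000
Message-ID: <20131223101110.1234@dvr-livingroom>
X-Mailer: BusyBox v1.19.4 sendmail
From: "Promo" <promo@example.net>
To: axelle@blah.com
Subject: special offer

Buy now.
"""

# Hypothetical indicator lists, assumed for this example: substrings that tend
# to appear in the mailer string or host names of small embedded mail senders.
EMBEDDED_MAILER_HINTS = ("busybox", "msmtp", "ssmtp", "mini_sendmail")
EMBEDDED_HOST_HINTS = ("dvr", "cam", "nvr", "router", "dreambox", "voip", "fridge")

def device_indicators(raw):
    """Return sorted 'source:hint' strings found in the headers of a raw message."""
    msg = message_from_string(raw)
    hits = set()
    # 1. The mailer string, if the sender was honest enough to set one.
    mailer = (msg.get("X-Mailer") or msg.get("User-Agent") or "").lower()
    hits.update(f"mailer:{h}" for h in EMBEDDED_MAILER_HINTS if h in mailer)
    # 2. The right-hand side of Message-ID is normally the generating host.
    mid_host = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    hits.update(f"message-id-host:{h}" for h in EMBEDDED_HOST_HINTS if h in mid_host)
    # 3. Host names given in the 'from' / 'by' clauses of the Received chain
    #    (folded header lines are joined back into one string first).
    chain = " ".join(" ".join(r.split()) for r in msg.get_all("Received", []))
    for host in re.findall(r"\b(?:from|by)\s+([A-Za-z0-9_.-]+)", chain):
        hits.update(f"received-host:{h}" for h in EMBEDDED_HOST_HINTS if h in host.lower())
    return sorted(hits)

def looks_like_iot_sender(raw):
    """True when at least two independent header sources carry device hints."""
    return len({hit.split(":")[0] for hit in device_indicators(raw)}) >= 2

if __name__ == "__main__":
    print(device_indicators(IOT_SAMPLE), looks_like_iot_sender(IOT_SAMPLE))
```

Requiring two independent header sources keeps a single spoofed X-Mailer from deciding the verdict on its own; real triage would still need the sending IP's reputation or, as Proofpoint did, a look at the host itself.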

Anyway, that's how they identified a DVR, a camera and a VoIP gateway. And the fridge? I have a few doubts about the fridge, because there are so few Internet fridges. Actually, I am only aware of three models (Samsung RF4289, Samsung T9000 and LG's Internet fridge), and the last two aren't released yet.

Could this one be an identification error? Or speculation? I'll be looking forward to a screenshot of the spamming fridge ;)

-- the Crypto Girl

PS. My thanks to Guillaume Lovet for his helpful remarks and review on this blog post.
