Terrible Botnet Infection | Dadong Talks Security

1. Xiao Bai's Theater

Xiao Bai: Brother Dong, I recently saw a news story, "Hundreds of thousands of wireless devices infected by botnets", and it frightened me a little. Brother Dong, do you know about this news?

Dadong: As a security practitioner who always keeps up with network security news and current affairs, how could I not pay attention?

Xiao Bai: Can you talk about it, Brother Dong?

Dadong: Absolutely.

Xiao Bai: Let me pull up a little stool and we can get started.

Dadong: In a nutshell, security researchers at IoT Inspector found serious vulnerabilities in the software SDK supplied by chip maker Realtek, and hundreds of thousands of wireless devices (from 65 vendors) have been infected by botnets exploiting those vulnerabilities in OEM products.

Xiao Bai: 65 vendors? That feels like a lot.

Dadong: Yes, Realtek supplies wireless chips that are used by almost all well-known electronics manufacturers, and the product categories cover VoIP and wireless routers, repeaters, IP cameras, smart lighting controls and other devices with wireless networking capabilities.

Xiao Bai: So there are serious vulnerabilities in the software SDK provided by Realtek, and many vendors' products will have problems.

Dadong: Yes, 65 vendors, including ASUSTeK, Belkin, D-Link, Edimax, Hama, Netgear and others, with hundreds of thousands of devices across 200 models affected.

Xiao Bai: The impact of this vulnerability is so big. Has it been assigned a CVE number yet?

Dadong: This vulnerability has been assigned CVE-2021-35395 and a severity rating of 9.8/10. We can now look it up in the official vulnerability database.


Xiao Bai: Yes, I'll look at the official documentation in a moment. Do you know the disclosure process for this vulnerability?

2. Talking About the Incident

Dadong: On May 17, 2021, IoT Inspector asked the Realtek security team how to send a report securely. On August 13, 2021, Realtek published its advisory and released a patched version of the vulnerable SDK. On August 16, 2021, the 90-day disclosure window ended, and IoT Inspector published the vulnerability details and its recommendations.

Xiao Bai: Heck, Realtek released the patched version only three days before IoT Inspector's disclosure, so affected device owners had only a short time to patch.

Dadong: Yes. On August 18, 2021, only two days after the vulnerability was publicly disclosed, hackers began launching attacks.

Xiao Bai: What devices is it estimated to affect?

Dadong: It is estimated to affect many wireless devices exposed to the Internet, from home gateways and travel routers to Wi-Fi repeaters, IP cameras, smart lighting gateways and connected toys.

Xiao Bai: Are there specific models?

Dadong: Yes. According to statistics, the most common devices targeted by this botnet through the defective Realtek SDK are Netis E1+ extenders, Edimax N150 and N300 Wi-Fi routers, and Repotec RP-WR5444 routers, which are mainly used to improve Wi-Fi reception.

Xiao Bai: Manufacturers and users should quickly verify whether their devices are affected, and then apply the relevant patches.

Dadong: Yes, here is a screenshot of some of the manufacturers and affected models.

Affected manufacturers and models (image from the Internet)

Xiao Bai: Hmm, I understand this now, but Brother Dong, can you say a bit about botnets while we're at it?

Dadong: Of course. I was also going to use this incident to talk about botnets.

Xiao Bai: Good, good, good.

Dadong: Xiao Bai, what kinds of malicious code do you know of?

Xiao Bai: Well, there are viruses, worms, Trojan horses, etc.

3. The Whole Story

Dadong: Botnets are a new form of information security threat that combines virus, Trojan and worm technologies.

Xiao Bai: That's terrible. Doesn't a botnet combine the strengths of each family?

Dadong: Yes, botnets spread widely, are highly controllable, highly stealthy and highly harmful. But the most important feature of a botnet is that it behaves like a zombie.

Xiao Bai: What do you mean by that?

Dadong: A botnet is a one-to-many control network between a controller and the infected hosts, formed by using one or more propagation methods to infect a large number of hosts with bot malware.

Xiao Bai: So the attacker spreads the bot through various channels and infects a large number of hosts on the Internet.

Dadong: Yes, the infected hosts receive the attacker's commands over a control channel, forming a botnet. Because many infected computers are unknowingly driven and directed by others and become tools in their hands, just like hordes of zombies, they are called botnets.

Xiao Bai: Haha, the name is quite vivid. So what is a botnet made up of?

Dadong: As mentioned earlier, a typical botnet consists of a bot server (usually an IRC server) and one or more bot clients.

Xiao Bai: Is the distribution of clients limited in any way?

Dadong: No. Because the distribution of zombie clients is not limited to a particular country or region, it is difficult to trace the source, and tracing is likely to require international investigative cooperation. Compared with the losses suffered by enterprises, institutions or individuals, investigating a botnet is too cumbersome, so in many cases the investigation has to be abandoned.

Xiao Bai: So from a technical point of view, what is the general composition of a botnet?

Dadong: In terms of technical modules, it can be roughly divided into three: a scanning module, a resident module and a function module.

Xiao Bai: What are their respective functions?

Dadong: The scanning module scans for targets and spreads the bot malware, the resident module hides and persists in the target system, and the function module executes the instructions issued by the bot herder once the resident module is in place. Seen from its module composition, a bot can also be viewed as a combination of virus and Trojan modules.

Xiao Bai: Is the harm done by botnets also a combination of that done by viruses, Trojans and other malware?

Dadong: That's true, but beyond that, botnets cause harms that traditional viruses do not.

Xiao Bai: Such as?

Dadong: For example: infecting other systems so that they become new zombie clients; DDoS attacks, using a large number of zombie clients to attack the same system or device; ad click fraud, such as faking clicks on companies' ads to earn fees; sending spam and phishing messages; storing and distributing illegal (pirated) intellectual property; extortion; data mining (possibly including keylogger functionality) on infected zombie clients to obtain valuable information about the client system; and using zombie clients for Bitcoin mining.

Xiao Bai: So many hazards. It really deserves to be called a combination of viruses.

Dadong: And botnet technology keeps advancing. In addition to the earlier use of IRC servers as C&C, there is now the use of domain name resolution to locate the C&C address; web-based servers as C&C addresses and as the channel for exchanging instructions; P2P networks to decentralize the management of bot clients and C&C; instant-messaging-based botnets; and FTP-based botnet C&C.

Xiao Bai: I see, I see, but I still need to study these technical details carefully later.

Dadong: Good, Xiao Bai, keep it up.

4. Xiao Bai's Inner Thoughts

Xiao Bai: Brother Dong, does this news show that Internet of Things devices have also become a new generation of targets for botnet infection?

Dadong: With the rapid development of the Internet of Things and its ever wider application, IoT network security has become a hot research topic. One report said that IoT devices have become a new generation of targets for hackers, with routers the preferred targets. Moreover, IoT malware spreads mainly through the devices' network security vulnerabilities, and DDoS attacks have become the mainstream function of IoT malware.

Xiao Bai: That's because more and more IoT devices are being connected to the Internet; refrigerators, lamps and other items are starting to go online too.

Dadong: But IoT devices are harder to protect than other devices, and their security is often neglected, making the applications on IoT devices extremely fragile and easy for attackers to discover and exploit.

Xiao Bai: I suppose people can easily forget they exist. The software is updated frequently.

Dadong: And IoT devices have problems such as being widely scattered, having unclear lines of responsibility, and being unable to be upgraded remotely.

Xiao Bai: It's so hard.

Dadong: Not only that, but because the computing power of IoT devices is relatively weak, it is more difficult to trace the source of attacks.

Xiao Bai: It's harder than ever.

Dadong: The Mirai botnet is a vast network of controlled IoT devices that once paralyzed a large part of the network in the United States.

Xiao Bai: What is the specific event?

Dadong: The Mirai botnet first appeared in August 2016, when it launched a massive DDoS attack against Krebs. On October 21, 2016, the Mirai botnet caused a large-scale Internet outage in the United States. Since then, Mirai has launched a series of DDoS attacks against Singapore, Liberia and Germany.

Xiao Bai: What happened in the United States outage?

Dadong: Dyn, a U.S. domain name resolution provider, was hit by a serious DDoS attack, causing a large-scale network outage in the eastern United States, and many U.S. websites, including Twitter and Facebook, could not be reached by domain name.

Xiao Bai: Botnets are so terrible. How do we defend against them?

Dadong: You can detect whether you have been attacked by a botnet through security detection: anomaly-based detection, DNS-traffic-based detection and honeypot-based detection.

Xiao Bai: Oh, and what measures should IoT users take to prevent infection?

Dadong: First, take stock of all the IoT devices connected to your network. Second, change the default passwords. Also make sure that every device connected to the Internet has the latest patches applied.

Xiao Bai: Great, thanks Brother Dong, I learned a lot today.


Source: Institute of Information Engineering, Chinese Academy of Sciences
