Attackers have problems too: Attacks against "Internet of Things" (IoT) devices are simple (as in "log in..."), but the attacker never knows what kind of architecture they may hit. IoT devices often go beyond the standard x86 architecture we are used to on our servers and workstations. What I typically see is the attempt to launch multiple binaries, compiled for different architectures, to see "what runs".

For example, this was the "#1" malware in our honeypot today. After logging in, the attacker runs the following commands (comments and line breaks added):

    rm -rf /tmp/* /var/*;   # clean out /tmp... ouch. /var ? that can break stuff.
    # download via http, ftp or tftp. whatever works

What gets downloaded looks like this (here the wget version):

    cp /bin/busybox ./;

So essentially, the standard "busybox" binary is replaced with one of the other binaries. In this case, an ARM, a MIPS and a MIPS little-endian version is retrieved.

The "sad" part about this: These attackers appear to go through some length to compile these tools for various platforms, but they don't appear to do much at all, or are just broken. This is probably another indication of how simple it is to go after IoT devices.

FWIW: If you use a Raspberry Pi, make sure to change the default password!!!! I am seeing a LOT of attempts to use the default credentials.
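As an added example (not code from the diary or from the honeypot), here is a small Python triage helper an analyst can run over the files such a session drops: it reads the ELF identification bytes and the e_machine field to report the architecture, endianness and word size of each drop, and flags a session that retrieved binaries for several architectures as the kind of "try everything" spray described above. The ELF constants are from the ELF specification; the sample headers, file names and the function names are constructed here for illustration.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification, limited to architectures
# commonly seen in IoT malware drops
EM_NAMES = {
    2: "SPARC",
    3: "x86",
    4: "m68k",
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "SuperH",
    62: "x86-64",
    183: "AArch64",
}


def elf_arch(data: bytes):
    """Return (arch, endianness, bits) for an ELF blob, or None if it is not ELF.

    Only the first 20 bytes are needed: magic, EI_CLASS, EI_DATA and e_machine.
    e_machine is stored in the file's own byte order, so EI_DATA is read first.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    bits = {1: 32, 2: 64}.get(ei_class)
    endian = {1: "little", 2: "big"}.get(ei_data)
    if bits is None or endian is None:
        return None  # malformed or non-standard header
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, data, 18)
    arch = EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})")
    return arch, endian, bits


def describe(data: bytes) -> str:
    """Human-readable one-liner for a dropped file."""
    info = elf_arch(data)
    if info is None:
        return "not an ELF binary"
    arch, endian, bits = info
    return f"{arch} ({endian}-endian, {bits}-bit)"


def classify_drops(samples: dict) -> dict:
    """Map each dropped file name to its architecture description."""
    return {name: describe(blob) for name, blob in samples.items()}


def is_multiarch_spray(samples: dict) -> bool:
    """True if one session dropped ELF binaries for two or more architectures."""
    archs = {elf_arch(b)[:2] for b in samples.values() if elf_arch(b) is not None}
    return len(archs) >= 2


def build_header(e_machine: int, endian: str = "little", bits: int = 32) -> bytes:
    """Constructed minimal ELF header (e_ident plus e_type/e_machine/e_version).

    This is a test fixture, not a real binary; it is just enough for elf_arch().
    """
    prefix = "<" if endian == "little" else ">"
    ident = ELF_MAGIC + bytes([
        1 if bits == 32 else 2,        # EI_CLASS
        1 if endian == "little" else 2,  # EI_DATA
        1,                             # EI_VERSION
        0,                             # EI_OSABI (System V)
    ]) + b"\x00" * 8                   # EI_ABIVERSION + padding
    return ident + struct.pack(prefix + "HHI", 2, e_machine, 1)  # ET_EXEC, machine, EV_CURRENT


# Constructed samples standing in for the ARM, MIPS and MIPS little-endian drops
SAMPLES = {
    "busybox.arm": build_header(40, "little"),
    "busybox.mips": build_header(8, "big"),
    "busybox.mipsel": build_header(8, "little"),
    "bins.sh": b"#!/bin/sh\ncp /bin/busybox ./;\n",
}

if __name__ == "__main__":
    for name, desc in classify_drops(SAMPLES).items():
        print(f"{name:16} {desc}")
    print("multi-architecture spray:", is_multiarch_spray(SAMPLES))
```

Run it on the contents of whatever directory the session wrote to and the output tells you at a glance which platforms the attacker was hoping to land on; a session that drops three or more architectures is almost never a targeted intrusion and is worth grouping with the rest of the automated IoT noise rather than investigating file by file.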
Johannes (ISC Handler), Feb 15th 2016
Since the attacker has already logged in, why try to guess the right binary? It's easier to detect the architecture and OS...
-M.

Anonymous, Feb 16th 2016