Hunting advanced IoT malware

GenShen Ye/360NetLab

The Anglerfish Honeypot is one of the main honeypot systems 360Netlab runs. The system tracks network scans on a large scale, supports all TCP and UDP ports, and can simulate a large number of IoT and server environments.

Over the years, we have been gathering large volumes of network scan payload data and the corresponding malware samples, and we have selectively disclosed some of our findings, including: http81, Mykings, DDG, Hajime, TheMoon, IoT_reaper, Satori, Muhstik, HNS, Fbot, MikroTik, GhostDNS, Linux.Ngioweb, Godlua, Gwmndy, etc.

The data we gathered also holds some interesting insights that we have not talked about yet, for example, a specific APT campaign targeting certain IoT routers for surveillance.

In addition, the system has helped us discover some 0-days, for example, the CVE-2017-17215 vulnerability exploited by the Satori botnet, the GPON home router RCE vulnerability exploited by the TheMoon botnet, and the XiongMai DVRIP protocol vulnerability exploited by Fbot.

In this talk, I will go through in detail the main components of this honeypot and the tricks we use to analyze the captured data and ELF samples. I will also give details on how we extract and pinpoint the interesting IoT malware threats.

November 7 at 14:30 - 15:00, Stage B

GenShen Ye has 4 years of network security work experience. He is currently a network security researcher at 360Netlab, where he designs and develops the Anglerfish honeypot and hunts advanced IoT malware.