A fun project I worked on in my early career was tracking DDoS attacks. A lot of DDoS attacks come from infected IoT devices. But most IoT devices use ramdisks, meaning any modifications to the main filesystem gets erased upon reboot, removing the malware along with it. 1/? - ThreadSky

malwaretech.com • 5 days ago

A fun project I worked on in my early career was tracking DDoS attacks. A lot of DDoS attacks come from infected IoT devices. But most IoT devices use ramdisks, meaning any modifications to the main filesystem gets erased upon reboot, removing the malware along with it. 1/?

Comments

joocifer.bsky.social•5 days ago

What kind of IoT devices were you usually dealing with?

malwaretech.com•5 days ago

Lot of NVRs and consumer routers

artlatl1.bsky.social•5 days ago

NVRs… 😆
You can find an army of them in every Airport, every business in Las Vegas, hotel clusters by airports, warehouse districts on small cities.

Consumer routers varied on how savvy the homeowner or SOHO was but you could scoop up NVRs everywhere. & they almost never get reset.

syntacticsinc.bsky.social•5 days ago

Nice!

drwhofan1.bsky.social•4 days ago

You lost me at DDoS...

hex720.net•5 days ago

I don't let any of my IOT devices access the internet, so at least I'm hopefully not contributing. Everything connects to home assistant.

jackmott.bsky.social•5 days ago

in this case it would be good to contribute

hex720.net•5 days ago

Yeah, good point, but I'm still not letting my IOT devices access the internet.

countnathrakh.bsky.social•5 days ago

IoT is evil

dogs-4.bsky.social•5 days ago

Bud, what you said is way OVER my head, but I'm impressed, as long as you're truthful!

misty013.bsky.social•5 days ago

Please hold sir, your IT specialist is in India and is just waking up.
Reading on would lull me to sleep and I am busy mucking off at work and foraging for food.

annroberts54.bsky.social•5 days ago

Maybe the toxic nature of the communications flow there has finally corroded the platform and made it inoperable.

lemonsama.bsky.social•4 days ago

90% of ddos attacks were arranged via zombie botnet accounts. Meaning they paid someone else to attack a target, the larger the target, the more isolated sources (meaning more zombies) required. None of them are actually "red hat" hackers, they run scripts. Black industry wise they're very low.

lemonsama.bsky.social•4 days ago

Industry professionals don't even consider a ddos attack a hack attempt anymore. Bigger companies like Amazon or MS get wide scale attacks multiple times a day, costing the attacker many times more than it costs to simply target and block the attacks.

malwaretech.com•5 days ago

Most hackers targeted the same pool of devices, and after installing malware on them, the malware would lock down the device so no one else can get in. It was basically a giant turf war fighting over control of millions of unsecured IoT devices. Once a device rebooted, it was a race to hack it. 2/?

malwaretech.com•5 days ago

Because the hackers would use the hacked devices to hack other devices, we built a network of 65,000 fake devices, which would track which device tried to hack us, and which malware it tried to install. Using this we could track most IoT malware in general, but more importantly 3/?

malwaretech.com•5 days ago

we could approximate which specific malware an IoT device was infected with at any given time. So if a website got DDoSed, and they gave us a list of IP addresses involved in the DDoS, we could usually figure out which specific botnet was responsible. 4/?

malwaretech.com•5 days ago

Most fun I had was this one dude who was threatening to DDoS a major target on a specific date. Using our tracking, we were able to identify which botnet was his based on small test attacks launched a week prior. We waited until an hour before his deadline, then wiped out all his infrastructure. 5/?

malwaretech.com•5 days ago

I think somewhere I have a screenshot of the absolutely hilarious level of embarrassment he went through when he tweeted that the DDoS attack was about to start, went to hit the button, then nothing happened. I doubt he ever even figured out what it was we did, only that his botnet was gone. 6/6

totoole.bsky.social•5 days ago

that's awesome, well done. fuck those ddossers!

cv-danes.com•5 days ago

Well played, Sir. Well played :-)

kaitensatsuma.bsky.social•5 days ago

Hypothetically that also sounds like a good way to set up false avenues that end up going absolutely fucking nowhere for hackers to penetrate, get caught, and potentially even back traced - though that last thing is getting a little too Cyberpunk even by my only semi-tech literate ass.

secretsquirre1.bsky.social•5 days ago

Never got to use my S+ and it expires this year. Peripheral neuropathy and CES (cauda equina syndrome aka paralysis of the quad muscles)♿️
I went for my PenTest and I was pissed. I didn’t pass (Jason Dion didn’t do a good job lol)
I went for my

theguy9900.bsky.social•5 days ago

I call this "sort of thing" a time release joke.

I know it's coming, but you don't. And I get to giggle the whole time.

davidcdean.com•5 days ago

I assume these are mostly bought/rented c&c of compromised devices? Like, I can’t help laugh at the idea of someone trying to get a dark web refund when their botnet of crappy thermostats doesn’t work as advertised.

patr10tic.bsky.social•3 days ago

Years ago I found an undisclosed 0day that would reboot infected Mirai bots with a single packet

I tried so hard getting anyone to take it seriously. I wanted to have the devices mass-patched, but could never get authorization for such an unprecedented operation

Things are so much worse now

furcalor.net•5 days ago

Never was anything that big, but back in the day hijacking IRC based botnets was fun "white/grey" hat thing to do...

vessonsecurity.bsky.social•5 days ago

How did you wipe the infrastructure? I mean, how did you get access to it? Was there a flaw in the protocol that let you issue commands on his behalf?

pty.bsky.social•3 days ago

Pure speculation on my part, Marcus & co. most likely reverse-engineered the malware that the botnet ran on, identified some exploitable vulns in it, and... well, malware writers aren't the most careful programmers.

escctrl.bsky.social•5 days ago

Dang that sounds fun as heck

d1ngbat.bsky.social•5 days ago

Splatoon got that new IoT DLC

69rob.bsky.social•5 days ago

Here you will find more info

https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/DARKSTORMTEAM/DarkStormTeam-EN.pdf

effecient.bsky.social•5 days ago

*stands outside your window
"If my clients could read they'd be very upset at my pricing" 😂

petrock4real.bsky.social•5 days ago

This fascinates me my kids were ddos’ed constantly as kids gaming til we got a vpn

hegiman.bsky.social•5 days ago

Idk what your kids did but that’s not normal. That tends to only happen to people being extremely rude during game play or people who are griefing (cause other players grief) in an online game.

petrock4real.bsky.social•5 days ago

Yup In hind sight and discussing with my kids now a bit older, it seemed to be slightly older kids running power trips gaming with younger kids on xbox and executing ddos attacks when getting arses kicked

fullofdata.bsky.social•5 days ago

Awesome post than you!

scottklair.bsky.social•5 days ago

you should take a look at that nsa catalog snowden leaked. lot of persistent payloads from those guys.

malwaretech.com•5 days ago

Not sure there’s a single person in cybersecurity who hasn’t looked at that

scottklair.bsky.social•5 days ago

would hope so, but it’s 15 years old now . . . so i’d assume there’s more methods to circumvent restarts.

malwaretech.com•5 days ago

NSA grade implants and kiddy DDoS malware are very different things

sparkyl.bsky.social•5 days ago

Still a problem using SSD? It's not perfect, but I love that my iPad uses non-volatile storage at 512 GB.

I'm not up to date, but would something like that possibly leave temporary ghost files you could find even after power off?

outofmemory.bsky.social•5 days ago

SSD costs real money and is modern. Marcus was specifically talking about cheap IoT devices a few years back and none of those had SSDs.

sparkyl.bsky.social•5 days ago

Thanks. Just curious!

neilio6.bsky.social•5 days ago

Forgive my ignorance Marcus, how do the threat actor's find their victims? Shodan? 🙏

savage-t.bsky.social•5 days ago

They just do the same thing Shodan does. Scan a range of IP addresses looking for open ports that may have vulnerable services listening on them. To avoid detection, They can distribute the scanning activity among a diverse set of hosts, often earlier victims of compromise.

neilio6.bsky.social•5 days ago

Thank you. 🙏

lisajohnson.bsky.social•5 days ago

ah, I don’t think I quite realized before this thread botnets are limited by a) available IoT devices that b) aren’t locked down by others. There’s a capacity limit on size of attack based on available hardware (yes?)

savage-t.bsky.social•5 days ago

1) It's a matter of scale. If only 1% of smart-bulbs were compromised, that's still millions of attack sources.

2) There are techniques to amplify attacks. So the compromised devices may not even represent the bulk of the resources being deployed in the assault.

lisajohnson.bsky.social•5 days ago

Thank you, appreciate the context

neilio6.bsky.social•5 days ago

Iot devices are our achilles heel, and there are no shortages of the plug and play mentality. Respectfully

lisajohnson.bsky.social•5 days ago

I was thinking from the threat perspective of really large DDoS attacks and how that could be accomplished, it feels like we’ve figured out how to handle just about anything. One of my first meetings when I started in cyber was meeting with the CEO of Dyn. They walked us through that day.

savage-t.bsky.social•5 days ago

On point and insightful. And although they bear some responsibility, it's hardly the consumer's fault when they've been pitched a device as an appliance. We wouldn't hold a buyer liable if their new oven had a defect that injured random strangers through its expected and advertised usage.

sequencedlife.bsky.social•5 days ago

when I was young I downloaded LOIC because I was stupid

cgordi.bsky.social•5 days ago

LOL

ptinstructor.bsky.social•5 days ago

That brings out memories of fun times!

merthyr1831.bsky.social•5 days ago

what a flashback

foxthingsup.bsky.social•5 days ago

We all did

bonagrok.bsky.social•5 days ago

Jesus, memory unlocked.

genxjared.bsky.social•5 days ago

This is why all of our IoT devices are on their own subnet firewalled from the rest of our home network.

However many of them do communicate with remote servers (via NAT) and with the bluetooth devices, so I have to assume it is still possible for some to become infected and I have no way to know.

therealdonniedarko.bsky.social•5 days ago

How long ago was this? Seems like a fun database to dump into ML to see how well it would categorize the date set.

spunquee.bsky.social•5 days ago

no. thats a terrible idea.

pmzyox.bsky.social•5 days ago

As someone else in secops, without knowing many details, I would say to pull this off: the call was coming from inside the house.

theconstantwriter.bsky.social•5 days ago

lol awesome

billyslang.bsky.social•5 days ago

Any commonly used IoT devices that would surprise us?

gemmasbooks.bsky.social•5 days ago

I hope Teslas are on the list 😂

coolingjets.bsky.social•5 days ago

The malware may re-establish on reboot because in can reside elsewhere, as in a recent case I worked-on where the malware would reside in the BIOS, then reload. It also used the backup partition table so you wouldn't normally see it, since the primary partition table would not address the malware.

malwaretech.com•5 days ago

No, none of the DDoS botnets do that.

jaiden-a.bsky.social•5 days ago

Not a cyber security researcher, but couldn't this be true for embedded Linux devices? I used to work on a 3D printer with an sbc running Linux. Obviously this doesn't apply to simpler microcontrollers you might find in a iot thermostat

malwaretech.com•5 days ago

There is no standardized bios model or version between devices, nor is there a standardized means of updating the bios code. In fact, for many devices it's not possible from within the OS. Even if it were, we're talking about developing and maintaining bios malware for thousands of bios versions.

coolingjets.bsky.social•5 days ago

True, but, if the device is an important one, such as a widely used router.. There are hackers that specialize in such projects, usually as a pen test problem.

malwaretech.com•5 days ago

Dude, I literally do this for a living. If you read the full thread you'll see the context in the first post is relevant to the story. It was put there for a reason, not as an invitation to educate me about edge cases that I already know about and aren't relevant to the story.

coolingjets.bsky.social•5 days ago

I guess if it was real simple like booting to a rom on power-up. I've designed controllers like that, but if it's a flash rom and the device is connected to the internet and the flash could be accessed remotely, new code could be written. There are plenty of devices like that that can be remotely UG

coolingjets.bsky.social•5 days ago

The BIOS boots before the main memory, so if the controller or whatever uses the same setup, sure it could infect them too. Something has to boot on power-up to decide who boots next.

coolingjets.bsky.social•5 days ago

It's out there, ignore it at your peril.

malwaretech.com•5 days ago

Russell’s teapot

crash.bsky.social•5 days ago

Wait so which smart bulbs do I have to buy, specifically, to contribute to DDoSing twitter?

bjorndal.net•5 days ago

You don’t have to go that far. You can google auto refresh url. Pick one of the many pages offering it. Enter https://x.com and refresh time of 1 second. Open a few tabs of that and there you go. :) If enough do that it is a major headache. Denial of service is not hijacking. Breaking in to their servers

bjorndal.net•5 days ago

however is. And that’s unacceptable. Especially with regard to the security of the users with regard to password hashes and email addresses.

voidmayne.bsky.social•5 days ago

Amazon Basics

amyowl73.bsky.social•5 days ago

The irony

clayndwoods.bsky.social•5 days ago

Never got into IoT much, did a bit of assembly programming in Atmel devices, and some one-off asynch applications. None of them IP connected (usually RS422, commercial automation). Long ago used to amuse myself in Yahoo chat using old DOS tricks (i.e. send con con).

Comments

Posting Rules

Reply