Hackers openly sharing malware with others has led to one hacker being identified by the Skype ID he used.
According to a blog post by Ankit Anubhav, principal researcher at NewSky Security, the IoT threat landscape differs from conventional malware in terms of code sharing.
“While many windows malware authors are reluctant to share their source code (for free), IoT botnet source modules are available publicly on darknet hacking forums which makes the code reuse much easier. Most of IoT malware threats have been aided heavily by code sharing and reuse,” he said.
Anubhav said that he had observed one such dump site, Daddyhackingteam, which hosts a lot of malware source code and tutorials. The site has now shifted completely to the dark side: it also serves as a command and control server for an IoT botnet variant of Gr1n.
The website contains an archive of several IoT botnet source codes available publicly. It also features contact details of the site owner, which helped NewSky Security track the owner's activity. According to Anubhav, by tracking the listed Skype ID, he observed that this person made three posts on a hackers' forum asking about setting up a QBot of his own and trying to get information on hacking CCTVs to build his own botnet.
Later, it was deduced that the hacker had obtained the code he was looking for: researchers observed in-the-wild samples in which the same daddyhackingteam website, known for hosting the archives, is used as a callback to download a shell script. This shell script in turn downloads and runs botnet binaries from the same website.
But the Skype ID was also used in the hunt for a job. “We found it either bold or immature of a malware author to use the same contact information for job hunting as well as for malicious activities. However, in his job search attempt, he mentions that he is 13 years old, which pretty much explains the dual use,” said Anubhav.
Anubhav went undercover to chat with the malware author, who admitted to having a botnet of just 300 devices but to having failed to hack any CCTV cameras. The hacker confirmed they were 13 years old.
“When we told him that doing such illegal activities can land him in trouble, he was confident that he was immune because he was young. While various laws do have less harsh sentences for juveniles, in this case, we see this person taking advantage of that,” said Anubhav.
Anubhav added that with much IoT botnet source code dumped publicly along with tutorials, “it's literally child's play to set up a botnet by attacking IoT devices”.
“We've seen similar sharing of code for a long time, for example, a simple search on github will uncover a lot of malware ready to use such as ransomware,” he said.
He added that the addition of the line “This is for educational purposes”, or similar, is an often misguided attempt by the author or host to distance themselves from any issues. Other similar messages include “not to be used for illegal purposes”.
“It's unlikely any such messages will hold up as evidence of innocence in a legal capacity,” added Malik.
“In terms of stopping bad guys from sharing malicious code, there is little that can be done. However, organisations can take the same tricks and use it against the attackers. By sharing threat data with each other, organisations can quickly and collaboratively build up a rich profile of the common code used in different attacks and build up defences against it.”
Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SC Media UK that information sharing is a key to success in almost any industry, “and the bad guys understood this much earlier than the white hats – various cyber-gangs have been closely cooperating for years already”.
“Information, code and experience sharing in IoT is actually nothing new, but just an adjustment of tactics to cover the IoT market. Organisations should follow simple but indispensable steps when implementing their cyber-security strategy, such as continuous digital asset inventory, holistic risk/threat assessment and a risk-based mitigation plan,” he said.
The case also highlights the question of what we should do with bright young hackers who dabble in illegality. In a different context, responding to Brian Krebs' detailed report on the youthful hacking past of Malwaretech, aka Marcus Hutchins, in which Hutchins too notes in one post that he is just 15, Lee Munson, security researcher at Comparitech.com, emailed SC to comment: "Whether or not he [Hutchins] has committed any crimes is not for me to decide but his future career prospects will, quite rightfully I believe, hinge on how he is viewed by the security community.
"In a field where integrity is important in more ways than one, Hutchins' career path will likely be determined by how he is perceived by hiring managers, who care little for how some security researchers hone their skills long before they consider the colour of the hat they will later wear."