Published on December 19th, 2016

DeepSec 2016 – Where Should I Host My Malware?





At DeepSec 2016, Attila Marosi (Sophos) gave a presentation explaining where malicious software hosts its code:

"Malicious actors always try to abuse badly configured devices, since this is the 'cheapest' solution. Day by day, more and more home devices become linked to the internet (IoT) such as feature-full routers and NAS systems providing their users, and maybe some others, with data sharing services.

Recently we found interesting threats which are using FTP services to spread. Most users trust their own devices and the files on them. They don't think that their systems could host malware inside their private network, just because default settings and handy automatic services like UPnP are used. Typically users do not even know that they're running, using services like FTP, and especially they do not know that this protocol has a built-in anonymous account.

In other cases malicious actors just put server scripts into the shared folder, hoping that the FTP folder and the web root folder are the same, and so infect the system in this very easy way. Very often they succeed.

So, what is the current state of the (open) FTP services overall?
Recently I developed a very flexible testing framework (called ScanR) to be able to answer this question:





We tested 3 million IP addresses which were released to FTP services, to get a clear picture of the state of these services and the devices which are behind them. The results are quite shocking in some aspects, and worse than we expected.

In this lecture I will present the details of this test, where the initial data and IP addresses came from, what the test system looked like, and especially the threats and hacking activities we found."
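The two conditions the abstract describes, an anonymous account left enabled and an FTP folder that is also the web root, can be checked on a device you administer. The following is an added example, not code from the talk or from ScanR; it assumes the device runs vsftpd, and the sample configuration and the `/share/Public/www` path are constructed.

```python
import posixpath

# Constructed sample: a vsftpd.conf as a NAS might ship it (not from the talk).
SAMPLE_CONF = """\
# factory defaults
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/share/Public/www
"""

def parse_conf(text):
    """Return key=value options, skipping comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def is_on(opts, key, default):
    return opts.get(key, default).upper() in ("YES", "TRUE", "1")

def overlaps(a, b):
    """True when the two directories are equal or one contains the other."""
    a, b = (posixpath.normpath(p).rstrip("/") + "/" for p in (a, b))
    return a.startswith(b) or b.startswith(a)

def audit(conf_text, web_root):
    """List findings for the two misconfigurations the abstract describes."""
    opts = parse_conf(conf_text)
    # vsftpd allows anonymous logins unless the option is explicitly set to NO.
    if not is_on(opts, "anonymous_enable", "YES"):
        return []
    findings = ["anonymous login enabled"]
    writable = is_on(opts, "write_enable", "NO") and (
        is_on(opts, "anon_upload_enable", "NO")
        or is_on(opts, "anon_mkdir_write_enable", "NO"))
    if writable:
        findings.append("anonymous users can write")
    # Without anon_root the anonymous area is the ftp user's home directory,
    # which this file alone does not reveal; check that path by hand.
    anon_root = opts.get("anon_root")
    if anon_root and overlaps(anon_root, web_root):
        findings.append("FTP folder overlaps web root")
    return findings

print(audit(SAMPLE_CONF, "/share/Public/www"))
```

A writable anonymous area that overlaps the web root is the combination to fix first: disable `anonymous_enable`, or move `anon_root` outside any directory the web server serves.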

Attila Marosi has worked in the information security field since he started working in IT. As an active-duty lieutenant he worked for almost a decade on special information security tasks within the Special Service for National Security. Later he was transferred to the newly established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. Now he works for SophosLabs as a Senior Threat Researcher in the Emerging Threat Team to provide novel solutions to the newest threats.

Attila has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he reads trade journals and does some teaching on different levels; on the top level he teaches white hat hackers. He has given talks at many security conferences including hack.lu, DeepSec, AusCERT, Hacktivity, Troopers, HackerHalted and NullCon.
