ArduWorm: A Malware for Your Arduino Yun

We’ve been waiting for this one. A worm was written for the Internet-connected Arduino Yun that gets in through a memory corruption exploit in the ATmega32u4 that’s used as the serial bridge. The paper (as PDF) is a bit technical, but if you’re interested, it’s a great read. (Edit: The link went dead. Here is our local copy.)

The crux of the hack is getting the AVR to run out of RAM, which more than a few of us have done accidentally from time to time. Here, the hackers write more and more data into memory until they end up writing into the heap, where data that’s used to control the program lives. Writing a worm for the AVR isn’t as easy as it was in the 1990s on PCs, because a lot of the code that you’d like to run is in flash, and thus immutable. However, if you know where enough functions are located in flash, you can just use what’s there. These kinds of return-oriented programming (ROP) tricks were enough for the researchers to write a worm.

In the end, the worm is persistent, can spread from Yun to Yun, and can do most everything that you’d love/hate a worm to do. In security, we all know that a chain is only as strong as its weakest link, and here the attack isn’t against the OpenWRT Linux system running on the big chip, but rather against the small AVR chip playing a support role. Because the AVR is completely trusted by the Linux system, once you’ve got that, you’ve won.

Will this amount to anything in practice? Probably not. There are tons of systems out there with much more easily accessed vulnerabilities: hard-coded passwords and poor encryption protocols. Attacking all the Yuns in the world wouldn’t be worth one’s time. It’s a very cool proof of concept, and in our opinion, that’s even better.

Thanks [Dave] for the great tip!

Hajime, Yet Another IoT Botnet

Following on the heels of Mirai, a family of malware exploiting Internet of Things devices, [Sam Edwards] and [Ioannis Profetis] of Rapidity Networks have discovered a malicious Internet worm dubbed Hajime which targets Internet of Things devices.

Around the beginning of October, news of an IoT botnet came forward, turning IP webcams around the world into a DDoS machine. Rapidity Networks took an interest in this worm, and set out a few honeypots in the hopes of discovering what makes it tick.

Looking closely at the data, there was evidence of a second botnet that was significantly more sophisticated. Right now, they’re calling this worm Hajime.


Single Motor Lets This Robot Do the Worm

With more and more research in the field of autonomous robotics, new methods of locomotion are coming on the scene at a rapid pace. Forget wheels and tracks, forget bi-, quad-, hexa- and octopods, and forget fancy rolling BB-8 clones. If you want to get a mini robot moving, maybe you should teach it to do the worm.

Neither the Gizmodo article nor the abstract of [David Zarrouk]’s paper gives too many details on the construction of this vermiform robot, but there are some clues to be gleaned from the video below. At the 1:41 mark we see the secret of the design – a long corkscrew in the center of the 3D-printed linkages.

Robot Does the Worm to Get Around

Walking, jumping, rolling, flying, swimming – robotic locomotion is limited only by the imagination of the inventor. [Roger Rabbit] apparently has a pretty vivid imagination, because he’s building robots that move like worms.

Version 1 of [Roger]’s robot is only semi-vermiform and is more of a tube climber. It has a pair of 3D-printed pantographs that expand and contract with servos and move along the robot’s axis on a stepper-driven lead screw. An Arduino reads sensors and coordinates the expansion of the pantographs to grip the internal diameter of a pipe and push the worm-bot along. It’s a slow but effective way to get around in the limited confines of a pipe.

The next iteration, dubbed [Wolly], is much more worm-like and not restricted to pipe-running. It has four expandable triangular frames connected to each other with rack-and-pinion backbones. The first frame contracts, the racks push it forward, it expands, the next contracts, and soon it’s doing the worm across the floor. Still slow, but pretty neat to watch, and you can see how it can be steered. It might even be able to roll around its long axis, and it’d make a decent tube climber as well.

This creepy autonomous worm-bot seems very similar to [Wolly], but aside from that we haven’t covered too many robots like these. There’s a lot of thought and effort in these worm-bots, and we’re keen to see where [Roger] takes this unique robot body plan.


Best robot demos from ICRA 2013


The 2013 IEEE International Conference of Robotics and Automation was held early in May. Here’s a video montage of several robots shown off at the event. Looks like it would have been a blast to attend, but at least you can draw some inspiration from such a wide range of examples.

We grabbed a half-dozen screenshots that caught our eye. Moving from the top left in clockwise fashion we have a segmented worm bot that uses rollers for locomotion. There’s an interesting game of catch going on in the lobby with this sphere-footed self balancer. Who would have thought about using wire beaters as wheels? Probably the team that developed the tripod in the upper right. Just below there’s one of the many flying entries, a robot with what looks like a pair of propellers at its center. The rover in the middle is showing off the 3D topography map it creates to find its way. And finally, someone set up a pool of water for this snake to swim around in.


Careless with your Jailbreak? You’ll get Rickrolled


Here’s further proof that you should understand what it is you’re doing when you go to hack your handheld. Jailbreaking an iPhone has been made quite easy to the point that a lot of folks do it without reading any of the accompanying documentation. Those who didn’t heed the warning to change the default SSH password on a Jailbroken phone might get a bit of a surprise. A worm has been unleashed that finds Jailbroken iPhones and changes the background image to a picture of [Rick Astley]. That’s right, they’ve been Rickrolled.

It’s a clever little devil that propagates by grabbing the IP address of the iPhone it is currently on, then testing all of the IP addresses in that range to find other devices using the default password. Luckily this worm’s activities are not what we’d call malicious. It doesn’t format the root or create a cell-based botnet (that we know of). This would be akin to the antics of searching Google for unprotected installations of MythWeb and setting some poor schmuck’s MythTV to record every infomercial ever. The point is, this could have been a lot worse, but the attack is predicated on stupidity. In our digital age, why are people leaving default passwords in place?

Containing Conficker


With all the noise about Conficker turning your computer into liquid hot magma on April 1st, there’s actually some positive news. Researchers from the HoneyNet Project have been following the worm since infections started in late 2008. They recently discovered an easy way to identify infected systems remotely. Conficker attempts to patch the MS08-067 vulnerability during infection. A flaw in the patch causes the machine to respond differently than both an unpatched system and an officially patched system. Using this knowledge, the team developed a proof of concept network scanner in Python to find infected machines. You can find it in [Rich Mogull]’s initial post. [Dan Kaminsky] has packaged it as an EXE and has instructions for how to build the SVN version of Nmap, which includes the new signature. Other network scanner vendors are adding the code as well.

In conjunction with this detection code, the team has also released the whitepaper Know Your Enemy: Containing Conficker. It discusses ways to detect, contain, and remove Conficker. They’ve combined this with a tool release that covers Conficker’s dynamic domain generation among other things.