Step-by-step knowledge about MIRAI [Mirai botnet and Mirai botnet download]

MIRAI

What is the Mirai botnet?

Mirai (Japanese for "the future", 未来) is malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.


On September 30, the story saw another development when a HackForum user by the name of ‘Anna-senpai’ leaked the source code for Mirai—the botnet malware behind the attacks. It was speculated that in doing so the perpetrator was trying to hide his tracks, rightfully concerned about the repercussions of taking a swing at Brian.
Since the source code was published, the Imperva Incapsula security team has been digging deep to see what surprises Mirai may hold. In this post we’ll share:
  • Our own encounters with Mirai botnets
  • The results of our investigation of Mirai’s source code

Update:
New Mirai scanner released: We developed a scanner that can check whether one or more devices on your network are infected by, or vulnerable to, Mirai. You can find the beta of the Mirai Scanner here.
If you missed “Deep Dive into the Mirai Botnet”, hosted by Ben Herzberg, check out our video recording of the event.

Close Encounters of the Third Kind

A thorough review of Mirai’s source code allowed us to create a strong signature with which we could identify Mirai’s activity on our network. We then turned to our logs and examined recent assaults to see if any of them carried Mirai’s fingerprints.
Sure enough, we found the Mirai botnet was responsible for a slew of GRE floods that were mitigated by our service on August 17. Using a hit-and-run tactic, the attack peaked at 280 Gbps and 130 Mpps, both indicating a very powerful botnet.
Figure 1: Mitigating a slew of Mirai-powered GRE floods, peaking at 280 Gbps/130 Mpps
Investigation of the attack uncovered 49,657 unique IPs which hosted Mirai-infected devices. As previously reported, these were mostly CCTV cameras—a popular choice of DDoS botnet herders. Other victimized devices included DVRs and routers.
Overall, IP addresses of Mirai-infected devices were spotted in 164 countries. As evidenced by the map below, the botnet IPs are highly dispersed, appearing even in such remote locations as Montenegro, Tajikistan and Somalia.
Figure 2: Geo-locations of all Mirai-infected devices uncovered so far
Country          % of Mirai botnet IPs
Vietnam          12.8%
Brazil           11.8%
United States    10.9%
China             8.8%
Mexico            8.4%
South Korea       6.2%
Taiwan            4.9%
Russia            4.0%
Romania           2.3%
Colombia          1.5%
Figure 3: Top countries of origin of Mirai DDoS attacks
Interestingly, since the source code was made public, we’ve also seen a few new Mirai-powered assaults. This time they took the form of low-volume application layer HTTP floods, one of which was even directed against our domain (www.incapsula.com).
Characterized by relatively low requests per second (RPS) counts and small numbers of source IPs, these looked like the experimental first steps of new Mirai users who were testing the waters after the malware became widely available. Likely, these are signs of things to come, and we expect to deal with Mirai-powered attacks in the near future.
Figure 4: Mirai botnet launching a short-lived HTTP flood against incapsula.com

Source Code Analysis

Mirai is a piece of malware that infects IoT devices and is used as a launch platform for DDoS attacks. Mirai’s C&C (command and control) code is coded in Go, while its bots are coded in C.
Like most malware in this category, Mirai is built for two core purposes:
  • Locate and compromise IoT devices to further grow the botnet.
  • Launch DDoS attacks based on instructions received from a remote C&C.
To fulfill its recruitment function, Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices that could be remotely accessed via easily guessable login credentials—usually factory default usernames and passwords (e.g., admin/admin).
Mirai uses a brute-force technique for guessing passwords (a.k.a. a dictionary attack), based on the following list of username/password pairs:
root     xc3511
root     vizxv
root     admin
admin    admin
root     888888
root     xmhdipc
root     default
root     juantech
root     123456
root     54321
support  support
root     (none)
admin    password
root     root
root     12345
user     user
admin    (none)
root     pass
admin    admin1234
root     1111
admin    smcadmin
admin    1111
root     666666
root     password
root     1234
root     klv123
Administrator admin
service  service
supervisor supervisor
guest    guest
guest    12345
guest    12345
admin1   password
administrator 1234
666666   666666
888888   888888
ubnt     ubnt
root     klv1234
root     Zte521
root     hi3518
root     jvbzd
root     anko
root     zlxx.
root     7ujMko0vizxv
root     7ujMko0admin
root     system
root     ikwb
root     dreambox
root     user
root     realtek
root     00000000
admin    1111111
admin    1234
admin    12345
admin    54321
admin    123456
admin    7ujMko0admin
admin    1234
admin    pass
admin    meinsm
tech     tech
mother   f**er [censored]
Mirai’s attack function enables it to launch HTTP floods and various network-layer (OSI layer 3-4) DDoS attacks. When launching HTTP floods, Mirai bots hide behind the following default user-agents:
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7
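As an added example (not code from the Incapsula post or from the Mirai source), here is a small Python detector that applies those five strings to web server access logs from a defender's side: an exact User-Agent match is only a weak signal, since these are ordinary browser strings, so it counts matching requests per source IP inside a sliding window and reports only bursts. The "combined" log format, the sample log lines, the 10-second window and the threshold of 5 are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The five User-Agent strings hardcoded in Mirai's HTTP flood (copied from the list above).
MIRAI_UAS = (
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7",
)
# Assumed Apache/nginx "combined" format: ip ident user [ts] "request" status bytes "referer" "ua"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return (source_ip, timestamp, user_agent), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), m.group("ua")

def find_suspects(lines, window=timedelta(seconds=10), threshold=5):
    """Map source IP -> peak number of Mirai-UA requests inside any `window`, for IPs reaching `threshold`."""
    # These UAs are ordinary 2016 browser strings, so one match means nothing; a burst from one IP does.
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in MIRAI_UAS:
            hits[parsed[0]].append(parsed[1])
    suspects = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                suspects[ip] = max(suspects.get(ip, 0), end - start + 1)
    return suspects

# Constructed sample log (RFC 5737 test addresses): one client fires six Mirai-UA requests
# within 10 s, one sends the same UA twice 39 s apart, one unrelated client uses curl.
def _line(ip, sec, ua):
    return f'{ip} - - [03/Oct/2016:12:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = [_line("198.51.100.7", s, MIRAI_UAS[0]) for s in range(0, 12, 2)] + [
    _line("203.0.113.9", 1, MIRAI_UAS[0]), _line("203.0.113.9", 40, MIRAI_UAS[0]),
    _line("192.0.2.5", 3, "curl/7.47.0"),
]
```

Running `find_suspects(SAMPLE_LOG)` on the constructed log reports only the bursting client, `{'198.51.100.7': 6}`; in production, tune the window and threshold to your site's normal per-client request rate.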
For network layer assaults, Mirai is capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.
Mirai also seems to possess some bypass capabilities, which allow it to recognize and attempt to circumvent security solutions:
#define TABLE_ATK_DOSARREST         45  // "server: dosarrest"
#define TABLE_ATK_CLOUDFLARE_NGINX  46  // "server: cloudflare-nginx"

// Case-insensitive search of the HTTP response for a known Server header value;
// the bot records which protection service it is facing in conn->protection_type.
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CLOUDFLARE_NGINX, NULL)) != -1)
    conn->protection_type = HTTP_PROT_CLOUDFLARE;

if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_DOSARREST, NULL)) != -1)
    conn->protection_type = HTTP_PROT_DOSARREST;

While this may seem like standard source code, Mirai also has a few quirks that we found especially intriguing…
