MIRAI
What is the Mirai botnet?
Mirai (Japanese for "the future", 未来) is malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.
On September 30, the story saw another development when a HackForum user by the name of ‘Anna-senpai’ leaked the source code for Mirai—the botnet malware behind the attacks. It was speculated that in doing so the perpetrator was trying to hide his tracks, rightfully concerned about the repercussions of taking a swing at Brian.
Since the source code was published, the Imperva Incapsula security team has been digging deep to see what surprises Mirai may hold. In this post we’ll share:
- Our own encounters with Mirai botnets
- The results of our investigation of Mirai’s source code
Update:
New Mirai scanner released: We developed a scanner that can check whether one or more devices on your network are infected by, or vulnerable to, Mirai. You can find the beta of the Mirai Scanner here.
If you missed “Deep Dive into the Mirai Botnet”, hosted by Ben Herzberg, check out our video recording of the event.
Close Encounters of the Third Kind
A thorough review of Mirai’s source code allowed us to create a strong signature with which we could identify Mirai’s activity on our network. We then turned to our logs and examined recent assaults to see if any of them carried Mirai’s fingerprints.
Sure enough, we found the Mirai botnet was responsible for a slew of GRE floods that were mitigated by our service on August 17. Using a hit-and-run tactic, the attack peaked at 280 Gbps and 130 Mpps, both indicating a very powerful botnet.
Figure 1: Mitigating a slew of Mirai-powered GRE floods, peaking at 280 Gbps/130 Mpps
Investigation of the attack uncovered 49,657 unique IPs which hosted Mirai-infected devices. As previously reported, these were mostly CCTV cameras—a popular choice of DDoS botnet herders. Other victimized devices included DVRs and routers.
Overall, IP addresses of Mirai-infected devices were spotted in 164 countries. As evidenced by the map below, the botnet IPs are highly dispersed, appearing even in such remote locations as Montenegro, Tajikistan and Somalia.
Figure 2: Geo-locations of all Mirai-infected devices uncovered so far
| Country | % of Mirai botnet IPs |
|---|---|
| Vietnam | 12.8% |
| Brazil | 11.8% |
| United States | 10.9% |
| China | 8.8% |
| Mexico | 8.4% |
| South Korea | 6.2% |
| Taiwan | 4.9% |
| Russia | 4.0% |
| Romania | 2.3% |
| Colombia | 1.5% |
Figure 3: Top countries of origin of Mirai DDoS attacks
Interestingly, since the source code was made public, we’ve also seen a few new Mirai-powered assaults. This time they took the form of low-volume application layer HTTP floods, one of which was even directed against our domain (www.incapsula.com).
Characterized by relatively low requests-per-second (RPS) counts and small numbers of source IPs, these looked like the experimental first steps of new Mirai users testing the water after the malware became widely available. Likely, these are signs of things to come, and we expect to deal with more Mirai-powered attacks in the near future.
Figure 4: Mirai botnet launching a short-lived HTTP flood against incapsula.com
Source Code Analysis
Mirai is a piece of malware that infects IoT devices and is used as a launch platform for DDoS attacks. Mirai’s C&C (command and control) code is written in Go, while its bots are written in C.
Like most malware in this category, Mirai is built for two core purposes:
- Locate and compromise IoT devices to further grow the botnet.
- Launch DDoS attacks based on instructions received from a remote C&C.
To fulfill its recruitment function, Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices that could be remotely accessed via easily guessable login credentials—usually factory default usernames and passwords (e.g., admin/admin).
Mirai uses a brute-force technique for guessing passwords, a.k.a. a dictionary attack, based on the following list of username/password pairs:
```
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 00000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin 1234
admin pass
admin meinsm
tech tech
mother f**er [censored]
```
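As an added example (not code from this post or from the Mirai source), the following Python audits a device inventory against Mirai's dictionary, which is the defender-side check that matters here: any device still carrying one of these pairs is a recruitment target. It parses a subset of the pairs above, treating "(none)" as an empty password (which is how the Mirai scanner source encodes that entry); the inventory hosts and credentials are constructed.

```python
# Added example, not part of the Incapsula post or the Mirai source. Audits a
# constructed device inventory against Mirai's credential dictionary.
# DICT_TEXT is a subset of the pairs listed above; "(none)" means an empty password.
DICT_TEXT = """\
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root 123456
support support
root (none)
admin password
admin (none)
ubnt ubnt
"""

def parse_mirai_dictionary(text):
    """Parse 'user password' lines into a set of (user, password) tuples."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue                      # skip blank or malformed lines
        user, password = fields
        pairs.add((user, "" if password == "(none)" else password))
    return pairs

def audit_inventory(devices, pairs):
    """Return {host: finding} for devices whose login would fall to Mirai's dictionary."""
    known_passwords = {pw for _, pw in pairs}
    findings = {}
    for dev in devices:
        cred = (dev["user"], dev["password"])
        if cred in pairs:
            findings[dev["host"]] = "exact Mirai user/password pair"
        elif dev["password"] in known_passwords:
            findings[dev["host"]] = "password is in Mirai dictionary"
    return findings

# Constructed inventory; hosts and credentials are illustrative only.
INVENTORY = [
    {"host": "cam-01", "user": "root", "password": "xc3511"},
    {"host": "dvr-02", "user": "admin", "password": ""},
    {"host": "router-03", "user": "operator", "password": "123456"},
    {"host": "cam-04", "user": "admin", "password": "Tq9!vR2#kLm8"},
]
```

Feeding the full list above into `parse_mirai_dictionary` works the same way; the three-field censored entry is skipped by the length check.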
Mirai’s attack function enables it to launch HTTP floods and various network-layer (OSI layer 3-4) DDoS attacks. When launching HTTP floods, Mirai bots hide behind the following default user-agents:
```
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7
```
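An added example, not part of the original post: a Python detector that parses combined-format access logs, keeps only requests carrying one of Mirai's five hard-coded user-agents, and flags a source IP when its requests exceed a rate threshold inside a sliding window. Because these strings are genuine browser user-agents, the match alone is only a weak indicator; the per-source rate is what turns it into a signal. The log lines, IPs and thresholds below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# User-agent strings hard-coded in Mirai's HTTP flood code (the list above).
MIRAI_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7",
}
# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, user_agent), or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("ua")

def flag_sources(lines, window_s=10, min_requests=20):
    """Return {ip: peak} for IPs sending >= min_requests Mirai-UA requests in any window_s-second span."""
    stamps_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in MIRAI_USER_AGENTS:   # UA match alone is weak; the rate makes the signal
            stamps_by_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak, j = 0, 0
        for i, t in enumerate(stamps):           # sliding window over sorted timestamps
            while (t - stamps[j]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= min_requests:
            flagged[ip] = peak
    return flagged

def constructed_log(ip, ua, count, start, step_ms):
    """Build constructed sample log lines (not real traffic) for the demo below."""
    return [f'{ip} - - [{(start + timedelta(milliseconds=i * step_ms)).strftime(TS_FMT)}] '
            f'"GET / HTTP/1.1" 200 512 "-" "{ua}"' for i in range(count)]

START = datetime(2016, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = (constructed_log("203.0.113.7", sorted(MIRAI_USER_AGENTS)[0], 40, START, 100)        # 40 hits in 4 s
          + constructed_log("198.51.100.2", "Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0", 3, START, 1000))
```

`flag_sources(SAMPLE)` flags only 203.0.113.7; tune `window_s` and `min_requests` to the normal per-client rate of the site being protected.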
For network layer assaults, Mirai is capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.
Mirai also seems to possess some bypass capabilities, which allow it to circumvent security solutions:
```c
/* Indices into Mirai's obfuscated string table; the comments give the decoded
   values the bot looks for in the target's HTTP "Server" response header. */
#define TABLE_ATK_DOSARREST         45 // "server: dosarrest"
#define TABLE_ATK_CLOUDFLARE_NGINX  46 // "server: cloudflare-nginx"

/* After reading the response, the bot fingerprints the DDoS protection in front
   of the target from the Server header and records it on the connection state. */
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CLOUDFLARE_NGINX, NULL)) != -1)
    conn->protection_type = HTTP_PROT_CLOUDFLARE;
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_DOSARREST, NULL)) != -1)
    conn->protection_type = HTTP_PROT_DOSARREST;
```
While this may seem like standard source code, Mirai also has a few quirks that we found especially intriguing…