Mirai and IoT Botnet Analysis - Robert Graham - PowerPoint PPT Presentation


SLIDE 1

#RSAC

SESSION ID: HTA-W10

Mirai and IoT Botnet Analysis

Robert Graham
http://blog.erratasec.com
@ErrataRob

SLIDE 2

What this talk will cover

Brief overview of Mirai
The cameras themselves
Step by step from infection to attacks
The Dyn attack
How to protect yourself
How the technical details fit into the government policy debate

SLIDE 3

Mirai botnet

Terabit-scale attacks at the end of 2016
~600 Gbps against Brian Krebs
~1 Tbps against OVH
~1.2 Tbps against Dyn

Infects cameras
Mostly cameras; also printers and routers
Hundreds of thousands of devices

SLIDE 4

Where the botnet resides

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

SLIDE 5

CnC servers

192.227.222.73 192.227.222.74 192.227.222.75 192.227.222.76 188.166.65.12 188.166.189.189 185.25.51.115 185.144.29.7 118.89.41.125 93.158.216.170 54.187.144.227 52.163.49.59 46.166.185.34 46.183.223.229 45.119.127.190 35.162.249.35 5.249.154.190

SLIDE 6

SLIDE 7

SLIDE 8

Ordering camera

SLIDE 9

JideTech

from Jose Pagliery at CNN

SLIDE 10

Packaging from Shenzhen

SLIDE 11

What do the cameras look like?

SLIDE 12

HiSilicon HI3518 CPU

SLIDE 13

Which ports are listening

SLIDE 14

What does the camera look like?

Listening ports:
23: Telnet
80: HTTP
554: RTSP
9527: some weird shell with no authentication
8899: some other web interface

SLIDE 15

SLIDE 16

SLIDE 17

SLIDE 18

0f539bd5d3ab8a

SLIDE 19

0f539bd5d3ab8a

SLIDE 20

0f539bd5d3ab8a

SLIDE 21

0f539bd5d3ab8a

SLIDE 22

Camera/Phone firewalled

AWS: 54.163.237.146 (ec2-54-163-237-146.compute-1.amazonaws.com)

SLIDE 23

SLIDE 24

Configure firewall

Use a Raspberry Pi-class device as a NAT/firewall to create an isolated subnet

http://blog.erratasec.com/2016/10/configuring-raspberry-pi-as-router.html

SLIDE 25

98 seconds to infection!

SLIDE 26

Infection process

SLIDE 27

The ECCHI trick

The bot appends "/bin/busybox ECCHI" to each command it sends
ECCHI is not a BusyBox applet, so it always generates an error message
That error is how the bot recognizes that the command's output is done
Different devices have different command prompts, so parsing the output for a prompt would be much harder

SLIDE 28

What is busybox?

The most common shell on IoT devices: one binary that provides the shell and most of the standard Unix utilities as "applets"

SLIDE 29

Find out CPU: x86, ARM, MIPS, PowerPC
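The ECCHI marker (slide 27) and the CPU check (slide 29) as one added example, written here in Python; it is not code from the talk or from the Mirai source. The marker string and the practice of reading the ELF header of /bin/echo over the telnet session are what the Mirai loader really does; the device class, its prompt, its file contents and the ELF headers are constructed for the example, and command echo is not simulated.

```python
import struct

# Mirai appends "/bin/busybox ECCHI" to each command. ECCHI is not an applet,
# so BusyBox answers "ECCHI: applet not found", and that line marks the end of
# the previous command's output regardless of what the device's prompt looks like.
MARKER = "ECCHI"
MARKER_CMD = "/bin/busybox " + MARKER
MARKER_REPLY = (MARKER + ": applet not found").encode()

# e_machine values from the ELF specification for the CPU families the talk
# names, plus a few others that IoT loaders commonly carry builds for.
ELF_MACHINES = {
    0x03: "x86", 0x3E: "x86-64", 0x08: "MIPS", 0x14: "PowerPC",
    0x28: "ARM", 0xB7: "ARM64", 0x2A: "SuperH", 0x02: "SPARC",
}


class FakeBusyboxDevice:
    """Constructed stand-in for a telnet session on a BusyBox device.

    Understands 'cat <path>' and '/bin/busybox <applet> ...', answers unknown
    applets the way BusyBox does, and ends every reply with a deliberately odd
    prompt to show that the loader never needs to recognise it.
    """
    PROMPT = b"\r\n[HiSilicon ~]# "        # constructed prompt

    def __init__(self, files):
        self.files = files                  # path -> file contents (bytes)

    def send(self, line):
        out = b""
        for cmd in line.split(";"):
            argv = cmd.split()
            if not argv:
                continue
            if argv[0] == "/bin/busybox":
                argv = argv[1:]
                if not argv or argv[0] not in ("cat", "echo"):
                    name = argv[0] if argv else "busybox"
                    out += (name + ": applet not found\r\n").encode()
                    continue
            if argv[0] == "cat":
                out += self.files.get(argv[1], b"cat: can't open '"
                                      + argv[1].encode()
                                      + b"': No such file or directory\r\n")
            elif argv[0] == "echo":
                out += (" ".join(argv[1:]) + "\r\n").encode()
        return out + self.PROMPT


def run_command(device, cmd):
    """Run cmd on the device; return its output, delimited by the marker error."""
    reply = device.send(cmd + "; " + MARKER_CMD)
    end = reply.find(MARKER_REPLY)
    if end < 0:
        raise RuntimeError("no marker reply: not a BusyBox shell, or still busy")
    return reply[:end]


def detect_arch(elf_header):
    """Return (cpu, bits, endianness) from the first bytes of an ELF file."""
    if len(elf_header) < 20 or elf_header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    bits = 32 if elf_header[4] == 1 else 64               # EI_CLASS
    endian = "little" if elf_header[5] == 1 else "big"    # EI_DATA
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, elf_header, 18)  # e_machine at offset 18
    return ELF_MACHINES.get(e_machine, "unknown(0x%02x)" % e_machine), bits, endian


def make_elf_header(ei_class, ei_data, e_machine):
    """Constructed 52-byte ELF header; only the fields detect_arch reads are meaningful."""
    fmt = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\0" * 9
    return e_ident + struct.pack(fmt + "HHI", 2, e_machine, 1) + b"\0" * 28


def fingerprint(device):
    """The loader's 'find out CPU' step: read /bin/echo and parse its ELF header."""
    return detect_arch(run_command(device, "/bin/busybox cat /bin/echo"))


if __name__ == "__main__":
    # A constructed camera with a 32-bit big-endian MIPS /bin/echo.
    camera = FakeBusyboxDevice({"/bin/echo": make_elf_header(1, 2, 0x08)})
    print(fingerprint(camera))
```

The loader never looks at the prompt: it only waits for the marker error, which is why the same code works against cameras, routers and printers that all print different prompts. A device that does not answer with "applet not found" is simply not BusyBox, and the loader moves on.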

SLIDE 30

Download bot

SLIDE 31

Download bot

SLIDE 32

Now run the bot

SLIDE 33

Kills Telnet

/bin/busybox telnetd -p 2323

SLIDE 34

Kills rival bots

SLIDE 35

Connect to command/control

SLIDE 36

SLIDE 37

List of possible attacks

SLIDE 38

Attack on Google Project Shield

130 million SYN per second
450 million HTTP queries per second
From 175,000 IP addresses
4 million ACK flood
GRE floods
UDP floods

https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/

SLIDE 39

Dyn DDoS

Classic "hit the root name servers" attack, except one layer down
UDP port 53 flood
~600 Gbps to ~1.2 Tbps
Amplified by failed DNS lookups: a resolver that gets no answer has nothing to cache, not even the failure, so every client lookup is retried upstream and adds to the flood

SLIDE 40

SLIDE 41

Dyn uses ‘anycast’

http://dyn.com/dns/network-map/

SLIDE 42

Atlanta -> North Virginia

SLIDE 43

Add own second DNS

SLIDE 44

Add Amazon DNS

SLIDE 45

Drop DYN

SLIDE 46

All eggs in one basket

SLIDE 47

BGP changes

https://stat.ripe.net/widget/bgplay#w.resource=208.78.70.16

SLIDE 48

Increase TTLs

SLIDE 49

Resolver caching

Resolvers cache responses
They drop a record after TTL seconds and fetch a new one
Change: if you can't get a new one, don't drop the record

SLIDE 50

Everybody's doing it

No persistence in the botnet
Many fight to take control of the devices
Many splintered botnets rather than one large botnet

SLIDE 51

Conclusion

The same attack won’t work again

SLIDE 52

https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

SLIDE 53

Complicated

Paras Jha, 20-year-old student
Minecraft server maintainer, then an anti-DDoS company
A way to drive customers away from other anti-DDoS companies
Complicated interactions with the underground

SLIDE 54

Source code

Amateurish, like that of 20-year-old students
Doesn't mean "stupid", just lacking the features of professional coders' work
Multiple coders
https://github.com/jgamblin/Mirai-Source-Code

SLIDE 55

Apply: How to protect yourself?

You probably don't have cameras
Vuln scanning for them on your network is probably pointless
You need a DNS strategy
You need a DDoS strategy
You need a UPnP strategy

SLIDE 56

DNS server strategy

Use redundant servers
One should be a server that can handle DDoS
Set longer TTLs

SLIDE 57

DNS client strategy

Set up your own resolver
Disable discarding stale records after TTL if there is no response
Make sure services can keep running if DNS fails

The DNS supply chain
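The resolver behaviour from slide 49 and the "keep stale records" and "longer TTLs" advice from slides 56 and 57, as an added example written here in Python; it is not code from the talk. The authoritative server, the name, the address, the one-second lookup rate and the outage window are all constructed for the simulation.

```python
class Upstream:
    """Constructed authoritative server (think: Dyn); 'up' is toggled to
    simulate the flood making it unreachable."""

    def __init__(self, zone):
        self.zone = zone          # name -> (address, ttl)
        self.up = True
        self.dropped = 0          # queries that timed out during the outage

    def query(self, name):
        if not self.up:
            self.dropped += 1
            return None           # timeout: nothing to cache, not even the failure
        return self.zone.get(name)


class Resolver:
    """Minimal recursive-resolver cache with an optional serve-stale policy."""

    def __init__(self, upstream, serve_stale=False, retries=3):
        self.upstream = upstream
        self.serve_stale = serve_stale
        self.retries = retries    # upstream attempts per client lookup when not fresh
        self.cache = {}           # name -> (address, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]                       # fresh: answered from cache
        # Stale or missing. With serve-stale we try once and fall back to the
        # old record; without it we keep retrying and finally fail the client.
        attempts = 1 if (hit and self.serve_stale) else self.retries
        for _ in range(attempts):
            answer = self.upstream.query(name)
            if answer is not None:
                address, ttl = answer
                self.cache[name] = (address, now + ttl)
                return address
        if hit and self.serve_stale:
            return hit[0]                       # expired, but better than SERVFAIL
        return None                             # SERVFAIL


def simulate(serve_stale, ttl, outage=(60, 300), duration=360):
    """One client looks up the same name once a second for `duration` seconds;
    the upstream is unreachable during `outage`. Returns how many lookups
    failed and how many queries the resolver fired into the outage."""
    name = "www.example.com"                    # constructed name and address
    upstream = Upstream({name: ("203.0.113.10", ttl)})
    resolver = Resolver(upstream, serve_stale=serve_stale)
    failed = 0
    for now in range(duration):
        upstream.up = not (outage[0] <= now < outage[1])
        if resolver.resolve(name, now) is None:
            failed += 1
    return {"failed_lookups": failed, "queries_during_outage": upstream.dropped}


if __name__ == "__main__":
    for label, stale, ttl in (("short TTL, drop stale", False, 30),
                              ("short TTL, serve stale", True, 30),
                              ("long TTL, drop stale", False, 3600)):
        print(label, simulate(stale, ttl))
```

Three runs show the three knobs the slides talk about: a 30-second TTL with the default policy fails every lookup for the whole outage and keeps retrying upstream, the same TTL with serve-stale answers every lookup and sends a third of the queries, and a one-hour TTL never has to ask at all. In real resolvers the serve-stale knob is `serve-expired: yes` in Unbound and `stale-answer-enable yes;` in BIND 9.12 and later; both also let you cap how long an expired record may be served.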

SLIDE 58

Apply: Policy question

For government policy makers crafting laws/regulations:
What can government do to ward off IoT botnets?

SLIDE 59

It's a complicated answer

Only 10.9% of the devices are in the United States
Unbranded grey market, where they ignore regulation anyway
IoT is behind the firewall; cameras are exposed
This was not an IoT botnet
Cameras need remote reset (aka. a backdoor)
Dyn fixed itself, without government help

SLIDE 60

An IoT threat model, part 1

No user interaction
Clicking on links/emails is how you infect your desktop/laptop
But not iPhones, mostly
Not IoT

No exposed ports
At least, as the norm
So no direct vulnerable services, OWASP, etc.

SLIDE 61

An IoT threat model, part 2

Cross Site Request Forgery
Clicking on links/emails

Cloud service
Phishing of username/password
Cloud provider gets owned
IoT autoupdate considered harmful

Local WiFi
UPnP etc. for inbound

SLIDE 62

An IoT threat model, part 3

Vendors demand inbound connection
Old IoT like medical devices, HVAC, etc.

IoT on non-private networks
Hospitals, bars, universities, etc.

IPv4 vs IPv6
IPv4 for IoT increasingly costly, moving to IPv6

SLIDE 63

Summary

Details on how Mirai works
Means knowing how cameras work

How to protect yourself from Mirai
Not Mirai itself, but the attacks it does
Fix your DNS

What is the future?
What's the threat model?
How can regulations help?