SLIDE 1

– Social Media Posting Allowed –

Twitter, Facebook, LinkedIn, other social media posts are welcomed in this session if you:

  • Only post comments made by the speakers or panelists
  • Do not post comments or questions from the audience (but you can share the speakers’ responses to questions)
  • Do not post the name, position or company of other meeting attendees
  • Do not post conversations with attendees
  • M3AAWG is not a deliverability conference; we are:
      • An industry working group meeting
      • An anti-abuse conference, or
      • A gathering of security experts
  • All of the M3AAWG Membership, Trademarks and Logo guidelines apply (https://www.m3aawg.org/members/how-promote-m3aawg#TrademarkGuidelines)
  • Appreciate a shout out to @maawg and #m3aawg42

M3AAWG 42nd General Meeting | San Francisco | February 2018

SLIDE 2

Understanding the Mirai Botnet ▪︎ Zane Ma

Manos Antonakakis✝, Tim April◆, Michael Bailey★, Matthew Bernhard‡, Elie Bursztein✱, Jaime Cochran△, Michalis Kallitsis●, Damian Menscher✱, Zakir Durumeric‡, Deepak Kumar★, Chad Seaman◆, J. Alex Halderman‡, Luca Invernizzi✱, Chaz Lever✝, Zane Ma★, Joshua Mason★, Nick Sullivan△, Kurt Thomas✱, Yi Zhou★

◆ Akamai Technologies, △ Cloudflare, ✝ Georgia Institute of Technology, ✱ Google, ● Merit Network, ★ University of Illinois Urbana-Champaign, ‡ University of Michigan

SLIDE 3

Internet of Things

  • 2016: 6 - 9 billion devices
  • 2020: ~30 billion devices

SLIDE 4

IoT Botnets

  • 2012: Carna Botnet, 420,000 devices
  • 2015: BASHLITE / gafgyt, 1,000,000 devices

SLIDE 5

Mirai

SLIDE 6

Lifecycle: Scan

[Figure: Mirai lifecycle. Devices (victim, bots) and infrastructure (report server, loader, command & control) on one side, attacker and DDoS target on the other; labelled arrows: Scan, Report, Dispatch, Load, Send command, Relay, Attack]

  • Fast, stateless port-scanning: SYN with TCP seq # = dest IP
  • Check for SYN-ACKs where TCP seq # = src IP + 1
  • Raw socket, requires root
  • If port open, brute force telnet login credentials

SLIDE 7

Lifecycle: Report

  • Reports successful IP:port, username:password
  • Report server aggregates results

SLIDE 8

Lifecycle: Dispatch

  • Asynchronous from scanning + reporting
  • Supports building up a potential “hit list”

SLIDE 9

Lifecycle: Load

  • Determines the device architecture and fetches the matching one of 9 architecture builds via wget/tftp
  • Defensive - kills competing Mirai, and any processes listening on HTTP/Telnet/SSH
  • Obfuscates process name and removes the executable - does not survive reboots

SLIDE 10

Lifecycle: Send command

  • Simple attack API - configurable duration, attack size (# bots), IP spoofing
  • Supports 10 attack types: volumetric / TCP / application

SLIDE 11

Lifecycle: Relay

  • C&C resolves domains, issues attacks on IPs

SLIDE 12

Lifecycle: Attack

  • Attacks do not interrupt scanning
  • Fingerprintable application-level packets
  • Configurable reflection / amplification attacks

SLIDE 13

Measurement

Data source: Network Telescope (4.7M unused IPs)
  • 0.1% of IPv4 address space
  • 1.1M packets / min
  • Look for Mirai fingerprint
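The telescope fingerprint the slides rely on (a SYN whose TCP sequence number equals the destination IP, slide 6) can be checked directly on captured packets. The following is an added example written for this page, not code from the talk or the paper; it assumes raw IPv4 packets without a link-layer header, and every sample packet and address is constructed.

```python
"""Detect the Mirai scanner fingerprint in raw IPv4/TCP packets.

Added example for this page; not code from the talk or the measurement
paper. Assumes packets arrive as raw IPv4 bytes (no link-layer header) and
applies the signature described on the slides: a Mirai SYN probe carries
TCP sequence number == destination IPv4 address. Sample traffic at the
bottom is constructed.
"""
import ipaddress
import struct
from collections import Counter

IPV4_HDR = struct.Struct("!BBHHHBBHII")   # 20 bytes, src/dst as unsigned ints
TCP_HDR = struct.Struct("!HHIIBBHHH")     # 20 bytes, options ignored
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Return a dict of header fields for an IPv4/TCP packet, or None."""
    if len(pkt) < IPV4_HDR.size:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(pkt)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(pkt) < ihl + TCP_HDR.size:
        return None
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = TCP_HDR.unpack_from(pkt, ihl)
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags}


def is_mirai_probe(pkt: bytes) -> bool:
    """True for a bare SYN whose sequence number equals the destination address."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return False
    bare_syn = (hdr["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return bare_syn and hdr["seq"] == hdr["dst"]


def summarize_probes(packets):
    """Count fingerprinted SYNs per destination port and list distinct sources.

    Distinct sources matter more than raw packet counts when bots sit behind
    churning IPs (slide 14), so they are returned alongside the port counts.
    """
    by_port = Counter()
    sources = set()
    other_syn = 0
    for pkt in packets:
        hdr = parse_ipv4_tcp(pkt)
        if hdr is None:
            continue
        if is_mirai_probe(pkt):
            by_port[hdr["dport"]] += 1
            sources.add(str(ipaddress.IPv4Address(hdr["src"])))
        elif hdr["flags"] & TCP_SYN and not hdr["flags"] & TCP_ACK:
            other_syn += 1
    return {"mirai_by_port": dict(by_port), "mirai_sources": sorted(sources),
            "other_syn": other_syn}


def build_packet(src: str, dst: str, dport: int, seq: int, flags: int = TCP_SYN) -> bytes:
    """Construct a minimal IPv4+TCP packet (checksums left zero; parsing only)."""
    src_i = int(ipaddress.IPv4Address(src))
    dst_i = int(ipaddress.IPv4Address(dst))
    tcp = TCP_HDR.pack(40000, dport, seq, 0, 5 << 4, flags, 5840, 0, 0)
    ip = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(tcp), 0, 0, 64, 6, 0, src_i, dst_i)
    return ip + tcp


def mirai_seq(dst: str) -> int:
    """Sequence number a fingerprinted probe to this destination would carry."""
    return int(ipaddress.IPv4Address(dst))


# Constructed sample traffic as seen by a telescope sensor in 203.0.113.0/24.
SAMPLE_PACKETS = [
    build_packet("198.51.100.7", "203.0.113.10", 23, mirai_seq("203.0.113.10")),
    build_packet("198.51.100.7", "203.0.113.11", 23, mirai_seq("203.0.113.11")),
    build_packet("192.0.2.44", "203.0.113.12", 2323, mirai_seq("203.0.113.12")),
    build_packet("192.0.2.99", "203.0.113.13", 23, 0x1A2B3C4D),          # ordinary SYN
    build_packet("192.0.2.5", "203.0.113.14", 23, mirai_seq("203.0.113.14"),
                 TCP_SYN | TCP_ACK),                                     # SYN-ACK, not a probe
    b"\x45\x00\x00\x14",                                                  # truncated packet
]

if __name__ == "__main__":
    print(summarize_probes(SAMPLE_PACKETS))
```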
SLIDE 14

Measurement

Data source: Network Telescope (continued)
  • Handling IP churn: look for active concurrent scans

SLIDE 15

Measurement

Data source: Active Scanning (136 IPv4 scans)
  • Application protocol banners (telnet, FTP, HTTP, etc.)
  • Device attribution: Nmap service probes, manual labeling

SLIDE 16

Measurement

Data source: Active Scanning (continued)
  • Future work: individual device fingerprinting

SLIDE 17

Measurement

Data source: Telnet Honeypots (434 binaries)
  • Busybox shell that accepts any telnet login credentials
  • Used collected binaries to generate YARA rules

SLIDE 18

Measurement

Data source: Malware Repository (594 binaries)
  • Found VirusTotal binaries matching the YARA rules

SLIDE 19

Measurement

Data source: Active/Passive DNS (499M daily RRs)
  • Active = Thales DNS monitoring system, using zone files and domain lists
  • Passive = resource records from a large US ISP

SLIDE 20

Measurement

Data source: C2 Milkers (64K issued attacks)
  • C&C doesn’t authenticate / validate connecting bots

SLIDE 21

Measurement

Data source: Krebs DDoS Attack (170K attacker IPs)

SLIDE 22

Measurement

Data source: Dyn DDoS Attack (108K attacker IPs)

SLIDE 23

Measurement

Study period: July 2016 - February 2017

Data Source            Size
Network Telescope      4.7M unused IPs
Active Scanning        136 IPv4 scans
Telnet Honeypots       434 binaries
Malware Repository     594 binaries
Active/Passive DNS     499M daily RRs
C2 Milkers             64K issued attacks
Krebs DDoS Attack      170K attacker IPs
Dyn DDoS Attack        108K attacker IPs

SLIDE 24

Roadmap

  1. Growth & Composition
  2. Ownership & Evolution
  3. Attacks
  4. Post-Mirai
  5. Lessons Learned
SLIDE 25

Population

[Figure: total Mirai scans seen by the network telescope, 08/01/16 to 02/01/17; y axis: # network telescope scans, 100,000 to 700,000]

SLIDE 26

Population

[Figure: Mirai TCP/23 scans vs non-Mirai TCP/23 scans seen by the network telescope, 08/01 00:00 to 08/03 18:00 in six-hour steps; y axis: # network telescope scans, 40,000 to 140,000]

SLIDE 27

Population

[Figure: Mirai vs non-Mirai TCP/23 scans, 08/01 to 08/03, annotated]

1:42 AM - single scanner

SLIDE 28

Population

[Figure: Mirai vs non-Mirai TCP/23 scans, 08/01 to 08/03, annotated]

3:59 AM - botnet expands

SLIDE 29

Population

[Figure: Mirai vs non-Mirai TCP/23 scans, 08/01 to 08/03, annotated]

23:59 - 64,500 bots

SLIDE 30

Population

[Figure: total Mirai scans seen by the network telescope, 08/01/16 to 02/01/17]

SLIDE 31

Population

[Figure: Mirai scans by port, 08/01/16 to 02/01/17: TCP/23 and TCP/2323]

“IoT Telnet”: TCP/2323

SLIDE 32

Population

[Figure: Mirai scans by port, 08/01/16 to 02/01/17: TCP/7547 added]

CWMP TCP/7547: 600K peak

SLIDE 33

Population

[Figure: Mirai scans by port, 08/01/16 to 02/01/17: TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80]

9 additional protocols

SLIDE 34

Population

[Figure: Mirai scans by port, 08/01/16 to 02/01/17: TCP/23, TCP/2323, TCP/7547, TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80]

Steady state

SLIDE 35

Geography

[Figure: infection maps, Mirai compared with TDSS/TDL4]

  • Mirai: South America + Southeast Asia = 50% of infections
  • TDSS/TDL4: North America + Europe = 94% of infections

SLIDE 36

Composition

[Figure: targeted default passwords]

SLIDE 37

Composition

[Figure: infected devices]

SLIDE 38

Composition

[Figure: infected devices (continued)]

SLIDE 39

Roadmap

  1. Growth & Composition
  2. Ownership & Evolution
  3. Attacks
  4. Post-Mirai
  5. Lessons Learned
SLIDE 40

Ownership


[Figure: C2 domains grouped into clusters (Cluster 0, 1, 2, 6, 7, 23); domain names omitted]

  • Extract C2 domains from binaries
  • Find coinciding C2s through active and passive DNS data

[Figure: daily C2 DNS lookups per cluster, 09/01/16 to 01/01/17; y axis 10,000 to 70,000; cluster IDs 1, 2, 4, 5, 6, 7, 11, 13, 15, 24]
SLIDE 41

Ownership


[Figure: C2 domain clusters and daily C2 DNS lookups per cluster, as on slide 40]

Cluster   Notes
1         Original botnet, attacked Krebs, OVH
2         Scans CWMP, adds DGA
6         Attacked Dyn, gaming related sites
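One way to carry out the two ownership steps above (extract C2 domains from binaries, then find coinciding C2s in DNS data) and to produce the per-cluster daily lookup series shown in the plot is sketched below. This is an added example, not the authors' clustering code; treating two C2 domains as coinciding when they resolved to the same IP is an assumption made here, and every domain, IP, date and count is a constructed placeholder.

```python
"""Group C2 domains into infrastructure clusters via shared DNS resolutions.

Added example for this page; not the authors' clustering code. Assumption
made here: two domains extracted from binaries belong to the same cluster
when they resolved to the same IP in active or passive DNS (transitively).
Daily lookup volume is then totalled per cluster, the series the slide
plots. All domains, IPs, dates and counts are constructed placeholders.
"""
from collections import defaultdict


class DisjointSet:
    """Union-find over domain names."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_c2_domains(c2_domains, dns_records):
    """Return {domain: cluster_id}; ids are 1-based in sorted-domain order.

    dns_records: iterable of (domain, resolved_ip, day, lookup_count).
    Only domains on the binary-derived list are linked, so unrelated sites
    on shared hosting cannot pull a C2 into a cluster.
    """
    c2 = set(c2_domains)
    ds = DisjointSet(c2)
    by_ip = defaultdict(set)
    for domain, ip, _day, _count in dns_records:
        if domain in c2:
            by_ip[ip].add(domain)
    for domains in by_ip.values():
        anchor = min(domains)
        for d in domains:
            ds.union(anchor, d)
    ids, labels = {}, {}
    for d in sorted(c2):
        root = ds.find(d)
        if root not in ids:
            ids[root] = len(ids) + 1
        labels[d] = ids[root]
    return labels


def daily_lookups_by_cluster(labels, dns_records):
    """Aggregate lookup counts to {day: {cluster_id: total}} for plotting."""
    series = defaultdict(lambda: defaultdict(int))
    for domain, _ip, day, count in dns_records:
        if domain in labels:
            series[day][labels[domain]] += count
    return {day: dict(v) for day, v in sorted(series.items())}


# Constructed sample data: documentation-range IPs, placeholder domains.
C2_DOMAINS = ["c2-alpha.example", "c2-beta.example", "c2-gamma.example",
              "c2-delta.example", "c2-epsilon.example"]
DNS_RECORDS = [
    ("c2-alpha.example", "192.0.2.10", "2016-09-20", 4000),
    ("c2-beta.example", "192.0.2.10", "2016-09-20", 1500),     # shares IP with alpha
    ("c2-beta.example", "192.0.2.11", "2016-09-21", 2200),
    ("c2-gamma.example", "192.0.2.11", "2016-09-21", 900),     # joins alpha via beta
    ("c2-delta.example", "198.51.100.5", "2016-09-20", 700),
    ("c2-epsilon.example", "198.51.100.9", "2016-09-21", 300), # never overlaps
    ("unrelated.example", "192.0.2.10", "2016-09-20", 50),     # not a C2, ignored
]

if __name__ == "__main__":
    labels = cluster_c2_domains(C2_DOMAINS, DNS_RECORDS)
    print(labels)
    print(daily_lookups_by_cluster(labels, DNS_RECORDS))
```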

SLIDE 42

Evolution

  • Source code release
  • 48 unique password dictionaries

SLIDE 43

Evolution

  • DGA
  • Packing
  • New protocols

SLIDE 44

Roadmap

  1. Growth & Composition
  2. Ownership & Evolution
  3. Attacks
  4. Post-Mirai
  5. Lessons Learned
SLIDE 45

Attacks

Attack      Count   %      Class
HTTP        2,736   18.0%  Application
UDP-PLAIN   2,542   16.7%  Volumetric
UDP         2,440   16.1%  Volumetric
ACK         2,173   14.3%  TCP State
SYN         1,935   12.7%  TCP State
GRE-IP        994    6.5%  Application
ACK-STOMP     830    5.5%  TCP State
VSE           809    5.3%  Application
DNS           417    2.7%  Application
GRE-ETH       318    2.1%  Application

  • Broad distribution across attack types, compared to the Arbor report (65% volumetric, 18% TCP state, 18% application)
  • VSE = Valve Source Engine, popular game server
  • Little reflection/amplification: 2.8% reflection attacks, compared to 74% for booters

SLIDES 46 to 50

Attacks

[Figures only; not recoverable from the extraction]

SLIDE 51

Dyn Attack

“It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by “hacktivists.” Or a foreign power that wanted to remind the United States of its vulnerability.”

SLIDE 52

Dyn Attack

Targeted IP       rDNS                      Passive DNS
208.78.70.5       ns1.p05.dynect.net        ns00.playstation.net
204.13.250.5      ns2.p05.dynect.net        ns01.playstation.net
208.78.71.5       ns3.p05.dynect.net        ns02.playstation.net
204.13.251.5      ns4.p05.dynect.net        ns03.playstation.net
198.107.156.219   service.playstation.net   ns05.playstation.net
216.115.91.57     service.playstation.net   ns06.playstation.net

  • Top targets are linked to Sony PlayStation
  • Attacks on Dyn interspersed among attacks on other game services

SLIDE 53

Roadmap

  1. Growth & Composition
  2. Ownership & Evolution
  3. Attacks
  4. Post-Mirai
  5. Lessons Learned

SLIDE 54

Post-Mirai

  1. “Reaper” - vendor specific RCEs, 10-20K infections [1]
      • Integrated Lua execution environment, 100+ DNS open resolvers
  2. “Satori” - Huawei HG532 routers vulnerable to SOAP exploits [2]
      • 100K infections
  3. “Okiru” - ARC processors [3]
  4. “Masuta” - Home Network Administration Protocol [4]

[1] https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/
[2] https://arstechnica.com/information-technology/2017/12/100000-strong-botnet-built-on-router-0-day-could-strike-at-any-time/
[3] http://securityaffairs.co/wordpress/67742/malware/mirai-okiru-botnet.html
[4] https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/

SLIDE 55

Roadmap

  1. Growth & Composition
  2. Ownership & Evolution
  3. Attacks
  4. Post-Mirai
  5. Lessons Learned

SLIDE 56

New Dog, Old Tricks

  1. Security Hardening
  2. Automatic Updates
  3. Device Attribution
  4. Defragmentation
  5. End-of-life

1. Security Hardening
  • Enforce strong passwords
  • Default open → default closed ports
  • Limit network access
  • ASLR, isolation boundaries, least privilege

SLIDE 57

New Dog, Old Tricks: 2. Automatic Updates

  • Established practice in desktop and mobile OSes
  • Requires cryptographic capabilities and infrastructure
  • Active policing: bug bounties have proven to be effective
  • Deutsche Telekom case study is encouraging

SLIDE 58

New Dog, Old Tricks: 3. Device Attribution

  • Required for attack diagnosis, notification, and response
  • Need a standardized mechanism for identifying model/firmware
  • Perhaps MAC address encoding?
SLIDE 59

New Dog, Old Tricks: 4. Defragmentation

  • Found many implementations of different protocols: FTP/HTTP/telnet
  • New implementations yield old bugs
  • Some convergence towards Android Things, RIOT OS, Tock, Windows for IoT

SLIDE 60

New Dog, Old Tricks: 5. End-of-life

  • Huge volume of IoT devices / manufacturers
  • What happens when companies dissolve? Or devices become outdated?
SLIDE 61

Aftermath

  • Arrest of perpetrators
      • Mirai authors / Deutsche Telekom attackers / vDOS “attack for hire” company

SLIDE 62

Aftermath (continued)

  • Limited actions regarding manufacturers
      • FTC complaint against D-Link
SLIDE 63

Aftermath (continued)

  • Need to facilitate / incentivize white hats
      • Internet of Things (IoT) Cybersecurity Improvement Act of 2017
      • Bounty programs
SLIDE 64

Understanding the Mirai Botnet

  1. Growth & Composition
  2. Ownership & Evolution
  3. Attacks
  4. Post-Mirai
  5. Lessons Learned
  6. Questions? zanema2@illinois.edu