Understanding the Mirai Botnet (PowerPoint PPT Presentation)

SLIDE 1

Understanding the Mirai Botnet ▪︎ Zane Ma

Understanding the Mirai Botnet


Manos Antonakakis✝, Tim April◆, Michael Bailey★, Matthew Bernhard‡, Elie Bursztein✱ Jaime Cochran△, Michalis Kallitsis●, Damian Menscher✱, Zakir Durumeric‡ Deepak Kumar★, Chad Seaman◆, J. Alex Halderman‡, Luca Invernizzi✱, Chaz Lever✝ Zane Ma★, Joshua Mason★, Nick Sullivan△, Kurt Thomas✱, Yi Zhou★

◆Akamai Technologies, △Cloudflare, ✝Georgia Institute of Technology, ✱Google, ●Merit Network ★University of Illinois Urbana-Champaign, ‡University of Michigan

SLIDE 2

Internet of Things

  • 2016: 6 to 9 billion
  • 2020: ~30 billion

SLIDE 3

IoT Botnets

  • 2012: Carna Botnet, 420,000 devices
  • 2015: BASHLITE / gafgyt, 1,000,000 devices

SLIDE 4

Mirai

SLIDE 5

[Diagram: Mirai operation. Infrastructure: Command & Control, Loader, Report Server. Devices: Attacker, Bots, Victim, DDoS Target. Labelled flows: the attacker sends commands to the C2, which relays them to the bots; bots scan for victims and report them to the report server, which dispatches the loader to load the malware onto the victim; bots attack the DDoS target.]

Measurement

July 2016 - February 2017

Data Source          Size
Network Telescope    4.7M unused IPs
Active Scanning      136 IPv4 scans
Telnet Honeypots     434 binaries
Malware Repository   594 binaries
Active/Passive DNS   499M daily RRs
C2 Milkers           64K issued attacks
Krebs DDoS Attack    170K attacker IPs
Dyn DDoS Attack      108K attacker IPs

SLIDE 6

Roadmap

  • 1. Growth & Composition
  • 2. Ownership & Evolution
  • 3. Attacks
  • 4. Lessons Learned


SLIDE 7

Population

[Chart: Total Mirai scans seen by the network telescope, 08/01/16 to 02/01/17; y-axis: number of network telescope scans, 100,000 to 700,000.]

SLIDE 8

Population

[Chart: Total Mirai scans seen by the network telescope, 08/01/16 to 02/01/17, as on slide 7.]

[Chart: Mirai TCP/23 scans vs. non-Mirai TCP/23 scans, 08/01 00:00 to 08/03 18:00 (2016); y-axis: number of network telescope scans, 40,000 to 140,000. Annotations: 1:42 AM single scanner; 3:59 AM botnet expands; 23:59 64,500 scanners.]
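How a "Mirai scans" line and the bootstrap timeline on this slide can be produced from raw telescope records, as an added example that is not code from the paper or the slides. It assumes the Mirai scanner fingerprint reported in the paper and visible in the released Mirai source: a TCP SYN whose 32-bit sequence number equals the destination IPv4 address, sent to TCP/23 or TCP/2323 (the port set is a parameter so the later ports from slides 10 and 11 can be added). The records are constructed sample data, not telescope data from the study.

```python
"""Classify network-telescope TCP SYN records as Mirai-like and track the
scanner population per time bucket (added example; assumes the seq == dst-IP
fingerprint described in the lead-in; all records below are constructed)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

MIRAI_PORTS = frozenset({23, 2323})


@dataclass(frozen=True)
class SynRecord:
    ts: int      # packet arrival time, Unix seconds
    src: str     # source IPv4 address (the scanning host)
    dst: str     # destination IPv4 address (a telescope address)
    dport: int   # destination TCP port
    seq: int     # raw 32-bit TCP sequence number


def is_mirai_probe(rec: SynRecord, ports=MIRAI_PORTS) -> bool:
    """Mirai's stateless scanner writes the destination IP into the TCP
    sequence number so it can validate SYN-ACKs without keeping state;
    that equality on a scanned port is the fingerprint used here."""
    return rec.dport in ports and rec.seq == int(ipaddress.IPv4Address(rec.dst))


def population(records, bucket_seconds=3600, ports=MIRAI_PORTS):
    """Return {bucket_start: {"mirai": n, "other": m}}: n distinct Mirai-like
    sources and m distinct other sources probing the same ports per bucket
    (the two lines on slide 8)."""
    mirai, other = defaultdict(set), defaultdict(set)
    for rec in records:
        if rec.dport not in ports:
            continue
        bucket = rec.ts - rec.ts % bucket_seconds
        (mirai if is_mirai_probe(rec, ports) else other)[bucket].add(rec.src)
    return {b: {"mirai": len(mirai[b]), "other": len(other[b])}
            for b in sorted(set(mirai) | set(other))}


def expansion_points(pop, factor=4):
    """Bucket starts where the Mirai scanner count grew by at least `factor`
    over the previous non-empty bucket: the kind of jump annotated as
    'botnet expands' on slide 8."""
    out, prev = [], None
    for bucket, counts in sorted(pop.items()):
        n = counts["mirai"]
        if prev and n >= factor * prev:
            out.append(bucket)
        if n:
            prev = n
    return out


T0 = 1470009600  # 2016-08-01 00:00 UTC, constructed observation start


def build_sample():
    """Constructed records: one Mirai scanner in hour 1 next to an unrelated
    telnet scanner, eight Mirai scanners in hour 3, and a probe on TCP/80
    that must be ignored because the port is not in the scanned set."""
    def probe(ts, src, dst, dport=23, mirai=True):
        seq = int(ipaddress.IPv4Address(dst)) if mirai else 0x1234ABCD
        return SynRecord(ts, src, dst, dport, seq)

    recs = [probe(T0 + 3600 + 120, "198.51.100.7", "203.0.113.10"),
            probe(T0 + 3600 + 300, "198.51.100.8", "203.0.113.11", mirai=False)]
    for i in range(8):
        recs.append(probe(T0 + 3 * 3600 + 60 * i,
                          f"192.0.2.{i + 1}", f"203.0.113.{20 + i}"))
    recs.append(probe(T0 + 3 * 3600, "192.0.2.200", "203.0.113.50", dport=80))
    return recs


if __name__ == "__main__":
    pop = population(build_sample())
    for bucket, counts in pop.items():
        print(bucket, counts)
    print("expansion at:", expansion_points(pop))
```

Counting distinct source IPs per bucket rather than packets is what makes the series a population estimate; a single fast scanner would otherwise look like many bots. The fingerprint only marks probes from scanners that keep Mirai's sequence-number trick, so variants that changed the scanner would land on the "other" line.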

SLIDE 9

Population

[Chart: Total Mirai scans, 08/01/16 to 02/01/17, broken out by TCP/23 and TCP/2323.]

TCP/2323 ("IoT Telnet")

SLIDE 10

Population

[Chart: Total Mirai scans, 08/01/16 to 02/01/17, with TCP/7547 broken out.]

CWMP, TCP/7547: 600K peak

SLIDE 11

Population

[Chart: Total Mirai scans, 08/01/16 to 02/01/17, broken out by TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80.]

9 additional protocols

SLIDE 12

Population

[Chart: Total Mirai scans, 08/01/16 to 02/01/17, broken out by all scanned ports: TCP/23, TCP/2323, TCP/7547, TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80.]

Steady state

SLIDE 13

Geography

[Maps: infection locations for Mirai and for TDSS/TDL4.]

  • Mirai: South America + Southeast Asia = 50% of infections
  • TDSS/TDL4: North America + Europe = 94% of infections

SLIDE 14

Composition

Targeted Default Passwords

SLIDE 15

Composition

Infected Devices

SLIDE 16

Roadmap

  • 1. Growth & Composition
  • 2. Ownership & Evolution
  • 3. Attacks
  • 4. Lessons Learned


SLIDE 17

Ownership

  • Extract C2 domains from binaries
  • Find coinciding C2s through active and passive DNS data

[Figure: extracted C2 domains drawn as per-cluster word clouds; cluster labels visible: Cluster 0, Cluster 1, Cluster 2, Cluster 6, Cluster 7, Cluster 23. Which domain belongs to which cluster is not recoverable from the extraction. Domains shown:]

dmim.ir bklan.ru angoshtarkhatam.ir youporn.wf dibamovie.biz dibamovie.site ip-51-255-103.eu xex-pass.com diamondhax.com piratetorrents.net anabolika.bz elektro-engel.de strongconnection.cc moreoverus.com namlimxanh.net.vn kleverfood.vn tamthat.com amgauto.vn ngot.net dacsanthitchua.com herokids.vn santasbigcandycane.cx irisstudio.vn joomlavision.com alexander-block.ru lr-top.ru infonta.ru avtotyn.ru sert-cgb.ru igm-shop.ru sinniki-tatu.ru food-syst.ru taylor-lautner.ru upfarm.ru dardiwaterjet.ru general-city.ru titata.ru video-girle.ru hotelkhiva.ru firstclaz-shop.ru pornopokrovitel.ru sl22.ru childrens-health.ru poliklinikasp.ru videostrannik.ru domisto.ru pavelsigal.ru russianpotatoes.ru wwrf.ru sims-4.ru daf-razbor.ru tomlive.ru stt-spb.ru mp3impulse.ru securityupdates.us kia-moskva.ru kiditema.ru avtoatelie-at.ru dom-italia39.ru shokwave.ru vkladpodprocenti.ru 5153030.ru hyrokumata.com polycracks.com absentvodka.com mufoscam.org analianus.com rutrax.ru voxility.org voxility.com voxility.ro voxility.net voxility.mobi investor-review.com xf0.pw gramtu.pl q5f2k0evy7go2rax9m4g.ru bebux.net ip-149-202-144.eu 69speak.eu apkmarket.mobi steamcoin24.ru keycoins.ru keygolds.ru skincoin.ru walletzone.ru playerstore.ru skinplat.ru skincoin24.ru keyzet.ru muplay.ru tradewallet24.ru gamewallet.ru keydealer.ru steamon.ru gowars.ru boatnetswootnet.xyz tradewallet.ru teamcoin.ru gameshoper.ru gamegolds.ru sillycatmouth.us kernelorg.download disabled.racing lateto.work ccurelay.net dopegame.su sipa.be bitcoinstats.com bluematt.me bitnodes.io elyricsworld.com emp3world.com boost-factory.com infoyarsk.ru aodxhb.ru qlrzb.ru zogrm.ru zosjoupf.ru txocxs.ru nrzkobn.ru mehinso.ru fastgg.net alexandramoore.co.uk infobusiness-eto-prosto.ru timeserver.host party-bar66.ru aaliya.ru jealousyworld.ru sony-s.ru agrohim33.ru wapud.ru kinosibay.ru gam-mon.ru svoibuhgalter.ru udalenievmiatin.ru kopernick.ru 5d-xsite-cinema.ru bocciatime.ru kvartplata1.ru receptprigotovlenia.ru kunathemes.com chiviti.com intervideo.top intervideo.online smsall.pk dyndn-web.com checkforupdates.online myfootbalgamestoday.xyz srrys.pw tr069.online novotele.online soplya.com tr069.support kciap.pw kedbuffigfjs.online mziep.pw binpt.pw jgop.org xpknpxmywqsrhe.online zugzwang.me nuvomarine.com gettwrrnty.us rippr.club netwxrk.org servdiscount-customer.com layerjet.com proht.us middlechildink.com zeldalife.com playkenogamesonline.com brendasaviationplans.xyz thcrcz.top stbenedictschoolbx.org hexacooperation.com e3ybt.top grotekleinekerkstraat.nl critical-damage.org zvezdogram.com 3200138.com ipeb.biz blockquadrat.de my2016mobileapplications.tech nerafashion.com centurystyleantiques.com madlamhockeyleague.com realsaunasuit.com cloudtechaz.net dumpsterrentalwestpalmbeachfl.... k6666.net happy-hack.ru germanfernandez.cl kcgraphics.co.uk thqaf.com addsow.top semazen.com.tr doki.co kentalmanis.info rencontreadopoursitedetours.xyz nextorrent.net 2ws.com.br geroncioribeiro.com gideonneto.com drogamedic.com.br pontobreventos.com.br expertscompany.com woodpallet.com.br pontobreventos.com acessando.com.br 2world.com.br escolavitoria.com.br controluz.com.br sistematitanium.com bigdealsfinder.online megadealsdiscounter.online superpriceshopper.online bestpricecastle.online bestsavingfinder.online starpricediscounted.online greatdealninja.online megadealsfinder.online topdealdiscounted.online superpriceshopping.online eduk-central.net hightechcrime.club cheapkittensspecial.win yellowpuppyspecial.pw cheapestdogspecial.pw 33catspecials.pw finddogdeal.win yellowcatdeal.win cheapestdoggyspecial.pw findcatspecial.win 33puppiesspecials.win yellowpetsspecials.pw greendoggyspecial.pw 33catsdeal.pw cheapestdogspecials.win 33kittensspecials.pw bluepuppiesdeals.pw greenbirdsspecials.win greenkittensdeal.pw bluepuppyspecial.pw findbirdsspecials.pw nfoservers.com icmp.online xn----7sbhguokj.xn--p1ai transfer.club admin-vk.ru favy.club xn--b1acdqjrfck3b7e.xn--p1ai xn--80aac5cct.xn--80aswg ta-bao.com dopegame.ru dolgoprud.top calhost.host alcvid.com usquadrant.com protopal.club tr069.pw 6969max.com serverhost.name as62454.net spevat.net mwcluster.com edhelppro.bid secure-limited-accounts.com mediaforetak.com lottobooker.ru postrader.eu robositer.com postrader.it siterhunter.com postrader.org secure-payment.online secure-support.services ssldomainerrordisp2003.com clearsignal.com ip-151-80-27.eu avac.io ip-137-74-49.eu

[Chart: Daily C2 DNS lookups, 09/01/16 to 01/01/17; y-axis 10,000 to 70,000; one line per cluster ID: 1, 2, 4, 5, 6, 7, 11, 13, 15, 24.]

SLIDE 18

Ownership

[Same C2 domain cluster figure and daily C2 DNS lookup chart as slide 17.]

Cluster   Notes
1         Original botnet; attacked Krebs, OVH
2         Scans CWMP; adds DGA
6         Attacked Dyn, gaming-related sites
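The clustering step behind slides 17 and 18 (extract C2 domains from binaries, then join domains that coincide in active/passive DNS, and plot lookups per cluster), as an added example that is not the paper's code. It assumes each binary yields the C2 domain(s) hard-coded in it, that DNS data arrives as (domain, resolved IP, day) observations, and that two domains share a cluster when the same binary names both or when both resolved to the same IP on the same day; IPs known to be shared hosting are excluded from the second rule so unrelated tenants are not merged. Every domain, IP and count below is a constructed placeholder, not a value from the study.

```python
"""Group C2 domains into infrastructure clusters via union-find over
same-binary and same-IP-same-day relations, then total DNS lookups per
cluster per day (added example; all inputs are constructed placeholders)."""
from collections import defaultdict


class UnionFind:
    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_c2(binaries, dns_obs, shared_hosting_ips=frozenset()):
    """binaries: {binary_id: set of C2 domains}; dns_obs: iterable of
    (domain, ip, day). Returns clusters as sorted lists, ordered by their
    smallest domain so the output is deterministic."""
    domains = set().union(*binaries.values()) if binaries else set()
    uf = UnionFind(domains)
    for doms in binaries.values():            # rule 1: named by one binary
        doms = sorted(doms)
        for d in doms[1:]:
            uf.union(doms[0], d)
    by_ip_day = defaultdict(list)
    for dom, ip, day in dns_obs:              # rule 2: same IP on the same day
        if dom in domains and ip not in shared_hosting_ips:
            by_ip_day[(ip, day)].append(dom)
    for doms in by_ip_day.values():
        for d in doms[1:]:
            uf.union(doms[0], d)
    groups = defaultdict(set)
    for d in domains:
        groups[uf.find(d)].add(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def daily_lookups(clusters, lookups):
    """lookups: iterable of (domain, day, query_count). Returns
    {cluster_index: {day: total queries}}, the series plotted as
    'Daily C2 DNS Lookups' per cluster on the slide."""
    index = {d: i for i, g in enumerate(clusters) for d in g}
    out = defaultdict(lambda: defaultdict(int))
    for dom, day, n in lookups:
        if dom in index:
            out[index[dom]][day] += n
    return {i: dict(days) for i, days in out.items()}


# Constructed sample inputs (placeholders, not the study's data).
BINARIES = {
    "bin-1": {"c2-a.example", "c2-b.example"},
    "bin-2": {"c2-c.example"},
    "bin-3": {"c2-d.example"},
    "bin-4": {"c2-e.example"},
}
DNS_OBS = [
    ("c2-b.example", "192.0.2.10", "2016-09-01"),
    ("c2-c.example", "192.0.2.10", "2016-09-01"),    # joins a/b with c
    ("c2-d.example", "198.51.100.5", "2016-09-01"),
    ("c2-e.example", "198.51.100.5", "2016-09-02"),  # same IP, other day: no join
    ("c2-d.example", "203.0.113.9", "2016-09-02"),
    ("c2-e.example", "203.0.113.9", "2016-09-02"),   # shared-hosting IP: no join
]
SHARED_HOSTING = frozenset({"203.0.113.9"})
LOOKUPS = [
    ("c2-a.example", "2016-09-01", 1200),
    ("c2-c.example", "2016-09-01", 800),
    ("c2-d.example", "2016-09-01", 50),
    ("c2-e.example", "2016-09-02", 75),
]

if __name__ == "__main__":
    clusters = cluster_c2(BINARIES, DNS_OBS, SHARED_HOSTING)
    for i, g in enumerate(clusters):
        print(i, g)
    print(daily_lookups(clusters, LOOKUPS))
```

The shared-hosting exclusion is the caveat that matters in practice: without it, two operators who rent space on the same provider on the same day collapse into one cluster, which is what the second assertion in the accompanying check demonstrates by running the same data with no exclusion list.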

SLIDE 19

Evolution

  • Source code release
  • 48 unique password dictionaries

SLIDE 20

Evolution

  • DGA
  • Packing
  • New protocols

SLIDE 21

Roadmap

  • 1. Growth & Composition
  • 2. Ownership & Evolution
  • 3. Attacks
  • 4. Lessons Learned


SLIDE 22

Attacks

Attack      Count   %      Class
HTTP        2,736   18.0%  Application
UDP-PLAIN   2,542   16.7%  Volumetric
UDP         2,440   16.1%  Volumetric
ACK         2,173   14.3%  TCP State
SYN         1,935   12.7%  TCP State
GRE-IP        994    6.5%  Application
ACK-STOMP     830    5.5%  TCP State
VSE           809    5.3%  Application
DNS           417    2.7%  Application
GRE-ETH       318    2.1%  Application

  • Broad distribution across attack types, compared to the Arbor report: 65% volumetric, 18% TCP state, 18% application
  • VSE = Valve Source Engine, a popular game server
  • Little reflection/amplification: 2.8% reflection attacks, compared to 74% for booters

SLIDE 23

Attacks

SLIDE 24

Dyn Attack

“It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by “hacktivists.” Or a foreign power that wanted to remind the United States of its vulnerability.”


SLIDE 25

Dyn Attack

Targeted IP       rDNS                     Passive DNS
208.78.70.5       ns1.p05.dynect.net       ns00.playstation.net
204.13.250.5      ns2.p05.dynect.net       ns01.playstation.net
208.78.71.5       ns3.p05.dynect.net       ns02.playstation.net
204.13.251.5      ns4.p05.dynect.net       ns03.playstation.net
198.107.156.219   service.playstation.net  ns05.playstation.net
216.115.91.57     service.playstation.net  ns06.playstation.net

  • Top targets are linked to Sony PlayStation
  • Attacks on Dyn interspersed among attacks on other game services


SLIDE 26

Roadmap

  • 1. Growth & Composition
  • 2. Ownership & Evolution
  • 3. Attacks
  • 4. Lessons Learned


SLIDE 27

New Dog, Old Tricks

  • 1. Security Hardening
  • 2. Automatic Updates
  • 3. Device Attribution
  • 4. Defragmentation
  • 5. End-of-life


SLIDE 28

REAL Lessons Learned

  • 1. 19 authors?!

SLIDE 29

REAL Lessons Learned

  • 1. 19 authors?!
  • 2. Report server visibility

[Diagram: Mirai operation, as on slide 5 (Command & Control, Loader, Report Server; Attacker, Bots, Victim, DDoS Target; flows: send command, relay, scan, report, dispatch, load, attack).]

SLIDE 30

REAL Lessons Learned

  • 1. 19 authors?!
  • 2. Report server visibility
  • 3. Scandemonium

Stateless, Internet-wide scanning is increasing, both benevolent and malicious.

SLIDE 31

REAL Lessons Learned

  • 1. 19 authors?!
  • 2. Report server visibility
  • 3. Scandemonium
  • 4. Device identification is hard

Example telnet banner: "(none) login:", which gives no identifying information. Only ~20% of devices could be identified to any extent.

SLIDE 32

REAL Lessons Learned

  • 1. 19 authors?!
  • 2. Report server visibility
  • 3. Scandemonium
  • 4. Device identification is hard
  • 5. Especially for good guys

Internet of Things (IoT) Cybersecurity Improvement Act of 2017!
https://www.congress.gov/bill/115th-congress/senate-bill/1691/text

Cannot use the same techniques as bad guys

SLIDE 33

Understanding the Mirai Botnet

  • 1. Growth & Composition
  • 2. Ownership & Evolution
  • 3. Attacks
  • 4. Lessons Learned
  • 5. Questions? zanema2@illinois.edu

SLIDE 34

Future Research Directions

  • 1. Automatic detection of new protocols - universal honeypot
  • 2. Improved IoT device identification / fingerprinting
  • 3. IoT device identification system
