Understanding the Mirai Botnet Manos Antonakakis , Tim April , - - PowerPoint PPT Presentation



SLIDE 1

Understanding the Mirai Botnet ▪︎ Zane Ma

Understanding the Mirai Botnet


◆Akamai Technologies, △Cloudflare, ✝Georgia Institute of Technology, ✱Google, ●Merit Network ★University of Illinois Urbana-Champaign, ‡University of Michigan

Manos Antonakakis✝, Tim April◆, Michael Bailey★, Matthew Bernhard‡, Elie Bursztein✱ Jaime Cochran△, Zakir Durumeric‡, J. Alex Halderman‡, Luca Invernizzi✱ Michalis Kallitsis●, Deepak Kumar★, Chaz Lever✝, Zane Ma★, Joshua Mason★ Damian Menscher✱, Chad Seaman◆, Nick Sullivan△, Kurt Thomas✱, Yi Zhou★

SLIDE 2


Mirai

SLIDE 3

Growing IoT Threat

2016: 6 - 9 billion IoT devices; 2020: ~30 billion

SLIDE 4

Research Goals

  • Snapshot the IoT botnet phenomenon
  • Reconcile a broad spectrum of botnet data perspectives
  • Understand Mirai's mechanisms and motives

SLIDE 5

Lifecycle

Lifecycle diagram. Infrastructure: Command & Control, Loader, Report Server. Devices: Victim, Bots. Also shown: Attacker and DDoS Target. Steps: Scan → Report → Dispatch → Load → Send command → Relay → Attack.

SLIDE 6

Measurement

July 2016 - February 2017

Data source and size:
  • Network Telescope: 4.7M unused IPs
  • Active Scanning: 136 IPv4 scans
  • Telnet Honeypots: 434 binaries
  • Malware Repository: 594 binaries
  • Active/Passive DNS: 499M daily RRs
  • C2 Milkers: 64K issued attacks
  • Krebs DDoS Attack: 170K attacker IPs
  • Dyn DDoS Attack: 108K attacker IPs

SLIDE 7


What is the Mirai botnet?

SLIDE 8

Population

Chart: total Mirai scans seen by the network telescope per day (y-axis: # network telescope scans, 0 - 700,000; x-axis: date, 08/01/16 - 02/01/17).

SLIDE 9

Rapid Emergence

Chart: Mirai TCP/23 scans vs. non-Mirai TCP/23 scans seen by the network telescope, 08/01 00:00 - 08/03 18:00 (y-axis: # network telescope scans, 40,000 - 140,000).

  • 1:42 AM: single scanner
  • 3:59 AM: botnet expands
  • 23:59: 64,500 scanners

SLIDE 10

Many Ports of Entry

Chart: total Mirai scans by destination port, 08/01/16 - 02/01/17: TCP/23 and TCP/2323 ("IoT Telnet").

SLIDE 11

Many Ports of Entry

Chart: total Mirai scans, 08/01/16 - 02/01/17, with TCP/7547 highlighted.

CWMP TCP/7547: 600K peak

SLIDE 12

Many Ports of Entry

Chart: total Mirai scans, 08/01/16 - 02/01/17, with TCP/7547 highlighted.

CWMP TCP/7547: ~1 month later = 6.7K

SLIDE 13

Many Ports of Entry

Chart: total Mirai scans, 08/01/16 - 02/01/17, with 9 additional ports highlighted: TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80.

9 Additional Protocols

SLIDE 14

200K-300K Mirai Bots

Chart: total Mirai scans by port, 08/01/16 - 02/01/17 (TCP/23, TCP/2323, TCP/7547, TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80).

Steady state
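As an added example (not from the slides or the paper's own tooling), the kind of classification behind the per-port charts and the Mirai vs. non-Mirai TCP/23 split: a stream of network telescope records is grouped into Mirai-fingerprinted and other SYN probes per day and port, counting distinct scanner IPs. It assumes one fact not on the slides, taken from Mirai's released scanner source: its SYN probes set the TCP sequence number to the destination IPv4 address; the record format and all addresses are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Entry ports the slides list for Mirai scanning.
MIRAI_PORTS = {23, 2323, 7547, 23231, 22, 2222, 37777, 443, 5555, 6789, 8080, 80}

# Constructed telescope records: "<ISO time> <src> <dst> <dport> <seq> <tcp flags>".
# Assumed fingerprint (from the released Mirai scanner, not from the slides):
# a Mirai SYN carries seq == destination IPv4 address as a 32-bit integer.
SAMPLE_RECORDS = """\
2016-08-01T01:42:00 198.51.100.7 192.0.2.10 23 3221225994 S
2016-08-01T03:59:10 198.51.100.8 192.0.2.77 23 3221226061 S
2016-08-01T03:59:11 203.0.113.5 192.0.2.10 23 123456789 S
2016-08-01T12:00:00 198.51.100.7 192.0.2.10 2323 3221225994 S
2016-08-02T00:10:00 198.51.100.9 192.0.2.10 7547 3221225994 S
2016-08-02T00:11:00 198.51.100.9 192.0.2.10 7547 3221225994 A
""".splitlines()


def is_mirai_syn(dst_ip: str, tcp_seq: int) -> bool:
    """Mirai fingerprint: TCP sequence number equals the destination address."""
    return tcp_seq == int(ipaddress.IPv4Address(dst_ip))


def parse_record(line: str) -> dict:
    ts, src, dst, dport, seq, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "seq": int(seq), "flags": flags}


def classify(lines):
    """Group unique scanning sources by day, port and Mirai/other for SYN probes."""
    groups = defaultdict(lambda: defaultdict(lambda: {"mirai": set(), "other": set()}))
    for line in lines:
        r = parse_record(line)
        if r["flags"] != "S" or r["dport"] not in MIRAI_PORTS:
            continue  # only SYN probes to the known entry ports are counted
        bucket = "mirai" if is_mirai_syn(r["dst"], r["seq"]) else "other"
        groups[r["ts"].date().isoformat()][r["dport"]][bucket].add(r["src"])
    return groups


def daily_scanner_counts(lines):
    """Per day and port: number of distinct Mirai and non-Mirai scanner IPs."""
    return {day: {port: {k: len(v) for k, v in buckets.items()}
                  for port, buckets in ports.items()}
            for day, ports in classify(lines).items()}


if __name__ == "__main__":
    for day, ports in sorted(daily_scanner_counts(SAMPLE_RECORDS).items()):
        print(day, dict(ports))
```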

SLIDE 15

Modest Mirai

Chart: total Mirai scans, 08/01/16 - 02/01/17, Mirai botnet compared with the Carna botnet.

SLIDE 16

Global Mirai

Map: Mirai infections vs. TDSS/TDL4 infections.

  • Mirai: South America + Southeast Asia = 50% of infections
  • TDSS/TDL4: North America + Europe = 94% of infections

SLIDE 17

Targeted Devices

Source code password list (device type: # targeted passwords; examples):
  • Camera / DVR: 26 (57%); dreambox, 666666
  • Router: 4 (9%); smcadmin, zte521
  • Printer: 2 (4%); 00000000, 1111
  • VOIP Phone: 1 (2%); 54321
  • Unknown: 13 (28%); password, default

Infected Devices

HTTPS banners (device type: share of banners):
  • Camera / DVR: 36.8%
  • Router: 6.3%
  • NAS: 0.2%
  • Firewall: 0.1%
  • Other: 0.2%
  • Unknown: 56.4%

Cameras, DVRs, Routers

SLIDE 18


Who ran Mirai?



SLIDE 21

Divergent Evolution

  • Source code release
  • 48 unique password dictionaries
  • DGA
  • Binary packing

SLIDE 22


How was Mirai used?


SLIDE 23


KrebsOnSecurity


SLIDE 24


Largest Reported DDoS


SLIDE 25


Dyn Attacker Motives

“It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by “hacktivists.” Or a foreign power that wanted to remind the United States of its vulnerability.”


SLIDE 26

Dyn Attacker Motives

Targeted IP | rDNS | Passive DNS
208.78.70.5 | ns1.p05.dynect.net | ns00.playstation.net
204.13.250.5 | ns2.p05.dynect.net | ns01.playstation.net
208.78.71.5 | ns3.p05.dynect.net | ns02.playstation.net
204.13.251.5 | ns4.p05.dynect.net | ns03.playstation.net
198.107.156.219 | service.playstation.net | ns05.playstation.net
216.115.91.57 | service.playstation.net | ns06.playstation.net

  • Top targets are linked to Sony PlayStation
  • Attacks on Dyn interspersed among attacks on other game services

SLIDE 27

Booter-like Targets

  • Games: Minecraft, Runescape, game commerce site
  • Politics: Chinese political dissidents, regional Italian politician
  • Anti-DDoS: DDoS protection service
  • Misc: Russian cooking blog

SLIDE 28

Unconventional DDoS Behavior

  • Arbor Networks global DDoS report: 65% volumetric, 18% TCP state, 18% application attacks
  • Mirai: 33% volumetric, 32% TCP state, 34% application attacks
  • Valve Source Engine game server attack
  • Limited reflection/amplification: 2.8% reflection attacks, compared to 74% for booters

SLIDE 29

Overview

  • 200,000 - 300,000 globally distributed IoT devices compromised by default Telnet credentials
  • Evidence of multiple operators releasing new strains of Mirai
  • Mirai follows a booter-like pattern of behavior that is capable of launching some of the largest attacks on record

SLIDE 30


New Dog, Old Tricks


SLIDE 31

Security Hardening

Username Password
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
root 1111
admin smcadmin
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin 1234
admin pass
admin meinsm
tech tech
mother fucker
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko

SLIDE 32

Automatic Updates

Chart: total Mirai scans, 08/01/16 - 02/01/17, with TCP/7547 highlighted.

CWMP TCP/7547: 600K peak; ~1 month later = 6.7K

SLIDE 33

Device Attribution

  • 55.4M scanning IP addresses
  • 1.8M protocol banners
  • 587K identifying labels

SLIDE 34

End-of-life

2016: 6 - 9 billion IoT devices; 2020: ~30 billion

SLIDE 35


Understanding the Mirai Botnet


zanema2@illinois.edu