Overview
The Mirai botnet seeks out poorly secured Internet of Things (IoT) devices. IoT refers to any consumer or business smart device that can connect to the internet. Devices it finds are infected with its malware and become part of the botnet. Mirai was discovered by the white hat research group MalwareMustDie in 2016[1]. Its source code was released by its author in late 2016[2].
Mirai has exploited IP security cameras, routers, and DVRs. This list will grow as more devices are sold every day and new connected devices enter the market. One Gartner report claims 20.4 billion IoT devices will be in use by 2020[3].
Mirai has become so prevalent that it's actively monitored and tracked by a number of websites. For example, the IoT search engine Shodan.io provides statistics such as Top Countries, Top Services, and Top Organizations, Figure 1. It even provides live views from Mirai-infected devices.
Figure 1, source: https://www.shodan.io/search?query=mirai.
Statistics are impressive and make great talking points in meetings, but at the end of the day victims should be concerned about their vulnerable devices being hijacked by a botnet. Unlike ransomware or a banking trojan, Mirai won't encrypt your personal files or steal your online banking credentials; botnets are nevertheless a greater menace. They provide operational infrastructure to threat actors and have the potential to wreak havoc on many aspects of society, including communication grids, mass transit, and even emergency services.
Discovery and Infection
A botnet is comprised of two components: the C2 servers and the bots. In Mirai's case the infected bots, directed by the C2, constantly scan the internet for IoT devices listening on telnet ports (TCP 23, with every tenth probe sent to 2323). When one is found, Mirai launches a brute force password attack that iterates through a pre-loaded table of commonly used default and factory logins, see Table 1 below. A successful login is reported back to the operator's infrastructure, the bot binary is downloaded and executed on the device, and the device becomes part of the botnet.
Figure 2 below shows a snippet from Mirai's build.sh file, the script that builds the bot binaries that get installed on IoT devices. The bot is cross-compiled for many different CPU architectures, including x86, MIPS, ARM and several others, so that a matching binary exists for whatever embedded platform the scanner turns up.
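The credential table is not stored in the clear in the released source: table.c XORs every string with the key 0xDEADBEEF, and scanner.c then draws entries by weight, so the most common factory logins (root/xc3511 first) are tried most often. The following is an added example, not code from the Mirai source or from this post: the obfuscated strings and weights are copied from scanner.c's add_auth_entry() calls, while the helper names, the constructed fake device and the MAX_TRIES cap are this example's own assumptions.

```python
"""Decode Mirai's XOR-obfuscated credential table and draw entries by weight.

Added example: the five obfuscated (user, password, weight) triples below are
copied from scanner.c in the released source; everything else is an
illustrative reimplementation, not Mirai code.
"""
import random

# table.c: key = 0xDEADBEEF, every byte XORed with all four key bytes in
# turn. 0xEF ^ 0xBE ^ 0xAD ^ 0xDE == 0x22, so it collapses to one byte.
TABLE_KEY = 0xDEADBEEF
MAX_TRIES = 10  # assumption: illustrative cap on attempts per host


def effective_key(key: int = TABLE_KEY) -> int:
    """Fold the four key bytes into the single XOR byte actually applied."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key >> shift) & 0xFF
    return k


def deobfuscate(data: bytes, key: int = TABLE_KEY) -> str:
    """Recover a plaintext string from its obfuscated form."""
    k = effective_key(key)
    return bytes(b ^ k for b in data).decode("ascii")


# add_auth_entry(obfuscated_user, obfuscated_password, weight) from scanner.c
OBFUSCATED_ENTRIES = [
    (b"\x50\x4D\x4D\x56", b"\x5A\x41\x11\x17\x13\x13", 10),  # root / xc3511
    (b"\x50\x4D\x4D\x56", b"\x54\x4B\x58\x5A\x54", 9),       # root / vizxv
    (b"\x50\x4D\x4D\x56", b"\x43\x46\x4F\x4B\x4C", 8),       # root / admin
    (b"\x43\x46\x4F\x4B\x4C", b"\x43\x46\x4F\x4B\x4C", 7),   # admin / admin
    (b"\x50\x4D\x4D\x56", b"\x1A\x1A\x1A\x1A\x1A\x1A", 6),   # root / 888888
]


def decode_table(entries=OBFUSCATED_ENTRIES):
    """Return the table as plaintext (user, password, weight) triples."""
    return [(deobfuscate(u), deobfuscate(p), w) for u, p, w in entries]


def pick_credential(table, r: int):
    """Cumulative-weight lookup, as random_auth_entry() does in scanner.c.

    r must lie in [0, total_weight); each entry owns a slice of that range
    proportional to its weight, so root/xc3511 wins 10 of every 40 draws.
    """
    lo = 0
    for user, password, weight in table:
        if lo <= r < lo + weight:
            return user, password
        lo += weight
    raise ValueError("r outside [0, total_weight)")


def brute_force(table, try_login, draws=None, max_tries: int = MAX_TRIES):
    """Try weighted random entries until try_login() accepts one.

    Returns (user, password, attempts) or None. `draws` lets a caller fix the
    random sequence; otherwise fresh draws are made with replacement, which is
    how the original behaves (the same pair can be tried twice).
    """
    total = sum(w for _, _, w in table)
    if draws is None:
        rng = random.Random()
        draws = [rng.randrange(total) for _ in range(max_tries)]
    for attempt, r in enumerate(draws, 1):
        if attempt > max_tries:
            break
        user, password = pick_credential(table, r)
        if try_login(user, password):
            return user, password, attempt
    return None


def fake_device(user: str, password: str) -> bool:
    """Constructed stand-in for a telnet login that only accepts admin/admin."""
    return (user, password) == ("admin", "admin")


if __name__ == "__main__":
    table = decode_table()
    for user, password, weight in table:
        print(f"{user}/{password} (weight {weight})")
    print("result:", brute_force(table, fake_device))
```

The decoded strings confirm the single-byte scheme: "\x50\x4D\x4D\x56" is "root" and "\x5A\x41\x11\x17\x13\x13" is "xc3511", the pair the Detection section later sees succeed. The same deobfuscate() works on any string pulled from table.c (C2 hostnames, the strings the bot sends after login), which is the usual first step when triaging a Mirai variant.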
Figure 2
Attack Capabilities
Mirai bots are designed to launch a variety of distributed denial of service (DDoS) flood attacks. Each targets a different layer of the TCP/IP stack, but all share the same goal: disrupting normal operation of a targeted network resource. Listed below are a sample of the attack types, a brief description of each, and source code illustrating the functionality.
UDP flood: UDP packets hit random ports on the target, consuming resources unnecessarily, Figure 3.
Figure 3
DNS flood: DNS queries for randomly generated subdomains of the target's domain are sent so that the target's authoritative DNS service has to answer each one, Figure 4.
Figure 4
Plain UDP flood: a stream of UDP packets saturates the target's network link and consumes bandwidth, Figure 5.
Figure 5
SYN flood: exploits the TCP handshake by sending SYNs and never replying to the SYN/ACK responses, leaving half-open connections on the target, Figure 6.
Figure 6
ACK flood: spoofed TCP ACK packets that belong to no established session are sent, forcing the target to process and discard each one, Figure 7.
Figure 7
TCP STOMP flood: a real three-way handshake is completed first, then ACK packets carrying data and valid sequence numbers are sent to saturate the target while passing mitigation that drops sessionless ACKs, Figure 8.
Figure 8
GRE floods: packets wrapped in GRE (both GRE IP and GRE Ethernet variants) target tunneling and VPN infrastructure, Figure 9.
Figure 9
HTTP flood: GET, POST or other HTTP requests are aimed at disabling the target's web services, Figure 10.
Figure 10
Propagation
In addition to launching attacks, bots are also tasked with searching for new victims. They take their cue from the file scanner.c. A quick walk through the file shows TCP/IP packet assembly, network scanning, and IP address selection.
Set up the TCP/IP headers and load the payload, Figure 11.
Figure 11
Read packets and pick out the SYN/ACKs that signal an open telnet port, Figure 12.
Figure 12
Choose a random IP address to scan, excluding certain IP ranges such as those belonging to General Electric Company, Hewlett-Packard Company, the US Postal Service, IANA-reserved space, and private networks, Figure 13.
Figure 13
Exclusion
Mirai likes to keep what it kills. After it has compromised a device it locks the door behind itself so that other botnets can't get in. killer.c binds port 23 (and, depending on build options, ports 22 and 80) so nothing else can listen there, kills the processes that held those ports, such as the telnet, SSH, and HTTP services, and then hunts for rival bot processes to terminate, Figures 14 and 15.
Figure 14
Figure 15
Detection
RSA NetWitness Packets can be used to detect Mirai. Its scanners use the telnet protocol, default port 23, to probe remote IP addresses, Figure 16.
Figure 16
Pivoting into the sessions provides more details, Figure 17.
Figure 17
Successfully locating an IoT device with an open telnet port results in a system login prompt, Figure 18.
Figure 18
Next, Mirai attempts to log in. Using its credentials table (see the Discovery and Infection section above) it iterates through userid/password pairs. For example, root/xc3511 worked on this device, Figure 19.
Figure 19
Mirai is now logged in as the root user, and the BusyBox prompt awaits its next instructions. BusyBox packages stripped-down versions of common Unix utilities into a single binary and is commonly run on embedded Linux systems, Figure 20.
Figure 20
After gaining access to the device, Mirai executes a series of steps to ensure it has sole ownership of it. Already running as root, it disables SSH, blocks the remote administration ports, and searches for any competing botnets; any it finds are killed. The final step is to download and run the bot binary.
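The session trail shown in Figures 16 through 19 (telnet probes, a run of factory credentials, one success) is what a detection rule keys on: one source trying known default pairs against many destinations on 23/2323, a pattern a legitimate administrator never produces. As an added example, not RSA NetWitness content and not Mirai code, the following scores a batch of telnet session records that way. The records are constructed for illustration, the credential pairs are a subset of the released Mirai table, and the thresholds are this example's own.

```python
"""Flag Mirai-style telnet credential spraying in session records.

Added example: the SESSIONS text is constructed, MIRAI_DEFAULTS is a subset
of the released scanner.c table, and min_defaults/min_targets are this
example's thresholds, not RSA NetWitness settings.
"""
from collections import defaultdict
from typing import NamedTuple

MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("support", "support"),
}
TELNET_PORTS = {23, 2323}

# Constructed records: time src dst dport user password outcome
SESSIONS = """\
2017-06-01T10:00:01 203.0.113.7 198.51.100.2 23 root xc3511 fail
2017-06-01T10:00:02 203.0.113.7 198.51.100.3 23 root vizxv fail
2017-06-01T10:00:03 203.0.113.7 198.51.100.4 2323 admin admin fail
2017-06-01T10:00:04 203.0.113.7 198.51.100.5 23 root 888888 fail
2017-06-01T10:00:05 203.0.113.7 198.51.100.6 23 root xc3511 success
2017-06-01T10:00:06 203.0.113.7 198.51.100.7 23 support support fail
2017-06-01T10:05:00 192.0.2.10 198.51.100.9 23 alice correct-horse success
2017-06-01T10:06:00 192.0.2.11 198.51.100.9 23 root admin fail
"""


class Session(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    user: str
    password: str
    outcome: str  # "success" or "fail"


def parse_sessions(text: str):
    """Turn the whitespace-separated records into Session tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, user, password, outcome = line.split()
        records.append(Session(ts, src, dst, int(dport), user, password, outcome))
    return records


def find_scanners(records, min_defaults: int = 3, min_targets: int = 3):
    """Per source: count telnet logins, known-default pairs and distinct
    destinations; flag sources that spray defaults across many hosts and
    record every device a default credential actually opened."""
    per_src = defaultdict(lambda: {"targets": set(), "attempts": 0,
                                   "default_hits": 0, "compromised": []})
    for r in records:
        if r.dport not in TELNET_PORTS:
            continue
        s = per_src[r.src]
        s["targets"].add(r.dst)
        s["attempts"] += 1
        if (r.user, r.password) in MIRAI_DEFAULTS:
            s["default_hits"] += 1
            if r.outcome == "success":
                s["compromised"].append((r.dst, r.user, r.password))
    verdicts = {}
    for src, s in per_src.items():
        flagged = (s["default_hits"] >= min_defaults
                   and len(s["targets"]) >= min_targets)
        verdicts[src] = {"flagged": flagged, "targets": len(s["targets"]),
                         "attempts": s["attempts"],
                         "default_hits": s["default_hits"],
                         "compromised": s["compromised"]}
    return verdicts


if __name__ == "__main__":
    for src, v in find_scanners(parse_sessions(SESSIONS)).items():
        print(src, "SCANNER" if v["flagged"] else "ok", v)
```

The distinct-destination threshold matters: Mirai tries roughly one credential per host and moves on, so a source with many default-credential attempts against a single host is more likely a misconfigured monitor or a curious user than a bot. Every entry in "compromised" is a device that accepted a factory login and should be treated as recruited until it is reset and its password changed.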
RSA NetWitness feeds are capable of detecting Mirai[4]. Both the Malware IP List (nwmalwareiplist) and Malware Domain List (nwmalwaredomainlist) contain Mirai IOCs.
Malware IP List (nwmalwareiplist)
Description: List of IP addresses commonly associated with malware sourced from www.malwaredomainlist.com.
Medium: log, packet
Live Tags: threat, malware
Index/Trigger Meta Key: ip.addr
Registered Meta Keys: threat.category, threat.desc, threat.source
Malware Domain List (nwmalwaredomainlist)
Description: List of domains commonly associated with malware sourced from www.malwaredomainlist.com.
Medium: log, packet
Live Tags: threat, malware
Index/Trigger Meta Key: alias.host
Registered Meta Keys: threat.category, threat.desc, threat.source
Summary
The IoT is a double-edged sword. For every new convenience it provides, another device has potentially become the newest member of a botnet. Getting a text message from the refrigerator when the egg supply is low, or one from the fish tank when the filter needs changing, helps many of us stay on top of our hectic daily lives. The same IoT software that enables these notifications also presents an attack vector. The Mirai botnet was designed to attack and exploit it, the goal being to seize complete control of a device. When successful, the device is then leveraged for nefarious purposes such as DDoS attacks. More often than not, all of this happens without the owner being aware. Changing a device's default password, installing software patches, and periodically rebooting it are ways to combat the spread of Mirai. A reboot only clears the bot from memory, though, since Mirai does not persist on disk; unless the default password is changed and telnet is no longer reachable from the internet, the device will simply be found and infected again by the next scan.
Thanks to Kevin Stear and Jim Ward for their contributions to this blog post.
PCAP
https://github.com/ixiacom/ATI/blob/master/PCAPS/Mirai_command_and_control.pcap
Tracking
https://www.shodan.io/search?query=mirai
https://twitter.com/MiraiAttacks
https://intel.malwaretech.com/botnet/mirai
References
[1] http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
[2] https://github.com/jgamblin/Mirai-Source-Code
[3] http://www.gartner.com/newsroom/id/3598917
[4] https://community.rsa.com/docs/DOC-76076
Additional reading
https://community.rsa.com/community/products/netwitness/blog/2017/06/09/an-introduction-to-botnets
https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/mirai-botnet/
https://www.corero.com/blog/793-untangling-the-dark-web-behind-mirai-iot-botnet-ddos-attacks.html