Robert Conley

Getting to Know Mirai

Blog post created by Robert Conley on Aug 30, 2017

Overview

The Mirai botnet seeks out poorly secured Internet of Things (IoT) devices; IoT refers to any consumer or business smart device that can connect to the internet. When a device is found, it is infected with the Mirai malware and becomes part of the botnet. Mirai was discovered by the white hat research group MalwareMustDie in 2016 [1]. Its source code was released by its author in late 2016 [2].

Mirai has exploited IP security cameras, routers, and DVRs. This list will grow as more devices are sold every day and new connected devices enter the market. One Gartner report claims 20.4 billion IoT devices will be in use by 2020 [3].

Mirai has become so prevalent that it is actively monitored and tracked by a number of websites. For example, the IoT search engine Shodan.io provides many statistics, including Top Countries, Top Services, and Top Organizations (Figure 1). It even provides live views from Mirai-infected devices.

Figure 1, source: https://www.shodan.io/search?query=mirai

Statistics are impressive and make great talking points in meetings, but at the end of the day victims should be concerned about their vulnerable devices being hijacked by a botnet. Unlike ransomware or a trojan, a bot infection will not encrypt your personal files or steal your online banking credentials; botnets are nevertheless an even greater menace. They provide operational infrastructure to threat actors and have the potential to wreak havoc on many aspects of society, including communication grids, mass transit, and even emergency services.

Discovery and Infection

Botnets are composed of two components: the C2 servers and the bots. In the case of Mirai, the C2 servers constantly seek new bots by scanning the internet for IoT devices listening on telnet ports. When one is found, Mirai launches a brute force password attack that iterates through a pre-loaded table of commonly used default and factory logins (see Table 1 below). Upon successful access, malicious executables are installed and the device becomes part of the botnet.

Figure 2 below shows a code snippet from Mirai's build.sh file, which builds the binaries used to infect IoT devices. The code can be compiled and run on many different CPU architectures, including x86, MIPS, ARM, and a number of other platforms that are also targeted.

Figure 2

Attack Capabilities

Mirai bots are designed to launch a variety of distributed denial of service (DDoS) flood attacks. Each targets a different layer of the TCP/IP stack, but all share the same goal: disrupting the normal operation of a targeted network resource. Listed below is a sample of the attack types, a brief description of each, and source code illustrating the functionality.

  • UDP Flood: UDP packets flood random ports on the target, consuming its resources unnecessarily, Figure 3.

Figure 3

  • Domain Name System (DNS): Spoofed UDP packets target the host's DNS service, Figure 4.

Figure 4

  • Plain UDP: UDP packets saturate the target's network and consume bandwidth, Figure 5.

Figure 5

  • TCP SYN: Exploits the TCP handshake by never replying to the SYN/ACK responses, Figure 6.

Figure 6

  • TCP ACK: Spoofed ACK packets that belong to no existing session are sent to the target, Figure 7.

Figure 7

  • Simple Text Oriented Messaging Protocol (STOMP) Flood: STOMP requests are sent to the target to saturate its network resources, Figure 8.

Figure 8

  • Generic Routing Encapsulation (GRE) IP: Packets target tunneling and VPN protocols, Figure 9.

Figure 9

  • HTTP: GET, POST or other HTTP requests are aimed at disabling the target's web services, Figure 10.

Figure 10


Propagation

In addition to launching attacks, bots are also tasked with searching for new victims. They take their cue from the file scanner.c. A quick walkthrough of the file shows TCP/IP packet assembly, network scanning, and IP address selection.

Set up the TCP/IP headers and load the payload, Figure 11.

Figure 11

 

Read packets and get SYN/ACKs, Figure 12.

Figure 12

 

Choose a random IP address to attack. Exclude certain IP ranges, such as General Electric Company, Hewlett-Packard Company, US Postal Service, and IANA, Figure 13.

Figure 13
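The scanning loop described above (headers built in Figure 11, SYN/ACKs read back in Figure 12) leaves a fingerprint a defender can look for. The following Python is an added detection example, not code from the post or from Mirai; it assumes two behaviours of the published scanner.c (reference [2]): probes go to TCP port 23 (every tenth to 2323), and each probe's TCP sequence number is set to the destination IPv4 address. The packet summaries it runs over are constructed.

```python
"""Flag Mirai-style telnet scanning from SYN packet summaries (added example)."""
import ipaddress
from collections import Counter

# Assumption from Mirai's published scanner.c (reference [2]): each raw SYN
# probe goes to port 23 (every tenth to 2323) and carries the destination
# IPv4 address, as a 32-bit integer, in its TCP sequence number.
SCAN_PORTS = {23, 2323}


def ip_to_int(ip: str) -> int:
    """198.51.100.1 -> 3325256705, the value scanner.c writes into tcph->seq."""
    return int(ipaddress.IPv4Address(ip))


def is_mirai_probe(dst_ip: str, dst_port: int, tcp_seq: int) -> bool:
    """True when a single SYN matches the scanner fingerprint.

    tcp_seq must be the raw (absolute) sequence number, not a relative one.
    """
    return dst_port in SCAN_PORTS and tcp_seq == ip_to_int(dst_ip)


def find_scanners(syns, min_probes: int = 3) -> dict:
    """Count fingerprinted SYNs per source; return sources at/above threshold.

    syns: iterable of (src_ip, dst_ip, dst_port, tcp_seq) tuples.
    """
    hits = Counter(src for src, dst, port, seq in syns
                   if is_mirai_probe(dst, port, seq))
    return {src: n for src, n in hits.items() if n >= min_probes}


# Constructed sample: one scanning host, one lone probe, two normal clients.
SAMPLE_SYNS = [
    ("192.0.2.50", "198.51.100.1", 23, ip_to_int("198.51.100.1")),
    ("192.0.2.50", "198.51.100.2", 23, ip_to_int("198.51.100.2")),
    ("192.0.2.50", "198.51.100.3", 23, ip_to_int("198.51.100.3")),
    ("192.0.2.50", "198.51.100.4", 2323, ip_to_int("198.51.100.4")),
    ("203.0.113.77", "198.51.100.9", 23, ip_to_int("198.51.100.9")),  # below threshold
    ("203.0.113.9", "198.51.100.1", 23, 123456789),                  # random seq: normal
    ("203.0.113.9", "198.51.100.1", 22, ip_to_int("198.51.100.1")),  # port 22: not a probe
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_SYNS).items():
        print(f"{src}: {n} fingerprinted SYN probes to telnet ports")
```

In practice the tuples come from a capture or flow export; the sequence number must be the raw value, since relative sequence numbers (the default display in many tools) are always 0 for a SYN.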

 

Exclusion

Mirai likes to keep what it kills. After it has compromised a device, it locks the device down to keep other botnets out. The code in killer.c closes port 23 and stops processes such as telnet, SSH, and HTTP, Figures 14 and 15.

Figure 14

Figure 15

Detection

RSA NetWitness Packets can be used to detect Mirai. Its C2 servers use the telnet protocol, default port 23, to fingerprint remote IP addresses, Figure 16.

Figure 16

 

Pivoting into the sessions provides more details, Figure 17.

Figure 17

 

Successfully locating an IoT device with an open telnet port results in a system login prompt, Figure 18.

Figure 18

 

Next, Mirai attempts to log in. Using its login credentials table (see the Discovery and Infection section above), it iterates through each userid/password pair. For example, root/xc3511 worked on this device, Figure 19.

Figure 19

 

Mirai is now logged in as the root user, and the BusyBox prompt awaits its next instruction. BusyBox is a stripped-down set of Linux utilities that is commonly run on embedded systems, Figure 20.

Figure 20

 

After gaining access to the device, Mirai executes a series of steps to ensure it has sole ownership of it. For example, it escalates its privileges, disables SSH, blocks remote administration ports, and searches for any competing botnets; any it finds are killed. The final step is to download and install the bot virus.

 
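The credential sweep described in Discovery and Infection and walked through above (Figures 18 and 19) leaves a recognisable pattern in login records: several distinct user/password pairs failing in quick succession from one source, then a success. The following Python, an added example and not code from the post or from RSA NetWitness, flags that pattern in such records; the log format and all addresses are constructed, and only the root/xc3511 pair shown in the post is used for the known-default set.

```python
"""Flag Mirai-style telnet credential sweeps in login records (added example)."""
from collections import defaultdict, namedtuple

# root/xc3511 is the pair the post shows succeeding; Mirai's real table
# (reference [2]) is much longer and would be loaded here in practice.
KNOWN_DEFAULTS = {("root", "xc3511")}

# Constructed sample, not NetWitness output. Fields:
# epoch_seconds src_ip dst_ip user password OK|FAIL
SAMPLE_LOG = """\
1503965000 198.51.100.7 192.0.2.10 admin password FAIL
1503965001 198.51.100.7 192.0.2.10 root 12345 FAIL
1503965002 198.51.100.7 192.0.2.10 root default FAIL
1503965003 198.51.100.7 192.0.2.10 root xc3511 OK
1503965100 203.0.113.5 192.0.2.20 operator Str0ngPass! OK
"""

# failures = distinct failed pairs before the success; known_default = the
# successful pair is in KNOWN_DEFAULTS.
Alert = namedtuple("Alert", "src_ip dst_ip failures success_pair known_default")


def parse_line(line: str):
    ts, src, dst, user, pw, result = line.split()
    return int(ts), src, dst, user, pw, result == "OK"


def detect_sweeps(log_text: str, min_failures: int = 2, window: int = 60):
    """One Alert per src->dst where >= min_failures distinct pairs fail and a
    login then succeeds, all within `window` seconds of the first attempt."""
    by_target = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, user, pw, ok = parse_line(line)
            by_target[(src, dst)].append((ts, user, pw, ok))
    alerts = []
    for (src, dst), events in by_target.items():
        failed, first_ts = set(), None
        for ts, user, pw, ok in sorted(events):
            if first_ts is None or ts - first_ts > window:
                failed, first_ts = set(), ts     # start a fresh window
            if not ok:
                failed.add((user, pw))
                continue
            if len(failed) >= min_failures:
                alerts.append(Alert(src, dst, len(failed), (user, pw),
                                    (user, pw) in KNOWN_DEFAULTS))
            failed, first_ts = set(), None       # a success ends the sequence
    return alerts
```

A success that used a known default credential is the strongest signal, because it matches Figure 19 exactly; a sweep that ends in failure is still worth watching as scanner activity, and can be surfaced by lowering min_failures or removing the success requirement.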

RSA NetWitness feeds are capable of detecting Mirai[4]. Both the Malware IP List (nwmalwareiplist) and Malware Domain List (nwmalwaredomainlist) contain Mirai IOCs.


  • Malware IP List (nwmalwareiplist)
Description: List of IP addresses commonly associated with malware, sourced from www.malwaredomainlist.com.
Medium: log, packet
Live Tags: threat, malware
Index/Trigger Meta Key: ip.addr
Registered Meta Keys: threat.category, threat.desc, threat.source

  • Malware Domain List (nwmalwaredomainlist)
Description: List of domains commonly associated with malware, sourced from www.malwaredomainlist.com.
Medium: log, packet
Live Tags: threat, malware
Index/Trigger Meta Key: alias.host
Registered Meta Keys: threat.category, threat.desc, threat.source


Summary

The IoT is a double-edged sword. For every new convenience it provides, another device has potentially become the newest member of a botnet. Getting a text message from the refrigerator when the egg supply is low, or one from the fish tank when the filter needs changing, helps many of us stay on top of our hectic daily lives. The same IoT software that enables these notifications also presents an attack vector. The Mirai botnet was designed to attack and exploit it, the goal being to seize complete control of a device. When successful, the device is then leveraged for nefarious purposes such as DDoS attacks. More often than not, all of this happens without its owner being aware. Changing a device's default password, installing software patches, and periodically rebooting it are ways to combat the spread of Mirai.


Thanks to Kevin Stear and Jim Ward for their contributions to this blog post.


PCAP

https://github.com/ixiacom/ATI/blob/master/PCAPS/Mirai_command_and_control.pcap


Tracking

https://www.shodan.io/search?query=mirai

https://twitter.com/MiraiAttacks

https://intel.malwaretech.com/botnet/mirai

https://tracker.h3x.eu/c2/680


References

[1] http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html

[2] https://github.com/jgamblin/Mirai-Source-Code

[3] http://www.gartner.com/newsroom/id/3598917

[4] https://community.rsa.com/docs/DOC-76076


Additional reading

https://community.rsa.com/community/products/netwitness/blog/2017/06/09/an-introduction-to-botnets

https://community.rsa.com/community/products/netwitness/blog/2016/10/13/rsa-firstwatch-mirai-and-all-things-iot

https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

https://blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot/

https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/mirai-botnet/

https://www.corero.com/blog/793-untangling-the-dark-web-behind-mirai-iot-botnet-ddos-attacks.html