mirai and iot botnet analysis
play

Mirai and IoT Botnet Analysis Robert Graham - PowerPoint PPT Presentation

Jan 01, 2023 •329 likes •962 views

#RSAC SESSION ID: SESSION ID: HTA-W10 Mirai and IoT Botnet Analysis Robert Graham http://blog.erratasec.com @ErrataRob #RSAC What this talk will cover? Brief overview of Mirai The cameras themselves Step by step from infection to attacks

  1. #RSAC SESSION ID: SESSION ID: HTA-W10 Mirai and IoT Botnet Analysis Robert Graham http://blog.erratasec.com @ErrataRob

  2. #RSAC What this talk will cover? Brief overview of Mirai The cameras themselves Step by step from infection to attacks The Dyn attack How to protect yourself How tech details fit into government policy debate Robert Graham

  3. #RSAC Mirai botnet Terabit scale attacks end of 2016 ~600mbps against Brian Krebs ~1 terabit against OVH ~1.2 terabit against DYn Infects cameras Most cameras Also printers, routers Hundreds of thousands of devices Robert Graham

  4. #RSAC Where the botnet resides https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html Robert Graham

  5. #RSAC CnC servers 192.227.222.73 192.227.222.74 192.227.222.75 192.227.222.76 188.166.65.12 188.166.189.189 185.25.51.115 185.144.29.7 118.89.41.125 93.158.216.170 54.187.144.227 52.163.49.59 46.166.185.34 46.183.223.229 45.119.127.190 35.162.249.35 5.249.154.190 Robert Graham

  8. #RSAC Ordering camera Robert Graham

  9. #RSAC JideTech from Jose Pagliary at CNN Robert Graham

  10. #RSAC Packaging from Shenzhen Robert Graham

  11. #RSAC What do the cameras look like? Robert Graham

  12. #RSAC HiSilicon HI3518 CPU Robert Graham

  13. Which ports are listening #RSAC Robert Graham

  14. #RSAC What does the camera look like? 23: Telnet 80: HTTP 554: RTSP 9527: some weird shell with no auth 8899: some other web interface Robert Graham

  18. 0f539bd5d3ab8a #RSAC Robert Graham

  19. #RSAC 0f539bd5d3ab8a Robert Graham

  20. #RSAC 0f539bd5d3ab8a Robert Graham

  21. #RSAC 0f539bd5d3ab8a Robert Graham

  22. #RSAC Camera/Phone firewalled 12:3 8 AWS 54.163.237.146 ec2-54-163-237-146.compute-1.amazonaws.com Robert Graham

  23. #RSAC Robert Graham

  24. #RSAC Configure firewall Use RaspberryPi-class device as NAT/firewall to create an isolated subnet http://blog.erratasec.com/2016/10/configuring-raspberry-pi-as-router.html Robert Graham

  25. #RSAC 98 seconds to infection! Robert Graham

  26. #RSAC Infection process Robert Graham

  27. #RSAC The ECHI trick Generates error message It’s how the bot recognizes that the output is done Different devices have different command-prompts, so it’s harder parsing output for a command prompt Robert Graham

  28. #RSAC What is busybox? Most common shell on IoT devices Robert Graham

  29. Find out CPU: #RSAC x86, ARM, MIPS, PowerPC Robert Graham

  30. #RSAC Download bot Robert Graham

  31. Download bot #RSAC Robert Graham

  32. #RSAC Now run the bot Robert Graham

  33. #RSAC Kills Telnet /bin/busybox telnetd –p 2323 Robert Graham

  34. #RSAC Kills rival bots Robert Graham

  35. #RSAC Connect to command/control Robert Graham

  36. #RSAC Robert Graham

  37. #RSAC List of possible attacks Robert Graham

  38. #RSAC Attack on Google Project Shield 130 million SYN per second 450 million HTTP queries per second From 175,000 IP addresses 4 million ACK flood GRE floods UDP floods https://arstechnica.com/security/2017/02/how-google-fought-back-against-a- crippling-iot-powered-botnet-and-won/ Robert Graham

  39. #RSAC DYN DDoS Classic “hit the root name servers” …except one layer down Port 53 UDP flood ~600gpbs to ~1.2tbps Amplified by failed DNS lookups No cached failed response Robert Graham

  40. #RSAC Robert Graham

  41. #RSAC Dyn uses ‘anycast’ Robert Graham http://dyn.com/dns/network-map/

  42. #RSAC Atlanta -> North Virginia Robert Graham

  43. #RSAC Add own second DNS Robert Graham

  44. #RSAC Add Amazon DNS Robert Graham

  45. #RSAC Drop DYN Robert Graham

  46. #RSAC All eggs in one basket Robert Graham

  47. #RSAC BGP changes https://stat.ripe.net/widget/bgplay#w.resource=208.78.70.16 Robert Graham

  48. #RSAC Increase TTLs Robert Graham

  49. #RSAC Resolver caching Resolvers cache responses Drops records after TTL seconds And get a new one Change: if you can’t get a new one, don’t drop record Robert Graham

  50. #RSAC Everybody’s doing it No persistence in botnet Many fight to take control of the devices Many splintered botnets rather than one large botnet Robert Graham

  51. #RSAC Conclusion The same attack won’t work again Robert Graham

  52. #RSAC https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/ Robert Graham

  53. #RSAC Complicated Paras Jha, 20 year old student Minecraft server maintainer, then anti-DDoS company Way to drive customers from other anti-DDoS companies Complicated interactions with the underground Robert Graham

  54. #RSAC Source code Amateurish, like that of 20 year old students Doesn’t mean “stupid”, just not features of professional coders. Multiple coders https://github.com/jgamblin/Mirai-Source-Code Robert Graham

  55. #RSAC Apply: How to protect yourself? You probably don’t have cameras Vuln scanning for it on your network is probably pointless You need a DNS strategy You need a DDoS strategy You need a UPnP strategy Robert Graham

  56. #RSAC DNS server strategy Use redundant servers One should be a server than can handle DDoS Set longer TTLs Robert Graham 56

  57. #RSAC DNS client strategy Setup your own resolver Disable discarding stale records after TTL if no response Make sure services can keep running if DNS fails The DNS supply chain Robert Graham 57

  58. #RSAC Apply: Policy question For government policy makers crafting laws/regulations What can government do to ward off IoT botnets. Robert Graham

  59. #RSAC It’s a complicated answer Only 10.9% are in the United States Unbranded grey market, where they ignore regulation anyway IoT is behind firewall, cameras are exposed. This was not an IoT botnet Cameras need remote reset (aka. Backdoor) Dyn fixed itself, without government help Robert Graham

  60. #RSAC An IoT threat model, part 1 No user interaction Clicking on links/emails is how you infect your desktop/laptop But not iPhones, mostly Not IoT No exposed ports At least, as the norm So no direct vulnerable services, OWASP, etc. Robert Graham 60

  61. #RSAC An IoT threat model, part 2 Cross Site Request Forgery Clicking on links/emails Cloud service Phishing of username/password Cloud provider gets owned — IoT autoupdate considered harmful Local WiFi UPnP etc. for inbound Robert Graham 61

  62. #RSAC An IoT threat model, part 3 Vendors demand inbound connection Old IoT like medical devices, HVAC, etc. IoT on non-private networks Hospitals, bars, universities, etc. IPv4 vs IPv6 IPv4 for IoT increasingly costly, moving to IPv6 Robert Graham 62

  63. #RSAC Summary Details on how Mirai works Means knowing how cameras work How to protect yourself from Mirai No Mirai itself, but the attacks it does Fix your DNS What is the future? What’s the threat model? How can regulations help? Robert Graham 63

Recommend

Next-Gen Mirai Balthasar Martin <balthasar@srlabs.de> Fabian Brunlein

Next-Gen Mirai Balthasar Martin <balthasar@srlabs.de> Fabian Brunlein

Next-Gen Mirai Balthasar Martin <balthasar@srlabs.de> Fabian Brunlein <fabian@srlabs.de> SRLabs Template v12 Mirai and IoT Reaper botnets exploited open Telnet and other known vulnerabilities Mirai botnet Reaper botnet Known

306 views • 26 slides
Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey , Matthew Bernhard , Elie Bursztein Jaime Cochran , Zakir Durumeric , J. Alex Halderman , Luca Invernizzi Michalis Kallitsis ,

709 views • 35 slides
Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey ,

Understanding the Mirai Botnet Manos Antonakakis , Tim April , Michael Bailey , Matthew Bernhard , Elie Bursztein Jaime Cochran , Michalis Kallitsis , Damian Menscher , Zakir Durumeric Deepak Kumar , Chad

628 views • 34 slides
Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of Thousands of Internet Businesses and Millions of Users in October 2016 William Favre Slater, III, M.S. MBA, PMP, CISSP, CISA Sr. Cybersecurity

1.36k views • 53 slides
Look Into The Future - Analyzing Mirai botnet - Mauritius 2016 FIRST TC Minoru Kobayashi

Look Into The Future - Analyzing Mirai botnet - Mauritius 2016 FIRST TC Minoru Kobayashi

Look Into The Future - Analyzing Mirai botnet - Mauritius 2016 FIRST TC Minoru Kobayashi Internet Initiative Japan Inc. Who am I ? Minoru Kobayashi I work for Internet Initiative Japan Inc.. IIJ is a Japanese ISP (We are the

418 views • 19 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect

Linux IoT Botnet Wars and the Lack of Security Hardening Drew Moseley Solutions Architect Mender.io Session overview Case-studies of 3 botnets Mirai (August 2016) Hajime (October 2016) BrickerBot (March 2017) Common security

902 views • 28 slides
Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

311 views • 20 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018

Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018

Runtime Security Lab Michael Schwarz Friday 31 st August, 2018 Graz Security Week 2018 https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html www.tugraz.at Large IoT Incidents September 21, 2016 > 600 Gbps on Brian Krebs

1.19k views • 71 slides
FRAMEWORK FOR BOTNET EMULATION AND ANALYSIS A Thesis Presented to The Academic Faculty by

FRAMEWORK FOR BOTNET EMULATION AND ANALYSIS A Thesis Presented to The Academic Faculty by

FRAMEWORK FOR BOTNET EMULATION AND ANALYSIS A Thesis Presented to The Academic Faculty by Christopher Patrick Lee In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the School of Electrical and Computer

1.09k views • 106 slides
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu 1,2 , Roberto Perdisci 3 , Junjie Zhang 1 , and Wenke Lee 1 1 Georgia Tech 3 Damballa, Inc. 2 Texas A&M University 2008-7-31

549 views • 22 slides
Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet Stephen Herwig Katura Harvey

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet Stephen Herwig Katura Harvey

Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet Stephen Herwig Katura Harvey George Hughey Richard Roberts Dave Levin University of Maryland The Max Planck Institute + for Software Systems Rise of IoT Botnets

569 views • 52 slides
Embedded Malware An Analysis of the Chuck Norris Botnet P. eleda, R. Krej, J. Vykopal,

Embedded Malware An Analysis of the Chuck Norris Botnet P. eleda, R. Krej, J. Vykopal,

Embedded Malware An Analysis of the Chuck Norris Botnet P. eleda, R. Krej, J. Vykopal, M. Draar {celeda|vykopal|drasar}@ics.muni.cz, radek.krejci@mail.muni.cz The sixth European Conference on Computer Network Defense EC2ND

691 views • 50 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by

Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by

Introduction to Mirai Luis Espinoza lespinoz@akamai.com Hardcoded list of user/pass used by Mirai https://krebsonsecurity.com/wp-content/uploads/2016/10/IoTbadpass-Sheet1.pdf loader/src/headers/includes.h loader/src/headers/binary.h

835 views • 17 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Present status of the MIRAI Program; towards a persistent 1.3 GHz NMR and DC feeder cables H.

Present status of the MIRAI Program; towards a persistent 1.3 GHz NMR and DC feeder cables H.

IEEE CSC & ESAS SUPERCONDUCTIVITY NEWS FORUM (global edition), February 2020. Plenary presentation PT-4 given at ACASC/Asian-ICMC/CSSJ Joint Conference, 6-9 January 2020, Okinawa, Japan. Present status of the MIRAI Program; towards a

910 views • 45 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides

More recommend