Understanding the Mirai Botnet (PowerPoint slide deck, presented by Zane Ma)

  1. Understanding the Mirai Botnet
     Manos Antonakakis ✝, Tim April ◆, Michael Bailey ★, Matthew Bernhard ‡, Elie Bursztein ✱, Jaime Cochran △, Zakir Durumeric ‡, J. Alex Halderman ‡, Luca Invernizzi ✱, Michalis Kallitsis ●, Deepak Kumar ★, Chaz Lever ✝, Zane Ma ★, Joshua Mason ★, Damian Menscher ✱, Chad Seaman ◆, Nick Sullivan △, Kurt Thomas ✱, Yi Zhou ★
     ◆ Akamai Technologies, △ Cloudflare, ✝ Georgia Institute of Technology, ✱ Google, ● Merit Network, ★ University of Illinois Urbana-Champaign, ‡ University of Michigan
     Understanding the Mirai Botnet ▪︎ Zane Ma

  2. Mirai

  3. Growing IoT Threat
     2016: 6-9 billion IoT devices
     2020: ~30 billion (projected)

  4. Research Goals
     - Snapshot the IoT botnet phenomenon
     - Reconcile a broad spectrum of botnet data perspectives
     - Understand Mirai's mechanisms and motives

  5. Lifecycle
     Infection path: Bots scan for victims; victims are reported to the report server; the report server dispatches them to the loader; the loader loads the malware onto the victim device, which becomes a bot.
     Attack path: Attacker sends a command to the command & control server; the C2 server relays it to the bots; the bots attack the DDoS target.
     (Roles: Attacker; Infrastructure = report server, loader, C2 server; Devices = bots, victims; DDoS target.)

  6. Measurement (July 2016 - February 2017)
     Data source            Size
     Network telescope      4.7M unused IPs
     Active scanning        136 IPv4 scans
     Telnet honeypots       434 binaries
     Malware repository     594 binaries
     Active/passive DNS     499M daily RRs
     C2 milkers             64K issued attacks
     Krebs DDoS attack      170K attacker IPs
     Dyn DDoS attack        108K attacker IPs
     Each source covers one stage of the lifecycle on slide 5: scanning (telescope, active scans), loading (honeypots, malware repository), C2 (milkers, DNS), and attack (Krebs, Dyn).

  7. What is the Mirai botnet?

  8. Population
     [chart: total Mirai scans observed by the network telescope, 08/01/16 to 02/01/17; y-axis: # network telescope scans, 0 to 700,000]

  9. Rapid Emergence
     [chart: Mirai TCP/23 scans vs non-Mirai TCP/23 scans, 08/01 00:00 to 08/03 18:00 (2016); y-axis: # network telescope scans, 0 to 140,000; inset: total Mirai scans, 08/01/16 to 02/01/17]
     1:42 AM  single scanner
     3:59 AM  botnet expands
     23:59    64,500 scanners
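     The chart above separates Mirai TCP/23 scans from other Telnet scanning hitting the same telescope. The separation works because Mirai's released scanner writes the destination IPv4 address into the TCP sequence number of every probe SYN, which is the fingerprint the paper's authors use on darknet data. The script below is an added example, not code from the slides, the paper or the Mirai source: it applies that fingerprint to constructed SYN records, splits probes per port into Mirai and non-Mirai, and counts distinct Mirai scanners per day (the "64,500 scanners" style figure). The SynRecord fields and all addresses are assumptions for illustration.

```python
# Added example (not from the slides or the paper): fingerprinting Mirai scan
# probes in network-telescope data. Mirai's scanner sets the TCP sequence
# number of each probe SYN to the destination IPv4 address, so a darknet
# sensor can split "Mirai TCP/23 scans" from other Telnet scanning by
# comparing the two fields. All records below are constructed sample data.
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Ports the original Mirai scanner probed (TCP/2323 for roughly one probe in ten).
MIRAI_TELNET_PORTS = {23, 2323}


@dataclass(frozen=True)
class SynRecord:
    """One TCP SYN as a darknet sensor might log it (field layout is assumed)."""
    ts: datetime
    src: str      # scanning host
    dst: str      # telescope address that was probed
    dport: int
    seq: int      # raw 32-bit TCP sequence number


def ip_as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def is_mirai_probe(rec: SynRecord) -> bool:
    """Mirai fingerprint: sequence number equals the destination IPv4 address.

    A randomly chosen ISN matches the destination by chance only once in
    2**32 packets, so the check is effectively noise-free on telescope data.
    """
    return rec.seq == ip_as_int(rec.dst)


def summarize(records):
    """Split probes into Mirai / non-Mirai per port and count Mirai scanners per day.

    Returns (mirai_by_port, other_by_port, mirai_scanners_per_day); the last
    maps an ISO date to the number of distinct Mirai source IPs seen that day.
    """
    mirai_by_port = Counter()
    other_by_port = Counter()
    scanners = defaultdict(set)
    for rec in records:
        if is_mirai_probe(rec):
            mirai_by_port[rec.dport] += 1
            scanners[rec.ts.date().isoformat()].add(rec.src)
        else:
            other_by_port[rec.dport] += 1
    return mirai_by_port, other_by_port, {d: len(s) for d, s in scanners.items()}


# Constructed sample: two Mirai scanners, one unrelated Telnet scanner and one
# SSH scanner. Addresses come from documentation ranges.
SAMPLE = [
    SynRecord(datetime(2016, 8, 1, 1, 42), "203.0.113.7", "192.0.2.10", 23, ip_as_int("192.0.2.10")),
    SynRecord(datetime(2016, 8, 1, 1, 43), "203.0.113.7", "192.0.2.11", 23, ip_as_int("192.0.2.11")),
    SynRecord(datetime(2016, 8, 1, 3, 59), "198.51.100.4", "192.0.2.12", 2323, ip_as_int("192.0.2.12")),
    SynRecord(datetime(2016, 8, 1, 4, 10), "198.51.100.9", "192.0.2.13", 23, 0x1A2B3C4D),   # ordinary Telnet scan
    SynRecord(datetime(2016, 8, 2, 0, 5), "198.51.100.9", "192.0.2.14", 22, 0x5EED5EED),    # SSH scan, no fingerprint
    SynRecord(datetime(2016, 8, 2, 6, 0), "203.0.113.7", "192.0.2.15", 7547, ip_as_int("192.0.2.15")),  # assumed CWMP-probing variant
]


if __name__ == "__main__":
    mirai, other, per_day = summarize(SAMPLE)
    for port in sorted(set(mirai) | set(other)):
        print(f"TCP/{port}: {mirai[port]} Mirai, {other[port]} non-Mirai")
    for day, n in sorted(per_day.items()):
        print(f"{day}: {n} distinct Mirai scanners")
```

     The per-port counters are what the later "Many Ports of Entry" slides plot; the per-day scanner set is the population estimate. Note that the fingerprint identifies the scanner code, not a device: a variant that randomizes the sequence number would fall into the non-Mirai bucket and need a different signature.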

  10. Many Ports of Entry
     [chart: total Mirai scans, 08/01/16 to 02/01/17, broken out by TCP/23 and TCP/2323 ("IoT Telnet"); y-axis: # network telescope scans, 0 to 700,000]

  11. Many Ports of Entry
     CWMP, TCP/7547: 600K peak
     [chart: total Mirai scans with TCP/7547 highlighted, 08/01/16 to 02/01/17; y-axis 0 to 700,000]

  12. Many Ports of Entry
     CWMP, TCP/7547: ~1 month later = 6.7K
     [chart: same series as slide 11]

  13. Many Ports of Entry
     9 additional protocols/ports: TCP/22, TCP/80, TCP/443, TCP/2222, TCP/5555, TCP/6789, TCP/8080, TCP/23231, TCP/37777
     [chart: total Mirai scans broken out by these ports, 08/01/16 to 02/01/17; y-axis 0 to 700,000]

  14. 200K-300K Mirai Bots
     Steady state of 200K-300K bots across all observed ports (TCP/23, 2323, 7547, 22, 80, 443, 2222, 5555, 6789, 8080, 23231, 37777)
     [chart: total Mirai scans by port, 08/01/16 to 02/01/17; y-axis 0 to 700,000]

  15. Modest Mirai
     [chart: total Mirai scans, 08/01/16 to 02/01/17, with the Carna botnet marked above the Mirai botnet for scale]

  16. Global Mirai
     Mirai:      South America + Southeast Asia = 50% of infections
     TDSS/TDL4:  North America + Europe = 94% of infections

  17. Cameras, DVRs, Routers
     Infected devices (HTTPS banners)
     Device type     # HTTPS banners
     Camera / DVR    36.8%
     Router          6.3%
     NAS             0.2%
     Firewall        0.1%
     Other           0.2%
     Unknown         56.4%

     Targeted devices (source code password list)
     Device type     # targeted    Example passwords
     Camera / DVR    26 (57%)      dreambox, 666666
     Router          4 (9%)        smcadmin, zte521
     Printer         2 (4%)        00000000, 1111
     VOIP phone      1 (2%)        54321
     Unknown         13 (28%)      password, default

  18. Who ran Mirai?

  19-21. Divergent Evolution (three build slides)
     - 48 unique password dictionaries
     - Source code release
     - Later variants add binary packing and a DGA (domain generation algorithm)

  22. How was Mirai used?

  23. KrebsOnSecurity

  24. Largest Reported DDoS
     [chart: figure text not recoverable]

  25. Dyn Attacker Motives
     "It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by 'hacktivists.' Or a foreign power that wanted to remind the United States of its vulnerability."

  26. Dyn Attacker Motives (continued)
     - Top targets are linked to Sony PlayStation
     - Attacks on Dyn were interspersed among attacks on other game services

     Targeted IP        rDNS                        Passive DNS
     208.78.70.5        ns1.p05.dynect.net          ns00.playstation.net
     204.13.250.5       ns2.p05.dynect.net          ns01.playstation.net
     208.78.71.5        ns3.p05.dynect.net          ns02.playstation.net
     204.13.251.5       ns4.p05.dynect.net          ns03.playstation.net
     198.107.156.219    service.playstation.net     ns05.playstation.net
     216.115.91.57      service.playstation.net     ns06.playstation.net

  27. Booter-like Targets
     Games:      Minecraft, Runescape, a game commerce site
     Politics:   Chinese political dissidents, a regional Italian politician
     Anti-DDoS:  a DDoS protection service
     Misc:       a Russian cooking blog

  28. Unconventional DDoS Behavior
     - Arbor Networks global DDoS report: 65% volumetric, 18% TCP state, 18% application attacks
     - Mirai: 33% volumetric, 32% TCP state, 34% application attacks
     - Valve Source Engine game server attack
     - Limited reflection/amplification: 2.8% reflection attacks, compared to 74% for booters

  29. Overview
     - 200,000-300,000 globally distributed IoT devices compromised by default Telnet credentials
     - Evidence of multiple operators releasing new strains of Mirai
     - Mirai follows a booter-like pattern of behavior that is capable of launching some of the largest attacks on record

  30. New Dog, Old Tricks
