Weekly Executive Summary for Week September 15, 2017

What is it? Botnet

What has it been dubbed? Mirai

What does it do?

The malware was designed to infect vulnerable IoT devices, which are later used to launch enormous DDoS attacks. Mirai launches large scans of IP addresses to detect which IoT devices are internet accessible. It then uses dictionary attacks to gain admin access to those devices, drawing on a hardcoded list in its source code; these combinations are usually factory or default username and password pairs.

The botnet has the ability to launch HTTP floods and numerous attacks in both the Transport and Network layers of the OSI model. Mirai also contains a hardcoded list of IPs that its bots will avoid when performing IP scans; these addresses belong to organizations like the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA), HP, and General Electric.

Mirai contains a function to search for and destroy other worms or Trojans that may exist on infected devices, like the Anime malware, which also infects IoT devices.

The largest attacks attributed to the malware include the DDoS (Distributed Denial of Service) attack on September 20, 2016 against security journalist Brian Krebs's website, and the attack on October 21, 2016 that targeted DNS provider Dyn. The Dyn attack affected an array of large corporations, including Amazon, HBO, Netflix, Twitter, Verizon Communications, and many more.

How does it do it?

Mirai scans random IP addresses on the internet in an attempt to connect to and take control of vulnerable IoT devices that use default credentials. The malware uses a brute-force attempt (a dictionary attack) to gain admin control of the devices it reaches.

Default credentials list (username – password)

These connection attempts go through ports 7547/5555 (TCP/UDP), 22 (SSH), and 23 (Telnet). Once the malware has infected enough devices to create its botnet, it has the ability to launch a number of DDoS attacks; in 2016, many of these infections were seen in countries like Vietnam, Brazil, the United States, and China.
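A defender's view of the scanning behaviour described above, as an added example that is not part of the original summary: the script flags hosts on a local network that contact many distinct destinations on the ports the summary lists (23, 22, 7547, 5555) within a short window, which is how an infected device looks from the inside. The log format and all IP addresses are constructed for this example.

```python
# Added example: detect Mirai-style outbound scanning in connection logs.
# A bot tries one or two ports against a stream of random IPs, so the signal
# is "one source, many distinct destinations, scan ports only, short window".
from collections import defaultdict
from datetime import datetime, timedelta

MIRAI_SCAN_PORTS = {23, 22, 7547, 5555}  # ports named in the summary

# Constructed firewall log: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2017-09-15T10:00:01 192.168.1.20 -> 203.0.113.5:23 TCP
2017-09-15T10:00:01 192.168.1.20 -> 198.51.100.77:23 TCP
2017-09-15T10:00:02 192.168.1.20 -> 198.51.100.12:23 TCP
2017-09-15T10:00:03 192.168.1.20 -> 203.0.113.200:7547 TCP
2017-09-15T10:00:03 192.168.1.20 -> 198.51.100.3:23 TCP
2017-09-15T10:00:04 192.168.1.20 -> 203.0.113.44:5555 TCP
2017-09-15T10:00:05 192.168.1.50 -> 203.0.113.5:443 TCP
2017-09-15T10:00:06 192.168.1.50 -> 198.51.100.77:22 TCP
2017-09-15T10:03:00 192.168.1.20 -> 203.0.113.6:23 TCP
"""

def parse_line(line):
    """Parse one constructed log line into (time, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, dst_port, _proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: distinct_targets} for every source that reached at
    least `threshold` distinct destinations on scan ports within `window`."""
    events = defaultdict(list)  # src_ip -> [(time, dst_ip), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port = parse_line(line)
        if port in MIRAI_SCAN_PORTS:
            events[src].append((t, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # Distinct destinations contacted in [t0, t0 + window].
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct scan-port targets in one window")
```

Normal clients rarely open Telnet or SSH to many unrelated hosts in a minute, so the threshold can be low; tune `window` and `threshold` to the network's baseline before alerting on it.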

Mirai has the ability to launch HTTP flood attacks, a type of DDoS attack that overwhelms a web server or application with a flood of HTTP GET and POST requests. Another attack Mirai utilizes is the SYN-ACK flood, which involves sending spoofed SYN-ACK packets at a high rate to a targeted server.

The botnet also uses STOMP (Simple Text Oriented Message Protocol) floods. STOMP is a simple text-based protocol, very similar to HTTP. The attack works by first opening an authenticated TCP handshake with a targeted device, then sending a spoofed STOMP TCP request; a flood of these fake STOMP requests leads to network instability.

Mirai bots are programmed not to scan a hardcoded list of IP addresses; these addresses belong to organizations like General Electric, HP, IANA, the DoD, and the US Postal Service.

List of unscanned IPs

Source: incapsula

Mirai also attempts to search for and destroy any other Trojans and worms that may be infecting the targeted system. It locates and kills any processes in memory that are known to be used by other botnets. One of these well-known IoT-targeting malware families, “Anime”, is searched for and destroyed using the following function.

Function used to locate and kill anime malware

Conclusion:

Though this botnet has become a bit aged, it is worth noting that IoT devices remain just as vulnerable as they have been in the past. Many vendors ship these devices with hardcoded credentials (embedded in firmware) that may never be updated. The recent attack vector “BlueBorne” could allow attackers to exploit Bluetooth vulnerabilities to run remote code, which could allow for further spreading of malware.

The source code of the Mirai botnet was released on a well-known hacker forum, and researchers say that attackers do this to “muddy the waters” and try to lead researchers away from their trail. With the code publicly available, other attackers can make changes and variants, and it becomes harder to trace the origin of the original infection.

IoT devices aren’t going away, and more and more devices are popping up every day. Yet through the rapid increase in the development of these devices, security seems to be lackluster, to say the least. This type of attack is carried out with little to no awareness from infected users, and we’ve actually seen the devastating effects these types of botnets can have on a company’s infrastructure.

Sources:

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html (incapsula)

http://www.zdnet.com/article/mirai-botnet-attack-hits-thousands-of-home-routers-throwing-users-offline/ (zdnet)

https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks (symantec)