Identifying and Disrupting Mirai Botnets. Chuck McAuley

Transcription

1 Identifying and Disrupting Mirai Botnets Chuck McAuley

2 Who me? Chuck McAuley Principal Threat Researcher at Ixia s Application Threat Intelligence team Talks to all the people Goes to all the places Does all the I ve been called Chief Pie Finger Poker

3 Mirai - A brief background Last year krebsonsecurity.com got taken down by stressers 600 Gigabit DDoS

4 Increased scanning on port 23/2323 Scanning intensified the day of the attack on Krebs Later discovered to be related to Mirai based scans [1] [1]

5 A week or two later and the plot thickens

6 Source Code Released! Unique chance to see how this stuff works from the inside out Treasure trove of data released to play with Some helpful soul already had taken source code and uploaded to github (thanks jgamblin whoever you are!) But the source code was incomplete, did not have a build script that worked, was machine dependent, and generally was readable but not buildable. I wanted my own botnet

7

8 Enter Vagrant Build Environment FTW Vagrant is a VM based tool that allows separation of development (editors, operating system, etc) and build and operational environment. Like docker, but heavier It provided many advantages for building and analysis Platform agnostic build and run on trusty64 in VM, develop on mac Can easily destroy and recreate if need be without a new git fetch Easily isolate on independent network segment Separate analysis from execution This is how real developers do it

9 Build Environment Setup

10 Compile & Build

11 Point, Click, Botnet Operator!!!

12 Highlevel - Four pieces in motion Bot Infected device Multi-architecture POSIX C MIPS, ARM, x86, SPARC, PPC Website hosting bot malware Independent Web Server Hosts Mirai bot binaries Probably compromised server Loader Harvests successful logins/ip pairs Connects back to new devices Fingerprints and loads binaries Very minimal code C2 Server Serves as head end for bots Operator panel Works over telnet Written in Go

13 Infected IoT Stuff Report Results Telnet Brute Force Loader Log In, Fingerprint, Load Binary Binary Hosting Web C2 Server My Stuff Fetch Binary Join The Borg (port 23)

14 Let s focus on the bot code first

15 Bot Execution Path Deletes itself off disk Sets signal trap to change code execution Rewrites function pointers Forks, changes process name Connects to CNC server and waits for connections Starts scanning for new hosts to infect and reports back

16 Bespoke name resolver Hardcoded requests to Sends 5 requests before timeout If DNS fails, will not connect to CNC and Harvester

17 Bot Table Obfuscation Bot has an obfuscated table that is XOR d Table entries need to be encrypted with XOR encryption tools XOR key looks like it s 4 bytes long (0xdeadbeef)

18 Bot Table Encryption Bug The XOR key is actually only one byte 0xDEADBEEF = 0x22 1 Byte XOR key table a lot easier to brute force

19 LMTFY XOR Key

20 Execution Obfuscation Mirai has execution obfuscation Anna-Senpai made a shout out to malwaremustdie He thought it was pretty cool Let s see if he was right!

21 Code execution prevent part 1 Sets a signal Raises Signal if TRUE Compares Filename to Buffer maps function to new function

22 Code execution prevention part 2

23 LMFTFY: String matching with a side of math

24 Bot Scanning Technique Bot comes with a telnet brute forcer Used to discover other devices that might be vulnerable Utilizes a two stage approach Raw socket TCP port scanner Brute forcers hosts that respond to raw socket port scanner Very effective scanner, can send thousands of packets a second

25 Mirai SYN Cookies scanner.c Sets TCP Sequence number = destination IP address Then checks later on if ACK is equal to destination IP + 1

26 Bot Scanner Second Stage Brute forces any listening telnet servers discovered by first stage After login, fingerprints system as a busybox system If successful reports back IP, Port, and User/Pass combo that worked to loader (more on that shortly)

27 Scanner reports back to harvester harvester location is defined in lookup table as TABLE_SCAN_CB_DOMAIN Message signal is packed like this:

28 Scanner Report

29 Loader

30 Let s look at the harvester/loader Harvester (called scanlisten) tools/scanlisten.go Written in go collector of logins Binds to port Writes login information out to STDOUT format is aa.bb.cc.dd:port USER:PASS Loader Written in C Parses STDIN in format that ScanListen sends out Connects to vulnerable devices and starts loading malicious binary Attempts to use wget, curl, tftp, and custom built getter if need be

31 scanlisten

32 Loader reads from STDIN and connects back to IoT devices uses wget, tftp and then built in compiled bin to download a copy Does busybox discovery by looking for string Applet not found Discovers architecture by running cat on /bin/echo Attempts to download correct architecture from site hosting it changes filename to dvrhelper and executes

33 Loader in Action

34 C2 (CNC) Server Written in Go Operates three different interfaces Command API port on 101 Interactive Telnet session (port 23) Control Uses Telnet as well AAA is stored in MySQL DB

35 CNC versus Operator Listener on port 23 If three NULL s it is a bot otherwise start an admin session Bot starts keepalive protocol Admin session sends a greeting followed by username/password prompt.

36 Wait. New Botnet Protocol? What do you do when have a new protocol? RFC!

37 RFC Botnet - handshake

38 RFC Botnet heartbeat

39 RFC Botnet start attack

40 Botnet Attack Options

41 Now with color!

42 What are some of the attacks on the menu?

43 Let s start messin with Sasquatch Now we ve figured out how the network works, let s start figuring out ways to fight back

44 messin with the raw socket I/O Sequence Number == your IP address We can recognize bots easily with no interaction Maybe there are other scanners out there that do the same thing Created a scapy based MHN collector pew pew map!

45 messin with the socket scanner Table of IP addresses with open ports doesn t search for existing entries of same IP You can respond with more than one packet Insert same IP address multiple times We can fill the table, get all the responses

46 You flood me?!? NO I FLOOD YOU!!!

47 OK, NOW YOU FLOOD ME

48 quick dirty binary analysis to find c2 Remember how we said the XOR encryption was only one byte? Brute force the binary to find CNC and Loader DNS entries

49 messin with the harvester Harvester does not check input Can enter all kinds of data incorrect hosts and ports usernames and passwords up to 255 characters long each any kind of binary data for user/pass combos Can be useful to check if harvester is still active ID new loader IP addresses by feeding harvester at regular intervals

50 messin with the harvester

51 messin with loader

52 messin with the CNC Since we can ID the CNC through the binary we can connect back Flood the CNC with fake clients Test if CNC is still alive by connecting to API port quicker and more reliable than trying to join botnet

53 Cuckoo Sandbox Execution Caution Bot wants to scan immediately for new hosts Need to firewall communication Solution Pinhole communication on DNS Repurposed a DNS resolver that drives IP tables When resolution occurs, opens hole in firewall to communicate with that IP Benefit Monitor C2 communications even if bot binary changes behavior Limit exposure (and liability) to infecting other networks

54 LMFTFY Final Edition Fast Flux or similar Use a randomly created SYN cookie rather than IP address Why limit yourself to DDoS? Create a larger password list update 9/1/17 ATT Arris hardcoded user/pass Update 10/26/17 Repear! using vulns for fun and profit Fix your XOR key code For the novices: This is automated loading If you leave root access available, it will be rooted almost immediately

55 FOLLOW THIS