Understanding the Mirai Botnet

Size: px

Start display at page:

Download "Understanding the Mirai Botnet"

Arline Short
6 years ago
Views:

1 Understanding the Mirai Botnet Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi Michalis Kallitsis!, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou Akamai Technologies, Cloudflare, Georgia Institute of Technology, Google, Merit Network University of Illinois Urbana-Champaign, University of Michigan 1

2 Mirai 2

3 Growing IoT Threat Billion 2020 ~30 Billion 3

4 Research Goals Snapshot the IoT botnet phenomenon Reconcile a broad spectrum of botnet data perspectives Understand Mirai s mechanisms and motives 4

5 Lifecycle Attacker Send command Infrastructure Command & Control Report Server Dispatch Loader Relay Load Report Devices Scan Victim Bots Attack DDoS Target 5

6 Measurement Attacker Data Source Size Send command Network Telescope 4.7M unused IPs Infrastructure Command & Control Report Server Dispatch Loader Active Scanning Telnet Honeypots 136 IPv4 scans 434 binaries Relay Report Load Malware Repository 594 binaries Active/Passive DNS 499M daily RRs Devices Scan Victim C2 Milkers 64K issued attacks Bots Krebs DDoS Attack 170K attacker IPs Attack Dyn DDoS Attack 108K attacker IPS DDoS Target July February

7 What is the Mirai botnet? 7

8 Population # network telescope scans 700, , , , , , , /01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date Total Mirai Scans 8

9 Rapid Emergence # network telescope scans 700, , , , , , ,000 0 # network telescope scans 140, , ,000 80,000 60,000 40, :42 AM Single Scanner :00 3:59 AM Botnet Expands 08/01 06:00 08/01 12:00 08/01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date 08/01 18:00 23:59 PM 64,500 scanners 08/02 00:00 08/02 06:00 08/02 12:00 08/02 18:00 08/03 00:00 Total Mirai Scans Mirai TCP/23 scans Non-Mirai TCP/23 scans 08/03 06:00 08/03 12:00 08/03 18:00 Date 9

10 Many Ports of Entry 700,000 # network telescope scans 600, , , , , ,000 IoT Telnet TCP/2323 Total Mirai Scans TCP/23 TCP/ /01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date 10

11 Many Ports of Entry 700,000 CWMP TCP/7547 # network telescope scans 600, , , , , , K peak Total Mirai Scans TCP/ /01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date 11

12 Many Ports of Entry 700,000 CWMP TCP/7547 # network telescope scans 600, , , , , ,000 ~1 month = 6.7K Total Mirai Scans TCP/ /01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date 12

13 Many Ports of Entry 700,000 # network telescope scans 600, , , , , ,000 Total Mirai Scans TCP/23231 TCP/22 TCP/2222 TCP/37777 TCP/443 TCP/5555 TCP/6789 TCP/8080 TCP/ /01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date 9 Additional Protocols 13

14 200K-300K Mirai Bots 700,000 # network telescope scans 600, , , , , ,000 Steady state Total Mirai Scans TCP/23231 TCP/22 TCP/2222 TCP/37777 TCP/443 TCP/5555 TCP/6789 TCP/8080 TCP/80 TCP/23 TCP/2323 TCP/ /01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date 14

15 Modest Mirai 700,000 # network telescope scans 600, , , , , ,000 Carna botnet Mirai botnet Total Mirai Scans 0 08/01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date 15

16 Global Mirai Mirai TDSS/TDL4 South America + Southeast Asia = 50% of Infections North America + Europe = 94% of Infections 16

17 Cameras, DVRs, Routers Targeted Devices Source Code Password List Infected Devices HTTPS banners Device Type # Targeted Passwords Examples Device Type # HTTPS banners Camera / DVR 26 (57%) dreambox, Router 4 (9%) smcadmin, zte521 Printer 2 (4%) , 1111 VOIP Phone 1 (2%) Unknown 13 (28%) password, default Camera / DVR 36.8% Router 6.3% NAS 0.2% Firewall 0.1% Other 0.2% Unknown 56.4% 17

18 Who ran Mirai? 18

19 Divergent Evolution 48 unique password dictionaries Source code release 19

20 Divergent Evolution 48 unique password dictionaries Source code release 20

21 Divergent Evolution 48 unique password dictionaries Source code release Binary Packing DGA 21

22 How was Mirai used? 22

23 KrebsOnSecurity 23

24 Largest Reported DDoS 24

25 Dyn Attacker Motives It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by hacktivists. Or a foreign power that wanted to remind the United States of its vulnerability. 25

26 Dyn Attacker Motives It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by hacktivists. Or a foreign power that wanted to remind the United States of its vulnerability. Targeted IP rdns Passive DNS ns1.p05.dynect.net ns00.playstation.net Top targets are linked to Sony PlayStation ns2.p05.dynect.net ns01.playstation.net ns3.p05.dynect.net ns02.playstation.net ns4.p05.dynect.net ns03.playstation.net service.playstation.net ns05.playstation.net service.playstation.net ns06.playstation.net Attacks on Dyn interspersed among attacks on other game services 26

27 Booter-like Targets Games: Minecraft, Runescape, game commerce site Politics: Chinese political dissidents, regional Italian politician Anti-DDoS: DDoS protection service Misc: Russian cooking blog 27

28 Unconventional DDoS Behavior Arbor Networks global DDoS report 65% volumetric, 18% TCP state, 18% application attacks Mirai 33% volumetric, 32% TCP state, 34% application attacks Valve Source Engine game server attack Limited reflection/amplification 2.8% reflection attacks, compared to 74% for booters 28

29 Overview 200, ,000 globally distributed IoT devices compromised by default Telnet credentials Evidence of multiple operators releasing new strains of Mirai Mirai follows a booter-like pattern of behavior that is capable of launching some of the largest attacks on record 29

30 New Dog, Old Tricks 30

31 Security Hardening Username Password xc3511 vizxv admin admin admin xmhdipc default juantech support support (none) admin password user user admin (none) pass admin admin admin smcadmin Username Password admin password 1234 klv123 Administrator admin service service supervisor supervisor guest guest guest guest admin1 password administrator ubnt ubnt klv1234 Zte521 hi3518 jvbzd anko Username Password zlxx. 7ujMko0vizxv 7ujMko0admin system ikwb dreambox user realtek 0 admin admin 1234 admin admin admin admin 7ujMko0admin admin 1234 admin pass admin tech mother meinsm tech fucker 31

32 Automatic Updates # network telescope scans 700, , , , , , ,000 0 CWMP TCP/ /01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date 600K peak CWMP TCP/7547 ~1 month = 6.7K Total Mirai Scans TCP/

33 Device Attribution 55.4M Scanning IP addresses 1.8M Protocol Banners 587K Identifying Labels 33

34 End-of-life Billion 2020 ~30 Billion 34

35 Understanding the Mirai Botnet Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi Michalis Kallitsis!, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, Yi Zhou Akamai Technologies, Cloudflare, Georgia Institute of Technology, Google, Merit Network University of Illinois Urbana-Champaign, University of Michigan 35

18-642: Security Vulnerabilities

18-642: Security Vulnerabilities 11/20/2017 Security Vulnerabilities Anti-Patterns for vulnerabilities Ignoring vulnerabilities until attacked Assuming vulnerabilities won t be exploited: Unsecure embedded