Mirai Botnet

The Mirai Botnet is named after the Mirai Trojan, the malware that was used in its creation. Mirai was discovered by MalwareMustDie!, a white-hat security research group, in August 2016. After obtaining samples of the Mirai Trojan, they determined that it had evolved from a previously-created Trojan, known as Gafgyt, Lizkebab, Bashlite, Bash0day, Bashdoor, and Torlus. They reported that it was created using ELF (Executable and Linkable Format) binaries, a common file format for Linux and UNIX-based systems. This format is used in the firmware of many IoT devices including routers, DVRs, and IP cameras. In the samples they studied, the research group noted that Mirai targets SSH or Telnet network protocols, exploiting default and hardcoded credentials or using brute-force techniques to compromise the Linux-based devices. According to a report by intelligence firm, Flashpoint, the primary default username and password combination used on these vulnerable devices is root and xc3511. (See Fig. 1 for additional username/password combinations.) Once compromised, the malware payload is delivered. In some cases, the malware’s executable files delete themselves after the main process launches, in order to avoid detection. Mirai also encrypts the traffic that passes between the infected devices and the C2 servers used to issue commands in order to prevent monitoring. A detailed analysis of the Mirai Trojan can be found on the MalwareMustDie! Blog.

 

Fig. 1 – Source: KrebsOnSecurity.com

 

DDoS Attacks Attributed to the Mirai Botnet:

The Mirai Botnet began garnering a lot of attention on October 1, 2016 when security researcher, Brian Krebs, published a blog post titled Source Code for IoT Botnet “Mirai” Released. According to his post, the alleged botnet creator, “Anna-senpai,” leaked the Mirai Botnet source code on a popular hacking forum. Just a week and a half prior, on September 20, Krebs’ website was the target of the largest DDoS attack that cloud security provider, Akamai, had seen up to that point. At 620 Gbps, Akamai struggled to mitigate the attack and ultimately made the decision to stop shielding KrebsOnSecurity.com, giving Brian Krebs approximately two hours to migrate his site off their network. To protect his website hosting provider from the ongoing attack, Krebs requested that all incoming network traffic be redirected to 127.0.0.1 until a better solution could be found. A few days later, on September 25, Krebs’ site returned with the help of Project Shield, an initiative by Google designed to help protect journalists from online censorship. After a thorough investigation, the DDoS attack on Krebs’ website was attributed to the Mirai Botnet. More information about Krebs’ DDoS attack and recovery can be found in his blog post titled, The Democratization of Censorship.

On September 20, the same day as the Krebs DDoS attack, OVH, a French-based web hosting provider, was targeted with network traffic that amounted to nearly 1 Tbps. Over the next 48 hours, OVH was the victim of more than 25 DDoS attacks on its servers. OVH founder, Octave Klaba, posted a picture to his personal Twitter account of the company’s network traffic log detailing the simultaneous attacks, each of them well over 100 Gbps. Klaba followed up with another post suggesting that this botnet, comprised of nearly 150,000 cameras and DVRs, was capable of delivering a multi-vector 1.5 Tbps DDoS attack. Fortunately, OVH was able to recover from the attack and it was determined that this was attack was conducted using the Mirai botnet.

On October 22, 2016, Dynamic Network Services, Inc., also known as Dyn, was the target of three large-scale DDoS attacks, which caused disruption to many major websites and online services across the U.S. Dyn’s DNS server infrastructure, responsible for resolving domain names to their IP addresses, struggled due to the strength of the attacks which reportedly reached 1 Tbps. Many large and popular companies felt the effects as users were unable to reach their websites for extended periods of time. Affected websites included: Twitter, Spotify, Amazon, Paypal, GitHub, Netflix, CNBC, among others. Dyn reported that the attacks were “well planned and executed, coming from tens of millions of IP addresses at the same time.” Flashpoint confirmed that the attacks against the Dyn DNS were the result of the Mirai Botnet. However, Flashpoint also noted that these attacks came from different sources than those that attacked KrebsOnSecurity.com and OVH, suggesting it may have been a different attacker who downloaded the Mirai source code and used it to create his or her own Mirai Botnet to launch this particular attack. The investigation is ongoing and, as of now, no attribution has been made.

UPDATE 12/16/2016: A new variant, dubbed Botnet #14 or Annie, was discovered by researchers from Qihoo 360 Technology Co., Ltd. It was designed with a built-in, but limited, domain generation algorithm (DGA) which generates one domain per day to use for communication with its C2 servers. This feature makes it very difficult to dismantle the botnet because it requires the successful prediction and purchase of domain names that the algorithm has not yet generated, as well as the coordination between law enforcement, domain registrars, and even security companies. However, Qihoo’s researchers were able to crack Botnet #14’s DGA and determine which domains it would generate. The Swiss Governmental Computer Emergency Response Team (GovCERT) posted a list of these domains here. This resulted in the botnet creator removing the DGA feature and claiming to have replaced it with Tor to preserve anonymity for the botnet controller and make it much more difficult for law enforcement to track and shut down domains. As of yet, no Mirai variant has been spotted using Tor for C2 communication in the wild.

UPDATE 2/21/2017: Kaspersky Lab published a report about a January 2017 discovery of a cross-platform Windows-based botnet actively distributing a Mirai variant. Internet-facing SQL servers running Windows that are connected to networks of devices with embedded Linux systems such as IP cameras, DVRs, and media center appliances are particularly vulnerable to this threat. Analysis of the code of this new botnet leads researchers at Kaspersky to believe that it was developed by a Chinese-speaking author. 

UPDATE 2/23/2017: UK police have arrested a suspect behind the DDoS attacks that knocked a German telecommunications company, Deutsche Telekom, offline in November 2016. The source of these attacks was attributed to Mirai Botnet #14 which exploited a vulnerability in the company’s standard router.

UPDATE 3/30/2017: A new Mirai botnet variant was observed targeting a US college beginning on February 28, 2017 and lasting 54 hours. The traffic generated by this new variant averaged over 30,000 RPS and peaked at approximately 37,000 RPS - the largest seen by any Mirai botnet to date. The attack generated more than 2.8 billion requests. Devices used in the attack include CCTV cameras, DVRs, and routers and cybersecurity firm, Imperva, discovered that 56 percent of the 9,793 IPs used in the attack originated from DVRs manufactured by the same vendor. 70 percent of the traffic originated from ten countries with the US representing almost 20 percent of the botnet IP addresses used.

UPDATE 4/11/2017: Between March 20 and March 27, one variant of the Mirai malware was observed delivering a Bitcoin-mining module to infected 64-bit BusyBox-based IoT devices. Researchers believe that distribution of this variant ceased because the infected devices lack the processing power needed to successfully mine Bitcoin. IBM researchers claim to have traced this version back to a web console used by a Chinese-speaking actor.