Mirai: The infamous IoT botnet

Mirai is a Trojan built to compromise Internet-connected DVRs and IP cameras and add them to a botnet used for Distributed Denial of Service (DDoS) attacks. The Trojan was first discovered on August 31, 2016, by MalwareMustDie! (MMD). Mirai can target ARM, ARM7, MIPS, PPC, SH4, SPARC and x86 chipsets, spreading through brute-force attacks over Telnet against unattended devices that still use default administrator credentials. The Trojan is possibly a variant of a Trojan known as Bash0day, Gafgyt, Lizkebab, BASHLITE, Bashdoor, or Torlus, which had infected at least one million Internet-connected devices by August 2016. Once installed on a device, it reports to a C&C server and waits for further instructions. It usually performs brute-force attacks over the Telnet protocol using default factory credentials. The ports attacked by the Trojan include 48101, 7547 and 5555.

Evolution of Mirai botnet

Early August 2016
  • Bash0day/BASHLITE/Bashdoor/Torlus targeted Linux devices
Late August 2016
  • Mirai discovered
  • Targets ARM, ARM7, MIPS, PPC, SH4, SPARC and x86 chipsets
September 2016
  • New version of Mirai
    • Targets SPARC, ARM, MIPS, SH-4, and M68K architectures and Intel x86 computers
    • HTTP flood attack capability
  • Security blog (Krebs on Security) targeted in a DDoS attack (allegedly by Mirai botnet)
  • OVH suffers DDoS of magnitude >1 TB/sec (attack carried out by 145,607 compromised cameras/DVRs)
October 2016
  • Hacker named “Anna-senpai” released the source code of Mirai, after which the number of Mirai-infected devices spiked
  • DDoS attack on Dyn causing massive Internet outage, impacting Twitter, Spotify, Reddit, PayPal, Netflix and several other sites
  • Another multi-platform IoT worm, “Hajime”, discovered
    • Connects over default port 23
    • Downloads secondary malware from a P2P network (torrent)
  • Yet another malware targeting Linux-based IoT devices, “IRCTelnet” (a.k.a. Bashlight)
    • Written in C++
    • Uses default passwords from the Mirai source code
    • Checks if the target is already infected and removes older malware
    • The infected device is added to a botnet controlled via IRC
  • New IoT malware named “Rex” shares similarities with Mirai
    • Initial infections date back to May 2016
    • Combines DDoS botnet and ransomware capabilities, and communicates with other infected devices via P2P
    • Uses infected devices to mine cryptocurrency
    • Targets Drupal, WordPress and Magento, and applications including Exagrid, Apache Jetspeed and AirOS home routers
November 2016
  • New Mirai botnet causes Internet outages in Liberia
    • The attack was of 500 Gbps magnitude
    • The botnet involved in the attack was named Botnet 14
    • Possibly the same botnet that attacked Dyn
  • Hackers selling access to their own Mirai botnet
    • Consisting of 400,000 infected bots for rent to perform distributed denial of service (DDoS) attacks
  • Mirai botnet infects customers of the German telecommunications company Deutsche Telekom
    • Over 900,000 routers attacked
    • TCP port 7547 used to exploit the SOAP Remote Code Execution (RCE) vulnerability on various router models
  • Adversaries using Mirai leveraged the “NewNTPServer” setting of the TR-064 protocol (used by Internet Service Providers to remotely manage customers’ hardware) to execute arbitrary commands on the Eir D1000 Wireless Router (a rebranded Zyxel modem used by the Irish ISP Eir)
  • Customers of the UK-based telecommunication providers KCOM, TalkTalk, and Post Office experienced outages due to ongoing Mirai DDoS activity targeting the Zyxel AMG1302 router
December 2016
  • Sony IPELA Engine IP cameras found vulnerable to Mirai; 80 different Sony camera models are affected
  • New Mirai variant using a Domain Generation Algorithm (DGA)
    • Finds a new command and control server every day (based on the date)
    • Tries to kill other malware such as the Anime malware, the QBot and LizardSquad botnets
    • Used TCP ports 7547 and 5555
  • A hacker group announced that they would be attacking gaming companies during Christmas using the Mirai botnet
  • Router models ZyXEL P660HN-T v1, ZyXEL P660HN-T v2 and Billion 5200W-T manufactured by ZyXEL were reported to be vulnerable to a remote code execution vulnerability; these devices were targeted by the Mirai botnet
January 2017
  • Hacker trying to sell a DDoS tool as a service capable of attacking at a rate of 670 Gbps; he also offered the Mirai source code along with infected bots
  • Brian Krebs alleged that ‘Anna-Senpai’ is associated with (or is the same person as) the owner of a DDoS mitigation company called ProTraf Solutions, Paras Jha
February 2017
  • Windows Trojan (written in C++) used to scan devices on the Internet and spread Mirai. This Windows malware scans several ports including SSH (22), Telnet (23), RPC (135), AD (445), MSSQL (1433), MySQL (3306) and RDP (3389)
  • A British man was arrested on suspicion of carrying out the Deutsche Telekom attack – February 2017
April 2017
  • New Mirai-like IoT malware, sharing code with Mirai, targets devices on port 81
  • Another IoT malware named Hajime uses a table of default credentials like Mirai
July 2017
  • Hacker offering to rent out his portion of an IoT-based Mirai botnet
September 2017
  • A hacker, who used the Mirai botnet to conduct attacks on UK banks, was extradited from Germany to the United Kingdom.
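The recurring pattern in the timeline is a bot that sweeps many addresses on a small set of service ports (Telnet on 23, TR-064/TR-069 on 7547, 5555, 48101, 81, and the ports the Windows spreader probes). A defender-side way to surface that behaviour is to look for one source touching many distinct destinations on those ports inside a short window. The following is an added example, not code from the original post or from any of the analyses it draws on: the log format and the sample lines are constructed, the port set is the union of ports named above, and the window and threshold are assumed starting values to tune per network.

```python
"""Flag Mirai-style scanning in a firewall-like connection log.

Added example (not from the original post). The log format is an assumption:
one event per line, "<ISO timestamp> <src> <dst> <dport> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the timeline: Telnet brute-forcing (23), TR-064/TR-069 (7547),
# 5555 and 48101 from Mirai samples, 81 from the April 2017 Mirai-like variant,
# and the services probed by the Windows spreader (22, 135, 445, 1433, 3306, 3389).
MIRAI_PORTS = {23, 7547, 5555, 48101, 81, 22, 135, 445, 1433, 3306, 3389}

# Constructed sample log: one fast sweeper, one benign admin host hitting a
# single server, and one slow host that spreads its Telnet attempts over hours.
SAMPLE_LOG = """\
2016-11-27T10:00:01 203.0.113.7 198.51.100.10 7547 SYN
2016-11-27T10:00:02 203.0.113.7 198.51.100.11 23 SYN
2016-11-27T10:00:03 203.0.113.7 198.51.100.12 23 SYN
2016-11-27T10:00:04 203.0.113.7 198.51.100.13 5555 SYN
2016-11-27T10:00:05 203.0.113.7 198.51.100.14 23 SYN
2016-11-27T10:00:06 203.0.113.7 198.51.100.15 23 SYN
2016-11-27T10:05:00 192.0.2.5 198.51.100.30 22 SYN
2016-11-27T10:05:03 192.0.2.5 198.51.100.30 22 SYN
2016-11-27T10:05:06 192.0.2.5 198.51.100.30 22 SYN
2016-11-27T10:05:10 192.0.2.5 198.51.100.30 443 SYN
2016-11-27T11:00:00 198.51.100.99 198.51.100.20 23 SYN
2016-11-27T11:30:00 198.51.100.99 198.51.100.21 23 SYN
2016-11-27T12:00:00 198.51.100.99 198.51.100.22 23 SYN
2016-11-27T12:30:00 198.51.100.99 198.51.100.23 23 SYN
2016-11-27T13:00:00 198.51.100.99 198.51.100.24 23 SYN
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_scanners(log_text, window=timedelta(minutes=5), min_targets=5):
    """Return {src: {"targets": n, "ports": [...]}} for every source that reached
    at least `min_targets` distinct destinations on MIRAI_PORTS within any
    sliding time window of length `window`.  Connections to other ports are
    ignored, so ordinary web traffic from the same host does not inflate counts.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport in MIRAI_PORTS:
            events[src].append((ts, dst, dport))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sort by timestamp so the window can slide forward
        best = None
        start = 0
        for end in range(len(evs)):
            # Drop events older than `window` relative to the newest one.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            targets = {dst for _, dst, _ in win}
            if len(targets) >= min_targets and (best is None or len(targets) > best[0]):
                best = (len(targets), sorted({p for _, _, p in win}))
        if best is not None:
            flagged[src] = {"targets": best[0], "ports": best[1]}
    return flagged


if __name__ == "__main__":
    for src, info in detect_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets on ports {info['ports']}")
```

With the default five-minute window only the fast sweeper is reported; the slow host is only caught when the window is widened to cover its two-hour spread, which is the usual trade-off between catching low-and-slow scanning and false positives from legitimate management hosts.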


