IoT Botnets: A look under the hood of Mirai

Submitted by Jonah Bellemans on Sun, 04/23/2017 - 15:07

BlackHoleTec recently attended Kaspersky's Industrial Security Day, at which it was revealed that the number of Linux-targeted security attacks has been rising by a staggering 71% per year. This is explained by the rise of IoT botnets. The IoT, or Internet of Things, is the collective name for all "smart" devices that don't fall under the term "computer" but have a connection to the internet: smart cars, domotics, ATMs, webcams, ...

Most of these "embedded" systems run an operating system called Linux, and for a long time they weren't much of a target for cyber criminals due to the low usage rate of the OS. Nowadays, it's almost impossible to live through a single day without bumping into dozens of systems running on it, and of course, cybercrime caught up with it.

Botnets and DDoS attacks

A botnet is a network created by a piece of malware that has a master-slave structure: the master computer sends commands to the infected "zombie", or "slave", devices and gets them to do whatever the attacker wishes. This way, an attacker could use the infected devices as a personal army of malware spreaders by sending mass spam emails, or use the combined computational power of all the devices for personal gain, such as Bitcoin mining or password cracking. Another use the attacker could have for the slave network is conducting DDoS (Distributed Denial of Service) attacks on targets of their own choice. During such an attack, the network sends as many network requests as possible to the target, effectively drowning out all other incoming traffic and overpowering the target until the system crashes. More often than not, the creators of the botnet are not the ones to conduct these attacks: they merely create the tools and then rent them out to anyone who is willing to pay, regardless of what they will use the botnet for.

A new generation

The Mirai botnet takes things to another level: the Internet of Things. What if anything hooked up to the internet could be a potential slave? Not just common laptops, but "smart" sensors, domotics, cars, webcams, ... are potential targets for the malware. With the addition of so many new devices, Mirai packs a mean punch: after security analyst Brian Krebs' website got hit by the botnet, his DDoS protection provider reported it was easily the largest attack they had ever witnessed, nearly twice the power of the second-biggest attack they had seen. His website was brought down with approximately 620 Gbps of incoming traffic, a very, very scary number indeed. The attack on his website prompted him to write a number of follow-up articles about the democratisation of censorship and about Anna-Senpai, the creator of Mirai, both of which I highly recommend reading.


Into the malware

After Anna-Senpai, the creator of Mirai, decided it was time to pack up and get out, they released the source code of the worm, making it possible to analyse the way the malware functions in much more detail than reverse engineering alone would have allowed. The full code repository is available on GitHub for academic purposes, but I'll give a brief rundown of the most noteworthy parts.

Most parts of the worm are written in C, and the CNC (Command and Control) server is written in Go. The design of the software is fairly modular, with every "task" of the worm split up into a different source file. A typical infection scenario starts with the worm probing the target via telnet; if it is successful in gaining access to the system, it kills off any other piece of malware that might be present. This step is quite unique: such "territorial" behaviour hasn't frequently been seen so far when analysing botnets. The worm is capable of locating competing bots such as QBot, Anime, or UPX with a technique they call memory scraping: it effectively locates the processes in memory at runtime and eliminates them if they are found.

After infection, the bot "phones home", connects to the CNC (if it is available) and waits for commands. If there are no masters available to connect to, the malware starts scanning new ranges of IP addresses to infect. This brings us to another quirk of the worm: Mirai has a list of IP ranges it doesn't dare to provoke, in order to stay undetected for longer. This list includes the USPS, the Department of Defense, some servers of Hewlett Packard and the IANA (Internet Assigned Numbers Authority). Whether this list was ever longer, with more sinister IP addresses, and was cleaned up before release, we do not know, just as we'll never know whether this list actually helped prolong the life of the worm before it was discovered.
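The infection behaviour described in the two paragraphs above (telnet probing with a credential list, then a successful login, then scanning onward) leaves a recognisable trace on the defender's side: one source address failing many telnet logins under different usernames within seconds, followed by a success. The script below is an added example written for this article; it is not part of the original post or of the Mirai code base. It parses a constructed, simplified log format (the field names, the `telnetd:` prefix and the sample addresses are all assumptions) and flags sources that behave like a scanning bot, while ignoring an operator who simply mistypes a password a few times over a longer period.

```python
"""Detect Mirai-style telnet credential spraying in device or gateway logs.

Added example for this article; it is not part of the original post or of the
Mirai code base. The log format is constructed for the example (field names
and layout are assumptions), so the regex must be adapted to a real source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
# 203.0.113.10 behaves like a scanning bot: many failed logins under different
# usernames within seconds, then one success.  198.51.100.5 is a normal operator.
# 192.0.2.77 fails five times, but spread over twelve minutes.
SAMPLE_LOG = """\
2017-04-23T15:00:01 telnetd: login attempt from 203.0.113.10 user=root result=FAIL
2017-04-23T15:00:02 telnetd: login attempt from 203.0.113.10 user=root result=FAIL
2017-04-23T15:00:02 telnetd: login attempt from 203.0.113.10 user=admin result=FAIL
2017-04-23T15:00:03 telnetd: login attempt from 203.0.113.10 user=root result=FAIL
2017-04-23T15:00:04 telnetd: login attempt from 203.0.113.10 user=support result=FAIL
2017-04-23T15:00:05 telnetd: login attempt from 203.0.113.10 user=root result=OK
2017-04-23T15:00:07 telnetd: login attempt from 198.51.100.5 user=operator result=OK
2017-04-23T15:00:00 telnetd: login attempt from 192.0.2.77 user=operator result=FAIL
2017-04-23T15:03:00 telnetd: login attempt from 192.0.2.77 user=operator result=FAIL
2017-04-23T15:06:00 telnetd: login attempt from 192.0.2.77 user=operator result=FAIL
2017-04-23T15:09:00 telnetd: login attempt from 192.0.2.77 user=operator result=FAIL
2017-04-23T15:12:00 telnetd: login attempt from 192.0.2.77 user=operator result=FAIL
this line is not a login record and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login attempt from (?P<src>[\d.]+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; non-matching lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_spray(events, window=timedelta(seconds=60), threshold=5):
    """Return one alert per source that accumulates `threshold` failed logins
    inside any sliding `window`, plus a second alert if that same source later
    logs in successfully (the credential list found a working default)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        sprayed = False
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                sprayed = True
                break
        if not sprayed:
            continue
        alerts.append({
            "src": src,
            "kind": "credential_spray",
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
        })
        first_failure = failures[0]["ts"]
        if any(e["ok"] and e["ts"] >= first_failure for e in evs):
            alerts.append({"src": src, "kind": "spray_then_success"})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse(SAMPLE_LOG)):
        print(alert)
```

The sliding window is what separates the bot from the operator: 192.0.2.77 also fails five times, but never five within sixty seconds, so it raises nothing at the default settings and only shows up if the window is widened. The `spray_then_success` alert is the one worth paging on, since it means a default credential worked and the device should be treated as compromised rather than merely probed.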

This, and many more of Mirai's details, make it a very interesting topic to study. The way the code has been written reveals a programmer who knew what they were doing, but, curiously, the sheer arrogance and odd writing style of Anna-Senpai reveal a much more childish character than the code of the bot itself would seem to imply. The combination of the professionalism with which this malware was written and the seemingly childish, arrogant personality of the author may point towards the author of the worm showing borderline sociopathic behaviour.

What can we do?

The first thing that needs to happen to prevent attacks like Mirai is raising awareness. In the IoT industry, it happens way too often that engineers settle for security by obscurity: because the IP addresses of the devices are never shown to the public, a false sense of security is created. However, search engines such as Shodan make it clear that the IoT is NOT secure; on the contrary: more often than not, the default login and password are kept instead of being changed to more secure credentials, and there are currently barely any security precautions that can be taken to make the devices more resistant to attacks. Software integrity checks, especially after pushing software updates to the devices, are paramount to increasing security, combined with network traffic encryption and regular anti-malware scanning.
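The paragraph above calls for software integrity checks around updates. The following is an added example of what such a check looks like on the device; it is not from the original post or from any vendor's update system. It assumes each device holds an update key provisioned at manufacture (a constructed constant here) and that updates ship as an image plus a small manifest of my own design, containing a version number and the SHA-256 digest of the image, authenticated with HMAC-SHA256 over the manifest body. The device refuses anything whose manifest does not authenticate, anything that would roll the version back, and any image whose bytes do not match the authenticated digest.

```python
"""Verify a firmware update before it is applied.

Added example for this article; it is not from the original post or any
vendor's update system. Assumptions: each device holds an update key
provisioned at manufacture (a constructed constant here), and updates ship
as an image plus a manifest of my own design (version number and SHA-256
digest of the image) authenticated with HMAC-SHA256 over the manifest body.
"""
import hashlib
import hmac
import json

# Constructed key for the example; a real device keeps it in secure storage.
UPDATE_KEY = bytes.fromhex("0f" * 32)


def _encode(body):
    """Canonical encoding so publisher and device authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image, version, key=UPDATE_KEY):
    """Publisher side: describe an image and authenticate the description."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_update(image, manifest, installed_version, key=UPDATE_KEY):
    """Device side. Returns (accepted, reason).

    Order matters: authenticate the manifest first so that every later
    decision (version, digest) is taken on data that could not be forged."""
    body = manifest.get("body", {})
    expected_tag = hmac.new(key, _encode(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(expected_tag, str(manifest.get("tag", ""))):
        return False, "manifest authentication failed"
    if not isinstance(body.get("version"), int) or body["version"] <= installed_version:
        return False, "rollback to an older or equal version refused"
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), body["sha256"]):
        return False, "image digest does not match manifest"
    return True, "ok"


if __name__ == "__main__":
    image = b"constructed firmware image bytes, version 2"
    manifest = build_manifest(image, version=2)
    print("genuine:", verify_update(image, manifest, installed_version=1))
    print("tampered image:", verify_update(image + b"\x00", manifest, installed_version=1))
    print("replayed old version:", verify_update(image, manifest, installed_version=2))
    forged = {"body": dict(manifest["body"], version=3), "tag": manifest["tag"]}
    print("forged manifest:", verify_update(image, forged, installed_version=1))
```

The same digest comparison can be re-run periodically against the installed image to detect tampering after installation, which is the "integrity check" the text asks for. HMAC was chosen only to keep the example within the Python standard library: because every device must hold the same secret key, extracting it from a single unit would let an attacker produce valid manifests for the whole fleet, so a production design uses an asymmetric signature (the private key stays with the publisher and devices carry only the public key) and stores the installed version counter where it cannot simply be overwritten.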



(Images used in this article sourced from Kaspersky Labs Blog and Malware Must Die! Blog)
