
Analysis: Record DDoS Attacks by Mirai – IoT Botnet

The number of Internet of Things (IoT) devices is growing exponentially. Internet-connected cameras, thermostats, refrigerators and other appliances were recently part of the biggest Distributed Denial of Service (DDoS) attack in history.

This article explains botnets and DDoS, analyses the recent record-breaking DDoS attacks by the Mirai botnet, and takes a brief look at the leaked C++ source code.

A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. For example, if a website’s server is capable of serving 1 byte per second and a DDoS attack of 5 bytes per second is launched against the site, then in the first second 1 byte is processed and the remaining 5 bytes are queued until the next second. At first, visitors don’t have to wait long in the queue, but as the queue grows, so do the delays, until requests start timing out.

Most servers today are capable of serving 1 Gbps. To recreate the illustrated example, an attacker needs to push 5 Gbps of traffic at the server.

Just to get a picture of the cost:

– $50 per month is the cost of a 1 Gbps server
– $300 per month is the cost of a 10 Gbps server

How do hackers generate such vast amounts of traffic?

This is where botnets come into play. A botnet is a set of machines infected with a piece of malware that sleeps in the infected operating system, waiting for a command from a Command and Control (C&C) center. The strength of a particular botnet lies in the number of infected victims (aka bots or zombies) and in the devices’ capability to generate traffic.

Botnets that target computers are unreliable because computers are often offline or turned off and so can’t be used for an attack, meaning that the number of infected victims needs to be at least 5 times greater than would otherwise be needed.

IoT devices are almost always connected to the internet and are also terribly insecure. Those two facts were exploited by Mirai, the IoT botnet that broke the DDoS record. The author, posting under a pseudonym, shared the source code:

He leaked the source code in that post; his share links don’t work anymore, so check GitHub for the source code.

“I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO.”

“With Mirai, I usually pull max 380k bots from telnet alone.”

IoT Device Discovery

Potential victims can be found using search engines such as Shodan and Censys, amazing tools that scan the Internet for every device connected to it.

“Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them.”

“Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan!”

Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed.

Actual DDoS Attacks

The Mirai malware was used for several extremely large DDoS attacks, including:

27/9/2016 – peaks of over 1 Tbps from 152,000 IoT devices: 100,000 smart TVs, refrigerators and other smart household appliances; the rest were probably security cameras, 25,000 of them from China alone

21/10/2016 – the record one, over 1 Tbps against Dyn’s DNS servers.

Dyn DNS is used by many websites and services as their upstream DNS provider, including Twitter, Spotify, SaneBox, Reddit, Box, GitHub, Zoho CRM, PayPal, Airbnb, Freshbooks, Wired.com, Pinterest, Heroku and Vox Media properties.

Infrastructure

Although the attack itself is pretty simple, it requires sizeable infrastructure. The author’s recommended setup:

– 1 VPS with extremely bulletproof host for database server
– 1 VPS, rootkitted, for scanReceiver and distributor
– 1 server for C&C (used like 2% CPU with 400k bots)
– 3x 10gbps NForce servers for loading (distributor distributes to 3 servers equally)

VPS stands for Virtual Private Server, meaning that you control a virtual machine that is actually running on a physical server.

Mirai Analysis

The Mirai malware is a C++ program that continuously scans the internet for IoT devices and attacks them. It tries to log in with default factory credentials, mostly via telnet: each device is hit with a quick dictionary attack that tries all of the default credentials. The dictionary used (username, then password; “(none)” means an empty password):

root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 00000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin 1234
admin pass
admin meinsm
tech tech
mother fucker

When not executing an attack command, bots run the same scan-and-infect routine, spreading the malware further.

Infected devices continue to function normally, apart from occasional sluggishness and increased bandwidth use. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes.
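As an added example (not code from this article or from the leaked Mirai source), a small detector that reads telnet login attempts from a honeypot or telnet daemon log and flags sources whose guesses walk the dictionary above. The log line shape and the source addresses are constructed for the example, and only part of the dictionary is embedded; extend MIRAI_CREDS with the full list.

```python
# Added example for this article (not from the leaked Mirai source): flag telnet
# sources whose login attempts walk the Mirai credential dictionary. The log line
# shape is constructed for the example; adapt LOGIN_RE to your honeypot or daemon.
import re
from collections import defaultdict

# Subset of the dictionary quoted above; "(none)" on the page means an empty password.
MIRAI_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"),
}

# Constructed line shape: "<timestamp> <src-ip> login attempt [user/pass] failed|succeeded"
LOGIN_RE = re.compile(r"^\S+ (?P<src>\d{1,3}(?:\.\d{1,3}){3}) login attempt "
                      r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>failed|succeeded)$")

def classify_sources(lines, min_hits=3):
    """Per source IP: attempts seen, distinct dictionary pairs tried, whether any
    login succeeded, and a verdict: 'mirai-like' once min_hits dictionary pairs
    were tried (a generic brute force rarely follows this exact list)."""
    stats = defaultdict(lambda: {"attempts": 0, "pairs": set(), "success": False})
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        s = stats[m["src"]]
        s["attempts"] += 1
        if (m["user"], m["pw"]) in MIRAI_CREDS:
            s["pairs"].add((m["user"], m["pw"]))
        s["success"] |= m["result"] == "succeeded"
    return {src: {"attempts": s["attempts"], "dict_hits": len(s["pairs"]),
                  "success": s["success"],
                  "verdict": "mirai-like" if len(s["pairs"]) >= min_hits else "other"}
            for src, s in stats.items()}

# Constructed sample: one Mirai-style sweep that finally gets in, one unrelated failure.
SAMPLE_LOG = [
    "2016-10-21T12:00:01Z 198.51.100.7 login attempt [root/xc3511] failed",
    "2016-10-21T12:00:02Z 198.51.100.7 login attempt [root/vizxv] failed",
    "2016-10-21T12:00:03Z 198.51.100.7 login attempt [admin/admin] failed",
    "2016-10-21T12:00:04Z 198.51.100.7 login attempt [root/] succeeded",
    "2016-10-21T12:00:09Z 203.0.113.5 login attempt [pi/raspberry] failed",
]

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(src, verdict)
```

Run it over a device’s own telnet log after a reboot: a flagged source that also produces a “succeeded” line is the reinfection-within-minutes case described above.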

Command and Control

Instead of hardcoding an IP address, the bots resolve a domain name to get the IP address of the C&C server. This way the server’s IP address can be changed, which is a very useful defensive mechanism for the operator. These commands are programmed into the bots:

#define CNC_OP_PING 0x00
#define CNC_OP_KILLSELF 0x10
#define CNC_OP_KILLATTKS 0x20
#define CNC_OP_PROXY 0x30
#define CNC_OP_ATTACK 0x40

The C&C is written in Go and simply issues these commands, which the bots read and translate into C++ function calls.

Don’t-Touch List

One of the most interesting things revealed by the code is a hardcoded list of IP ranges that Mirai bots are programmed to avoid when performing their scans.

This list, reproduced below, includes the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA) and IP ranges belonging to Hewlett-Packard and General Electric.

127.0.0.0/8 – Loopback
0.0.0.0/8 – Invalid address space
3.0.0.0/8 – General Electric (GE)
15.0.0.0/7 – Hewlett-Packard (HP)
56.0.0.0/8 – US Postal Service
10.0.0.0/8 – Internal network
192.168.0.0/16 – Internal network
172.16.0.0/14 – Internal network
100.64.0.0/10 – IANA NAT reserved
169.254.0.0/16 – IANA NAT reserved
198.18.0.0/15 – IANA Special use
224.*.*.*+ – Multicast
6.0.0.0/7 – Department of Defense
11.0.0.0/8 – Department of Defense
21.0.0.0/8 – Department of Defense
22.0.0.0/8 – Department of Defense
26.0.0.0/8 – Department of Defense
28.0.0.0/7 – Department of Defense
30.0.0.0/8 – Department of Defense
33.0.0.0/8 – Department of Defense
55.0.0.0/8 – Department of Defense
214.0.0.0/7 – Department of Defense
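As an added example (not the bot’s own code), a check that tells you whether an address, or one of your own prefixes, falls inside the ranges listed above, i.e. whether a device there is outside Mirai’s scanning scope. It reads “224.*.*.*+” as 224.0.0.0/3, and since the page’s “15.0.0.0/7” has host bits set, the parser widens it to 14.0.0.0/7; treat that entry as an approximation of the list.

```python
# Added example for this article (not the bot's own code): test whether an address
# lies inside the hardcoded ranges quoted above, which Mirai's scanner skips.
# "224.*.*.*+" is read as 224.0.0.0/3 (multicast and everything above it). The
# page's "15.0.0.0/7" has host bits set; strict=False widens it to 14.0.0.0/7.
import ipaddress

MIRAI_SKIP_LIST = [
    ("127.0.0.0/8", "Loopback"), ("0.0.0.0/8", "Invalid address space"),
    ("3.0.0.0/8", "General Electric (GE)"), ("15.0.0.0/7", "Hewlett-Packard (HP)"),
    ("56.0.0.0/8", "US Postal Service"),
    ("10.0.0.0/8", "Internal network"), ("192.168.0.0/16", "Internal network"),
    ("172.16.0.0/14", "Internal network"),
    ("100.64.0.0/10", "IANA NAT reserved"), ("169.254.0.0/16", "IANA NAT reserved"),
    ("198.18.0.0/15", "IANA Special use"), ("224.0.0.0/3", "Multicast"),
    ("6.0.0.0/7", "Department of Defense"), ("11.0.0.0/8", "Department of Defense"),
    ("21.0.0.0/8", "Department of Defense"), ("22.0.0.0/8", "Department of Defense"),
    ("26.0.0.0/8", "Department of Defense"), ("28.0.0.0/7", "Department of Defense"),
    ("30.0.0.0/8", "Department of Defense"), ("33.0.0.0/8", "Department of Defense"),
    ("55.0.0.0/8", "Department of Defense"), ("214.0.0.0/7", "Department of Defense"),
]
SKIP_NETS = [(ipaddress.ip_network(cidr, strict=False), why) for cidr, why in MIRAI_SKIP_LIST]

def skip_reason(ip):
    """Return the list entry that keeps ip out of Mirai's scan, or None when the
    address is in scope (a device there would be probed on telnet)."""
    addr = ipaddress.ip_address(ip)
    for net, why in SKIP_NETS:
        if addr in net:
            return why
    return None

def scan_exposure(cidr):
    """For one of your own prefixes, list the skip entries it overlaps. An empty
    result means the whole prefix is fair game for the scanner."""
    block = ipaddress.ip_network(cidr, strict=False)
    return sorted({why for net, why in SKIP_NETS if net.overlaps(block)})

if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.9", "239.255.255.250"):
        print(ip, "->", skip_reason(ip))
    print("172.16.0.0/12 ->", scan_exposure("172.16.0.0/12"))  # ['Internal network']
```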

DDoS Possibilities

For network-layer attacks, Mirai can launch GRE IP and GRE ETH floods, SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP floods.

Fighting Other Malware

The malware contains several killer routines meant to eradicate competing worms and Trojans, and to block remote connection attempts to the hijacked device.

For example, the following calls kill every process listening on the Telnet, SSH and HTTP ports:

killer_kill_by_port(htons(23)); // Kill telnet service
killer_kill_by_port(htons(22)); // Kill SSH service
killer_kill_by_port(htons(80)); // Kill HTTP service
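As an added example (not from the Mirai source), a host-side check for that killer behaviour: a device whose Telnet, SSH and HTTP listeners all vanish while it stays up matches exactly what the three calls above leave behind. It parses the Linux /proc/net/tcp format; the two snapshots embedded are constructed.

```python
# Added example for this article (not from the Mirai source): a host-side check for
# the killer behaviour described above. Mirai kills whatever listens on ports 23,
# 22 and 80, so a device whose management listeners vanish while it stays up is a
# strong infection indicator. Input is the text of the kernel's /proc/net/tcp.
EXPECTED_LISTENERS = {23: "telnet", 22: "ssh", 80: "http"}

def listening_ports(proc_net_tcp):
    """Set of local TCP ports in LISTEN state (st column == 0A). Columns are
    'sl local_address rem_address st ...' with hex ADDR:PORT pairs."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports

def missing_listeners(proc_net_tcp, expected=EXPECTED_LISTENERS):
    """Names of expected services with no listener. All three gone at once is the
    pattern killer_kill_by_port(htons(23/22/80)) leaves behind."""
    ports = listening_ports(proc_net_tcp)
    return sorted(name for port, name in expected.items() if port not in ports)

# Constructed snapshots: a healthy device, and the same device after the killer ran
# (only one outbound connection, state 01 = ESTABLISHED, remains).
HEALTHY = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 0
"""
INFECTED = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100A8C0:9C40 097100CB:0017 01 00000000:00000000 00:00000000 00000000     0        0 1 0
"""

if __name__ == "__main__":
    # On a real device: missing_listeners(open("/proc/net/tcp").read())
    print("healthy :", missing_listeners(HEALTHY))   # []
    print("infected:", missing_listeners(INFECTED))  # ['http', 'ssh', 'telnet']
```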

The following table entries are the strings it looks for in the memory of running processes in order to locate and eradicate other botnets, a technique known as memory scraping:

#define TABLE_MEM_QBOT // REPORT %s:%s
#define TABLE_MEM_QBOT2 // HTTPFLOOD
#define TABLE_MEM_QBOT3 // LOLNOGTFO
#define TABLE_MEM_UPX // \x58\x4d\x4e\x4e\x43\x50\x46\x22
#define TABLE_MEM_ZOLLARD // zollard

Author(s) Footprints

The Command and Control is in English, but there are some Russian strings in it for username, password and so on. There is also this string: “я люблю куриные наггетсы”, meaning “I love chicken nuggets”.

In table.c, just above some table entries, there is this comment:

// safe string https://youtu.be/dQw4w9WgXcQ

I will leave the conclusions about the author(s) to the readers.
