MIRAI IoT Botnet at a Glance

Found an interesting article, originally posted on Fortinet.

Ever since the Mirai DDoS attack was launched a few weeks ago. Mirai, the infamous botnet used in the recent massive distributed denial of service (DDoS) attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure, has ensnared Internet of Things (IoT) devices in 164 countries, researchers say. And although the incident is still under investigation, domain name server provider Dyn posted a more detailed analysis of the distributed denial-of-service attack.


According to Imperva researchers, the investigation of an attack carried out in August has revealed around 49,657 unique IPs hosting Mirai-infected devices, mostly CCTV cameras, already proven popular targets for IoT botnets.


Src: Incapsula (Geo-locations of all Mirai-infected devices uncovered so far)

Akamai and Flashpoint confirm Mirai’s involvement

Mirai, which appeared at the start of September, is a malware family that targets Linux-based Internet of Things (IoT) devices, such as DVRs, CCTV systems, and IP cameras.

The original Mirai botnet is responsible for the two biggest DDoS attacks known to date, of 1.1 Tbps against French ISP OVH, and of 620 Gbps against KrebsOnSecurity.

These IP addresses, researchers say, are located in 164 countries, with Vietnam taking the top spot at 12.8%, followed by Brazil at 11.8%, the United States at 10.9%, China at 8.8%, and Mexico at 8.4%. South Korea, Taiwan, Russia, Romania, and Colombia are rounding up top ten most affected countries. Remote locations such as Montenegro, Tajikistan, and Somalia were also among the affected countries.

Who is the Author of Mirai?

The presumed developer goes under the pseudonym of ‘Anna Senpai’ on Hackforums – an English-speaking hacker forum.


His/her account on the forum is recent (July 2016) and was probably created when he/she started working on Mirai. For example:

·        July 10 – Begins “killing QBots”

·        August 8 – Brute forcing telnet logins

·        August 9 – Planning attack on OVH?. Hackers on the forum were obviously looking for a botnet to rent. Given this thread, it is possible OVH was not targeted by Mirai, or not by Mirai only. Other IoT botnets such as Kaiten are mentioned.

·        Sept 19 – Discussing how to DDoS onion.to

The account does not reveal any personal data, apart from that Anna Senpei .

His/her (actually, I’d vote for “he,” but that’s a personal guess!) country of origin is unknown. The only possible hints are the following – but they could all be false leads:

·        Hack forum is an English speaking forum.

·        Mirai means ‘Future’ in Japanese and in Chinese.

·        Source code has references to Russian (could be copy/pasted)

·        His/her skype login indicates he/she lives in Australia.

Finally, note that “Anna Senpai” is very probably the developer of Mirai, but may not have been involved in all of the DoS attacks attributed to Mirai. Indeed, as the source code was publicly released on Sept 30, 2016, other individuals or cyber criminal groups may have downloaded and used it. Some will say this strategy is quite shrewd to complicate attribution. 😉 On a positive note, inspection of the source code makes the malware easier to understand and detect. It may be viewed on several GitHub repositories.

Who is Behind the Attacks?

The most recent attack on Dyn was claimed by a group known as New World Hackers in retaliation for Ecuador’s rescinding Internet access to WikiLeaks founder Julian Assange, who has been granted asylum at their embassy in London. Two members of this group said they did it to “test power.” So far, this claim hasn’t been backed up by other data.

Is the Malware Advanced?

The source code does not implement any particular “exploit” and is therefore relatively easy to write. It is, however, quite well written, and the implementation of all types of floods requires some network programming knowledge.

Anyway, contrary to general belief, a malware need not be “advanced” to be efficient: the KISS principle (Keep It Simple, Stupid) works very well for malware…

How do we Know Linux/Mirai infects IoT?

We deduce this from two different points:

1.    The source code of Mirai tries to use a tool named dvrHelper, which is assumed to be found on Digital Video Recorders.

2.    In many cases, the list of credentials the malware brute-forces is specific to some devices. For example, credentials root/vizxv is not particularly common, but it happens to match the default password for Dahua DVR-3104H. So we can reasonably assume the malware is trying to hack this device, among others.

Can Linux/Mirai Infect Non-IoT Devices?

Yes, it can. Mirai targets Unix systems using busybox whether they are IoT or not.

In Mirai, the part that is specific to IoT is the list of telnet credentials it tries to brute-force. Some of those default credentials are specific to a given brand and model of IoT, and thus show Mirai targets it. On the other hand, however, some default credentials, such as admin/123456, are generic and would certainly apply to non-IoT hosts as well.

Most of the problem originates from using default passwords. Why can’t the owners change them?

On several of those IoT devices, the password is hardcoded in the firmware, and the tools to change it are not provided.

How do we know a given DDoS comes from devices infected with Linux/Mirai and not from another malware?

Given the situation, there are several ways to check that the attack specifically comes from Mirai:

1.    Identify the type of flood performed, and based on this, deduce the name of the malware. For example, so far only Linux/Mirai implements GRE floods. So if that’s what we see, it’s probably a Linux/Mirai attack (or possibly a yet unknown malware…).

2.    Identify the attacking devices, and based on their brand, deduce if it is Linux/Mirai or some other malware.

3.    Inspect DNS packets: Mirai prefixes its DNS DoS with a pseudorandom 12-character subdomain.

4.    Capture some traffic from infected devices, and depending on command channels and ports, deduce the name of the malware. However, this is usually not easy to do from the network that is being DDoSed.


·        Be sure to put your device on a network secured by security products

·        Reboot the device (this kills Mirai).

·        Check open ports for your device, and if possible close those you do not use.

·        Modify the default credentials!

For more: http://www.securityweek.com/mirai-botnet-infects-devices-164-countries


Source code: https://github.com/jgamblin/Mirai-Source-Code

Knowledge Sharing 


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s