Understanding the Mirai Botnet ▪︎ Zane Ma

Understanding the Mirai Botnet

Manos Antonakakis✝, Tim April◆, Michael Bailey★, Matthew Bernhard‡, Elie Bursztein✱, Jaime Cochran△, Zakir Durumeric‡, J. Alex Halderman‡, Luca Invernizzi✱, Michalis Kallitsis●, Deepak Kumar★, Chaz Lever✝, Zane Ma★, Joshua Mason★, Damian Menscher✱, Chad Seaman◆, Nick Sullivan△, Kurt Thomas✱, Yi Zhou★

◆Akamai Technologies, △Cloudflare, ✝Georgia Institute of Technology, ✱Google, ●Merit Network, ★University of Illinois Urbana-Champaign, ‡University of Michigan
Mirai

Growing IoT Threat

2016: 6 - 9 billion IoT devices
2020: ~30 billion (forecast)
Research Goals

• Snapshot the IoT botnet phenomenon
• Reconcile a broad spectrum of botnet data perspectives
• Understand Mirai's mechanisms and motives
Lifecycle

[Diagram: Mirai lifecycle. Components: Attacker, Command & Control, Report Server, Loader (infrastructure); Bots, Victim (devices); DDoS Target. Labelled edges: Bots Scan for victims; a successful login is Reported to the Report Server; the Report Server Dispatches the victim to the Loader, which Loads the malware onto the victim; the Attacker Sends commands to Command & Control, which Relays them to the Bots; the Bots Attack the DDoS Target.]
Measurement

July 2016 - February 2017

Data Source           Size
Network Telescope     4.7M unused IPs
Active Scanning       136 IPv4 scans
Telnet Honeypots      434 binaries
Malware Repository    594 binaries
Active/Passive DNS    499M daily RRs
C2 Milkers            64K issued attacks
Krebs DDoS Attack     170K attacker IPs
Dyn DDoS Attack       108K attacker IPs
What is the Mirai botnet?
Population

[Plot: Total Mirai scans per day seen by the network telescope, 08/01/16 - 02/01/17; y-axis: # network telescope scans, 0 - 700,000]

Rapid Emergence

[Plot: Mirai TCP/23 scans vs. non-Mirai TCP/23 scans in the network telescope, hourly, 08/01 00:00 - 08/03 18:00 (August 2016); y-axis: # network telescope scans, 0 - 140,000]

• 1:42 AM: a single scanner
• 3:59 AM: the botnet expands
• 11:59 PM: 64,500 scanners
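The split between Mirai and non-Mirai TCP/23 scans in the plot above relies on being able to pick Mirai probes out of everything else that knocks on Telnet. The accompanying paper does this with a quirk of Mirai's stateless scanner: each SYN carries its destination IPv4 address as the TCP sequence number instead of a random ISN. The following is an added example, not code from the slides or the paper. It parses tcpdump-style SYN records, applies that check, and counts unique scanning sources per destination port, split into Mirai-fingerprinted and other. The sample capture is constructed for this example and uses RFC 5737 documentation addresses.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SynProbe:
    src: str    # scanning host
    dst: str    # probed address
    dport: int  # probed port (23/2323 for the original Mirai, others for variants)
    seq: int    # absolute TCP sequence number carried by the SYN


# Shape of a bare SYN in `tcpdump -nn -S` output; the constructed sample lines below match it.
_TCPDUMP_SYN = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\], seq (?P<seq>\d+)"
)


def parse_tcpdump(lines):
    """Yield a SynProbe for every line that looks like a tcpdump SYN record."""
    for line in lines:
        m = _TCPDUMP_SYN.search(line)
        if m:
            yield SynProbe(m["src"], m["dst"], int(m["dport"]), int(m["seq"]))


def is_mirai_probe(p: SynProbe) -> bool:
    """Mirai's scanner writes the destination IPv4 address into the 32-bit TCP
    sequence field, so for a Mirai SYN the two values are equal."""
    return p.seq == int(ipaddress.IPv4Address(p.dst))


def summarize(probes):
    """Unique scanning sources per destination port, split into Mirai-fingerprinted
    probes and everything else (the two series the slide above plots for TCP/23)."""
    buckets = {"mirai": {}, "other": {}}
    for p in probes:
        key = "mirai" if is_mirai_probe(p) else "other"
        buckets[key].setdefault(p.dport, set()).add(p.src)
    return {k: {port: len(srcs) for port, srcs in v.items()} for k, v in buckets.items()}


# Constructed sample capture. 192.0.2.10 as a 32-bit integer is 3221225994, so the
# first, second and fourth lines carry the Mirai fingerprint; the others do not.
SAMPLE_TCPDUMP = """\
02:01:00.000001 IP 203.0.113.7.45123 > 192.0.2.10.23: Flags [S], seq 3221225994, win 14600, length 0
02:01:00.000002 IP 203.0.113.7.45124 > 192.0.2.11.2323: Flags [S], seq 3221225995, win 14600, length 0
02:01:00.000003 IP 198.51.100.4.51000 > 192.0.2.10.23: Flags [S], seq 439041101, win 29200, options [mss 1460], length 0
02:01:00.000004 IP 203.0.113.9.40000 > 192.0.2.12.23: Flags [S], seq 3221225996, win 14600, length 0
02:01:00.000005 IP 198.51.100.4.51001 > 192.0.2.10.80: Flags [S], seq 12345, win 29200, length 0
""".splitlines()


if __name__ == "__main__":
    print(summarize(parse_tcpdump(SAMPLE_TCPDUMP)))
    # {'mirai': {23: 2, 2323: 1}, 'other': {23: 1, 80: 1}}
```

On a live capture, `tcpdump -nn -S 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` prints bare SYNs in this shape; `-S` matters because tcpdump otherwise prints relative sequence numbers. A random ISN collides with the destination address with probability 2^-32 per packet, so rank sources by repeated matches rather than trusting a single SYN, and remember that a variant which rewrote the scanner would not carry this fingerprint at all.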
Many Ports of Entry

[Plot: Total Mirai scans per day by destination port, 08/01/16 - 02/01/17; y-axis: # network telescope scans, 0 - 700,000. Series: TCP/23, TCP/2323, TCP/7547, TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80]

• TCP/23 and TCP/2323 ("IoT Telnet"): the original Mirai scan ports
• CWMP TCP/7547: peaked at ~600K scanning devices, then fell to ~6.7K within about one month
• 9 additional protocols/ports were scanned over the study period: TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80

200K-300K Mirai Bots

• Steady state: summed across all ports, the botnet settled at roughly 200K-300K infected devices
Modest Mirai

[Plot: Total Mirai scans, 08/01/16 - 02/01/17; y-axis: # network telescope scans, 0 - 700,000; the Mirai botnet's size is shown against that of the Carna botnet]
Global Mirai

[Map: geographic distribution of Mirai infections compared with TDSS/TDL4]

• Mirai: South America + Southeast Asia = 50% of infections
• TDSS/TDL4: North America + Europe = 94% of infections
Targeted Devices (from the source code password list)

Device Type    # Targeted Passwords   Examples
Camera / DVR   26 (57%)               dreambox, 666666
Router         4 (9%)                 smcadmin, zte521
Printer        2 (4%)                 00000000, 1111
VOIP Phone     1 (2%)                 54321
Unknown        13 (28%)               password, default

Infected Devices (from HTTPS banners)

Device Type    % of HTTPS banners
Camera / DVR   36.8%
Router         6.3%
NAS            0.2%
Firewall       0.1%
Other          0.2%
Unknown        56.4%

Cameras, DVRs and routers dominate both the targeted and the infected populations.
Who ran Mirai?
Divergent Evolution

[Figure: timeline of Mirai variants observed in the collected binaries, with the source code release marked]

• 48 unique password dictionaries across the collected binaries
• Source code release
• Later variants add a domain generation algorithm (DGA)
• Later variants add binary packing
How was Mirai used?
KrebsOnSecurity

Largest Reported DDoS

[Chart: sizes of the largest reported DDoS attacks over time; labels not recoverable from the extracted text]
Dyn Attacker Motives

“It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by ‘hacktivists.’ Or a foreign power that wanted to remind the United States of its vulnerability.”

Targeted IP        rDNS                      Passive DNS
208.78.70.5        ns1.p05.dynect.net        ns00.playstation.net
204.13.250.5       ns2.p05.dynect.net        ns01.playstation.net
208.78.71.5        ns3.p05.dynect.net        ns02.playstation.net
204.13.251.5       ns4.p05.dynect.net        ns03.playstation.net
198.107.156.219    service.playstation.net   ns05.playstation.net
216.115.91.57      service.playstation.net   ns06.playstation.net

• Top targets are linked to Sony PlayStation
• Attacks on Dyn were interspersed among attacks on other game services
Booter-like Targets

• Games: Minecraft, Runescape, a game commerce site
• Politics: Chinese political dissidents, a regional Italian politician
• Anti-DDoS: a DDoS protection service
• Misc: a Russian cooking blog
Unconventional DDoS Behavior

• Attack mix differs from the Internet-wide baseline. Arbor Networks global DDoS report: 65% volumetric, 18% TCP state, 18% application attacks. Mirai: 33% volumetric, 32% TCP state, 34% application attacks.
• Game-specific vector: Valve Source Engine game server attack
• Limited reflection/amplification: 2.8% reflection attacks, compared to 74% for booters
Overview

• 200,000 - 300,000 globally distributed IoT devices compromised through default Telnet credentials
• Evidence of multiple operators releasing new strains of Mirai
• Mirai follows a booter-like pattern of behavior, yet is capable of launching some of the largest attacks on record
New Dog, Old Tricks
Security Hardening

The 62 username/password pairs hard-coded in the Mirai source code ((none) = empty password):

Username        Password
root            xc3511
root            vizxv
root            admin
admin           admin
root            888888
root            xmhdipc
root            default
root            juantech
root            123456
root            54321
support         support
root            (none)
admin           password
root            root
root            12345
user            user
admin           (none)
root            pass
admin           admin1234
root            1111
admin           smcadmin
admin           1111
root            666666
root            password
root            1234
root            klv123
Administrator   admin
service         service
supervisor      supervisor
guest           guest
guest           12345
guest           12345
admin1          password
administrator   1234
666666          666666
888888          888888
ubnt            ubnt
root            klv1234
root            Zte521
root            hi3518
root            jvbzd
root            anko
root            zlxx.
root            7ujMko0vizxv
root            7ujMko0admin
root            system
root            ikwb
root            dreambox
root            user
root            realtek
root            00000000
admin           1111111
admin           1234
admin           12345
admin           54321
admin           123456
admin           7ujMko0admin
admin           1234
admin           pass
admin           meinsm
tech            tech
mother          fucker
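Every pair in this list is printed on a factory label somewhere, so the practical hardening check is to confirm that none of them still opens a shell on the devices you own. The following is an added example, not code from the slides or the paper. It reimplements the login exchange of Mirai's brute-force phase as a defensive audit: walk the dictionary against a Telnet service and report the pairs that return a shell prompt. `FakeTelnetDevice` is a constructed stand-in for a vulnerable camera or DVR so the audit can run offline; `MIRAI_CREDENTIALS` holds a subset of the list above, and the accepted pair `root`/`xc3511` is chosen for the demonstration.

```python
import socket
import threading

# Username/password pairs from the Mirai dictionary reproduced above (a subset;
# extend with the rest of the 62 pairs for a full audit).
MIRAI_CREDENTIALS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
]


def _recv_until(sock, markers, limit=4096):
    """Read until a lower-case byte marker appears, the peer closes, or the timeout fires."""
    buf = b""
    while len(buf) < limit and not any(m in buf.lower() for m in markers):
        try:
            chunk = sock.recv(512)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def try_login(host, port, username, password, timeout=3.0):
    """One Telnet login attempt, the same exchange Mirai's brute-force phase runs.
    True only if the device answers with a shell prompt ('#' or '$') and no failure text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        _recv_until(s, (b"login:", b"username:"))
        s.sendall(username.encode() + b"\r\n")
        _recv_until(s, (b"password:",))
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, (b"#", b"$", b"incorrect", b"login:"))
        return (b"#" in reply or b"$" in reply) and b"incorrect" not in reply.lower()


def audit_telnet(host, port, creds=MIRAI_CREDENTIALS, timeout=3.0):
    """Try every pair against host:port; return the pairs that yield a shell."""
    working = []
    for user, pw in creds:
        try:
            if try_login(host, port, user, pw, timeout):
                working.append((user, pw))
        except OSError:
            continue  # refused/reset/timed out: count as a failed attempt, move on
    return working


def _readline(conn, limit=256):
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").strip()


class FakeTelnetDevice(threading.Thread):
    """Constructed stand-in for a vulnerable IoT Telnet service: a BusyBox-style
    login that accepts exactly one pair. Exists only so the audit can run offline."""

    def __init__(self, accept=("root", "xc3511")):
        super().__init__(daemon=True)
        self.accept = accept
        self._closing = threading.Event()
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))  # ephemeral port
        self._srv.listen(8)
        self._srv.settimeout(0.2)
        self.port = self._srv.getsockname()[1]

    def run(self):
        while not self._closing.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break  # listening socket closed by stop()
            with conn:
                try:
                    conn.settimeout(3.0)
                    conn.sendall(b"\r\nlogin: ")
                    user = _readline(conn)
                    conn.sendall(b"Password: ")
                    pw = _readline(conn)
                    if (user, pw) == self.accept:
                        conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
                    else:
                        conn.sendall(b"\r\nLogin incorrect\r\nlogin: ")
                except OSError:
                    pass

    def stop(self):
        self._closing.set()
        self._srv.close()


if __name__ == "__main__":
    dev = FakeTelnetDevice(accept=("root", "xc3511"))
    dev.start()
    print(audit_telnet("127.0.0.1", dev.port))  # [('root', 'xc3511')]
    dev.stop()
```

Run this only against devices you own. The client ignores Telnet option negotiation (IAC sequences) rather than answering it, and it judges success by a `#` or `$` prompt with no "incorrect" in the reply, which is a heuristic: a device with an unusual banner may need the markers adjusted. A device that passes the audit with the full 62-pair list still has Telnet reachable; the durable fix is to disable Telnet or block TCP/23 and TCP/2323 from the Internet.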
Automatic Updates

[Plot: Total Mirai scans and the CWMP TCP/7547 series, 08/01/16 - 02/01/17; y-axis: # network telescope scans, 0 - 700,000]

• CWMP TCP/7547: ~600K peak, down to ~6.7K within about one month
Device Attribution

• 55.4M scanning IP addresses
• 1.8M protocol banners
• 587K identifying labels
End-of-life

2016: 6 - 9 billion IoT devices
2020: ~30 billion (forecast)