Understanding the Mirai Botnet - USENIX ▪︎ presented by Zane Ma

Manos Antonakakis✝, Tim April◆, Michael Bailey★, Matthew Bernhard‡, Elie Bursztein✱, Jaime Cochran△, Zakir Durumeric‡, J. Alex Halderman‡, Luca Invernizzi✱, Michalis Kallitsis●, Deepak Kumar★, Chaz Lever✝, Zane Ma★, Joshua Mason★, Damian Menscher✱, Chad Seaman◆, Nick Sullivan△, Kurt Thomas✱, Yi Zhou★

◆Akamai Technologies, △Cloudflare, ✝Georgia Institute of Technology, ✱Google, ●Merit Network, ★University of Illinois Urbana-Champaign, ‡University of Michigan


Mirai

Growing IoT Threat

2016: 6 - 9 billion IoT devices
2020: ~30 billion (projected)

Research Goals

  • Snapshot the IoT botnet phenomenon
  • Reconcile a broad spectrum of botnet data perspectives
  • Understand Mirai's mechanisms and motives

Lifecycle

[Figure: Mirai lifecycle. Infrastructure: Command & Control, Report Server, Loader. Devices: Bots, Victim. Arrows: Scan (Bots → Victim), Report (Bots → Report Server), Dispatch (Report Server → Loader), Load (Loader → Victim, which becomes a Bot), Send command (Attacker → Command & Control), Relay (Command & Control → Bots), Attack (Bots → DDoS Target).]

Measurement

July 2016 - February 2017

Data Source          Size
Network Telescope    4.7M unused IPs
Active Scanning      136 IPv4 scans
Telnet Honeypots     434 binaries
Malware Repository   594 binaries
Active/Passive DNS   499M daily RRs
C2 Milkers           64K issued attacks
Krebs DDoS Attack    170K attacker IPs
Dyn DDoS Attack      108K attacker IPs


What is the Mirai botnet?

Population

[Figure: Total Mirai Scans observed by the network telescope, 08/01/16 to 02/01/17; x-axis Date, y-axis # network telescope scans, 0 to 700,000.]

Rapid Emergence

[Figure, left: Total Mirai Scans, 08/01/16 to 02/01/17 (same plot as Population). Figure, right: Mirai TCP/23 scans vs. non-Mirai TCP/23 scans, 08/01 00:00 to 08/03 18:00, y-axis # network telescope scans, 0 to 140,000. Annotations: 1:42 AM single scanner; 3:59 AM botnet expands; 23:59 64,500 scanners.]
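The right-hand panel separates Mirai TCP/23 scans from other Telnet scans. The slides do not say how the telescope tells them apart; the released Mirai source does: its scanner writes each probe's destination IPv4 address into the TCP sequence number field, and the paper uses that as its Mirai fingerprint. The block below is an added example, not code from the slides, the paper or the Mirai source. It applies that fingerprint to constructed telescope records and counts distinct scanner IPs per day and destination port, which is the per-day population series the plots track. The packet records, addresses and the function names (`is_mirai_probe`, `classify_scans`, `mirai_population`) are this example's own.

```python
"""Added example (not from the slides, the paper or Mirai): fingerprint
Mirai scanner SYNs seen by a network telescope and count scanner IPs."""
from collections import defaultdict
import ipaddress


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 to a 32-bit big-endian integer, the same byte order
    in which a packet parser reads the TCP sequence field."""
    return int(ipaddress.IPv4Address(ip))


def is_mirai_probe(pkt: dict) -> bool:
    """Fingerprint from the released Mirai scanner: each probe is a SYN whose
    TCP sequence number equals the destination IPv4 address."""
    return pkt["flags"] == "S" and pkt["seq"] == ip_to_int(pkt["dst"])


def classify_scans(packets):
    """Bucket telescope SYNs by (UTC day, destination port) and count distinct
    source IPs, split into Mirai and non-Mirai scanners.
    Returns {(day, port): {"mirai": n, "other": m}}."""
    sources = defaultdict(lambda: {"mirai": set(), "other": set()})
    for pkt in packets:
        if pkt["flags"] != "S":        # backscatter and stray ACKs are not probes
            continue
        key = (pkt["ts"][:10], pkt["dport"])
        bucket = "mirai" if is_mirai_probe(pkt) else "other"
        sources[key][bucket].add(pkt["src"])
    return {k: {b: len(s) for b, s in v.items()} for k, v in sources.items()}


def mirai_population(packets) -> int:
    """Distinct Mirai scanner IPs across the capture. Treat it as a rough
    estimate of infected devices: NAT hides many devices behind one IP and
    DHCP churn makes one device show up under several."""
    return len({p["src"] for p in packets if is_mirai_probe(p)})


def _pkt(ts, src, dst, dport, flags="S", seq=None):
    """Build one constructed record; seq defaults to the Mirai fingerprint."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "flags": flags,
            "seq": ip_to_int(dst) if seq is None else seq}


# Constructed telescope records (not real capture data). Telescope addresses
# are unused, so every SYN that reaches them is unsolicited scan traffic.
TELESCOPE_PACKETS = [
    _pkt("2016-08-01T01:42:00Z", "203.0.113.7", "198.51.100.21", 23),   # first Mirai scanner
    _pkt("2016-08-01T03:59:00Z", "203.0.113.8", "198.51.100.22", 23),   # botnet expands
    _pkt("2016-08-01T03:59:30Z", "203.0.113.8", "198.51.100.99", 23),   # same scanner, 2nd probe
    _pkt("2016-08-01T12:00:00Z", "192.0.2.50", "198.51.100.23", 23,
         seq=0x1F2E3D4C),                                                # non-Mirai Telnet scanner
    _pkt("2016-08-01T13:00:00Z", "203.0.113.9", "198.51.100.24", 2323), # "IoT Telnet" port
    _pkt("2016-08-02T09:00:00Z", "203.0.113.7", "198.51.100.25", 7547), # CWMP port
    _pkt("2016-08-02T09:01:00Z", "192.0.2.51", "198.51.100.26", 23,
         flags="A"),                                                     # backscatter, ignored
]

if __name__ == "__main__":
    for (day, port), n in sorted(classify_scans(TELESCOPE_PACKETS).items()):
        print(f"{day} TCP/{port}: {n['mirai']} Mirai, {n['other']} other scanner IPs")
    print("distinct Mirai scanner IPs:", mirai_population(TELESCOPE_PACKETS))
```

On real telescope data the same grouping, run per day over all ports, yields the stacked per-port series shown on the following slides; the sequence-number check is cheap enough to apply inline on a packet stream, and the ACK filter matters because a telescope also receives backscatter from spoofed-source attacks that would otherwise inflate the non-Mirai count.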

Many Ports of Entry

[Figure: Total Mirai Scans, 08/01/16 to 02/01/17, broken out by scanned port.]

  • TCP/23 and "IoT Telnet" TCP/2323
  • CWMP TCP/7547: ~600K peak, down to ~6.7K about one month later
  • 9 additional protocols: TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80

200K-300K Mirai Bots

[Figure: Total Mirai Scans, 08/01/16 to 02/01/17, stacked by port (TCP/23, TCP/2323, TCP/7547, TCP/23231, TCP/22, TCP/2222, TCP/37777, TCP/443, TCP/5555, TCP/6789, TCP/8080, TCP/80).]

Steady state: 200,000 - 300,000 bots

Modest Mirai

[Figure: Total Mirai Scans, 08/01/16 to 02/01/17, with the Mirai botnet's population compared against the Carna botnet.]

Global Mirai

[Figure: world maps of infections, Mirai vs. TDSS/TDL4.]

Mirai: South America + Southeast Asia = 50% of infections
TDSS/TDL4: North America + Europe = 94% of infections

Targeted Devices (source code password list)

Device Type    # Targeted Passwords   Examples
Camera / DVR   26 (57%)               dreambox, 666666
Router         4 (9%)                 smcadmin, zte521
Printer        2 (4%)                 00000000, 1111
VOIP Phone     1 (2%)                 54321
Unknown        13 (28%)               password, default

Infected Devices (HTTPS banners)

Device Type    % of HTTPS banners
Camera / DVR   36.8%
Router         6.3%
NAS            0.2%
Firewall       0.1%
Other          0.2%
Unknown        56.4%

Cameras, DVRs, Routers

Who ran Mirai?

Divergent Evolution

[Figure: Mirai variant lineage over time, branching after the source code release.]

  • 48 unique password dictionaries
  • Source code release
  • DGA
  • Binary packing

How was Mirai used?

KrebsOnSecurity

Largest Reported DDoS

[Figure: attack traffic chart; its axis labels and values did not survive extraction.]

Dyn Attacker Motives

“It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by ‘hacktivists.’ Or a foreign power that wanted to remind the United States of its vulnerability.”

Targeted IP       rDNS                      Passive DNS
208.78.70.5       ns1.p05.dynect.net        ns00.playstation.net
204.13.250.5      ns2.p05.dynect.net        ns01.playstation.net
208.78.71.5       ns3.p05.dynect.net        ns02.playstation.net
204.13.251.5      ns4.p05.dynect.net        ns03.playstation.net
198.107.156.219   service.playstation.net   ns05.playstation.net
216.115.91.57     service.playstation.net   ns06.playstation.net

  • Top targets are linked to Sony PlayStation
  • Attacks on Dyn interspersed among attacks on other game services

Booter-like Targets

  • Games: Minecraft, Runescape, game commerce site
  • Politics: Chinese political dissidents, regional Italian politician
  • Anti-DDoS: DDoS protection service
  • Misc: Russian cooking blog

Unconventional DDoS Behavior

  • Attack mix. Arbor Networks global DDoS report: 65% volumetric, 18% TCP state exhaustion, 18% application-layer attacks. Mirai: 33% volumetric, 32% TCP state exhaustion, 34% application-layer attacks.
  • Valve Source Engine game server attack
  • Limited reflection/amplification: 2.8% reflection attacks, compared to 74% for booters

Overview

  • 200,000 - 300,000 globally distributed IoT devices compromised by default Telnet credentials
  • Evidence of multiple operators releasing new strains of Mirai
  • Mirai follows a booter-like pattern of behavior, yet is capable of launching some of the largest attacks on record

New Dog, Old Tricks

Security Hardening

Credential dictionary from the Mirai source code (Username  Password):

root           xc3511
root           vizxv
root           admin
admin          admin
root           888888
root           xmhdipc
root           default
root           juantech
root           123456
root           54321
support        support
root           (none)
admin          password
root           root
root           12345
user           user
admin          (none)
root           pass
admin          admin1234
root           1111
admin          smcadmin
root           zlxx.
root           7ujMko0vizxv
root           7ujMko0admin
root           system
root           ikwb
root           dreambox
root           user
root           realtek
root           0
admin          1111111
admin          1234
admin          12345
admin          54321
admin          123456
admin          7ujMko0admin
admin          1234
admin          pass
admin          meinsm
tech           tech
mother         fucker
admin          1111
root           666666
root           password
root           1234
root           klv123
Administrator  admin
service        service
supervisor     supervisor
guest          guest
guest          12345
guest          12345
admin1         password
administrator  1234
666666         666666
888888         888888
ubnt           ubnt
root           klv1234
root           Zte521
root           hi3518
root           jvbzd
root           anko

Automatic Updates

[Figure: Total Mirai Scans with CWMP TCP/7547 broken out (same plot as Many Ports of Entry): ~600K peak, down to ~6.7K about one month later.]

Device Attribution

55.4M scanning IP addresses → 1.8M protocol banners → 587K identifying labels
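The funnel above runs from scanning IPs to protocol banners to device labels, and the Infected Devices table reports the labelled share by device type. As an added example, not the paper's classifier (whose rules are not on the slides), the block below labels constructed HTTPS banner strings by device type using a few assumed keyword patterns, drops scanner IPs that returned no banner, and reports the funnel counts together with the per-type share in the same categories as the table. The patterns, banners, addresses and function names (`label_banner`, `attribute`) are assumptions for illustration.

```python
"""Added example: banner-based device attribution for scanner IPs.
The keyword patterns are illustrative assumptions, not the paper's rules."""
import re
from collections import Counter

# Assumed device-type patterns keyed on strings a scanner might see in an
# HTTPS Server header, a Basic-auth realm or a certificate subject.
# First match wins, so order specific device classes before generic ones.
DEVICE_PATTERNS = [
    ("Camera / DVR", re.compile(r"\b(dvr|nvr|ip ?camera|ipcam|netcam|webcam)\b", re.I)),
    ("Router", re.compile(r"\b(router|gateway|adsl|cpe)\b", re.I)),
    ("NAS", re.compile(r"\b(nas|diskstation)\b", re.I)),
    ("Firewall", re.compile(r"\bfirewall\b", re.I)),
]


def label_banner(banner: str) -> str:
    """Map one banner string to a device type; anything unmatched is
    'Unknown', which on the slide is the largest bucket."""
    for device_type, pattern in DEVICE_PATTERNS:
        if pattern.search(banner):
            return device_type
    return "Unknown"


def attribute(records):
    """records: iterable of (scanner_ip, banner_or_None).
    Returns the attribution funnel (IPs -> banners -> labels) and the
    per-type percentage share of banners."""
    scanning_ips = set()
    banners = {}                      # one banner per IP; a later scan overrides
    for ip, banner in records:
        scanning_ips.add(ip)
        if banner:
            banners[ip] = banner
    by_type = Counter(label_banner(b) for b in banners.values())
    labelled = sum(n for t, n in by_type.items() if t != "Unknown")
    shares = ({t: round(100.0 * n / len(banners), 1) for t, n in by_type.items()}
              if banners else {})
    return {
        "scanning_ips": len(scanning_ips),
        "banners": len(banners),
        "labels": labelled,
        "shares": shares,
    }


# Constructed records (not real scan data): a scanner IP and the HTTPS
# banner an active scan got back, or None when nothing answered on 443.
RECORDS = [
    ("203.0.113.1", 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="DVR"'),
    ("203.0.113.2", "subject: CN=IP Camera, O=Example Vendor"),
    ("203.0.113.3", 'WWW-Authenticate: Basic realm="Router"'),
    ("203.0.113.4", "Server: Synology DiskStation"),
    ("203.0.113.5", "Server: Apache/2.4.18 (Ubuntu)"),
    ("203.0.113.6", None),
    ("203.0.113.7", None),
    ("203.0.113.1", 'WWW-Authenticate: Basic realm="DVR"'),   # same IP seen twice
]

if __name__ == "__main__":
    result = attribute(RECORDS)
    print(f"{result['scanning_ips']} scanning IPs -> {result['banners']} banners "
          f"-> {result['labels']} labels")
    for device_type, share in sorted(result["shares"].items(), key=lambda kv: -kv[1]):
        print(f"  {device_type:<14} {share:5.1f}%")
```

The large Unknown share is the honest outcome of keyword labelling: banners from generic embedded web servers carry no device class, which is why the slide's own breakdown leaves more than half of banners unlabelled.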

End-of-life

2016: 6 - 9 billion IoT devices
2020: ~30 billion (projected)
