by RSS Axelle Apvrille  |  Oct 31, 2016  |  Filed in: Industry Trends & News

Ever since the Mirai DDoS attack was launched a few weeks ago, we have received a number of questions that I will try to answer here. If you have more follow-up questions, please let me know!

Who is the Author of Mirai?

The presumed developer goes under the pseudonym of 'Anna Senpai' on Hackforums - an English-speaking hacker forum.

His/her account on the forum is recent (July 2016). and was probably created when he/she started working on Mirai. For example:

The account does not reveal any personal data, apart from that Anna Senpei poses as a clever person, well informed on cybercriminality (here or here, or here), and arrogant.

His/her (actually, I'd vote for "he,” but that's a personal guess!) country of origin is unknown. The only possible hints are the following - but they could all be false leads:

  • Hack forum is an English speaking forum.
  • Mirai means 'Future' in Japanese and in Chinese.
  • Source code has references to Russian (could be copy/pasted)
  • His/her skype login indicates he/she lives in Australia.

Finally, note that "Anna Senpai" is very probably the developer of Mirai, but may not have been involved in all of the DoS attacks attributed to Mirai. Indeed, as the source code was publicly released on Sept 30, 2016, other individuals or cybercriminal groups may have downloaded and used it. Some will say this strategy is quite shrewd to complicate attribution. ;) On a positive note, inspection of the source code makes the malware easier to understand and detect. It may be viewed on several github repositories: herehere and here.

Who is Behind the Attacks?

The most recent attack on Dyn was claimed by a group known as New World Hackers in retaliation for Ecuador's rescinding Internet access to WikiLeaks founder Julian Assange, who has been granted asylum at their embassy in London. Two members of this group said they did it to "test power.” So far, this claim hasn't been backed up by other data.

For other attacks: see the first question. Attribution is more difficult because the source code is now public.

Is the Malware Advanced?

The source code does not implement any particular "exploit" and is therefore relatively easy to write. It is, however, quite well written, and the implementation of all types of floods requires some network programming knowledge.

Anyway, contrary to general belief, a malware need not be "advanced" to be efficient: the KISS principle (Keep It Simple, Stupid) works very well for malware...

List of Attacks Attributed to Linux/Mirai

Date

Where

Rate

Comments

Oct 21, 2016

Dyn DNS

1.2 Tbps?

Some of the attacks were coming from hosts infected with Mirai. Impacted Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. New World Hackergroup claimed responsibility. Size of botnet: 100,000.

Sept 22, 2016

OVH

1 Tbps

145,607 cameras and DVRs

Sept 13, 2016

KrebsOnSecurity.com

620 Gbps

More info from host Akamai

Aug 17, 2016

Incapsula

280 Gbps

Size of the botnet: 49,657 unique IPs. Most from CCTV cameras, DVRs and routers.

What is the Relationship of Mirai With Kaiten, Gafgyt, Bashlite etc?

Comparing

Tsunami

ELF/Gafgyt

Linux/Moose

PNscan

Linux/Remaiten

Mirai

Date

2013

2014

2015

2015

2016

2016

Aliases

Kaiten

Gayfgt, Bashlite

 

KTN-Remastered, KTN-RM

 

 

Propagation via IP scanning

 

Telnet (23)

On port 10073 or 23

SSH (22)

Telnet (23)

Telnet

Password brute force

 

Yes

Yes, list provided by C&C

Yes

Yes

Yes

Implemented attacks

HTTP Flood

Send emails, UDP and TCP packets

DNS Hijacking

 

Various UDP, TCP floods

UDP, TCP, DNS, GRE floods

Kills competing processes (e.g other malware)

 

Yes

Yes

Yes

 

Yes

Botnet communication channel

IRC

 

Port 10073

 

IRC

Ports 23 and 101

After infection

FTP access

 

 

Transfers a downloader matching the infected device's architecture

 

 

Targeted devices

Infected Linux Mint ISO in 2016

Router, cameras

Linux based system, in particular, consumer routers

India, in particular ,Ubiquiti Air OS router

Linux-based systems

CCTV, DVR, router

Goal

DoS

DoS ?

Capture unencrypted cookies on social networks and perform illegitimate follows or likes

DoS

DoS

DoS

Notable keywords in the code

tsunami

gayfgt

 

 

KTN2

Mirai

Largest botnet

 

120,000

 

 

 

140,000 (max. approx 300,000 according to Anna Senpai)

Note. This table might be incomplete. Also please report any errors.

How do we Know Linux/Mirai infects IoT?

We deduce this from two different points:

  1. The source code of Mirai tries to use a tool named dvrHelper, which is assumed to be found on Digital Video Recorders.
  2. In many cases, the list of credentials the malware bruteforces is specific to some devices. For example, credentials root/vizxv is not particularly common, but it happens to match the default password for Dahua DVR-3104H. So we can reasonably assume the malware is trying to hack this device, among others.

Can Linux/Mirai Infect Non-IoT Devices?

Yes, it can. Mirai targets Unix systems using busybox whether they are IoT or not.

In Mirai, the part that is specific to IoT is the list of telnet credentials it tries to bruteforce. Some of those default credentials are specific to a given brand and model of IoT, and thus show Mirai targets it. On the other hand, however, some default credentials, such as admin/123456, are generic and would certainly apply to non-IoT hosts as well.

Most of the problem originates from using default passwords. Why can't the owners change them?

On several of those IoT devices, the password is hardcoded in the firmware, and the tools to change it are not provided.

How do we know a given DDoS comes from devices infected with Linux/Mirai and not from another malware?

Given the situation, there are several ways to check that the attack specifically comes from Mirai:

  1. Identify the type of flood performed, and based on this, deduce the name of the malware. For example, so far only Linux/Mirai implements GRE floods. So if that's what we see, it's probably a Linux/Mirai attack (or possibly a yet unknown malware...).
  2. Identify the attacking devices, and based on their brand, deduce if it is Linux/Mirai or some other malware.
  3. Inspect DNS packets: Mirai prefixes its DNS DoS with a pseudorandom 12-character subdomain.
  4. Capture some traffic from infected devices, and depending on command channels and ports, deduce the name of the malware. However, this is usually not easy to do from the network that is being DDoSed.

Do Fortinet Products Protect Against Linux/Mirai?

Yes, of course! Fortiguard researchers have developed both AV and IPS signatures to detect Mirai. It is reported as "Linux/Mirai.A!tr" at the AV level, and as "Mirai.Botnet" at the IPS level.

Some advice:

  • Be sure to put your device on a network secured by Fortinet products.
  • Reboot the device (this kills Mirai).
  • Check open ports for your device, and if possible close those you do not use.
  • Modify the default credentials!

Thanks to David Maciejak for his review and inputs.

-- the Crypto Girl

 

by RSS Axelle Apvrille  |  Oct 31, 2016  |  Filed in: Industry Trends & News

comments powered by Disqus