
Botnet Case Study: Mirai

AIMS Security
Malware

Malware, or malicious software, is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other “bad” or illegitimate action on data, hosts, or networks.
• Viruses, worms, and Trojans are all classified as malware.
• Malware uses varying ways of infecting systems and propagating itself.
• It can infect systems by being bundled with other programs or attached as macros to files.

Malware: Computer Virus
Computer Virus: a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program.
• It spreads from one computer to another, leaving infections as it travels.
• It can cause mildly annoying effects, damage data or software, or cause denial-of-service (DoS) conditions.
• Almost all viruses are attached to an executable file, so the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program.

Malware: Computer Virus (cont’d)

• When the host code is executed, the viral code is executed as well.
• Normally, the host program keeps functioning after it is infected by the virus.
• However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether.
• Viruses can spread from one computer to another via a network, a disk, file sharing, or infected e-mail attachments.

Malware: Computer Worm
Computer Worms replicate functional copies of themselves and can cause the same type of damage as viruses.
• Worms are standalone software and do not require a host program or human help to propagate.
• To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them.
• A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.

Malware: Trojan

A Trojan is a harmful piece of software that, at first glance, looks legitimate.
• Users are typically tricked into loading and executing it on their systems.
• After it is activated, it can achieve any number of attacks on the host, such as:
  • irritating the user (popping up windows or changing desktops)
  • damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).

Malware: Trojan (cont’d)

• Trojans are also known to create back doors to give malicious users access to the system.
• Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.
• Trojans must spread through user interaction, such as opening an e-mail attachment or downloading and running a file from the Internet.

Malware: “Bots”

• "Bot" is derived from the word "robot" and is an automated process that interacts with other network services.
• Bots automate tasks and provide information or services that would otherwise be conducted by a human being.
• Bots can gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces.
• They may also be used to interact dynamically with websites.

(Figure: Servant Bots)

Malware: “Bots” (cont’d)
• Bots can be used for either good or malicious intent.
• A malicious bot is self-propagating malware designed to infect a host and connect back to a central server (or servers) that acts as a command and control (C&C) center for an entire network of compromised devices, or "botnet."
• With a botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their target(s).
• Bots can:
  • Log keystrokes
  • Gather passwords
  • Capture and analyze packets
  • Gather financial information
  • Launch DoS attacks, relay spam
  • Open back doors on the infected host.

Bot Example - Mirai

Source: Level 3 Communications

Mirai

• Malware designed to scan for IoT devices such as routers, security cameras, and DVRs
• Devices are tested for default login credentials
• Enslaved and enlisted into the Mirai botnet
• Can be utilized by attacker(s) to send out mass assaults
• Segmented command-and-control
  • allows simultaneous DDoS attacks against multiple and unrelated targets
• Capable of launching multiple types of DDoS attacks:
  • SYN-flooding, ACK-flooding, HTTP request flooding
• Arbor Networks Inc. researchers:
  • the original Mirai botnet included roughly 500,000 IoT devices, with clusters around the world, including in China, Hong Kong, Taiwan, South Korea, Southeast Asia, Brazil, Spain and elsewhere.
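An infected device announces itself by doing exactly what the slide describes: scanning many addresses for Telnet. The following detector, an added example rather than code from the deck or from Mirai, flags any source that contacts an unusual number of distinct hosts on tcp/23 or tcp/2323 within a sliding window; the flow records, window length and threshold are all constructed for illustration.

```python
"""Flag hosts showing Mirai-style Telnet scanning: one source opening
connections to many distinct destinations on tcp/23 or tcp/2323 inside a
short window. Added example; the flow records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}        # Telnet and its common alternate port
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 20                   # assumption: distinct targets that count as a scan


def parse_flow(line):
    """Parse a constructed flow line: '<iso-timestamp> <src> <dst> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_telnet_scanners(records, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak distinct destinations} for sources that contacted at
    least `threshold` distinct hosts on a Telnet port within `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(records):
        if port in TELNET_PORTS:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        start, active = 0, defaultdict(int)   # active: dst -> hits inside window
        for ts, dst in events:
            active[dst] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            if len(active) >= threshold:
                hits[src] = max(hits.get(src, 0), len(active))
    return hits


def constructed_flows():
    """Constructed sample: a camera at 192.0.2.10 probing 25 hosts on tcp/23 in
    50 s, an admin host touching two switches, and unrelated HTTPS traffic."""
    base = datetime(2016, 10, 21, 11, 10, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} 192.0.2.10 198.51.100.{i + 1} 23"
             for i in range(25)]
    lines.append(f"{base.isoformat()} 192.0.2.20 198.51.100.200 23")
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 192.0.2.20 198.51.100.201 23")
    lines.append(f"{base.isoformat()} 192.0.2.30 203.0.113.5 443")
    return lines


def scan_report(lines):
    """Run the detector over raw flow lines; returns {'192.0.2.10': 25} for the sample."""
    return find_telnet_scanners([parse_flow(line) for line in lines])
```

On a home or office network the same logic applied to router or firewall flow logs turns an enslaved device into an alert long before it takes part in a flood.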

Dyn
• Internet infrastructure company
• Large Domain Name System (DNS) provider
• Cloud-based Internet Performance Management (IPM) company that provides unrivaled visibility and control into cloud and public Internet resources. Dyn’s platform monitors, controls and optimizes applications and infrastructure through Data, Analytics, and Traffic Steering, ensuring traffic gets delivered faster, safer, and more reliably than ever.

Dyn
• Dyn runs 20 data centers around the world for a combination of both free and paid managed DNS services. We saw impacts in 17 of them, all but Warsaw, Beijing and Shanghai. Within these data centers, Dyn maintains two ‘constellations’ of name servers (NS1, NS3 in one group; NS2, NS4 in another) that are intended to be isolated from failure.
• Dyn’s DNS service uses anycast, where a single IP address is simultaneously announced from multiple data centers and servers. Each of the constellations shares IP addresses and routing prefixes, meaning that they share peering connections and routes across the Internet. It also means they share congestion during a DDoS attack.

What is DNS?
• A quick reminder of what the DNS is and why an attack on the DNS can be so devastating.
• The Domain Name System (DNS) translates domain names (like www.hbonow.com) to IP addresses and vice versa. This translation, or mapping, is not static over time.
• DNS is critical to the ability of large-scale Internet services to send user traffic to their nearest data center or to switch traffic to a different server on a whim.
• Dyn is popular especially because of its Traffic Director features, which shape traffic flows for geographic load balancing.

What is DNS? (cont’d)
• The DNS is the first step in the process when a user accesses a website or API.
• If a fresh DNS record is not located in the user’s cache, the OS will set off a recursive search to find the IP address for the domain in question.
• The search ends at an authoritative server that provides the ‘authoritative’ answer to the user’s query.
• Dyn is a service that runs authoritative servers on behalf of its customers. Therefore, when Dyn is inaccessible, the DNS records of its customers are also inaccessible, and their sites will become progressively unavailable as the time to live (TTL) of their DNS records expires.
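The “progressively unavailable” behaviour follows directly from resolver caching, and a small simulation makes the effect concrete. This is an added example, not part of the original deck or of any Dyn material: it models a population of recursive resolvers that each refreshed a record at a different moment, then counts how many can still answer as an authoritative outage drags on. The resolver count, TTLs and outage timings are constructed.

```python
"""Simulate why sites behind an unreachable authoritative DNS provider go
dark progressively, not instantly: each recursive resolver keeps serving its
cached answer until the record's TTL runs out. Added example; the resolver
population and timings are constructed, not taken from the Dyn incident."""


class Resolver:
    """Minimal recursive-resolver cache: answer from cache while the TTL
    holds, otherwise query the authoritative server (which may be down)."""

    def __init__(self):
        self.cache = {}   # name -> (answer, expires_at) in simulation seconds

    def lookup(self, name, now, authoritative_up, ttl, answer="198.51.100.7"):
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return cached[0]          # cache hit: the outage is invisible to users
        if not authoritative_up:
            return None               # SERVFAIL: TTL expired and nobody can answer
        self.cache[name] = (answer, now + ttl)
        return answer


def outage_timeline(ttl, outage_start, outage_end, step, n_resolvers, name="www.example.com"):
    """Fraction of resolvers failing at each sample time in [outage_start, outage_end].
    Resolvers last refreshed the record at moments spread evenly over the TTL
    before the outage, so their cached copies expire at different times."""
    resolvers = [Resolver() for _ in range(n_resolvers)]
    for i, r in enumerate(resolvers):
        r.lookup(name, outage_start - (i * ttl) // n_resolvers, True, ttl)
    timeline = []
    for now in range(outage_start, outage_end + 1, step):
        up = not (outage_start <= now < outage_end)   # authoritative back at outage_end
        failed = sum(r.lookup(name, now, up, ttl) is None for r in resolvers)
        timeline.append((now, failed / n_resolvers))
    return timeline


if __name__ == "__main__":
    # 300 s TTL during a 300 s outage: failures climb 0% -> 30% -> 60%, then recover.
    print(outage_timeline(ttl=300, outage_start=1000, outage_end=1300, step=100, n_resolvers=10))
    # 3600 s TTL: the same outage is absorbed entirely by the resolver caches.
    print(outage_timeline(ttl=3600, outage_start=1000, outage_end=1300, step=100, n_resolvers=10))
```

Longer TTLs (and a second, independent authoritative provider) are the zone owner's levers; on the resolver side, serve-stale behaviour as described in RFC 8767 lets a resolver keep answering from an expired entry while the authoritative servers are unreachable.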

Mirai to date
• September 20th-30th, 2016
  • Services of security journalist & blogger Brian Krebs, of krebsonsecurity.com
    • 620 Gbps attack
  • French internet infrastructure company OVH
    • 100 Gbps-799 Gbps
• September 30th, 2016
  • Mirai source code released publicly on Hackforums
    • “Hacker” by the name “Anna-Senpai”
• October 21st, 2016
  • Dyn
    • Said to be 50 times the size of a “normal” DDoS
    • Twitter
    • Amazon
    • Spotify
    • Netflix

Mirai DDoS against Dyn
(Figures: The view from Cloudflare; Who was affected, courtesy of Wikipedia)

Future
• Anyone can now create a Mirai botnet
• Smaller and spotty attacks on other targets
• DDoS for hire (booters)
• Tracking Mirai:
  • https://twitter.com/MiraiAttacks
  • https://intel.malwaretech.com/mirai.html
• Still larger botnets out there


Future (cont’d)
• Some security experts believe that malicious entities have been mounting a probing campaign against Internet infrastructure (like DNS) for the past several years to discover internet weaknesses and chokepoints.
• It’s unlikely that this attack is related, but this attack shows what can be done with this type of information.

Moral to the Story
• The only real moral at this point is that the internet is still very much like the wild west… there are loose standards and agreements that help prevent something like this, but there is no real governance.
• This is not a problem we can solve through legislation, RFCs, standards, etc. alone… it must be combined with education and awareness.
• Tools and sites that can be helpful for your home networks:
  • http://iotscanner.bullguard.com/
  • https://www.grc.com/x/Ne.dll?bh0bkyd2
  • http://www.online-tech-tips.com/software-reviews/free-advanced-network-ip-and-port-scanner-security-tool/

Common Vulnerabilities
Malware can be installed by exploiting known vulnerabilities in:
• An operating system (OS),
• A network device,
• Common office applications, or
• Other software, such as a hole in a browser that only requires users to visit a website to infect their computers.
• The vast majority, however, are installed by some action from a user, such as clicking an e-mail attachment or downloading a file from the Internet.

Questions?
