Industry Trends
IoT-based Linux/Mirai: Frequently Asked Questions
Ever since the Mirai DDoS attack was launched a few weeks ago, we have received a number of questions that I will try to answer here. If you have more follow-up questions, please let me know!
Who is the Author of Mirai?
The presumed developer goes under the pseudonym of 'Anna Senpai' on Hackforums - an English-speaking hacker forum.
His/her account on the forum is recent (July 2016). and was probably created when he/she started working on Mirai. For example:
- July 10 - Begins "killing QBots"
- August 8 - Brute forcing telnet logins
- August 9 - Planning attack on OVH?. Hackers on the forum were obviously looking for a botnet to rent. Given this thread, it is possible OVH was not targeted by Mirai, or not by Mirai only. Other IoT botnets such as Kaiten are mentioned.
- Sept 19 - Discussing how to DDoS onion.to
The account does not reveal any personal data, apart from that Anna Senpei poses as a clever person, well informed on cybercriminality.
His/her (actually, I'd vote for "he,” but that's a personal guess!) country of origin is unknown. The only possible hints are the following - but they could all be false leads:
- Hack forum is an English speaking forum.
- Mirai means 'Future' in Japanese and in Chinese.
- Source code has references to Russian (could be copy/pasted)
- His/her skype login indicates he/she lives in Australia.
Finally, note that "Anna Senpai" is very probably the developer of Mirai, but may not have been involved in all of the DoS attacks attributed to Mirai. Indeed, as the source code was publicly released on Sept 30, 2016, other individuals or cybercriminal groups may have downloaded and used it. Some will say this strategy is quite shrewd to complicate attribution. ;) On a positive note, inspection of the source code makes the malware easier to understand and detect. It may be viewed on several github repositories: here, here and here.
Who is Behind the Attacks?
The most recent attack on Dyn was claimed by a group known as New World Hackers in retaliation for Ecuador's rescinding Internet access to WikiLeaks founder Julian Assange, who has been granted asylum at their embassy in London. Two members of this group said they did it to "test power.” So far, this claim hasn't been backed up by other data.
For other attacks: see the first question. Attribution is more difficult because the source code is now public.
Is the Malware Advanced?
The source code does not implement any particular "exploit" and is therefore relatively easy to write. It is, however, quite well written, and the implementation of all types of floods requires some network programming knowledge.
Anyway, contrary to general belief, a malware need not be "advanced" to be efficient: the KISS principle (Keep It Simple, Stupid) works very well for malware...
List of Attacks Attributed to Linux/Mirai
|
Date |
Where |
Rate |
Comments |
|---|---|---|---|
|
Oct 21, 2016 |
1.2 Tbps? |
Some of the attacks were coming from hosts infected with Mirai. Impacted Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. New World Hackergroup claimed responsibility. Size of botnet: 100,000. |
|
|
Sept 22, 2016 |
OVH |
1 Tbps |
145,607 cameras and DVRs |
|
Sept 13, 2016 |
620 Gbps |
More info from host Akamai |
|
|
Aug 17, 2016 |
280 Gbps |
Size of the botnet: 49,657 unique IPs. Most from CCTV cameras, DVRs and routers. |
What is the Relationship of Mirai With Kaiten, Gafgyt, Bashlite etc?
|
Comparing |
Tsunami |
Mirai |
||||
|---|---|---|---|---|---|---|
|
Date |
2013 |
2014 |
2015 |
2015 |
2016 |
2016 |
|
Aliases |
Kaiten |
Gayfgt, Bashlite |
|
KTN-Remastered, KTN-RM |
|
|
|
Propagation via IP scanning |
|
Telnet (23) |
On port 10073 or 23 |
SSH (22) |
Telnet (23) |
Telnet |
|
Password brute force |
|
Yes |
Yes, list provided by C&C |
Yes |
Yes |
Yes |
|
Implemented attacks |
HTTP Flood |
Send emails, UDP and TCP packets |
DNS Hijacking |
|
Various UDP, TCP floods |
UDP, TCP, DNS, GRE floods |
|
Kills competing processes (e.g other malware) |
|
Yes |
Yes |
Yes |
|
Yes |
|
Botnet communication channel |
IRC |
|
Port 10073 |
|
IRC |
Ports 23 and 101 |
|
After infection |
FTP access |
|
|
Transfers a downloader matching the infected device's architecture |
|
|
|
Targeted devices |
Infected Linux Mint ISO in 2016 |
Router, cameras |
Linux based system, in particular, consumer routers |
India, in particular ,Ubiquiti Air OS router |
Linux-based systems |
CCTV, DVR, router |
|
Goal |
DoS |
DoS ? |
Capture unencrypted cookies on social networks and perform illegitimate follows or likes |
DoS |
DoS |
DoS |
|
Notable keywords in the code |
tsunami |
gayfgt |
|
|
KTN2 |
Mirai |
|
Largest botnet |
|
120,000 |
|
|
|
140,000 (max. approx 300,000 according to Anna Senpai) |
Note. This table might be incomplete. Also please report any errors.
How do we Know Linux/Mirai infects IoT?
We deduce this from two different points:
- The source code of Mirai tries to use a tool named dvrHelper, which is assumed to be found on Digital Video Recorders.
- In many cases, the list of credentials the malware brute forces is specific to some devices. For example, credentials root/vizxv is not particularly common, but it happens to match the default password for Dahua DVR-3104H. So we can reasonably assume the malware is trying to hack this device, among others.
Can Linux/Mirai Infect Non-IoT Devices?
Yes, it can. Mirai targets Unix systems using busybox whether they are IoT or not.
In Mirai, the part that is specific to IoT is the list of telnet credentials it tries to brute force. Some of those default credentials are specific to a given brand and model of IoT, and thus show Mirai targets it. On the other hand, however, some default credentials, such as admin/123456, are generic and would certainly apply to non-IoT hosts as well.
Most of the problem originates from using default passwords. Why can't the owners change them?
On several of those IoT devices, the password is hardcoded in the firmware, and the tools to change it are not provided.
How do we know a given DDoS comes from devices infected with Linux/Mirai and not from another malware?
Given the situation, there are several ways to check that the attack specifically comes from Mirai:
- Identify the type of flood performed, and based on this, deduce the name of the malware. For example, so far only Linux/Mirai implements GRE floods. So if that's what we see, it's probably a Linux/Mirai attack (or possibly a yet unknown malware...).
- Identify the attacking devices, and based on their brand, deduce if it is Linux/Mirai or some other malware.
- Inspect DNS packets: Mirai prefixes its DNS DoS with a pseudorandom 12-character subdomain.
- Capture some traffic from infected devices, and depending on command channels and ports, deduce the name of the malware. However, this is usually not easy to do from the network that is being DDoSed.
Do Fortinet Products Protect Against Linux/Mirai?
Yes, of course! Fortiguard researchers have developed both AV and IPS signatures to detect Mirai. It is reported as "Linux/Mirai.A!tr" at the AV level, and as "Mirai.Botnet" at the IPS level.
Some advice:
- Be sure to put your device on a network secured by Fortinet products.
- Reboot the device (this kills Mirai).
- Check open ports for your device, and if possible close those you do not use.
- Modify the default credentials!
Thanks to David Maciejak for his review and inputs.
-- the Crypto Girl
