Recommended
Recommended
More Related Content
Similar to Understing the mirai botnet and the impact on iot security
Similar to Understing the mirai botnet and the impact on iot security (20)
More from SaeidGhasemshirazi
More from SaeidGhasemshirazi (20)
Recently uploaded
Recently uploaded (20)
Understing the mirai botnet and the impact on iot security
- 1. Understanding the Mirai Botnet Presented By: Saeid Shirazi
- 2. Mirai botnet Target and Propagation Evolution of Mirai Variants IoT Security and Longevity Tradeoff Table of Content
- 3. How did Mirai botnet get its name? meaning?
- 4. What it the botnet? Collection of internet-connect devices, Bots controlled by some remote 3RD party! The attacker can control the botnet with C&C server. Botnet can be used for: • DDoS • Steal data • Send spam • Etc.
- 5. How to Prevent DDoS Attacks?
- 6. What is Mirai? Mirai designed to infect IoT Devices! Abusing default Username & Password
- 7. The Rapid Spread 65K at first 20H, 200k-300k Initial Infections Geographic Concentration South America and Southeast Asia, with Brazil, Colombia, and Vietnam
- 8. Geographical Distribution South America + Southeast Asia = 50% of infection What do these statistics indicate?
- 9. Why does Mirai focus on IoT devices instead of regular computers in a network?
- 10. Targets and Propagation Primary Targets: Ip cameras, DVR, routers, printers, … Top manufacturer like: • Huawei, ZTE, Cisco,… Infection Strategy • Rapid scanning TCP SYN IPv4, targeting Telnet TCP ports 23 & 2323
- 11. Booter-like Targets Politics Chinese political dissidents, regional Italian politician Game Minecraft, game commerce site Anti-DDoS DDoS Proteciton Services Misc Russian cooking blog!
- 12. 10/21/2016 10/31/2016 11/26/2016 Dyn & Liberia & Deutch Telekom 09/18/2016 09/21/2016 OVH & Kreb 08/01/2016 Mirai Surface 09/30/2016 Mirai Source Code released 01/18/2017 Mirai Author Identified
- 13. About the Mirai Source Code Leak! Programing Language: Golang https://github.com/jgamblin/Mirai-Source-Code Mirai’s “Don’t Mess With” List Discussion: what do you think was the goal behind this list?!
- 14. A Territorial Predator Territorial Nature Close all process of Telnet, Ssh and HTTP Kill other worms and Trojans
- 15. Mirai Lifecycle
- 16. Variant Analysis - What’s in a Name? Akiru Katrina_v1 Sora Saikin Owari Josho_v3 Tokyo Credential combination 40 11 36 80 26 34 37 Overlap with Mirai 4 No overlap 6 4 7 1 6 Killing Ports 81,534 13, 52869 53413, 52869,3721 5 53413,5286 9,37215 - 53413,5286 9,,37215 - 53413,5286 9,37215
- 17. Mirai Variation tracking! Extract c2 domain 2 Ip Addresses and 66 distinct domains! Find correlated C2s through active and passive DNS data Cluster Notes 1 Targeted OVH and Krebs 2 Telecom operators 6 Attacked Dyn & Gaming related Target
- 18. Latest Mirai Variant! Default credential + Exploit Library! 27 different exploit to gain root access on IoT devices! It is targeting business devices.
- 19. Why are other variations not famous like Mirai?
- 20. What are the implications of Mirai's emergence for the security of IoT devices, and how can the industry learn from this experience to improve IoT security practices?
- 21. Security Vs Longevity! If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch Over 65 vendors using Realtek vulnerable chipset
- 22. Takeways Eliminate default credentials 1 Make auto-patching mandatory 2 Implement rate limiting 3 Insecure IoT devices are likely to continue fueling DDoS attacks. To prevent this, IoT manufacturers should adopt basic security practices.
- 23. Thank You for Attention
Editor's Notes
- Hi, I'm Saeid. Today, I want to talk to you about something important in online security. It's called the Mirai Botnet. I'll break it down and explain it in a way we can all understand. Let's get started
- What is Mirai Botnet: "Let's start by understanding what the Mirai Botnet is and why it matters in our digital world." Target and Propagation: "Next, we'll talk about who or what the Mirai Botnet targets and how it spreads. It's important to know how it works." Evolution of Mirai Variants: "We'll explore how the Mirai Botnet has changed over time. What are its different versions, and why does this evolution matter for our online security?" IoT Security and Longevity Tradeoff: "Finally, we'll discuss the tradeoff between security and longevity in Internet of Things (IoT) devices. Why does this matter, and what can we do about it?
- Before we dive into the details, quick question: Does anyone here know how the Mirai Botnet got its name and what it means? Feel free to share if you have any insights How did Mirai botnet get its name? Mirai is a Japanese given name that means “future.” According to a chatlog between Anna-senpai and Robert Coelho, an executive at ProxyPipe.com, the Mirai botnet was named after the Japanese animated series Mirai Nikki.
- A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control software.
- Anomaly check => check traffic Black and whitelist Authenticating challenges Rate Limit Protocol an Application check Keep Update Closely monitor your network Implement an advanced botnet detection solution
- Mirai is specifically designed to infect and take over IoT devices. How does it do that? Well, it scans the internet, searching for IoT devices that are still using their default usernames and passwords. In some cases, these devices even have hardcoded login credentials. At first, their main goal was to disrupt Minecraft servers and then demand protection money to keep them online
- Mirai made a quick impact by infecting about 65k IoT devices within its first 20 hours. Over time, it reached a consistent level of 200k to 300k infections. Notably, the majority of these infections were concentrated in South America and Southeast Asia, with Brazil, Colombia, and Vietnam making up a significant 41.5% of the affected devices.
- We look at geographic distribution of mirai! Half of Mirai's infections occurred in South America and Southeast Asia combined What's important to note is that the quick growth and changes in Mirai made people think that 'IoT botnets are the new normal of DDoS attacks.' This shows the broader global significance of Mirai's emergence. The statistic shows that : -devices are outdated -poor customer knowledge
- It is difficult to target and attack each devices! But in smart devices like cctv camera, babe monitor, smart refrigerator, .. These devices are connected to the internet without any protection and the number of devices are very huge! And in most cases the username and password remain unchanged! So the attack can just scan the internet and find the Ip address of devices and test the default credentials on each devices!
- Primary Targets: Mirai predominantly targeted IP cameras, DVRs, routers, and printers, with the top manufacturers of infected devices being Huawei, ZTE, Cisco, ZyXEL, and MikroTik. Infection Strategy: Mirai spread through rapid scanning and asynchronous TCP SYN probes to pseudorandom IPv4 addresses, targeting Telnet TCP ports 23 and 2323. As we can see, the protocol that they have targeted is telnet
- As we can see the targets are not focused on 1 realm, it includes like game, politics, anti ddos protection services and misc.
- Let take a quick look at mirai Timeline, September 2016 – Mirai attacks Krebs on Security and OVH data center October 2016 – Anna-Senpai publishes Mirai’s source code on the Hack Forums 21st October 2016 – Mirai strikes Dyn. November 2016 – Mirai attacks several Liberian telecom companies. 30th November 2016 – Mirai attacks ISP Deutsch Telekom January 2017 –Mirai’s authors are arrested and sentenced.
- One of the most interesting things revealed by the code was a hardcoded list of IPs Mirai bots are programmed to avoid when performing their IP scans. As you can see in this list, includes the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA) and IP ranges belonging to Hewlett-Packard and General Electric. The list is intriguing as it provides insight into the mindset of the code's authors. On one hand, it reveals their concern about drawing attention to their activities, which is ironic given that this malware ended up being used in one of the most high-profile attacks to date. Problem is that list is very naive and obviously created by a person impacted from social media not a professional cybersecurity researcher. He Ignore honeypots
- Another interesting thing about Mirai is its “territorial” nature. The malware holds several killer scripts meant to get rid of other worms and Trojans, also it prevents remote connection attempts of the hijacked device. What is the purpose of this? The purpose of this aggressive behavior is to: Help Mirai maximize the attack potential of the botnet devices. Prevent similar removal attempts from other malware.
- Mirai begin propagation through rapid scanning and after that try to brut force with default dictionary. If the device is vulnerable it is report to report server. In this step the hacker check the status of reported and if it is eligible for hack, it run the command to download the the loader on the new bot victim. After infection attacked was send the command from c&c server to the new infection device. And new bot attack ddos to target server
- Now do you think mirai has happened once and finished? The answer is no! After the leakage of mirai source code, many adversaries tried to develop more profound variants from the original mirai. As you can see, I have listed several of its famous variants. What is interesting about all of them is that they have named after the mirai from some animes. Also, as we can see for example the first one is … But my question while reading these, was why they didn’t get as famous as the mirai? And that is because after the mirai attack, big companies started to get security of IoT devices more serious and developed more profound security protocols for them. But if the security was upgraded why we still have variants? That’s because of the geographical differences. As I noted in the previous slides, in some regions its more likely that customers have adopted outdated devices. Also, they aren’t trained to know these security issues or even care about these issues.
- To keep up with the Mirai variants proliferation and track the various hacking groups behind them, we turned to infrastructure clustering. Reverse engineering all the Mirai versions we can find allowed us to extract the IP addresses and domains used as C&C by the various hacking groups than ran their own Mirai variant. In total, they recovered two IP addresses and 66 distinct domains. Looking at which sites were targeted by the largest clusters illuminates the specific motives behind those variants. As highlighted in the table, the first Mirai botnet (cluster 1) focused on OVH and Krebs, while the largest instance (cluster 6) targeted DYN and gaming-related sites. Notably, the third-largest variant (cluster 2) had a different target, going after African telecom operators
- The latest Mirai variant adopts a dual strategy by targeting default credentials and using an exploit library. With a 27 different exploits to gain root access on IoT devices, it's now focusing on business devices
- Scale and Impact: Mirai was responsible for some of the largest DDoS attacks ever recorded, impacting high-profile targets and causing widespread disruptions. The sheer scale and impact of its attacks drew considerable attention. Media Coverage: The Mirai botnet received extensive media coverage due to its high-profile attacks on well-known websites and services. The attention from mainstream media contributed to its widespread recognition. 3- security is enhanced after the mirai!
- Vendors force to change passwords Enhance other security issues Follow the best practice security
- Realtek chipsets used in many IoT devices have severe vulnerabilities that allow unauthenticated command execution. These vulnerabilities were disclosed and are being actively exploited by the Mirai botnet. Over 65 vendors using Realtek RTL819xD chipsets are affected. While Realtek has released patches, many older devices will not receive updates, leaving millions of devices open to compromise and recruitment into botnets like Mirai. Mainstream Technologies warns that: “If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch”. With keeping this in mind: How we can talk about iot longevity!
- Eliminate default credentials: This will prevent hackers from constructing a credential main list that allows them to compromise a myriad of devices as MIRAI did. Make auto-patching mandatory: IoT devices are meant to be “set and forget,” which makes manual patching unlikely. Having them auto-patch is the only reasonable option to ensure that no widespread vulnerability like the Deutsche Telekom one can be exploited to take down a large chunk of the Internet. Implement rate limiting: Enforcing login rate limiting to prevent brute-force attack is a good way to mitigate the tendency of people to use weak passwords. Another alternative would be using a captcha or a proof or work.