Understanding the Mirai Botnet
This presentation was prepared for an IoT Security class.
The Mirai botnet grew to a peak of 600k infections within a seven-month period and launched DDoS attacks against a range of victims. It represents a significant shift in the development of botnets.
Saeid Ghasemshirazi
2024
4. What is a botnet?
A collection of Internet-connected devices (bots) controlled by a remote third party.
The attacker controls the botnet through a command-and-control (C&C) server.
Botnet can be used for:
• DDoS
• Steal data
• Send spam
• Etc.
6. What is Mirai?
Mirai is designed to infect IoT devices
by abusing default usernames and passwords
7. The Rapid Spread
Initial infections: 65k in the first 20 hours, then a steady 200k-300k
Geographic concentration: South America and Southeast Asia, with Brazil, Colombia, and Vietnam
13. About the Mirai Source Code Leak
Programming languages: C (bot and loader) and Go (C&C server)
https://github.com/jgamblin/Mirai-Source-Code
Mirai’s “Don’t Mess With” List
Discussion: what do you think was the goal behind this list?!
14. A Territorial Predator
Territorial nature:
Kills processes listening on the Telnet, SSH and HTTP ports
Kills other worms and Trojans
16. Variant Analysis - What's in a Name?

Variant      Credential combinations   Overlap with Mirai   Killed ports
Akiru        40                        4                    81, 53413, 52869
Katrina_v1   11                        No overlap           53413, 52869, 37215
Sora         36                        6                    53413, 52869, 37215
Saikin       80                        4                    -
Owari        26                        7                    53413, 52869, 37215
Josho_v3     34                        1                    -
Tokyo        37                        6                    53413, 52869, 37215
17. Mirai Variant Tracking
Extract C2 domains from reverse-engineered samples
2 IP addresses and 66 distinct domains
Find correlated C2s through active and passive DNS data

Cluster   Notes
1         Targeted OVH and Krebs
2         Telecom operators
6         Attacked Dyn and gaming-related targets
18. Latest Mirai Variant
Default credentials + exploit library
27 different exploits to gain root access on IoT devices
It targets business devices.
20. What are the implications of Mirai's emergence for the security of IoT devices, and how can the industry learn from this experience to improve IoT security practices?
21. Security vs. Longevity
"If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years old, it probably will not get a patch."
Over 65 vendors use the vulnerable Realtek chipset
22. Takeaways
1. Eliminate default credentials
2. Make auto-patching mandatory
3. Implement rate limiting
Insecure IoT devices are likely to continue fueling DDoS attacks.
To prevent this, IoT manufacturers should adopt basic security practices.
Hi, I'm Saeid. Today I want to talk to you about something important in online security: the Mirai botnet.
I'll break it down and explain it in a way we can all understand. Let's get started.
What is Mirai Botnet: "Let's start by understanding what the Mirai Botnet is and why it matters in our digital world."
Target and Propagation: "Next, we'll talk about who or what the Mirai Botnet targets and how it spreads. It's important to know how it works."
Evolution of Mirai Variants: "We'll explore how the Mirai Botnet has changed over time. What are its different versions, and why does this evolution matter for our online security?"
IoT Security and Longevity Tradeoff: "Finally, we'll discuss the tradeoff between security and longevity in Internet of Things (IoT) devices. Why does this matter, and what can we do about it?"
Before we dive into the details, a quick question: does anyone here know how the Mirai botnet got its name and what it means? Feel free to share if you have any insights.
How did Mirai botnet get its name?
Mirai is a Japanese given name that means “future.” According to a chatlog between Anna-senpai and Robert Coelho, an executive at ProxyPipe.com, the Mirai botnet was named after the Japanese animated series Mirai Nikki.
A botnet is a group of Internet-connected devices, each of which runs one or more bots.
Botnets can be used to perform Distributed Denial-of-Service attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control software.
Anomaly detection (traffic analysis)
Blacklists and whitelists
Authentication challenges
Rate limiting
Protocol and application checks
Keep devices updated
Closely monitor your network
Implement an advanced botnet detection solution
Mirai is specifically designed to infect and take over IoT devices.
How does it do that? Well, it scans the internet, searching for IoT devices that are still using their default usernames and passwords.
In some cases, these devices even have hardcoded login credentials.
At first, the authors' main goal was to disrupt Minecraft servers and then demand protection money to keep them online.
Mirai made a quick impact by infecting about 65k IoT devices within its first 20 hours.
Over time, it reached a consistent level of 200k to 300k infections.
Notably, the majority of these infections were concentrated in South America and Southeast Asia, with Brazil, Colombia, and Vietnam making up a significant 41.5% of the affected devices.
Let's look at the geographic distribution of Mirai.
Half of Mirai's infections occurred in South America and Southeast Asia combined
What's important to note is that the quick growth and changes in Mirai made people think that 'IoT botnets are the new normal of DDoS attacks.' This shows the broader global significance of Mirai's emergence.
The statistics show two things:
- devices are outdated
- customer awareness is poor
It is difficult to target and attack each device individually. But smart devices like CCTV cameras, baby monitors, smart refrigerators, etc. are connected to the Internet without any protection, and the number of such devices is huge. And in most cases the username and password remain unchanged!
So the attacker can simply scan the Internet to find the IP addresses of devices and test the default credentials on each one.
Primary Targets: Mirai predominantly targeted IP cameras, DVRs, routers, and printers, with the top manufacturers of infected devices being Huawei, ZTE, Cisco, ZyXEL, and MikroTik.
Infection Strategy: Mirai spread through rapid scanning and asynchronous TCP SYN probes to pseudorandom IPv4 addresses, targeting Telnet TCP ports 23 and 2323.
As we can see, the protocol they targeted is Telnet.
As we can see, the targets are not focused on one realm; they include gaming, politics, anti-DDoS protection services, and miscellaneous others.
Let's take a quick look at the Mirai timeline:
September 2016 – Mirai attacks Krebs on Security and the OVH data center
October 2016 – Anna-Senpai publishes Mirai's source code on Hack Forums
21 October 2016 – Mirai strikes Dyn
November 2016 – Mirai attacks several Liberian telecom companies
30 November 2016 – A Mirai variant attacks the ISP Deutsche Telekom
January 2017 – Brian Krebs publicly identifies the likely authors; they plead guilty in December 2017 and are sentenced in 2018
One of the most interesting things revealed by the code was a hardcoded list of IP ranges that Mirai bots are programmed to avoid when scanning.
As you can see, this list includes the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA), and IP ranges belonging to Hewlett-Packard and General Electric.
The list is intriguing as it provides insight into the mindset of the code's authors. On one hand, it reveals their concern about drawing attention to their activities, which is ironic given that this malware ended up being used in one of the most high-profile attacks to date.
The problem is that the list is very naive, obviously written by someone influenced by social media rather than by a professional security researcher.
It ignores honeypots entirely.
Another interesting thing about Mirai is its "territorial" nature. The malware carries several killer routines meant to get rid of other worms and Trojans, and it also blocks remote connection attempts to the hijacked device by killing the services listening on the Telnet, SSH and HTTP ports.
What is the purpose of this?
The purpose of this aggressive behavior is to:
Help Mirai maximize the attack potential of the botnet devices.
Prevent similar removal attempts by other malware.
Mirai begins propagation with rapid scanning and then tries to brute-force logins with a dictionary of default credentials.
If a device accepts one of the credentials, the bot reports it to a report server.
The loader then checks the reported device, determines whether it can be infected, and downloads the bot binary onto the new victim.
After infection, the attacker sends commands from the C&C server to the newly infected device.
The new bot then launches DDoS attacks against the target server.
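The scanning stage described above (pseudorandom IPv4 targets, TCP SYNs to ports 23 and 2323) leaves a distinctive footprint: one source touching many destinations on the Telnet ports in a short time. The detector below is an added example for this presentation, not code from Mirai or from the cited research. The firewall log format, the IP addresses and the thresholds are constructed for the demo; the sliding-window logic is what a practitioner would run over real SYN logs.

```python
"""Flag Mirai-style Telnet scanning in firewall SYN logs.

Added example for this presentation; it is not code from Mirai or from the
cited research. The log format and IP addresses below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Mirai's scanner probes TCP/23 and TCP/2323 (see the slide notes above).
TELNET_PORTS = {23, 2323}

# Constructed log format: "<ISO timestamp> SYN <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SYN (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Probe:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Probe(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_telnet_scanners(lines, window=timedelta(seconds=60), min_targets=10):
    """Return {src: distinct Telnet-port destinations} for every source that
    probes at least `min_targets` distinct hosts on 23/2323 inside any `window`."""
    by_src = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p is not None and p.dport in TELNET_PORTS:
            by_src[p.src].append(p)

    scanners = {}
    for src, probes in by_src.items():
        probes.sort(key=lambda p: p.ts)
        start = 0
        best = set()
        for end, probe in enumerate(probes):
            # Slide the window so it never spans more than `window` of time.
            while probe.ts - probes[start].ts > window:
                start += 1
            targets = {q.dst for q in probes[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            scanners[src] = best
    return scanners


def build_sample_log():
    """Constructed sample: one scanner, one administrator, one HTTP crawler."""
    t0 = datetime(2016, 9, 20, 12, 0, 0)
    lines = []
    # Mirai-like scanner: 12 distinct hosts on 23/2323 within 30 seconds.
    for i in range(12):
        port = 23 if i % 10 else 2323
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} SYN 203.0.113.7:41000 -> 192.0.2.{i + 1}:{port}")
    # Administrator: two Telnet sessions an hour apart. Not a scanner.
    lines.append(f"{t0.isoformat()} SYN 198.51.100.5:50001 -> 192.0.2.50:23")
    lines.append(f"{(t0 + timedelta(hours=1)).isoformat()} SYN 198.51.100.5:50002 -> 192.0.2.51:23")
    # Web crawler hitting many hosts on port 80: wrong port, ignored.
    for i in range(20):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} SYN 198.51.100.9:52000 -> 192.0.2.{100 + i}:80")
    return lines


if __name__ == "__main__":
    for src, targets in find_telnet_scanners(build_sample_log()).items():
        print(f"{src} probed {len(targets)} hosts on Telnet ports")
```

On the constructed sample only 203.0.113.7 is flagged: the administrator touches two hosts and the crawler never hits a Telnet port. In production the thresholds would be tuned to the network's baseline, and a source that also sends the same credential pairs after the SYN would be a stronger signal than the SYN fan-out alone.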
Now, do you think Mirai happened once and was finished? The answer is no!
After the leak of the Mirai source code, many adversaries tried to develop more sophisticated variants from the original Mirai. As you can see, I have listed several of its famous variants.
What is interesting about all of them is that, like Mirai itself, they are named after anime.
Also, as we can see, for example, the first one is …
But my question while reading about these was: why didn't they get as famous as Mirai?
That is because after the Mirai attack, big companies started to take IoT device security more seriously and developed stronger security protocols for them.
But if security was upgraded, why do we still have variants?
That's because of geographical differences. As I noted in the previous slides, in some regions customers are more likely to still be using outdated devices. Also, they aren't trained to recognize these security issues, or even to care about them.
To keep up with the proliferation of Mirai variants and track the various hacking groups behind them, the researchers turned to infrastructure clustering. Reverse engineering all the Mirai versions they could find allowed them to extract the IP addresses and domains used as C&C by the various hacking groups that ran their own Mirai variant. In total, they recovered two IP addresses and 66 distinct domains.
Looking at which sites were targeted by the largest clusters illuminates the specific motives behind those variants.
As highlighted in the table, the first Mirai botnet (cluster 1) focused on OVH and Krebs, while the largest instance (cluster 6) targeted DYN and gaming-related sites. Notably, the third-largest variant (cluster 2) had a different target, going after African telecom operators
The latest Mirai variant adopts a dual strategy by targeting default credentials and using an exploit library.
With 27 different exploits to gain root access on IoT devices, it is now focusing on business devices.
Scale and Impact: Mirai was responsible for some of the largest DDoS attacks ever recorded, impacting high-profile targets and causing widespread disruptions. The sheer scale and impact of its attacks drew considerable attention.
Media Coverage: The Mirai botnet received extensive media coverage due to its high-profile attacks on well-known websites and services. The attention from mainstream media contributed to its widespread recognition.
3- Security was enhanced after Mirai:
Vendors were forced to change default passwords
Other security issues were addressed
Security best practices were followed
Realtek chipsets used in many IoT devices have severe vulnerabilities that allow unauthenticated command execution. These vulnerabilities were disclosed and are being actively exploited by the Mirai botnet.
Over 65 vendors using Realtek RTL819xD chipsets are affected. While Realtek has released patches, many older devices will not receive updates, leaving millions of devices open to compromise and recruitment into botnets like Mirai.
Mainstream Technologies warns that: “If your device is over 10 years old, it definitely will not get a patch. If it is over 5 years it probably will not get a patch”.
With this in mind:
how can we talk about IoT longevity?
Eliminate default credentials: This prevents attackers from building a credential master list that lets them compromise a myriad of devices, as Mirai did.
Make auto-patching mandatory: IoT devices are meant to be "set and forget," which makes manual patching unlikely. Having them auto-patch is the only reasonable option to ensure that no widespread vulnerability like the Deutsche Telekom one can be exploited to take down a large chunk of the Internet.
Implement rate limiting: Enforcing login rate limiting to prevent brute-force attacks is a good way to mitigate people's tendency to use weak passwords. Alternatives include a captcha or a proof of work.
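The login rate limiting the last takeaway asks for, as an added example (not vendor firmware and not Mirai's code): a per-source exponential backoff for an IoT device's admin login, with a simulated attacker working through a 60-entry default-credential list at one guess per second. The class and function names (`RateLimitedLogin`, `FakeClock`, `simulate_dictionary_attack`), the credential store, the word list and the thresholds are all constructed for the demo.

```python
"""Login rate limiting with exponential backoff for an IoT admin interface.

Added example for this presentation; it is not vendor firmware or Mirai code.
The credential store, the attacker's word list and the clock are constructed
so the simulation runs offline and deterministically.
"""
import hashlib
import hmac
import os
import time

# Constructed credential store: one admin account, PBKDF2-hashed password.
_SALT = os.urandom(16)
_ITERATIONS = 10_000  # kept low for the demo; use a far higher count on real hardware
_REAL_PASSWORD = "correct horse battery staple"
_USERS = {"admin": hashlib.pbkdf2_hmac("sha256", _REAL_PASSWORD.encode(), _SALT, _ITERATIONS)}


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison against the stored PBKDF2 hash."""
    stored = _USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    if stored is None:
        return False  # hashed anyway so unknown users take as long as known ones
    return hmac.compare_digest(stored, candidate)


class RateLimitedLogin:
    """Per-source failed-login tracking with exponential backoff.

    The first `max_free_failures` failures cost nothing; each further failure
    locks that source out for base_delay * 2**n seconds, capped at max_delay.
    """

    def __init__(self, credential_check, max_free_failures=3, base_delay=2.0,
                 max_delay=300.0, clock=time.monotonic):
        self._check = credential_check
        self._max_free = max_free_failures
        self._base = base_delay
        self._max_delay = max_delay
        self._clock = clock
        self._state = {}  # src -> (failures, locked_until)

    def attempt(self, src: str, user: str, password: str) -> str:
        """Return "ok", "bad-credentials" or "locked".

        While a source is locked the credentials are not even checked, so a
        dictionary attack cannot test guesses faster than the backoff allows.
        """
        now = self._clock()
        failures, locked_until = self._state.get(src, (0, 0.0))
        if now < locked_until:
            return "locked"
        if self._check(user, password):
            self._state.pop(src, None)
            return "ok"
        failures += 1
        if failures > self._max_free:
            delay = min(self._base * 2 ** (failures - self._max_free - 1), self._max_delay)
            locked_until = now + delay
        self._state[src] = (failures, locked_until)
        return "bad-credentials"


class FakeClock:
    """Deterministic clock so the simulation does not really sleep."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_dictionary_attack(seconds=60):
    """One attacker source tries one guess per second for `seconds` seconds.
    Returns how many guesses were checked, rejected while locked, or succeeded."""
    clock = FakeClock()
    guard = RateLimitedLogin(check_credentials, clock=clock)
    # Constructed word list: Mirai-style defaults first, the real password last.
    wordlist = ["admin", "root", "123456", "password", "12345", "default", "xc3511", "vizxv"]
    wordlist += [f"guess{i}" for i in range(seconds - len(wordlist) - 1)]
    wordlist.append(_REAL_PASSWORD)
    outcomes = {"ok": 0, "bad-credentials": 0, "locked": 0}
    for password in wordlist[:seconds]:
        outcomes[guard.attempt("203.0.113.7", "admin", password)] += 1
        clock.advance(1.0)
    return outcomes


if __name__ == "__main__":
    print(simulate_dictionary_attack())
```

With three free failures and a 2-second base delay, only 8 of the 60 guesses are actually checked within the minute (at t = 0, 1, 2, 3, 5, 9, 17 and 33) and the real password, placed last, is never tested. Keying the limiter per source is what stops a single Mirai-style scanner; keying it per account as well would also slow distributed guessing, at the cost of letting an attacker lock a legitimate user out, which is why the backoff is capped rather than unbounded.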