>> TAKING THE INTERNET DOWN - INNER WORKINGS OF MIRAI BOTNET
15B connected devices in 2015, 40B+ by 2020 - that's the foundation for a
massive botnet!
On Friday, 21 October 2016, the USA suffered one of the biggest digital
attacks in history, by a botnet called "Mirai" (Japanese for "future").
It disrupted a number of internet sites including, but not limited to,
Twitter, PayPal and AWS (Amazon Web Services) - all of which relied on the
domain name service provider Dyn. In the end, users couldn't resolve the IP
addresses of certain websites.
krebsonsecurity.com reports that the devices responsible for the DDoS attacks
on Friday were mainly digital video recorders and IP cameras using components
manufactured by the Chinese hi-tech company XiongMai Technologies. It has also
been identified that the majority of these products use hard-coded, factory-set
passwords that cannot be reset easily, if at all.
To make matters worse, the source code of the Mirai botnet was released earlier
this month - meaning hundreds of hackers could have had access to deploy their
own botnet, even modifying it to make it harder to shut down once deployed.
So, how does it work exactly?
In order to deploy a botnet, one must have some form of scanner to detect
whether devices nearby or on the Internet are actually vulnerable. I mentioned
in yesterday's blog that when you use a stock standard operating system like
Linux, it is important to shut down any services that are no longer needed
during deployment. In this case the devices still had telnetd enabled -
exposing a shell.
Once a shell has been exposed - specifically root access on the device - it
is possible to create files, edit files and change execution permissions on
the underlying operating system. This is effectively how the hackers get
onto the device and have it wait to receive instructions to perform an
attack on innocent servers - bringing down websites via DDoS.
scanner.c exposes sixty-two default user/password combinations for a variety
of devices. The scanning function attempts to connect to the device and
iterates through all authentication pairs; in the event one of them works, it
calls the report_working() function, where the program reports that a device
is vulnerable. In the code, a hacker could change the domain/port that results
are reported to via the TABLE_SCAN_CB_DOMAIN and TABLE_SCAN_CB_PORT values in
the table.c file.
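From the defender's side, the scanner described above leaves a recognisable trace: one source address trying a burst of different usernames against telnet in a few seconds, sometimes ending in a success. The script below is an added example (it is not code from the post or from the Mirai source) that parses constructed, syslog-style telnetd login lines - the log format, the process name and the addresses are all assumptions made for the example - and flags sources whose behaviour matches a credential-table sweep, marking a device as probably compromised when a success falls inside the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (invented syslog-like format; not real device output).
SAMPLE_LOG = """\
2016-10-21T12:00:01Z telnetd[811]: login failed for user 'root' from 198.51.100.7 port 23
2016-10-21T12:00:02Z telnetd[811]: login failed for user 'admin' from 198.51.100.7 port 23
2016-10-21T12:00:03Z telnetd[811]: login failed for user 'root' from 198.51.100.7 port 23
2016-10-21T12:00:04Z telnetd[811]: login failed for user 'support' from 198.51.100.7 port 23
2016-10-21T12:00:05Z telnetd[811]: login failed for user 'user' from 198.51.100.7 port 23
2016-10-21T12:00:06Z telnetd[811]: login succeeded for user 'admin' from 198.51.100.7 port 23
2016-10-21T12:03:10Z telnetd[811]: login failed for user 'root' from 203.0.113.9 port 23
2016-10-21T12:09:30Z telnetd[811]: login succeeded for user 'root' from 203.0.113.9 port 23
2016-10-21T12:09:31Z cron[120]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed line layout: "<iso-timestamp> telnetd[pid]: login failed|succeeded for user '<u>' from <ip> port 23"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>[\d.]+) port 23$"
)


def parse_events(log_text):
    """Return (timestamp, source_ip, username, succeeded) tuples for telnet login records."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a telnet login record (e.g. the cron line in the sample)
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("src"), m.group("user"), m.group("result") == "succeeded"))
    return events


def detect_credential_scans(log_text, window_seconds=60, min_attempts=5, min_distinct_users=3):
    """Flag sources that try many different usernames against telnet in a short burst.

    A scanner working through a fixed credential table produces many attempts with
    several distinct usernames from one source in seconds; a success inside that
    burst means the device most likely accepted a default credential.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_events(log_text):
        by_src[src].append((ts, user, ok))

    findings = []
    for src, evs in by_src.items():
        evs.sort()  # timestamps first, so evs[0] and evs[-1] bound the burst
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        users = {u for _, u, _ in evs}
        if len(evs) >= min_attempts and len(users) >= min_distinct_users and span <= window_seconds:
            findings.append({
                "source": src,
                "attempts": len(evs),
                "distinct_users": len(users),
                "span_seconds": span,
                "success": any(ok for _, _, ok in evs),
            })
    return findings


if __name__ == "__main__":
    for f in detect_credential_scans(SAMPLE_LOG):
        status = "probably COMPROMISED" if f["success"] else "scanned"
        print(f"{f['source']}: {f['attempts']} attempts, {f['distinct_users']} users "
              f"in {f['span_seconds']:.0f}s -> {status}")
```

The thresholds are deliberately loose defaults; on a real device the practical fix is the one the post already gives - do not leave telnetd running at all - and this detector is for spotting the sweep on whatever does still log telnet logins.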
Looking at the main.c source file, it becomes clear that the program even has
the ability to detect a newer instance of itself and shut itself down; it
doesn't make sense to keep trying to infect devices with the same or previous
versions of the hack. It then attempts to connect to a server to download
instructions and effectively start performing its attack.
Exactly what the attack tasks are is dynamic, based on what the hacker
instructs on their server - which the botnet connects to in order to obtain
instructions on what to do (aka ATTACK_VECTOR). A number of attack vectors are
defined, all capable of bringing a network down if used in volume:
add_attack(ATK_VEC_UDP, (ATTACK_FUNC)attack_udp_generic);
add_attack(ATK_VEC_VSE, (ATTACK_FUNC)attack_udp_vse);
add_attack(ATK_VEC_DNS, (ATTACK_FUNC)attack_udp_dns);
add_attack(ATK_VEC_UDP_PLAIN, (ATTACK_FUNC)attack_udp_plain);
add_attack(ATK_VEC_SYN, (ATTACK_FUNC)attack_tcp_syn);
add_attack(ATK_VEC_ACK, (ATTACK_FUNC)attack_tcp_ack);
add_attack(ATK_VEC_STOMP, (ATTACK_FUNC)attack_tcp_stomp);
add_attack(ATK_VEC_GREIP, (ATTACK_FUNC)attack_gre_ip);
add_attack(ATK_VEC_GREETH, (ATTACK_FUNC)attack_gre_eth);
add_attack(ATK_VEC_HTTP, (ATTACK_FUNC)attack_app_http);
Interestingly, the HTTP attack method doesn't use a single User-Agent
string - in fact it includes five different ones that represent Windows or
macOS users, making it difficult to distinguish between real users and the
botnet. It must surely be frustrating for network administrators to isolate.
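The practical consequence of the User-Agent rotation is that any rate limit keyed on the User-Agent string sees five modest streams instead of one flood; keying on the source address still sees the flood. The script below is an added example (not code from the post or from the Mirai source) that builds a constructed Apache-style access log - the addresses, request counts and the five desktop-looking User-Agent strings are all made up for the example and are not the botnet's own list - and compares peak request rates per source against peak rates per (source, User-Agent) pair over a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Five constructed desktop-style User-Agent strings (placeholders, not the botnet's list).
ROTATING_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
    "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0 Safari/537.36",
]


def _line(src, second, ua):
    """One combined-log-format line at a constructed base time plus `second` seconds."""
    ts = datetime(2016, 10, 21, 12, 0, 0) + timedelta(seconds=second)
    return (f'{src} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] '
            f'"GET / HTTP/1.1" 200 512 "-" "{ua}"')


def build_sample_log():
    """Constructed access log: one source sends 50 requests in 10 s while cycling
    through the five User-Agents; a second source makes three ordinary requests."""
    lines = [_line("198.51.100.7", i // 5, ROTATING_UAS[i % 5]) for i in range(50)]
    lines += [_line("203.0.113.9", s, ROTATING_UAS[0]) for s in (0, 4, 8)]
    return "\n".join(lines) + "\n"


ACCESS_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Return (timestamp, source_ip, user_agent) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts, m.group("src"), m.group("ua")))
    return events


def peak_rate(events, key_fn, window_seconds):
    """Maximum number of events per key inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    times = defaultdict(list)
    for ev in events:
        times[key_fn(ev)].append(ev[0])
    peaks = {}
    for key, ts_list in times.items():
        ts_list.sort()
        j, best = 0, 0
        for i in range(len(ts_list)):
            # advance j past every event that still falls within the window opened at ts_list[i]
            while j < len(ts_list) and ts_list[j] - ts_list[i] <= window:
                j += 1
            best = max(best, j - i)
        peaks[key] = best
    return peaks


def flag_floods(text, window_seconds=10, threshold=30):
    """Return keys whose peak rate reaches the threshold, keyed two ways:
    per source address and per (source, User-Agent) pair."""
    events = parse_access_log(text)
    by_src = peak_rate(events, lambda e: e[1], window_seconds)
    by_src_ua = peak_rate(events, lambda e: (e[1], e[2]), window_seconds)
    return {
        "by_source": {k: v for k, v in by_src.items() if v >= threshold},
        "by_source_ua": {k: v for k, v in by_src_ua.items() if v >= threshold},
    }


if __name__ == "__main__":
    result = flag_floods(build_sample_log())
    print("flagged per source:           ", result["by_source"])
    print("flagged per (source, UA) pair:", result["by_source_ua"])
```

With the constructed log, the per-source view flags the flooding address at 50 requests in the window, while the per-(source, User-Agent) view flags nothing because each rotated string only accounts for 10 of them - the reason a User-Agent heuristic on its own is the wrong thing to build blocking on.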
The botnet is designed to be able to redeploy itself as newer versions of
itself; but, at the same time, this could also be a method to help clean up
infected devices, by writing a similar hack that detects existing botnet
installs and puts a "good" version in its place. However, if they wanted to be
extremely nasty, they could simply modify the botnet to start on device boot
and shut down the backdoor they used to get into the device in the first
place - leaving the device permanently infected.
The developers of this hack have been quite comprehensive; with a few
small modifications they could do a lot more damage - I doubt that is their
intention, however. It seems there is a turf war in place amongst the hacking
community to see who is better than the other.