>> TAKING THE INTERNET DOWN - INNER WORKINGS OF MIRAI BOTNET
15B connected devices in 2015.. 40B+ by 2020 - that's a foundation for a
On Friday 21, October 2016 - the USA suffered one of the biggest digital
attacks in history by a botnet called "Mirai" (Japanese word for “future”).
It disrupted a number of internet sites including, but not limited to
Twitter, Paypal, AWS (Amazon Web Services) - all of which were linked to
the domain name service Dyn. In the end users couldn't resolve the IP
address of certain websites.
reports that the devices responsible for the DDoS attacks on Friday was mainly
from digital video records and IP cameras using components manufactured by
Chinese hi-tech company called XiongMai Technologies. It has also been
identified that the majority of these products use hard-coded factory set
passwords that cannot be reset easily, if at all.
To make matters worse; the
to the Mirai botnet was released earlier this month - meaning hundreds of
hackers could have had access to deploying their own botnet, even modifying
it to make it harder to shutdown once deployed. So; how does it work exactly?
In order to deploy a botnet, one must have some form of scanner to detect
if devices nearby or on the Internet actually can be vulnerable. I mentioned in
that when you use stock standard operating systems like Linux, it is important
to shutdown any services that are no longer needed during deployment. In this
case; the devices still enabled telnetd - exposing a shell.
Once a shell has been exposed, specifically root access on the device - it
is possible to create files, edit files and change execution permissions on
the underlying operating system. This is effectively how the hackers get
onto the device and has it waiting to receive instructions to perform an
attack on innocent servers - bringing down websites via DDoS.
exposes sixty two default user/password combinations for a variety of devices.
The scanning function attempts to connect to the device and iterates through
all authentication pairs and in the event one of them works; it calls the
report_working() function where the program and report that a device
is vulnerable. In the code; a hacker could change the domain/port to use
in the table.c file for TABLE_SCAN_CB_DOMAIN and
Looking at the
source file; it becomes clear that the program even has the ability to
detect a newer instance of itself and shut itself down; it doesn't make sense
to keep trying to infect devices with the same or previous versions of the
hack. It then attempts to connect to a server to download instructions and
effective start perform its attack.
Exactly what the attack tasks are are dynamic based on what the hacker
instructs on their server - which the botnet will connect to to obtain
instructions on what to do (aka: ATTACK_VECTOR). A number of
attack vectors are defined, all capable of bringing a network down if
used in volume.
Interestingly; the HTTP attack method doesn't use the same User-Agent
strong - in fact it includes five different ones that represent Windows or
MacOX users; making it difficult to distinguish between real users or the
botnet. Surely must be frustrating for network administrators to isolate.
The botnet is designed to be able to deploy itself with newer versions of
itself; but, at the same time this could also be a method to help clean up
infected devices by writing a similar hack that detects existing botnet
installs and puts a "good" version in its place. However, if they wanted to be
extremely nasty; simply modify the botnet to start on device boot and
shutdown the backdoor they used to get into the device in the first place;
leaving the device permanently infected.
The developers of this hack have been quite comprehensive; with a few
small modifications they could do a lot more damage - I doubt that is their
intensions however. Seems there is a
in place amongst the hacking communication to see who is better than the other.