Mirai: the people’s botnet
November 14, 2016
Mirai, the infamous IoT botnet, has struck again, and this time it almost took down an entire country: Liberia.
Mirai is a botnet that infects Internet of Things (IoT) devices in order to perform DDoS attacks. It was recently used to carry out the largest DDoS attack ever recorded, which caused network outages affecting several popular US sites.
The source code of Mirai was released in October, so both security researchers and more cybercriminals now have access to it. The botnet itself is simple: the bot is written in C and the control panel in Go, and to expand the botnet the bots themselves scan the internet for more IoT devices. A quick look at the source code reveals how the bot finds new devices to infect: it selects them at random using the function get_random_ip():
The function generates IPs randomly until it gets one that is not in any of the ranges belonging to these groups:
- Loopback range
- Invalid address space ranges
- General Electric Company
- Hewlett-Packard Company
- US Postal Service
- Internal network ranges
- IANA NAT reserved ranges
- IANA Special use range
- Multicast ranges
- Fort Huachuca
- Department of Defense Network Information Center
Now, there is obviously no reason to scan the loopback range or the private ranges, but the botnet also avoids targeting some US companies, like General Electric and HP, and some services, like the US Postal Service and the Department of Defense.
One reason they might avoid these targets is that HP, General Electric and the US government services aren't running many IoT devices. We don't know why they didn't go a step further and add more known ranges to remove some millions of IPs from their scanners.
The bot performs a basic port scan and, once it has detected a device with the telnet port (23) or port 2323 open, it attempts to brute-force the login with the following list of users/passwords:
Since the source code has been leaked, any botmaster can expand this list to meet their own needs. If the bot gains access to the device, it infects it, gaining one more bot for the botnet.
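The scanning behaviour described above leaves a recognisable footprint on the defender's side: one source opening TCP connections to port 23 or 2323 on many unrelated hosts. As an added example (not code from the post or from the Mirai source), the following check pulls such sources out of firewall logs; the log format, addresses and the `min_targets` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real traffic): inbound TCP SYNs.
SAMPLE_LOG = """\
2016-11-14T10:00:01Z src=198.51.100.7 dst=203.0.113.10 dport=23 proto=tcp
2016-11-14T10:00:01Z src=198.51.100.7 dst=203.0.113.11 dport=2323 proto=tcp
2016-11-14T10:00:02Z src=198.51.100.7 dst=203.0.113.12 dport=23 proto=tcp
2016-11-14T10:00:02Z src=198.51.100.7 dst=203.0.113.13 dport=23 proto=tcp
2016-11-14T10:00:03Z src=198.51.100.7 dst=203.0.113.14 dport=2323 proto=tcp
2016-11-14T10:00:03Z src=192.0.2.44 dst=203.0.113.10 dport=443 proto=tcp
2016-11-14T10:00:04Z src=192.0.2.44 dst=203.0.113.10 dport=80 proto=tcp
2016-11-14T10:00:05Z src=192.0.2.99 dst=203.0.113.10 dport=23 proto=tcp
"""

# Assumed key=value log layout; adjust the pattern for a real firewall's format.
LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# The two ports the post says the bot probes before brute-forcing the login.
TELNET_PORTS = {23, 2323}


def telnet_scan_sources(log_text, min_targets=3):
    """Return {src: sorted distinct dst list} for every source that touched
    port 23 or 2323 on at least min_targets distinct destinations.
    Counting distinct destinations (not raw packets) separates random-target
    scanning from a single legitimate telnet session that retries."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if int(m.group("dport")) in TELNET_PORTS:
            targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in telnet_scan_sources(SAMPLE_LOG).items():
        print(f"{src}: telnet/2323 probes to {len(dsts)} hosts: {', '.join(dsts)}")
```

A single hit on port 23 (192.0.2.99 above) stays below the threshold; a useful follow-up is to correlate flagged sources with failed-login events on the telnet service itself.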
The release of the source code has fuelled the botnet's success, because now anyone can set up their own Mirai botnet and use it to attack whoever they want.
@MalwareTechBlog and @2sec4u have created a Twitter account (@MiraiAttacks) that provides information on attacks performed by Mirai botnets, including the type of attack, the target and the duration.
IoT devices will remain a threat to users until manufacturers get serious about securing their own devices. This relatively new threat, which targets both consumers and companies, should be given special consideration when assessing an organization's cyber risks.
Learn more about the Blueliv Botnets & CC module, designed to automatically detect IP infections, retrieve stolen credentials, identify attacks and block crime servers.
Victor Acin, Blueliv Research Labs