Mirai: the people’s botnet

Mirai, the infamous IoT botnet, has struck again, and this time it almost took down an entire country: Liberia.

Mirai is a botnet that infects Internet of Things (IoT) devices in order to perform DDoS attacks. It was recently used to launch the largest DDoS attack ever, which caused network outages affecting several popular US sites.

The source code of Mirai was released in October, so now both security researchers and more cybercriminals have access to it. The botnet itself is simple: the bot is written in C and the control panel in Go, and to expand the botnet, the bots themselves scan the internet for more IoT devices. A quick look at the source code reveals how the bot finds new devices to infect: it selects them at random using the function get_random_ip():

Mirai botnet code

The function generates IPs randomly until it gets an IP that is not in any of the ranges belonging to these groups:

  • Loopback range
  • Invalid address space ranges
  • General Electric Company
  • Hewlett-Packard Company
  • US Postal Service
  • Internal network ranges
  • IANA NAT reserved ranges
  • IANA Special use range
  • Multicast ranges
  • Fort Huachuca
  • Department of Defense Network Information Center

Now, there is obviously no point in scanning the loopback range or the private ranges, but the botnet also avoids targeting some US companies, like General Electric and HP, and some services, like the US Postal Service or the Department of Defense.

One possible reason for avoiding these targets is that HP, General Electric and the US government services are not running many IoT devices. We do not know why they did not go a step further and add more known ranges, which would have removed some millions of IPs from their scanners.

The bot performs a basic port scan and, once it has detected a device with the telnet port (23) or port 2323 open, it attempts to brute-force the login with the following list of user/password pairs, where "(none)" denotes an empty password:

User / Password         | User / Password         | User / Password
root / xc3511           | root / 666666           | root / 7ujMko0admin
root / vizxv            | root / password         | root / system
root / admin            | root / 1234             | root / ikwb
admin / admin           | root / klv123           | root / dreambox
root / 888888           | Administrator / admin   | root / user
root / xmhdipc          | service / service       | root / realtek
root / default          | supervisor / supervisor | root / 0
root / juantech         | guest / guest           | admin / 1111111
root / 123456           | guest / 12345           | admin / 1234
root / 54321            | guest / 12345           | admin / 12345
support / support       | admin1 / password       | admin / 54321
root / (none)           | administrator / 1234    | admin / 123456
admin / password        | 666666 / 666666         | admin / 7ujMko0admin
root / root             | 888888 / 888888         | admin / 1234
root / 12345            | ubnt / ubnt             | admin / pass
user / user             | root / klv1234          | admin / meinsm
admin / (none)          | root / Zte521           | tech / tech
root / pass             | root / hi3518           | mother / fucker
admin / admin1234       | root / jvbzd
root / 1111             | root / anko
admin / smcadmin        | root / zlxx.
admin / 1111            | root / 7ujMko0vizxv

Since the source code has been leaked, any botmaster can expand this list to meet their own needs. If the bot gains access to the device, it will infect it, gaining one more bot for the botnet.
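Because the credential list and the two probed ports are fixed in the bot, they make a simple detection signature. The following Python is an added example (not code from this post or from Mirai) that flags a source trying several of these default pairs against telnet ports 23 or 2323; the log format and the sample lines are constructed for the example, and only a subset of the list is embedded.

```python
import re
from collections import defaultdict

# Subset of the Mirai default-credential list above; "(none)" is an empty password.
MIRAI_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"),
}
TELNET_PORTS = {23, 2323}  # the two ports the bot probes

# Hypothetical (constructed) auth-log format of a telnet honeypot or IoT device:
# "<timestamp> <src_ip> <dst_port> LOGIN user=<user> pass=<password> result=<ok|fail>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) LOGIN user=(\S*) pass=(\S*) result=(ok|fail)$")

def detect_mirai_bruteforce(lines, threshold=3):
    """Flag sources that tried at least `threshold` distinct Mirai default pairs on a
    telnet port; a successful attempt means the device accepted a known default."""
    attempts = defaultdict(set)
    succeeded = defaultdict(bool)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        _ts, src, port, user, pw, result = m.groups()
        if int(port) not in TELNET_PORTS or (user, pw) not in MIRAI_CREDS:
            continue  # not a Mirai-style attempt (other port or non-default credential)
        attempts[src].add((user, pw))
        succeeded[src] |= result == "ok"
    return {
        src: {"tries": len(creds),
              "verdict": "compromised" if succeeded[src] else "scanning"}
        for src, creds in attempts.items() if len(creds) >= threshold
    }

# Constructed sample: one Mirai-style scanner (203.0.113.7) walking the list on
# port 2323 and finally getting in, one administrator logging in once, SSH noise.
SAMPLE_LOG = [
    "2016-11-04T10:00:01Z 203.0.113.7 2323 LOGIN user=root pass=xc3511 result=fail",
    "2016-11-04T10:00:02Z 203.0.113.7 2323 LOGIN user=root pass=vizxv result=fail",
    "2016-11-04T10:00:03Z 203.0.113.7 2323 LOGIN user=root pass= result=fail",
    "2016-11-04T10:00:04Z 203.0.113.7 2323 LOGIN user=admin pass=admin result=ok",
    "2016-11-04T10:05:00Z 192.168.1.10 23 LOGIN user=admin pass=admin result=ok",
    "2016-11-04T10:06:00Z 198.51.100.9 22 LOGIN user=root pass=root result=fail",
]
if __name__ == "__main__":
    for src, info in detect_mirai_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: tried {info['tries']} Mirai default credentials, {info['verdict']}")
```

A single administrator login with a default pair stays below the threshold, but a device that accepts any pair from this list is itself the finding to act on.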

The release of the source code has fueled the success of the botnet, because now anyone can set up their own Mirai botnet and use it to attack whoever they want.

@MalwareTechBlog and @2sec4u have created a Twitter account (@MiraiAttacks) that provides information on attacks performed by Mirai botnets, including the type of attack, the target and the duration.

IoT devices will remain a threat to users until manufacturers get serious about securing their own devices. This relatively new threat, which targets both consumers and companies, should be given special consideration when assessing an organization's cyber risks.

Learn more about the Blueliv Botnets & CC module, designed to automatically detect IP infections, retrieve stolen credentials, identify attacks and block crime servers.

Victor Acin, Blueliv Research Labs
