Understanding the Mirai Botnet

Understanding the Mirai Botnet

Understanding the Mirai Botnet Manos Antonakakis Tim April‡ Michael Bailey† Matthew Bernhard/ Elie Bursztein◦ Jaime Cochran. Zakir Durumeric/ J. Alex Halderman/ Luca Invernizzi◦ Michalis Kallitsis§ Deepak Kumar† Chaz Lever Zane Ma†∗ Joshua Mason† Damian Menscher◦ Chad Seaman‡ Nick Sullivan. Kurt Thomas◦ Yi Zhou† ‡Akamai Technologies .Cloudflare Georgia Institute of Technology ◦Google §Merit Network †University of Illinois Urbana-Champaign /University of Michigan Abstract of factors—efficient spreading based on Internet-wide The Mirai botnet, composed primarily of embedded scanning, rampant use of insecure default passwords in and IoT devices, took the Internet by storm in late 2016 IoT products, and the insight that keeping the botnet’s when it overwhelmed several high-profile targets with behavior simple would allow it to infect many hetero- massive distributed denial-of-service (DDoS) attacks. In geneous devices—all played a role. Indeed, Mirai has this paper, we provide a seven-month retrospective anal- spawned many variants that follow the same infection ysis of Mirai’s growth to a peak of 600k infections and strategy, leading to speculation that “IoT botnets are the a history of its DDoS victims. By combining a variety new normal of DDoS attacks” [64]. of measurement perspectives, we analyze how the bot- In this paper, we investigate the precipitous rise of Mi- net emerged, what classes of devices were affected, and rai and the fragile IoT ecosystem it has subverted. We how Mirai variants evolved and competed for vulnerable present longitudinal measurements of the botnet’s growth, hosts. Our measurements serve as a lens into the fragile composition, evolution, and DDoS activities from Au- ecosystem of IoT devices. We argue that Mirai may rep- gust 1, 2016 to February 28, 2017. We draw from a resent a sea change in the evolutionary development of diverse set of vantage points including network telescope botnets—the simplicity through which devices were in- probes, Internet-wide banner scans, IoT honeypots, C2 fected and its precipitous growth, demonstrate that novice milkers, DNS traces, and logs provided by attack vic- malicious techniques can compromise enough low-end tims. These unique datasets enable us to conduct the first devices to threaten even some of the best-defended targets. comprehensive analysis of Mirai and posit technical and To address this risk, we recommend technical and non- non-technical defenses that may stymie future attacks. technical interventions, as well as propose future research We track the outbreak of Mirai and find the botnet directions. infected nearly 65,000 IoT devices in its first 20 hours before reaching a steady state population of 200,000– 300,000 infections. These bots fell into a narrow band of 1 Introduction geographic regions and autonomous systems, with Brazil, Columbia, and Vietnam disproportionately accounting for Starting in September 2016, a spree of massive distributed 41.5% of infections. We confirm that Mirai targeted a denial-of-service (DDoS) attacks temporarily crippled variety of IoT and embedded devices ranging from DVRs, Krebs on Security [46], OVH [43], and Dyn [36]. The ini- IP cameras, routers, and printers, but find Mirai’s ultimate tial attack on Krebs exceeded 600 Gbps in volume [46]— device composition was strongly influenced by the market among the largest on record. Remarkably, this overwhelm- shares and design decisions of a handful of consumer ing traffic was sourced from hundreds of thousands of electronics manufacturers. some of the Internet’s least powerful hosts—Internet of By statically analyzing over 1,000 malware samples, Things (IoT) devices—under the control of a new botnet we document the evolution of Mirai into dozens of vari- named Mirai. ants propagated by multiple, competing botnet operators. While other IoT botnets such as BASHLITE [86] and These variants attempted to improve Mirai’s detection Carna [38] preceded Mirai, the latter was the first to avoidance techniques, add new IoT device targets, and in- emerge as a high-profile DDoS threat. What explains troduce additional DNS resilience. We find that Mirai har- Mirai’s sudden rise and massive scale? A combination nessed its evolving capabilities to launch over 15,000 at- ∗Denotes primary, lead, or “first” author tacks against not only high-profile targets (e.g., Krebs 09/30/2016 Source code released 09/18/2016 11/26/2016 02/23/2017 OVH attacks 10/21/2016 Deutsche Telekom Deutsche Telekom begin Dyn attacks CWMP exploit attacker arrested Sept Oct Nov Dec Jan Feb 08/01/2016 09/21/2016 10/31/2016 01/18/2017 Mirai surfaces Krebs on Security Liberia Lonestar Mirai author peak attack attacks begin identified Figure 1: Mirai Timeline—Major attacks (red), exploits (yellow), and events (black) related to the Mirai botnet. on Security, OVH, and Dyn), but also numerous game release of Mirai’s source code on hackforums.net [4]. We servers, telecoms, anti-DDoS providers, and other seem- rely on this code to develop our measurement method- ingly unrelated sites. While DDoS was Mirai’s flavor ology (Section3). Furthermore, as we detail later (Sec- of abuse, future strains of IoT malware could leverage tion5), this source code release led to the proliferation access to compromised routers for ad fraud, cameras for of Mirai variants with competing operators. One notable extortion, network attached storage for bitcoin mining, variant added support for a router exploit through CPE or any number of applications. Mirai’s reach extended WAN Management Protocol (CWMP), an HTTP-based across borders and legal jurisdictions, and it infected de- protocol that enables auto-configuration and remote man- vices with little infrastructure to effectively apply security agement of home routers, modems, and other customer- patches. This made defending against it a daunting task. premises equipment (CPE) [15]. This exploit led to an out- Finally, we look beyond Mirai to explore the security age at Deutsche Telekom late November 2016 [47], with posture of the IoT landscape. We find that the absence of the suspected attacker later arrested in February 2017 [13]. security best practices—established in response to desk- In this work, we track Mirai’s variants and examine how top worms and malware over the last two decades—has they influenced Mirai’s propagation. created an IoT substrate ripe for exploitation. However, this space also presents unique, nuanced challenges in the Botnet structure & propagation We provide a sum- realm of automatic updates, end-of-life, and consumer no- mary of Mirai’s operation in Figure2, as gleaned from tifications. Without improved defenses, IoT-based attacks the released source code. Mirai spread by first entering are likely to remain a potent adversarial technique as bot- a rapid scanning phase (¬) where it asynchronously and net variants continue to evolve and discover new niches “statelessly” sent TCP SYN probes to pseudorandom IPv4 to infect. In light of this, Mirai seems aptly named—it is addresses, excluding those in a hard-coded IP blacklist, on Japanese for “the future.” Telnet TCP ports 23 and 2323 (hereafter denoted TCP/23 and TCP/2323). If Mirai identifies a potential victim, it en- tered into a brute-force login phase in which it attempted 2 The Mirai Botnet to establish a Telnet connection using 10 username and password pairs selected randomly from a pre-configured Mirai is a worm-like family of malware that infected list of 62 credentials. At the first successful login, Mirai IoT devices and corralled them into a DDoS botnet. We sent the victim IP and associated credentials to a hard- provide a brief timeline of Mirai’s emergence and discuss coded report server (­). its structure and propagation. A separate loader program (®) asynchronously in- Timeline of events Reports of Mirai appeared as fected these vulnerable devices by logging in, determining early as August 31, 2016 [89], though it was not until the underlying system environment, and finally, down- mid-September, 2016 that Mirai grabbed headlines with loading and executing architecture-specific malware (¯). massive DDoS attacks targeting Krebs on Security [46] After a successful infection, Mirai attempted to conceal and OVH [74] (Figure1). Several additional high-profile its presence by deleting the downloaded binary and ob- attacks later targeted DNS provider Dyn [36] and fuscating its process name in a pseudorandom alphanu- Lonestar Cell, a Liberian telecom [45]. In early 2017, the meric string. As a consequence, Mirai infections did not actors surrounding Mirai came to light as the Mirai author persist across system reboots. In order to fortify itself, was identified [49]. Throughout our study, we corroborate the malware additionally killed other processes bound our measurement findings with these media reports and to TCP/22 or TCP/23, as well as processes associated expand on the public information surrounding Mirai. with competing infections, including other Mirai vari- Another significant event in this timeline is the public ants, .anime [25], and Qbot [72]. At this point, the bot 3.1 Network Telescope Attacker Send command Mirai’s indiscriminate, rapid scanning strategy lends it- self to tracking the botnet’s propagation to new hosts. We Command Report Dispatch Loader monitored all network requests to a network telescope [9] Infrastructure & Control Server composed of 4.7 million IP address operated by Merit Relay Load Network over a seven month period from July 18, 2016 Report to February 28, 2017. On average, the network telescope received 1.1 million packets from 269,000 IP addresses Devices Scan Victim per minute during this period. To distinguish Mirai traffic Bots from background radiation [94] and other scanning ac- tivity, we uniquely fingerprinted Mirai probes based on Attack an artifact of Mirai’s stateless scanning whereby every probe has a TCP sequence number—normally a random DDoS Target 32-bit integer—equal to the destination IP address. The likelihood of this occurring incidentally is 1=232, and we would expect to see roughly 86 packets demonstrating Figure 2: Mirai Operation—Mirai bots scan the IPv4 address this pattern in our entire dataset.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    19 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us