The document discusses the Mirai botnet attacks of 2016 and subsequent variants. It provides details on:
1) The 2016 Mirai attack that took down major websites by exploiting vulnerabilities in IoT devices like IP cameras and routers.
2) How Mirai and other botnets work by compromising internet-connected devices into a botnet that can be used to launch DDoS attacks.
3) Updates on the evolution of Mirai variants that target new devices and architectures, incorporating more sophisticated techniques.
2. Contents
1. 2016 Mirai attack
2. Botnets, DDoS
3. Current state of Mirai and Mirai variants
4. How to detect and defend
5. September-October 2018 updates
• NISTIR Draft, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
• California IoT Security Law
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
4. Botnets
Collection of internet-connected devices that an attacker has compromised
• Force multiplier for individual attackers, cyber-criminal groups, nation-states
• Disrupt or break into target systems
• Commonly used in DDoS attacks
• Collective computing power
o Send large volumes of spam
o Steal credentials at scale
o Spy on people and organizations
https://www.csoonline.com/article/3240364/hacking/what-is-a-botnet-and-why-they-arent-going-away-anytime-soon.html
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
Mirai-infected devices
5. Distributed Denial of Service (DDoS)
https://www.incapsula.com/blog/how-to-identify-a-mirai-style-ddos-attack.html
Botnet
Attack Nodes
Many vectors
• Layer 3, 4, and 7 attacks
• DNS attacks
• IoT Botnets
• New attacks
9. Mirai Targets
IP cameras, DVRs, home routers
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
Unsophisticated Dictionary Attack
10. Mirai and the Minecraft Connection
https://www.cbronline.com/news/mirai-botnet
https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/
• Mirai attacked Minecraft servers
o Minecraft servers are lucrative
o Gain Minecraft advantage
• Targeted OVH, Minecraft DDoS mitigation tools (VAC)
• Not nation-state attackers
o 21-year-old Rutgers college student
o 2 friends
• 200,000-300,000 infections
• Peak 600,000 devices
• Used variety of traffic
Graphic: https://minecraft.net/en-us/
“Targeted an entire range of IP addresses—not just one particular server or website—enabling it to crush a company’s entire network”
11. Mirai Operation
• Mirai bots scan the IPv4 address space for devices that run telnet or SSH
o Log in using a dictionary of hardcoded IoT credentials
• Bot sends the victim IP address and credentials to a report server, which asynchronously triggers a loader to infect the device
• Infected hosts scan for additional victims and accept DDoS commands from a C2 server
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
15. Mirai Variants
• Brian Krebs reported Mirai precursors
o Bashlite, Gafgyt, Qbot (2014), Remaiten, Torlus
• Satori, also known as Masuta, and DaddysMirai include the original Mirai vectors but removed the HTTP attack
• Orion is an exact copy of the original Mirai attack table (and just like Mirai, has abandoned the PROXY attack)
• Owari added two new vectors, STD and XMAS
https://www.zdnet.com/article/meet-torii-a-new-iot-botnet-far-more-sophisticated-than-mirai/
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
https://krebsonsecurity.com/tag/ddos-for-hire/
16. Mirai Variants
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
Many attackers were fighting for Telnet access to IoT devices with traditional Mirai
• New variants were developed to find additional methods of exploitation and infection
• TR-064 exploits that were quickly added to the code (and used to infect the endpoints of service providers)
• 0-day exploit on Huawei routers in several botnets
• Reaper botnet, which includes 10 previously disclosed CVEs
CVE = Common Vulnerabilities and Exposures
• TR-064 is defined by the DSL Forum as part of its Broadband suite
• TR-064 describes a specific implementation to be used for DSL CPE LAN-side configuration
• The management application can be a software program or an installation CD from the CPE vendor
• It was developed by the DSL Forum based on UPnP Devices Structure 1.0
17. New Mirai Botnet Breed Taps Aboriginal Linux to Spawn Across Devices
https://www.cbronline.com/news/mirai-botnet
The new variant has been created using an open source project named Aboriginal Linux
• Botnet compatible with an array of architectures and devices
o IP cameras
o Routers
o Speakers
o Android-based devices
• Found an ARM7 Mirai variant running on an Android device running Android 4.4, as well as a variant on Debian ARM
Aboriginal Linux is a shell script that builds the smallest, simplest Linux system capable of rebuilding itself from source code. Aboriginal’s “elegant cross-compilation framework” gave Mirai new teeth
18. Torii (September 27, 2018)
• Sophistication “a level above anything we have seen before”
• Rich set of features for exfiltration of (sensitive) information
• Ability to persist
• Modular architecture capable of fetching and executing other commands and executables
• Multiple layers of encrypted communication
• Can infect a wide range of devices
• Support for a wide range of target architectures, including MIPS, ARM, x86, x64, PowerPC, SuperH, MC68000, and others
• Give credit to @VessOnSecurity, who actually tweeted about a sample hitting his telnet honeypot last week
https://blog.avast.com/new-torii-botnet-threat-research
Infection chain starts with a Telnet attack on the weak credentials of targeted devices
• Then execution of an initial shell script
20. IoT Challenges
• Limited IoT visibility
• Limited IoT control
• Limited IoT security manufactured in
• Increased attack surface
• Wide range of devices
• Many are consumer-managed
• Many have no interface
• Technical and regulatory challenges
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=006157&lang=EN
Graphic: https://www.theinquirer.net/inquirer/news/3036359/half-a-billion-iot-devices-in-the-office-vulnerable-to-dns-attacks-warns-armis
22. IoT Challenges
• IoT security must evolve away from default-open ports to default-closed and adopt security hardening best practices
• Devices should consider default networking configurations that limit remote address access to those devices to local networks or specific providers
• Apart from network security, IoT developers need to apply ASLR, isolation boundaries, and principles of least privilege into their designs
• From a compliance perspective, certifications might help guide consumers to more secure choices as well as pressure manufacturers to produce more secure products
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
ASLR = Address Space Layout Randomization
Telnet: a network protocol that allows a user on one computer to log onto another computer that is part of the same network
23. IoT Challenges: NISTIR
• Many IoT devices interact with the physical world in ways conventional IT devices usually do not
• Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can
• The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices
https://csrc.nist.gov/publications/detail/nistir/8228/draft
Graphic: https://online.stanford.edu/courses/xee100-introduction-internet-things
25. How to Detect and Defend against Botnet Attacks?
Ideal World
• Detect new device on network
• Automatically apply device policy
• Monitor device
• Detect abnormal activity
• Alert on abnormal activity
• Disable infected devices
• End-of-Life, decommission
https://www.electronicspecifier.com/blog/iot-device-management-scorecard-profiles-wind-river-helix-device-cloud
26. DDoS Defenses
Ideal World
• Outgoing
o Throttle traffic
o Block outbound DDoS
o Isolate botnets
• Incoming
o Stop incoming DDoS
o Throttle traffic
o Prevent infection
Brickers
• Detect botnet attack, brick devices
• BrickerBot
o IP Cameras, DVRs
• Use as a mitigating countermeasure?
o Hajime
o Blocks ports Mirai is known to attack (23, 7547, 555, 5358)
o But after reboot, does not persist
Source: Electronic Design, Ralph Nguyen, August 8, 2017
27. Mitigate IoT Botnet Attacks
https://www.upwork.com/hiring/data/dont-get-entangled-botnet/
https://www.quest-global.com/wp-content/uploads/2015/08/UPnP-in_Digital_Home_Networking.pdf
• Credentials and login
o Change default passwords
o Enforce login rate limiting to prevent brute force attacks
o Use captcha or proof of work
o Future: Eliminate default credentials
• Authentication
• Device Identification
• Encryption
• Chains of Trust
• Turn Off Universal Plug-and-Play (UPnP)
• Firewalls
• Put IoT devices on a separate network
• Keep Firmware Up-to-Date
o Over the Air (OTA)
o Automatic, Make Auto Patch Mandatory
• Use Secure Devices
• End-of-Life, Decommission old IoT devices
o How to get rid of them?
UPnP is meant to make it easier to connect and set up devices by allowing them to discover one another over a local network
28. Mitigate IoT Botnet Attacks Using AI
https://www.iotsecurityfoundation.org/machine-learning-will-be-key-to-securing-iot-in-smart-homes/
• Network-based solutions
• Device-based solutions
o Machine learning can help bring lightweight endpoint protection to IoT devices
o Not signature-based
o Behavior-based
29. Mitigate IoT Botnet Attacks Using AI
https://hackernoon.com/prevent-iot-botnet-attacks-using-ai-with-code-3817fb3fcf7e
Attribute Information
• H: Stats summarizing the recent traffic from this packet’s host (IP)
• HH: Stats summarizing the recent traffic going from this packet’s host (IP) to the packet’s destination host
• HpHp: Stats summarizing the recent traffic going from this packet’s host+port (IP) to the packet’s destination host+port. Example: 192.168.4.2:1242 -> 192.168.4.12:80
• HH_jit: Stats summarizing the jitter of the traffic going from this packet’s host (IP) to the packet’s destination host
Uses Linear Regression
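The H, HH, HpHp and HH_jit attributes above are per-packet traffic statistics that the cited approach feeds to its model. The block below is an added example (not code from the slides or the cited article) of how such statistics can be maintained incrementally per host, host pair and socket pair, with older traffic decaying over time; the decay rate `lam`, the `IncStat`/`FeatureExtractor` names and the sample packets are assumptions.

```python
import math
from collections import defaultdict

class IncStat:
    """Damped incremental statistic (weight, mean, std) over a stream of values."""
    def __init__(self, lam):
        self.lam = lam                      # decay rate; 0 means old traffic is never forgotten
        self.w = self.ls = self.ss = 0.0    # weight, linear sum, squared sum
        self.last_t = None

    def update(self, x, t):
        if self.last_t is not None:         # fade the old sums by the time elapsed
            d = 2.0 ** (-self.lam * (t - self.last_t))
            self.w, self.ls, self.ss = self.w * d, self.ls * d, self.ss * d
        self.last_t = t
        self.w, self.ls, self.ss = self.w + 1.0, self.ls + x, self.ss + x * x

    def stats(self):
        mean = self.ls / self.w
        var = max(self.ss / self.w - mean * mean, 0.0)   # clamp float noise
        return [self.w, mean, math.sqrt(var)]

class FeatureExtractor:
    """Keeps the H, HH, HpHp and HH_jit streams and emits a 12-value vector per packet."""
    def __init__(self, lam=0.1):
        stream = lambda: defaultdict(lambda: IncStat(lam))
        self.h, self.hh, self.hphp, self.jit = stream(), stream(), stream(), stream()
        self.last_seen = {}                 # (src, dst) -> time of the previous packet

    def process(self, t, src, sport, dst, dport, size):
        pair, sockets = (src, dst), (f"{src}:{sport}", f"{dst}:{dport}")
        self.h[src].update(size, t)         # H: all traffic from this host
        self.hh[pair].update(size, t)       # HH: host -> destination host
        self.hphp[sockets].update(size, t)  # HpHp: host:port -> destination host:port
        prev = self.last_seen.get(pair)
        if prev is not None:                # HH_jit: inter-arrival times for the host pair
            self.jit[pair].update(t - prev, t)
        self.last_seen[pair] = t
        vec = self.h[src].stats() + self.hh[pair].stats() + self.hphp[sockets].stats()
        return vec + (self.jit[pair].stats() if pair in self.jit else [0.0, 0.0, 0.0])

def sample_vectors(lam=0.0):
    """Constructed packets (not a real capture): three A->B packets one second apart, then A->C."""
    fx = FeatureExtractor(lam)
    pkts = [(0.0, "192.168.4.2", 1242, "192.168.4.12", 80, 60),
            (1.0, "192.168.4.2", 1242, "192.168.4.12", 80, 60),
            (2.0, "192.168.4.2", 1242, "192.168.4.12", 80, 60),
            (3.0, "192.168.4.2", 1243, "192.168.4.13", 23, 60)]
    return [fx.process(*p) for p in pkts]
```

With `lam=0` the weights are plain packet counts, which makes the vectors easy to check by hand; a positive `lam` makes a host that stops sending fade out of the statistics.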
30. Mitigate IoT Botnet Attacks: Domain Specificity
https://www.iotsecurityfoundation.org/machine-learning-will-be-key-to-securing-iot-in-smart-homes/
• Domain-specific
• Industrial Control Systems (ICS)
• Smart Buildings
o Includes intelligent buildings equipment and controls
o Audio visual (AV)
o Fire
o HVAC
o Lighting
o Building security
32. NIST Interagency/Internal Report (NISTIR)
https://csrc.nist.gov/publications/detail/nistir/8228/draft
NISTIR Draft, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks
• Date Published: September 2018
• Comments Due: October 24, 2018
34. NISTIR
https://csrc.nist.gov/publications/detail/nistir/8228/draft
Recommendations for Addressing Cybersecurity and Privacy Risk Mitigation Challenges for IoT Devices
1. Understand the IoT device risk
2. Adjust organizational policies and processes
3. Implement updated mitigation practices for the organization’s IoT devices
• May need to determine how to manage risk for hundreds or thousands of IoT device types
• Capabilities vary widely from one IoT device type to another, with one type lacking data storage and centralized management capabilities, and another type having numerous sensors and actuators, using local and remote data storage and processing capabilities, and being connected to several internal and external networks at once
• The variability in capabilities causes similar variability in the cybersecurity and privacy risks involving each IoT device type, as well as the options for mitigating those risks
35. Filed September 28, 2018
• Senate Bill No. 327
• Chapter 886
Goes into effect January 1, 2020
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
California IoT Security Law
36. Requires manufacturers of any “connected device” to implement “reasonable” security features
• “Connected device” is any device, or other physical object, that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
California IoT Security Law
37. “Reasonable” security features for IoT devices are ones that are:
• Appropriate to the nature and function of the device;
• Appropriate to the information it may collect, contain, or transmit; and
• Designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure
Including:
• A preprogrammed unique password assigned by the manufacturer, or
• Requiring that the user establish a new password prior to first use
https://www.lexology.com/library/detail.aspx?g=8d4b1869-296d-4eaa-89b9-b4efb15adfcd
California IoT Security Law: No More Admin/Admin
60 username/password pairs hardcoded into Mirai source code: https://www.grahamcluley.com/mirai-botnet-password/
43. Usenix (August 2017)
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
44. References
• Fruhlinger, Josh. The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet, https://www.csoonline.com/article/3258748/security/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html (March 9, 2018).
• Graff, Garrett M. How a Dorm Room Minecraft Scam Brought Down the Internet, https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/ (December 13, 2017).
• Herzberg, Dan; Bekerman, Dima; Zeifman, Igal. Breaking Down Mirai: An IoT DDoS Botnet Analysis, https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html (October 26, 2016).
• Krebs, Brian. Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted, https://krebsonsecurity.com/tag/ddos-for-hire/ (September 2, 2018).
• Winward, Bob. Defending Against the Mirai Botnet, https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/ (September 12, 2018).
45. “Mirai successfully compromised a segment that is severely lacking in security best practices, IoT devices. While it’s the first malware known to possess this capability, it will surely not be the last.”
https://www.youtube.com/watch?v=jMTwA6q6VKo
– Roger Barranco, CISSP, NSA, CDCP, Senior Director, Global Security Operations, Akamai Technologies
46. Defend Against the Mirai IoT Botnet
https://www.radware.com/iot-attack-ebook-lpc-64317
47. Defend Against the Mirai IoT Botnet
https://blog.radware.com/security/2018/09/defending-against-the-mirai-botnet/
Attack Vectors (Protocol)
• DNS (UDP)
• VSE (UDP)
• STOMP (TCP)
• GREETH (GRE)
• GREIP (GRE)
• SYN (TCP)
• ACK (TCP)
• UDP (UDP)
• UDPPLAIN (UDP)
• HTTP (TCP, HTTP)
• STD (UDP)
• XMAS (TCP)
The Valve Source Engine (VSE) attack is specially crafted for servers that run certain games from the developer Valve Corporation
48. How to Detect and Defend against Botnet Attacks?
• Group IoT Traffic
o Source or Destination IP address, Domains, APN
o IMEI
o VLAN
• Type of protocols and applications permitted for communication
• Time of day, day of week for when communication is allowed
• Number of new connections, amount of bandwidth allowed
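An added example (not from the slides or any of the cited sources) of the grouping-and-policy approach in this slide, applied to the scanning behaviour described under Mirai Operation: a constructed flow log is checked against a per-group policy for permitted destination ports, allowed hours, new-connection rate and bandwidth. Grouping is by source address only; the `POLICIES` values, the log line format and the sample lines are assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed policy for one IoT traffic group (illustrative values, not from the slides).
POLICIES = {
    "ip-cameras": {
        "network": ipaddress.ip_network("10.0.50.0/24"),   # group membership by source address
        "allowed_dports": {443, 554},                       # HTTPS to the cloud, RTSP to the NVR
        "allowed_hours": range(6, 22),                      # 06:00-21:59, when communication is allowed
        "max_new_conns_per_min": 20,                        # number of new connections allowed
        "max_bytes_per_min": 5_000_000,                     # bandwidth allowed
    },
}

def group_for(src):
    """Map a source IP to its IoT traffic group, or None if it is not a managed IoT device."""
    addr = ipaddress.ip_address(src)
    for name, pol in POLICIES.items():
        if addr in pol["network"]:
            return name
    return None

def parse(line):
    # Constructed flow-log format: "<ISO time> <src> -> <dst>:<dport> bytes=<n>"
    ts, src, _, dst, nbytes = line.split()
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, src, dst_ip, int(dport), int(nbytes.split("=")[1])

def evaluate(lines):
    """Return the set of (src, reason) policy violations found in the flow log."""
    alerts, conns, volume = set(), defaultdict(int), defaultdict(int)
    for line in lines:
        ts, src, _dst, dport, nbytes = parse(line)
        group = group_for(src)
        if group is None:                   # not an IoT device we manage; out of scope here
            continue
        pol, minute, hour = POLICIES[group], ts[:16], int(ts[11:13])
        if dport not in pol["allowed_dports"]:
            alerts.add((src, f"port {dport} not permitted for {group}"))
        if hour not in pol["allowed_hours"]:
            alerts.add((src, f"traffic outside allowed hours ({hour:02d}h)"))
        key = (src, minute)
        conns[key], volume[key] = conns[key] + 1, volume[key] + nbytes
        if conns[key] > pol["max_new_conns_per_min"]:
            alerts.add((src, "new-connection rate exceeded"))
        if volume[key] > pol["max_bytes_per_min"]:
            alerts.add((src, "bandwidth exceeded"))
    return alerts

# Constructed sample: camera .21 opens telnet to 25 hosts at 02:14 (Mirai-style scanning);
# camera .22 streams RTSP to the NVR during the day and should raise nothing.
SAMPLE_LOG = [f"2018-10-03T02:14:{i:02d} 10.0.50.21 -> 203.0.113.{i + 1}:23 bytes=120" for i in range(25)]
SAMPLE_LOG.append("2018-10-03T09:30:00 10.0.50.22 -> 10.0.50.5:554 bytes=900000")
```

Running `evaluate(SAMPLE_LOG)` flags only 10.0.50.21, on all three of port, hour and connection rate, which is the signature this slide's grouping rules are meant to surface.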