网络科技

    今日:78| 主题:278884
收藏本版
互联网、科技极客的综合动态。

[其他] Mirai C&C Botnets

[复制链接]
天空blond 投递于 2016-10-19 04:04:39
434 9
Level 3 Threat Research Labs has previouslyreported on a family of malware that exploits Internet of Things (IoT) devices to create distributed denial of service (DDoS) botnets. With a rapidly increasing market for these devices and little attention being paid to security, the threat from these botnets is growing.  Level 3 Threat Research Labs has been continuously tracking these botnets as they wreak havoc on victims across the internet.
   In mid-September, we discovered a new botnet connected to the malware known as “Mirai,” which has been responsible for attacks such as the record breaking DDoS attack on KrebsOnSecurity.com .  Recently the source code of Mirai was released, which has inspired a significant number of new bad actors, all working to exploit similar pools of vulnerable devices. In this post we explore the behavior, structure, and trends of Mirai botnets, focusing on their interaction with our network backbone.
  C2s

  Using various machine learning techniques to analyze DDoS attacks sourced from known susceptible devices, Level 3 Threat Research Labs was able to identify a number of C2s associated with this botnet. Additionally, the IP addresses identified pointed to domains containing “santasbigcandycane.cx” (.cx is a top-level domain of Christmas Island) and were prefixed by “network” and “report” to denote their role in the botnet.  As a challenge to the security community, an IP from one of the network C2s was also once resolved to “catch.me.if.you.can” as opposed to the usual “network.santasbigcandycane.cx”.  By querying DNS records, these C2 IPs were easily enumerated.  A list of C2 IP addresses and domains can be found in the table at the bottom of this post.
   At any one time, only a handful of network C2 IP addresses were active.  Approximately every two days, a new network C2 IP became active (see figure below).  This switching behavior is roughly 3-times more rapid than we observed in the gafgyt botnet.  It is likely done in an effort to evade detection.  In the plot below, we show the outbound traffic from network C2s, with each color representing a different network C2 IP.  The bars show the number of unique hosts sending traffic to the C2 each hour varied greatly (these hosts are assumed to be bots). The Mirai report C2 at “report.santasbigcandycane.cx” had much less communication with bots than the network C2s.

Mirai C&C Botnets

Mirai C&C Botnets-1-网络科技-2016,santasbigcandyca,server,Mirai,the

  Figure 1 – Mirai “network” C2 outbound traffic binned by hour. Colors represent different C2s.
   One interesting interaction we discovered was that the Mirai network C2s were attacked several times by a gafgyt/BASHLITE botnet.  In particular, there were gigabit-per-second level simultaneous attacks on two separate Mirai network C2s that stretched just over 24 hours, mostly during September 18.  Additionally, there were several shorter attacks on additional C2s in subsequent days, as can be seen by the spikes in bandwidth in the plot below.

Mirai C&C Botnets

Mirai C&C Botnets-2-网络科技-2016,santasbigcandyca,server,Mirai,the

  Figure 2 – Mirai “network” C2 inbound traffic binned by hour.  The spikes in the plot are attacks against the Mirai C2s. Several C2s were attacked by gafgyt/BASHLITE bots, including a significant 24-hour attack on September 18.
   Structure of the Botnet

Mirai C&C Botnets

Mirai C&C Botnets-3-网络科技-2016,santasbigcandyca,server,Mirai,the
Figure 3 – Structure of a Mirai botnet
  By analyzing the communication patterns of the Mirai C2 IP addresses, we were able to identify and enumerate Mirai’s infrastructure. This analysis was later confirmed accurate when the Mirai source code was released. It is interesting to note the initial Mirai infrastructure was much more complex than the various gafgyt variants we analyzed in our previous work. The diagram above outlines the basic functionality of Mirai and its components.
  Bots (B) communicating with the Mirai C2 (C) were found scanning across TCP port 23 and port 2323 as well as performing DDoS attacks against various victims (D). Bots sent one-way traffic towards a report server (R) (report.santasbigcandycane.cx), which were the IP addresses and credentials of the vulnerable hosts. This was hypothesized due to the fact that several other IP addresses (L, loaders) would communicate with IP addresses that were previously scanned and later identified as bots. This communication contained bi-directional traffic on port 23, sometimes with large packet sizes, signifying interaction with the telnet service. We observed these same victims accessing a different IP address (M) on port 80 with large packet sizes. This IP address hosted the Mirai binary itself and the large packet sizes were due to the victim downloading the malware. After downloading the binary and finishing interaction with the loader, the victim IP would begin bot activity. Throughout our investigation we identified a long-lived IP connection from a TOR exit node to the report server (R), which we believe may have been the botnet author controlling the botnet.  With the botnet established, it was being sold to various users (U) who used an API hosted on the C2 server (C) to order DDoS attacks.
  Bots

   As with the gafgyt malware family, Mirai targets IoT devices.  The majority of these bots are DVRs (>80percent) with the rest being routers and other miscellaneous devices, such as IP cameras and Linux servers.  The devices are often operated with the default passwords, which are simple for bot herders to guess.  From the source code it has been found that Mirai’s scanning protocol utilizes a list of generic and device-specific credentials to gain access to susceptible devices.
  We have been able to identify bots via communications with the C2. Once new bots are identified, their common communications lead to new C2s, which then lead to more bots.  Prior to the Mirai source code release, we identified approximately 213,000 bots using this method.  Since the code release, multiple new Mirai botnets have accumulated an additional 280,000 bots, bringing the count of Mirai bots to 493,000.  The true number of actual bots may be higher based on an incomplete view of the infrastructure.
   While the types of devices infected by Mirai and gafgyt are similar, the geographic distribution of devices we observed are quite different.  The highest fraction of devices used are located in the United States (29 percent), followed by devices in Brazil (23 percent) and Colombia (8 percent).  Of the hosts we are confident have been assimilated by the Mirai botnet, 24 percent of them overlap with bots known to be used in gafgyt attacks.  Such a high overlap indicates that multiple malware families are targeting the same pool of vulnerable IoT devices.

Mirai C&C Botnets

Mirai C&C Botnets-4-网络科技-2016,santasbigcandyca,server,Mirai,the

  Figure 4 – Global Distribution of Mirai bots
  DDoS Victims

   Typically, we have observed Mirai attacks on game servers and residential IP addresses. However, Mirai has also been blamed for the record attack on KrebsOnSecurity during September 20-22.  We can confirm that Mirai bots attacked Brian Krebs’ website.  Of the attackers we observed, approximately half were known Mirai bots at the time.
   The magnitude of attacks observed can be quite significant.  We have observed several attacks using more than 100 Gbps.  Large armies of bots participated in attacks, with several using over 100,000 bots against the same victim. We have seen Mirai botnets employ a variety of different attacks, the majority of which are L7 HTTP attacks and UDP and TCP floods, while a smaller fraction utilized GRE.  Additionally, we have seen a number of attacks against authoritative DNS infrastructure, sometimes as a part of attacks using multiple of these methods.

Mirai C&C Botnets

Mirai C&C Botnets-5-网络科技-2016,santasbigcandyca,server,Mirai,the

  Figure 5 – Observed number of attacks attributed to Mirai
  Proliferation

  With the public release of the Mirai source code around October 1, it is expected additional actors will continue to utilize the malware to initiate DDoS attacks.  Shortly after the release, on October 2, we began observing bots connect to another C2 domain.  The domain associated with the IP, “cnc.disabled.racing”, appears analogous to the “network.santasbigcandycane.cx” C2 type.  Additionally, the “report” naming convention is duplicated in the “report.disabled.racing” domain.  As of this article, cnc.disabled.racing only talks to about 25 percent of the known susceptible IoT devices that network.santasbigcandycane.cx did. Interestingly, a single IP (93.158.200.115) related to report.disabled.racing and cnc.disabled.racing on October 3, was also associated with report.santasbigcandycane.cx on October 4.  We cannot confirm if the original author has moved to this new domain infrastructure or rather this newer Mirai variant is utilizing the same rented server infrastructure.
  Table 1 – Mirai C2s and Report C2s
              C2     Report     Description              network.santasbigcandycane.cx      report.santasbigcandycane.cx     Identified September 14              cnc.disabled.racing      report.disabled.racing     Identified October 2              b0ts.xf0.pw      report.xf0.pw     Identified October 2              imscaredaf.xyz, swinginwithme.ru      imscaredaf.xyz, swinginwithme.ru     Identified October 3              kankerc.queryhost.xyz      report.queryhost.xyz     Identified October 5           We also identified a new C2 domain, xf0.pw, associated with similar Mirai activity and hosting a new Mirai binary on its own IP. Traffic shows this variant was most likely using the same IP for initial scanning, scan result reporting, and malware distribution for some time. An IP address associated with xf0.pw had previously been identified as a gafgyt C2 back in late August using our C2 detection algorithm. On October 5, we identified another C2 variant using queryhost.xyz who seems to be also hosting its infrastructure on the same host.
   A new Mirai variant hosted on the IP address associated with the domain names imscaredaf.xyz and swinginwithme.ru was found on October 3, but had slightly different network behavior when compared to the original Mirai variant. As it turns out, around the same time this same IP was hosting a “get.sh” shell script submitted to VirusTotal . This shell script uses wget to download various binaries based on architecture and when run, downloads a new Mirai variant. Gafgyt used a very similar type of script via their scanners.
  Looking Forward

  With the recent and frequent introduction of new Mirai variants, we expect continued DDoS activity from Mirai botnets.  The structure of these botnets is evolving as different owners adapt the malware. In some cases, we see the new variants running all of their infrastructure on one or two hosts, as opposed to the original Mirai variant which had many different hosts and frequently changed IPs to avoid detection or attack. We also see different malware distribution mechanisms, as in the case of swinginwithme.ru.  Level 3 Threat Research Labs will continue to identify and track developments in these botnets. We will also work with hosting providers and domain registrars to block traffic to these C2s.
   There are further actions that can be taken to prevent attacks from IoT botnets. Manufacturers play a vital role in mitigating threats from malware like Mirai.  By disabling unused services, such as telnet, and requiring users to set passwords after installation, devices become much less vulnerable.  Consumers can improve their security as well by changing default passwords and following security best practices .  As IoT devices become more widespread, implementing these basic security measures will become more important.
  Appendix A: C2 list as of 10/14/2016
               Domain Name       IP Address       First Seen Date       Last Seen Date       Description              network.santasbigcandycane.cx     80.87.205.11     9/16/2016     9/17/2016     C2 server             network.santasbigcandycane.cx     185.93.185.12     9/16/2016     9/16/2016     C2 server             network.santasbigcandycane.cx     185.93.185.11     9/16/2016     9/17/2016     C2 server             network.santasbigcandycane.cx     80.87.205.10     9/17/2016     9/18/2016     C2 server             network.santasbigcandycane.cx     185.70.105.161     9/18/2016     9/19/2016     C2 server             network.santasbigcandycane.cx     185.130.225.95     9/19/2016     9/19/2016     C2 server             network.santasbigcandycane.cx     185.130.225.94     9/19/2016     9/19/2016     C2 server             network.santasbigcandycane.cx     185.130.225.65     9/20/2016     9/21/2016     C2 server             network.santasbigcandycane.cx     185.130.225.83     9/21/2016     9/22/2016     C2 server             network.santasbigcandycane.cx     185.130.225.66     9/21/2016     9/21/2016     C2 server             network.santasbigcandycane.cx     185.70.105.164     9/22/2016     9/23/2016     C2 server             network.santasbigcandycane.cx     185.130.225.90     9/22/2016     9/22/2016     C2 server             network.santasbigcandycane.cx     46.249.38.153     9/23/2016     9/28/2016     C2 server             network.santasbigcandycane.cx     46.249.38.149     9/23/2016     9/24/2016     C2 server             network.santasbigcandycane.cx     46.249.38.152     9/24/2016     9/24/2016     C2 server             network.santasbigcandycane.cx     46.249.38.148     9/24/2016     9/24/2016     C2 server             network.santasbigcandycane.cx     46.249.38.154     9/25/2016     9/26/2016     C2 server             network.santasbigcandycane.cx     46.249.38.151     9/28/2016     9/29/2016     C2 server             network.santasbigcandycane.cx     46.249.38.150     9/28/2016     9/28/2016     C2 server             network.santasbigcandycane.cx     46.249.38.146     9/28/2016     9/28/2016     C2 server             network.santasbigcandycane.cx     46.249.38.145     9/28/2016     9/28/2016     C2 server             network.santasbigcandycane.cx     46.249.38.159     9/30/2016     10/14/2016     C2 server                                              report.santasbigcandycane.cx     65.98.91.181     9/16/2016     9/28/2016     report server             report.santasbigcandycane.cx     72.8.183.202     9/28/2016     10/1/2016     report server             report.santasbigcandycane.cx     93.158.200.115     10/2/2016     10/14/2016     report server                                              cnc.disabled.racing     93.158.200.115     10/2/2016     10/2/2016     C2 server             cnc.disabled.racing     92.222.66.137     10/2/2016     10/9/2016     C2 server             cnc.disabled.racing     188.209.52.101     10/2/2016     10/9/2016     C2 server             cnc.disabled.racing     93.158.200.66     10/3/2016     10/3/2016     C2 server             cnc.disabled.racing     173.212.192.219     10/4/2016     10/5/2016     C2 server             cnc.disabled.racing     191.96.249.29     10/6/2016     10/6/2016     C2 server             cnc.disabled.racing     151.80.27.90     10/8/2016     10/10/2016     C2 server                                              gay.disabled.racing     151.80.27.90     10/10/2016     10/13/2016     C2 server             gay.disabled.racing     51.255.172.22     10/11/2016     10/11/2016     C2 server             gay.disabled.racing     77.247.178.191     10/13/2016     10/13/2016     C2 server                                              report.disabled.racing     93.158.200.115     10/2/2016     10/3/2016     report server             report.disabled.racing     93.158.200.68     10/3/2016     10/3/2016     report server             report.disabled.racing     166.62.80.172     10/4/2016     10/4/2016     report server             report.disabled.racing     173.212.192.219     10/6/2016     10/7/2016     report server             report.disabled.racing     77.247.178.191     10/7/2016     10/7/2016     report server             report.disabled.racing     93.158.200.126     10/8/2016     10/12/2016     report server             report.disabled.racing     93.158.200.105     10/13/2016     10/13/2016     report server                                              lol.disabled.racing     151.80.27.90     10/8/2016     10/10/2016     C2 server             lol.disabled.racing     93.158.200.66     10/9/2016     10/9/2016     C2 server             lol.disabled.racing     93.158.200.103     10/9/2016     10/9/2016     C2 server             lol.disabled.racing     92.222.66.137     10/9/2016     10/9/2016     C2 server             lol.disabled.racing     51.255.172.22     10/10/2016     10/10/2016     C2 server                                              dongs.disabled.racing     93.158.200.126     10/8/2016     10/11/2016     malware distribution             penis.disabled.racing     77.247.178.191     10/12/2016     10/12/2016     C2 server                                              b0ts.xf0.pw     185.47.62.199     10/2/2016     10/4/2016     C2 server             b0ts.xf0.pw     149.56.232.146     10/6/2016     10/10/2016     C2 server             b0ts.xf0.pw     158.69.142.34     10/10/2016     10/10/2016     C2 server             b0ts.xf0.pw     185.153.197.103     10/11/2016     10/11/2016     C2 server             b0ts.xf0.pw     176.126.245.213     10/11/2016     10/13/2016     C2 server                                              report.xf0.pw     91.185.190.172     10/3/2016     10/3/2016     report server             report.xf0.pw     149.56.151.180     10/5/2016     10/6/2016     report server             report.xf0.pw     149.56.232.146     10/9/2016     10/9/2016     report server             report.xf0.pw     185.115.125.99     10/11/2016     10/11/2016     report server             report.xf0.pw     93.104.209.11     10/13/2016     10/13/2016     report server             report.xf0.pw     23.89.159.176     10/14/2016     10/14/2016     report server                                              swinginwithme.ru     154.16.199.48     10/3/2016     10/10/2016     C2 server             swinginwithme.ru     77.247.178.47     10/5/2016     10/7/2016     C2 server             swinginwithme.ru     151.80.99.91     10/9/2016     10/10/2016     C2 server             swinginwithme.ru     151.80.99.90     10/9/2016     10/9/2016     C2 server             swinginwithme.ru     154.16.199.78     10/11/2016     10/13/2016     C2 server             swinginwithme.ru     185.100.87.238     10/13/2016     10/14/2016     C2 server             swinginwithme.ru     185.62.190.38     10/14/2016     10/14/2016     C2 server                                              imscaredaf.xyz     154.16.199.48     10/4/2016     10/10/2016     C2, same IP as swinginwithme.ru             imscaredaf.xyz     154.16.199.78     10/10/2016     10/14/2016     C2, same IP as swinginwithme.ru           Appendix B: Hashes
               Mirai Samples                    Filename       Hash       C2              mirai.arm     35156594d941216f7fe6ced5c1893921     network.santasbigcandycane.cx             mirai.arm     b0803b91933fe61b1abc91b001699058     network.santasbigcandycane.cx             mirai.arm7     d2273df4dcff8cca812104cf17a23bca     network.santasbigcandycane.cx             mirai.m68k     75f752e4785f359511a781a1aa67bbed     network.santasbigcandycane.cx             mirai.mips     c16ea02487ddcdfbae313f45de23d064     network.santasbigcandycane.cx             mirai.mpsl     0ddfad615dbd51b088d4f535a045efd3     network.santasbigcandycane.cx             mirai.mpsl     6a1774e85f866f37be32c3b6cf30c972     network.santasbigcandycane.cx             mirai.ppc     edeb470ad89d81dfcf72e5c9d7a9eb6c     network.santasbigcandycane.cx             mirai.sh4     1cb8051b5a220b12a913048a23490f02     network.santasbigcandycane.cx             mirai.spc     753742e76ad5589fd8bab94a16755322     network.santasbigcandycane.cx             mirai.arm7     239d86648c6c8677972db133f3604b85     gay.disabled.racing             mirai.arm     c4126d9de9d55de77d15596edac81aec     swinginwithme.ru             mirai.arm7     89ca713bc51a20a6a21727a6d9e3222d     swinginwithme.ru             mirai.mips     84417c5f1819f7ac8b9051646f69b0e4     swinginwithme.ru             mirai.mpsl     fdc4632f34ee396cf3f1ff3a1aec2c0e     swinginwithme.ru             mirai.ppc     ea88382c48fb1a287530337ed48cc36b     swinginwithme.ru             mirai.sh4     629de321735e2c5928b914e2c9bcbd39     swinginwithme.ru             mirai.spc     5b4eb0b1935b6586e139b13232446928     swinginwithme.ru             mirai.x86     374d0e146452a390bea075f1f6530cde     swinginwithme.ru             mirai.arm7     7d3ad2e3f06fc9111f9dfdb9203730ff     b0ts.xf0.pw             mirai.arm7     ddc7379e059b8449b9e5b25970fbb0c5     kankerc.queryhost.xyz             mirai.x86     1e953ba0180c0d45d0314f51eb7efc1b     kankerc.queryhost.xyz             mirai.arm     0737b51eb31b67c2cb85af5e4fac5ec5     meme.icmp.online             mirai.arm5n     9739dedcd6e7995501524d6c84732e87     meme.icmp.online             mirai.arm7     166c1baec2c8728de54df743961a6043     meme.icmp.online             mirai.m68k     0fe84136a5496eec3056bf0c990c0424     meme.icmp.online             mirai.mips     9534fe7a3494bb6c41655d9b682c40cd     meme.icmp.online             mirai.mpsl     11bfc3d943fe4d5fbd15d5a50e9594f3     meme.icmp.online             mirai.ppc     dda6c2005e552cccdfe9be38fa048d2c     meme.icmp.online             mirai.sh4     6f8826b5103ac1a1074fff9513bc2230     meme.icmp.online             mirai.spc     69b2a6c518cf75fbdd9298e756c8d036     meme.icmp.online             mirai.x86     ae88d89c18c53a333bda6a14db5a00d0     meme.icmp.online                                                            Downloader Samples                    Filename       Hash       C2              dlr.arm     88f609b296ae81720457b2cc32df28f6     77.247.181.219 (santasbigcandycane distribution)             dlr.arm7     3387ba13f577d0911812ce4a012678a3     77.247.181.219 (santasbigcandycane distribution)             dlr.m68k     f09c7e5aef3808162fa4364d1da29b28     77.247.181.219 (santasbigcandycane distribution)             dlr.mips     971522fa2e019ceecb38cf388a606c48     77.247.181.219 (santasbigcandycane distribution)             dlr.mpsl     aa34cf52ab812051405f69535e675a62     77.247.181.219 (santasbigcandycane distribution)             dlr.ppc     a6431d361cfe8ce31e7da3991eaf8dc9     77.247.181.219 (santasbigcandycane distribution)             dlr.sh4     5057bfbdc55c2081c810c3af57a8d339     77.247.181.219 (santasbigcandycane distribution)             dlr.spc     f47f794b9159653aca920d3412922621     77.247.181.219 (santasbigcandycane distribution)             dlr.x86     ed63ea432a0ecc176e0d711602a3f096     77.247.181.219 (santasbigcandycane distribution)             dlr.arm     ef027cedce36a4808a9ce0d53ecf203b     154.16.199.48 (swinginwithme distribution)             dlr.arm7     8318fbb72af45e9dfdeb3bd13f6e2b81     154.16.199.48 (swinginwithme distribution)             dlr.mips     479c7fcab6500d81890194fca1d17ebd     154.16.199.48 (swinginwithme distribution)             dlr.mpsl     76baedb1910b40340fedd828b42b9f9c     154.16.199.48 (swinginwithme distribution)             dlr.ppc     c67f42a42ee09f3b8eb3abbc4f8a12f7     154.16.199.48 (swinginwithme distribution)             dlr.sh4     6910ca3077ea3afb5399723439e8c888     154.16.199.48 (swinginwithme distribution)             dlr.spc     5411711f9ae75f48073aa5afeca84ea1     154.16.199.48 (swinginwithme distribution)             dlr.x86     53bb869591a19e2c94ae453f87e25235     154.16.199.48 (swinginwithme distribution)             get.sh     8d16d4b998562a8d062183ee5fb9177f     154.16.199.48 (swinginwithme distribution)           
       
  •      +1   
  •      Pocket   
  •      Pinterest  



上一篇:JavaScript for Web Designers: DOM Scripting
下一篇:Serverless Architecture with Ben Godwin
冬莲 投递于 2016-10-19 05:18:40
抄水表,抄水表,楼主赶紧的开门!
回复 支持 反对

使用道具 举报

地方 投递于 2016-10-19 05:31:04
传说中的沙发???卡卡
回复 支持 反对

使用道具 举报

Allelujah 投递于 2016-10-19 05:51:24
一天最高可刷99点经验的。把如下语句复制,粘帖即可。以前不懂看贴总是不回,一直没提升等级和增加经验现在我明白了反正回贴可以升级也可以赚经验而升级又需要经验我就把这句话复制下来
回复 支持 反对

使用道具 举报

冷霜 投递于 2016-10-19 05:51:48
开往春天的坦克!
回复 支持 反对

使用道具 举报

福降 投递于 2016-10-21 04:07:38
在乎的人不明白,明白的人不在乎。
回复 支持 反对

使用道具 举报

厮守、mAB 投递于 2016-10-26 11:20:33
煮熟的鸭子飞不了,煮熟的楼主在哪里?
回复 支持 反对

使用道具 举报

Discuz!主机 投递于 2016-10-26 11:29:50
有钱的捧个钱场,没钱的回家拿钱捧个钱场。
回复 支持 反对

使用道具 举报

lkoebfhh 投递于 2016-11-6 16:35:38
LZ帖子不给力,勉强给回复下吧
回复 支持 反对

使用道具 举报

一直很想你 投递于 2016-11-20 16:49:39
天空blond是一个典型的文艺青年啊!
回复 支持 反对

使用道具 举报

我要投稿

推荐阅读


回页顶回复上一篇下一篇回列表
手机版/CoLaBug.com ( 粤ICP备05003221号 | 文网文[2010]257号 | 粤公网安备 44010402000842号 )

© 2001-2017 Comsenz Inc.

返回顶部 返回列表