Level 3 Threat Research Labs has previouslyreported on a family of malware that exploits Internet of Things (IoT) devices to create distributed denial of service (DDoS) botnets. With a rapidly increasing market for these devices and little attention being paid to security, the threat from these botnets is growing. Level 3 Threat Research Labs has been continuously tracking these botnets as they wreak havoc on victims across the internet.
您需要 登录 才可以下载或查看，没有帐号？立即注册
In mid-September, we discovered a new botnet connected to the malware known as “Mirai,” which has been responsible for attacks such as the record breaking DDoS attack on KrebsOnSecurity.com . Recently the source code of Mirai was released, which has inspired a significant number of new bad actors, all working to exploit similar pools of vulnerable devices. In this post we explore the behavior, structure, and trends of Mirai botnets, focusing on their interaction with our network backbone.
Using various machine learning techniques to analyze DDoS attacks sourced from known susceptible devices, Level 3 Threat Research Labs was able to identify a number of C2s associated with this botnet. Additionally, the IP addresses identified pointed to domains containing “santasbigcandycane.cx” (.cx is a top-level domain of Christmas Island) and were prefixed by “network” and “report” to denote their role in the botnet. As a challenge to the security community, an IP from one of the network C2s was also once resolved to “catch.me.if.you.can” as opposed to the usual “network.santasbigcandycane.cx”. By querying DNS records, these C2 IPs were easily enumerated. A list of C2 IP addresses and domains can be found in the table at the bottom of this post.
At any one time, only a handful of network C2 IP addresses were active. Approximately every two days, a new network C2 IP became active (see figure below). This switching behavior is roughly 3-times more rapid than we observed in the gafgyt botnet. It is likely done in an effort to evade detection. In the plot below, we show the outbound traffic from network C2s, with each color representing a different network C2 IP. The bars show the number of unique hosts sending traffic to the C2 each hour varied greatly (these hosts are assumed to be bots). The Mirai report C2 at “report.santasbigcandycane.cx” had much less communication with bots than the network C2s.
Mirai C&C Botnets
Figure 1 – Mirai “network” C2 outbound traffic binned by hour. Colors represent different C2s.
One interesting interaction we discovered was that the Mirai network C2s were attacked several times by a gafgyt/BASHLITE botnet. In particular, there were gigabit-per-second level simultaneous attacks on two separate Mirai network C2s that stretched just over 24 hours, mostly during September 18. Additionally, there were several shorter attacks on additional C2s in subsequent days, as can be seen by the spikes in bandwidth in the plot below.
Mirai C&C Botnets
Figure 2 – Mirai “network” C2 inbound traffic binned by hour. The spikes in the plot are attacks against the Mirai C2s. Several C2s were attacked by gafgyt/BASHLITE bots, including a significant 24-hour attack on September 18.
Structure of the Botnet
Mirai C&C Botnets
Figure 3 – Structure of a Mirai botnet
By analyzing the communication patterns of the Mirai C2 IP addresses, we were able to identify and enumerate Mirai’s infrastructure. This analysis was later confirmed accurate when the Mirai source code was released. It is interesting to note the initial Mirai infrastructure was much more complex than the various gafgyt variants we analyzed in our previous work. The diagram above outlines the basic functionality of Mirai and its components.
Bots (B) communicating with the Mirai C2 (C) were found scanning across TCP port 23 and port 2323 as well as performing DDoS attacks against various victims (D). Bots sent one-way traffic towards a report server (R) (report.santasbigcandycane.cx), which were the IP addresses and credentials of the vulnerable hosts. This was hypothesized due to the fact that several other IP addresses (L, loaders) would communicate with IP addresses that were previously scanned and later identified as bots. This communication contained bi-directional traffic on port 23, sometimes with large packet sizes, signifying interaction with the telnet service. We observed these same victims accessing a different IP address (M) on port 80 with large packet sizes. This IP address hosted the Mirai binary itself and the large packet sizes were due to the victim downloading the malware. After downloading the binary and finishing interaction with the loader, the victim IP would begin bot activity. Throughout our investigation we identified a long-lived IP connection from a TOR exit node to the report server (R), which we believe may have been the botnet author controlling the botnet. With the botnet established, it was being sold to various users (U) who used an API hosted on the C2 server (C) to order DDoS attacks.
As with the gafgyt malware family, Mirai targets IoT devices. The majority of these bots are DVRs (>80percent) with the rest being routers and other miscellaneous devices, such as IP cameras and Linux servers. The devices are often operated with the default passwords, which are simple for bot herders to guess. From the source code it has been found that Mirai’s scanning protocol utilizes a list of generic and device-specific credentials to gain access to susceptible devices.
We have been able to identify bots via communications with the C2. Once new bots are identified, their common communications lead to new C2s, which then lead to more bots. Prior to the Mirai source code release, we identified approximately 213,000 bots using this method. Since the code release, multiple new Mirai botnets have accumulated an additional 280,000 bots, bringing the count of Mirai bots to 493,000. The true number of actual bots may be higher based on an incomplete view of the infrastructure.
While the types of devices infected by Mirai and gafgyt are similar, the geographic distribution of devices we observed are quite different. The highest fraction of devices used are located in the United States (29 percent), followed by devices in Brazil (23 percent) and Colombia (8 percent). Of the hosts we are confident have been assimilated by the Mirai botnet, 24 percent of them overlap with bots known to be used in gafgyt attacks. Such a high overlap indicates that multiple malware families are targeting the same pool of vulnerable IoT devices.
Mirai C&C Botnets
Figure 4 – Global Distribution of Mirai bots
Typically, we have observed Mirai attacks on game servers and residential IP addresses. However, Mirai has also been blamed for the record attack on KrebsOnSecurity during September 20-22. We can confirm that Mirai bots attacked Brian Krebs’ website. Of the attackers we observed, approximately half were known Mirai bots at the time.
The magnitude of attacks observed can be quite significant. We have observed several attacks using more than 100 Gbps. Large armies of bots participated in attacks, with several using over 100,000 bots against the same victim. We have seen Mirai botnets employ a variety of different attacks, the majority of which are L7 HTTP attacks and UDP and TCP floods, while a smaller fraction utilized GRE. Additionally, we have seen a number of attacks against authoritative DNS infrastructure, sometimes as a part of attacks using multiple of these methods.
Mirai C&C Botnets
Figure 5 – Observed number of attacks attributed to Mirai
With the public release of the Mirai source code around October 1, it is expected additional actors will continue to utilize the malware to initiate DDoS attacks. Shortly after the release, on October 2, we began observing bots connect to another C2 domain. The domain associated with the IP, “cnc.disabled.racing”, appears analogous to the “network.santasbigcandycane.cx” C2 type. Additionally, the “report” naming convention is duplicated in the “report.disabled.racing” domain. As of this article, cnc.disabled.racing only talks to about 25 percent of the known susceptible IoT devices that network.santasbigcandycane.cx did. Interestingly, a single IP (18.104.22.168) related to report.disabled.racing and cnc.disabled.racing on October 3, was also associated with report.santasbigcandycane.cx on October 4. We cannot confirm if the original author has moved to this new domain infrastructure or rather this newer Mirai variant is utilizing the same rented server infrastructure.
Table 1 – Mirai C2s and Report C2s
C2 Report Description network.santasbigcandycane.cx report.santasbigcandycane.cx Identified September 14 cnc.disabled.racing report.disabled.racing Identified October 2 b0ts.xf0.pw report.xf0.pw Identified October 2 imscaredaf.xyz, swinginwithme.ru imscaredaf.xyz, swinginwithme.ru Identified October 3 kankerc.queryhost.xyz report.queryhost.xyz Identified October 5 We also identified a new C2 domain, xf0.pw, associated with similar Mirai activity and hosting a new Mirai binary on its own IP. Traffic shows this variant was most likely using the same IP for initial scanning, scan result reporting, and malware distribution for some time. An IP address associated with xf0.pw had previously been identified as a gafgyt C2 back in late August using our C2 detection algorithm. On October 5, we identified another C2 variant using queryhost.xyz who seems to be also hosting its infrastructure on the same host.
A new Mirai variant hosted on the IP address associated with the domain names imscaredaf.xyz and swinginwithme.ru was found on October 3, but had slightly different network behavior when compared to the original Mirai variant. As it turns out, around the same time this same IP was hosting a “get.sh” shell script submitted to VirusTotal . This shell script uses wget to download various binaries based on architecture and when run, downloads a new Mirai variant. Gafgyt used a very similar type of script via their scanners.
With the recent and frequent introduction of new Mirai variants, we expect continued DDoS activity from Mirai botnets. The structure of these botnets is evolving as different owners adapt the malware. In some cases, we see the new variants running all of their infrastructure on one or two hosts, as opposed to the original Mirai variant which had many different hosts and frequently changed IPs to avoid detection or attack. We also see different malware distribution mechanisms, as in the case of swinginwithme.ru. Level 3 Threat Research Labs will continue to identify and track developments in these botnets. We will also work with hosting providers and domain registrars to block traffic to these C2s.
There are further actions that can be taken to prevent attacks from IoT botnets. Manufacturers play a vital role in mitigating threats from malware like Mirai. By disabling unused services, such as telnet, and requiring users to set passwords after installation, devices become much less vulnerable. Consumers can improve their security as well by changing default passwords and following security best practices . As IoT devices become more widespread, implementing these basic security measures will become more important.
Appendix A: C2 list as of 10/14/2016
Domain Name IP Address First Seen Date Last Seen Date Description network.santasbigcandycane.cx 22.214.171.124 9/16/2016 9/17/2016 C2 server network.santasbigcandycane.cx 126.96.36.199 9/16/2016 9/16/2016 C2 server network.santasbigcandycane.cx 188.8.131.52 9/16/2016 9/17/2016 C2 server network.santasbigcandycane.cx 184.108.40.206 9/17/2016 9/18/2016 C2 server network.santasbigcandycane.cx 220.127.116.11 9/18/2016 9/19/2016 C2 server network.santasbigcandycane.cx 18.104.22.168 9/19/2016 9/19/2016 C2 server network.santasbigcandycane.cx 22.214.171.124 9/19/2016 9/19/2016 C2 server network.santasbigcandycane.cx 126.96.36.199 9/20/2016 9/21/2016 C2 server network.santasbigcandycane.cx 188.8.131.52 9/21/2016 9/22/2016 C2 server network.santasbigcandycane.cx 184.108.40.206 9/21/2016 9/21/2016 C2 server network.santasbigcandycane.cx 220.127.116.11 9/22/2016 9/23/2016 C2 server network.santasbigcandycane.cx 18.104.22.168 9/22/2016 9/22/2016 C2 server network.santasbigcandycane.cx 22.214.171.124 9/23/2016 9/28/2016 C2 server network.santasbigcandycane.cx 126.96.36.199 9/23/2016 9/24/2016 C2 server network.santasbigcandycane.cx 188.8.131.52 9/24/2016 9/24/2016 C2 server network.santasbigcandycane.cx 184.108.40.206 9/24/2016 9/24/2016 C2 server network.santasbigcandycane.cx 220.127.116.11 9/25/2016 9/26/2016 C2 server network.santasbigcandycane.cx 18.104.22.168 9/28/2016 9/29/2016 C2 server network.santasbigcandycane.cx 22.214.171.124 9/28/2016 9/28/2016 C2 server network.santasbigcandycane.cx 126.96.36.199 9/28/2016 9/28/2016 C2 server network.santasbigcandycane.cx 188.8.131.52 9/28/2016 9/28/2016 C2 server network.santasbigcandycane.cx 184.108.40.206 9/30/2016 10/14/2016 C2 server report.santasbigcandycane.cx 220.127.116.11 9/16/2016 9/28/2016 report server report.santasbigcandycane.cx 18.104.22.168 9/28/2016 10/1/2016 report server report.santasbigcandycane.cx 22.214.171.124 10/2/2016 10/14/2016 report server cnc.disabled.racing 126.96.36.199 10/2/2016 10/2/2016 C2 server cnc.disabled.racing 188.8.131.52 10/2/2016 10/9/2016 C2 server cnc.disabled.racing 184.108.40.206 10/2/2016 10/9/2016 C2 server cnc.disabled.racing 220.127.116.11 10/3/2016 10/3/2016 C2 server cnc.disabled.racing 18.104.22.168 10/4/2016 10/5/2016 C2 server cnc.disabled.racing 22.214.171.124 10/6/2016 10/6/2016 C2 server cnc.disabled.racing 126.96.36.199 10/8/2016 10/10/2016 C2 server gay.disabled.racing 188.8.131.52 10/10/2016 10/13/2016 C2 server gay.disabled.racing 184.108.40.206 10/11/2016 10/11/2016 C2 server gay.disabled.racing 220.127.116.11 10/13/2016 10/13/2016 C2 server report.disabled.racing 18.104.22.168 10/2/2016 10/3/2016 report server report.disabled.racing 22.214.171.124 10/3/2016 10/3/2016 report server report.disabled.racing 126.96.36.199 10/4/2016 10/4/2016 report server report.disabled.racing 188.8.131.52 10/6/2016 10/7/2016 report server report.disabled.racing 184.108.40.206 10/7/2016 10/7/2016 report server report.disabled.racing 220.127.116.11 10/8/2016 10/12/2016 report server report.disabled.racing 18.104.22.168 10/13/2016 10/13/2016 report server lol.disabled.racing 22.214.171.124 10/8/2016 10/10/2016 C2 server lol.disabled.racing 126.96.36.199 10/9/2016 10/9/2016 C2 server lol.disabled.racing 188.8.131.52 10/9/2016 10/9/2016 C2 server lol.disabled.racing 184.108.40.206 10/9/2016 10/9/2016 C2 server lol.disabled.racing 220.127.116.11 10/10/2016 10/10/2016 C2 server dongs.disabled.racing 18.104.22.168 10/8/2016 10/11/2016 malware distribution penis.disabled.racing 22.214.171.124 10/12/2016 10/12/2016 C2 server b0ts.xf0.pw 126.96.36.199 10/2/2016 10/4/2016 C2 server b0ts.xf0.pw 188.8.131.52 10/6/2016 10/10/2016 C2 server b0ts.xf0.pw 184.108.40.206 10/10/2016 10/10/2016 C2 server b0ts.xf0.pw 220.127.116.11 10/11/2016 10/11/2016 C2 server b0ts.xf0.pw 18.104.22.168 10/11/2016 10/13/2016 C2 server report.xf0.pw 22.214.171.124 10/3/2016 10/3/2016 report server report.xf0.pw 126.96.36.199 10/5/2016 10/6/2016 report server report.xf0.pw 188.8.131.52 10/9/2016 10/9/2016 report server report.xf0.pw 184.108.40.206 10/11/2016 10/11/2016 report server report.xf0.pw 220.127.116.11 10/13/2016 10/13/2016 report server report.xf0.pw 18.104.22.168 10/14/2016 10/14/2016 report server swinginwithme.ru 22.214.171.124 10/3/2016 10/10/2016 C2 server swinginwithme.ru 126.96.36.199 10/5/2016 10/7/2016 C2 server swinginwithme.ru 188.8.131.52 10/9/2016 10/10/2016 C2 server swinginwithme.ru 184.108.40.206 10/9/2016 10/9/2016 C2 server swinginwithme.ru 220.127.116.11 10/11/2016 10/13/2016 C2 server swinginwithme.ru 18.104.22.168 10/13/2016 10/14/2016 C2 server swinginwithme.ru 22.214.171.124 10/14/2016 10/14/2016 C2 server imscaredaf.xyz 126.96.36.199 10/4/2016 10/10/2016 C2, same IP as swinginwithme.ru imscaredaf.xyz 188.8.131.52 10/10/2016 10/14/2016 C2, same IP as swinginwithme.ru Appendix B: Hashes
Mirai Samples Filename Hash C2 mirai.arm 35156594d941216f7fe6ced5c1893921 network.santasbigcandycane.cx mirai.arm b0803b91933fe61b1abc91b001699058 network.santasbigcandycane.cx mirai.arm7 d2273df4dcff8cca812104cf17a23bca network.santasbigcandycane.cx mirai.m68k 75f752e4785f359511a781a1aa67bbed network.santasbigcandycane.cx mirai.mips c16ea02487ddcdfbae313f45de23d064 network.santasbigcandycane.cx mirai.mpsl 0ddfad615dbd51b088d4f535a045efd3 network.santasbigcandycane.cx mirai.mpsl 6a1774e85f866f37be32c3b6cf30c972 network.santasbigcandycane.cx mirai.ppc edeb470ad89d81dfcf72e5c9d7a9eb6c network.santasbigcandycane.cx mirai.sh4 1cb8051b5a220b12a913048a23490f02 network.santasbigcandycane.cx mirai.spc 753742e76ad5589fd8bab94a16755322 network.santasbigcandycane.cx mirai.arm7 239d86648c6c8677972db133f3604b85 gay.disabled.racing mirai.arm c4126d9de9d55de77d15596edac81aec swinginwithme.ru mirai.arm7 89ca713bc51a20a6a21727a6d9e3222d swinginwithme.ru mirai.mips 84417c5f1819f7ac8b9051646f69b0e4 swinginwithme.ru mirai.mpsl fdc4632f34ee396cf3f1ff3a1aec2c0e swinginwithme.ru mirai.ppc ea88382c48fb1a287530337ed48cc36b swinginwithme.ru mirai.sh4 629de321735e2c5928b914e2c9bcbd39 swinginwithme.ru mirai.spc 5b4eb0b1935b6586e139b13232446928 swinginwithme.ru mirai.x86 374d0e146452a390bea075f1f6530cde swinginwithme.ru mirai.arm7 7d3ad2e3f06fc9111f9dfdb9203730ff b0ts.xf0.pw mirai.arm7 ddc7379e059b8449b9e5b25970fbb0c5 kankerc.queryhost.xyz mirai.x86 1e953ba0180c0d45d0314f51eb7efc1b kankerc.queryhost.xyz mirai.arm 0737b51eb31b67c2cb85af5e4fac5ec5 meme.icmp.online mirai.arm5n 9739dedcd6e7995501524d6c84732e87 meme.icmp.online mirai.arm7 166c1baec2c8728de54df743961a6043 meme.icmp.online mirai.m68k 0fe84136a5496eec3056bf0c990c0424 meme.icmp.online mirai.mips 9534fe7a3494bb6c41655d9b682c40cd meme.icmp.online mirai.mpsl 11bfc3d943fe4d5fbd15d5a50e9594f3 meme.icmp.online mirai.ppc dda6c2005e552cccdfe9be38fa048d2c meme.icmp.online mirai.sh4 6f8826b5103ac1a1074fff9513bc2230 meme.icmp.online mirai.spc 69b2a6c518cf75fbdd9298e756c8d036 meme.icmp.online mirai.x86 ae88d89c18c53a333bda6a14db5a00d0 meme.icmp.online Downloader Samples Filename Hash C2 dlr.arm 88f609b296ae81720457b2cc32df28f6 184.108.40.206 (santasbigcandycane distribution) dlr.arm7 3387ba13f577d0911812ce4a012678a3 220.127.116.11 (santasbigcandycane distribution) dlr.m68k f09c7e5aef3808162fa4364d1da29b28 18.104.22.168 (santasbigcandycane distribution) dlr.mips 971522fa2e019ceecb38cf388a606c48 22.214.171.124 (santasbigcandycane distribution) dlr.mpsl aa34cf52ab812051405f69535e675a62 126.96.36.199 (santasbigcandycane distribution) dlr.ppc a6431d361cfe8ce31e7da3991eaf8dc9 188.8.131.52 (santasbigcandycane distribution) dlr.sh4 5057bfbdc55c2081c810c3af57a8d339 184.108.40.206 (santasbigcandycane distribution) dlr.spc f47f794b9159653aca920d3412922621 220.127.116.11 (santasbigcandycane distribution) dlr.x86 ed63ea432a0ecc176e0d711602a3f096 18.104.22.168 (santasbigcandycane distribution) dlr.arm ef027cedce36a4808a9ce0d53ecf203b 22.214.171.124 (swinginwithme distribution) dlr.arm7 8318fbb72af45e9dfdeb3bd13f6e2b81 126.96.36.199 (swinginwithme distribution) dlr.mips 479c7fcab6500d81890194fca1d17ebd 188.8.131.52 (swinginwithme distribution) dlr.mpsl 76baedb1910b40340fedd828b42b9f9c 184.108.40.206 (swinginwithme distribution) dlr.ppc c67f42a42ee09f3b8eb3abbc4f8a12f7 220.127.116.11 (swinginwithme distribution) dlr.sh4 6910ca3077ea3afb5399723439e8c888 18.104.22.168 (swinginwithme distribution) dlr.spc 5411711f9ae75f48073aa5afeca84ea1 22.214.171.124 (swinginwithme distribution) dlr.x86 53bb869591a19e2c94ae453f87e25235 126.96.36.199 (swinginwithme distribution) get.sh 8d16d4b998562a8d062183ee5fb9177f 188.8.131.52 (swinginwithme distribution)
下一篇：Serverless Architecture with Ben Godwin