Level 3 Threat Research Labs has previously reported on a family of malware that exploits Internet of Things (IoT) devices to build distributed denial of service (DDoS) botnets. With the market for these devices growing rapidly and little attention paid to their security, the threat from these botnets is growing with it. Level 3 Threat Research Labs has been continuously tracking these botnets as they wreak havoc on victims across the internet.
In mid-September, we discovered a new botnet connected to the malware known as “Mirai,” which has been responsible for attacks such as the record-breaking DDoS attack on KrebsOnSecurity.com. The Mirai source code was recently released publicly, which has inspired a significant number of new bad actors, all competing to exploit similar pools of vulnerable devices. In this post we explore the behavior, structure, and trends of Mirai botnets, focusing on their interaction with our network backbone.
Using various machine learning techniques to analyze DDoS attacks sourced from known susceptible devices, Level 3 Threat Research Labs was able to identify a number of command and control servers (C2s) associated with this botnet. The identified IP addresses resolved to hostnames under “santasbigcandycane.cx” (.cx is the top-level domain of Christmas Island), prefixed with “network” or “report” to denote the server's role in the botnet. As a challenge to the security community, one of the network C2 IPs also briefly resolved to “catch.me.if.you.can” rather than the usual “network.santasbigcandycane.cx”. By querying DNS records for these hostnames, the C2 IPs were easily enumerated. A list of C2 IP addresses and domains can be found in the table at the bottom of this post.
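To show how that DNS pivot works in practice, the following is an added example (not Level 3's own tooling) that takes constructed passive-DNS observations, collects every hostname under a seed suffix, groups the resolved IPs by their role prefix, and then pivots from those IPs back to any other hostname that resolved to them, which is how an alias like “catch.me.if.you.can” surfaces. The IP addresses and the extra hostnames in the sample data are placeholders, not the C2s from the post.

```python
from collections import defaultdict

# Constructed passive-DNS observations (hostname, resolved IP). The IPs are
# documentation-range placeholders and the extra names are invented; none of
# these are the real C2 addresses from the post.
PDNS_RECORDS = [
    ("network.santasbigcandycane.cx", "192.0.2.10"),
    ("network.santasbigcandycane.cx", "192.0.2.11"),
    ("report.santasbigcandycane.cx", "192.0.2.20"),
    ("catch.me.if.you.can", "192.0.2.11"),       # alias briefly used by a network C2
    ("www.example.net", "198.51.100.5"),         # unrelated noise
    ("shared-host.example.org", "192.0.2.20"),   # unrelated name on a shared IP
]


def enumerate_c2(records, seed_suffix):
    """Collect C2 IPs by role from hostnames under seed_suffix, then pivot one
    hop from those IPs to any other hostnames that resolved to them.

    Returns (ips_by_role, aliases): role prefix -> set of IPs, and
    alias hostname -> the C2 IP it shared. Aliases are candidates only."""
    name_to_ips = defaultdict(set)
    ip_to_names = defaultdict(set)
    for name, ip in records:
        name_to_ips[name].add(ip)
        ip_to_names[ip].add(name)

    seed_names = {n for n in name_to_ips if n.endswith("." + seed_suffix)}
    ips_by_role = defaultdict(set)
    for name in seed_names:
        role = name[: -len(seed_suffix) - 1]      # label(s) left of the suffix
        ips_by_role[role] |= name_to_ips[name]

    c2_ips = set().union(*ips_by_role.values()) if ips_by_role else set()
    aliases = {}
    for ip in sorted(c2_ips):
        for other in ip_to_names[ip] - seed_names:
            aliases[other] = ip                    # pivot: same IP, different name
    return dict(ips_by_role), aliases


if __name__ == "__main__":
    roles, aliases = enumerate_c2(PDNS_RECORDS, "santasbigcandycane.cx")
    for role, ips in sorted(roles.items()):
        print(f"{role:8s} C2 IPs: {sorted(ips)}")
    for name, ip in sorted(aliases.items()):
        print(f"candidate alias {name} -> {ip} (confirm before use)")
```

The pivot is deliberately a single hop: an IP shared with an unrelated host (the constructed shared-host.example.org entry) comes back as a candidate alias as well, so anything found this way needs analyst confirmation before it is treated as C2 infrastructure.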
At any one time, only a handful of network C2 IP addresses were active. Approximately every two days, a new network C2 IP became active (see figure below). This switching is roughly three times more rapid than we observed in the gafgyt botnet and is likely done in an effort to evade detection. The plot below shows outbound traffic from the network C2s, with each color representing a different network C2 IP. The bars show the number of unique hosts communicating with each C2 per hour (these hosts are assumed to be bots), which varied greatly. The Mirai report C2 at “report.santasbigcandycane.cx” had far less communication with bots than the network C2s.
Figure 1 – Mirai “network” C2 outbound traffic binned by hour. Colors represent different C2s.
One interesting interaction we discovered was that the Mirai network C2s were themselves attacked several times by a gafgyt/BASHLITE botnet. In particular, two separate Mirai network C2s were hit by simultaneous gigabit-per-second attacks that stretched just over 24 hours, mostly during September 18. Several shorter attacks on additional C2s followed in subsequent days, visible as the spikes in bandwidth in the plot below.
Figure 2 – Mirai “network” C2 inbound traffic binned by hour. The spikes in the plot are attacks against the Mirai C2s. Several C2s were attacked by gafgyt/BASHLITE bots, including a significant 24-hour attack on September 18.
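As an added illustration of the two measurements behind Figures 1 and 2 (not Level 3's analysis code), the Python below builds constructed flow records with placeholder C2 addresses, bins them by hour to count unique peers per C2, derives each C2's activity window and the interval between activations, and flags hours whose inbound volume is far above the C2's typical hour. It also shows a pitfall implied by the attacks on the C2s: attack traffic inflates the unique-host count, so spike hours have to be excluded before judging when a C2 was actually active. The rotation cadence, bot count and attack size in the sample data are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Hypothetical network C2 addresses in the documentation range; placeholders
# constructed for this example, not the IPs from the post.
NETWORK_C2S = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}


def make_flows():
    """Construct flow records (timestamp, src, dst, bytes): bots check in with
    one active C2 at a time, the active C2 rotates every 48 hours, and one hour
    of heavy inbound traffic hits an idle C2 from many sources."""
    t0 = datetime(2016, 9, 16)
    rotation = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    flows = []
    for hour in range(6 * 24):                       # six days of hourly bins
        ts = t0 + timedelta(hours=hour)
        active = rotation[hour // 48]                # new C2 every two days
        for i in range(1, 51):                       # 50 distinct bots per hour
            bot = f"10.0.0.{i}"
            flows.append((ts, bot, active, 200))     # check-in
            flows.append((ts, active, bot, 100))     # C2 reply
    attack_ts = t0 + timedelta(days=2, hours=12)     # C2 .10 is idle by then
    for i in range(300):                             # 300 sources, 2 MB each
        flows.append((attack_ts, f"172.16.{i // 256}.{i % 256}", "192.0.2.10", 2_000_000))
    return flows


def hour_bin(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def bin_by_hour(flows, c2s):
    """Per C2 and hour: the set of unique peers and the inbound byte total."""
    peers = defaultdict(lambda: defaultdict(set))
    inbound = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        h = hour_bin(ts)
        if dst in c2s:
            peers[dst][h].add(src)
            inbound[dst][h] += nbytes
        elif src in c2s:
            peers[src][h].add(dst)
    return peers, inbound


def inbound_spikes(inbound, ratio=10, floor=1_000_000):
    """Hours whose inbound volume exceeds both a floor and ratio times the C2's
    median non-empty hour. Empty hours stay out of the baseline so a C2 that
    sat idle most of the week does not get a zero median that flags every
    ordinary check-in hour."""
    spikes = []
    for c2, hours in inbound.items():
        nonzero = [b for b in hours.values() if b > 0]
        if not nonzero:
            continue
        baseline = median(nonzero)
        for h, b in sorted(hours.items()):
            if b > max(ratio * baseline, floor):
                spikes.append((c2, h, b))
    return spikes


def active_windows(peers, min_peers=10, exclude=frozenset()):
    """First and last hour in which each C2 exchanged traffic with at least
    min_peers hosts. (c2, hour) pairs in exclude are skipped so that attack
    sources do not make an idle C2 look active."""
    windows = {}
    for c2, hours in peers.items():
        busy = sorted(h for h, s in hours.items()
                      if len(s) >= min_peers and (c2, h) not in exclude)
        if busy:
            windows[c2] = (busy[0], busy[-1])
    return windows


def rotation_intervals(windows):
    """Hours between successive C2 activations, in order of first activity."""
    starts = sorted(start for start, _ in windows.values())
    return [int((b - a).total_seconds() // 3600) for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    peers, inbound = bin_by_hour(make_flows(), NETWORK_C2S)
    spikes = inbound_spikes(inbound)
    for c2, h, b in spikes:
        print(f"inbound spike: {c2} {h:%Y-%m-%d %H:00} {b} bytes")
    windows = active_windows(peers, exclude={(c2, h) for c2, h, _ in spikes})
    for c2, (first, last) in sorted(windows.items(), key=lambda kv: kv[1]):
        print(f"{c2} active {first:%m-%d %H:00} to {last:%m-%d %H:00}")
    print("hours between activations:", rotation_intervals(windows))
```

Run without the exclude set, the attacked C2's activity window stretches to the attack hour, which would overstate how long it was in use; with spike hours removed, the three windows line up back to back and the activation interval comes out at the 48 hours the sample data was built with.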
Structure of the Botnet