The number of Internet of Things (IoT) devices is growing exponentially. Internet-connected cameras, thermostats, refrigerators and other appliances were recently part of the biggest Distributed Denial of Service (DDoS) attack in history.
This article explains botnets and DDoS, analyses the recent record-breaking DDoS attack by the Mirai botnet and briefly walks through its C++ source code.
A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. For example, if a website’s server is capable of serving 1 byte per second and a DDoS attack of 5 bytes per second is launched against your site: in the first second, 1 byte would be processed, and the remaining 5 bytes would be queued until the next second. At first, visitors don’t have to wait long in the queue, but as the queue grows, timeouts increase.
Most servers today are capable of serving 1 Gbps. To recreate the illustrated example, an attacker needs to push 5 Gbps at the server.
Just to get a picture:
– $50 per month is the cost of a 1 Gbps server,
– $300 per month is the cost of a 10 Gbps server.
How do hackers generate such a vast amount of traffic?
This is where botnets come into play. A bot is a piece of malware that sleeps in the infected operating system waiting for a command from a Command and Control (C&C) server; a botnet is the collection of such bots. The strength of a particular botnet lies in the number of infected victims (aka bots, zombies) and in the devices’ capability to generate traffic.
Botnets that target computers are unreliable because computers are often offline or turned off and so can’t be used for an attack, meaning that the number of infected victims needs to be at least 5 times greater than optimal.
IoT devices are almost always connected to the internet and are also terribly insecure. Those two facts were exploited by Mirai, the IoT botnet that broke the DDoS record. Its author, posting under a pseudonym, shared the source code:
He leaked the source code in that post, although his share links don’t work anymore, so check GitHub for the source code.
“I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO.”
“With Mirai, I usually pull max 380k bots from telnet alone.”
IoT Device Discovery
“Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them.”
“Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan!”
Censys is a search engine that allows computer scientists to ask questions about the devices and networks that compose the Internet. Driven by Internet-wide scanning, Censys lets researchers find specific hosts and create aggregate reports on how devices, websites, and certificates are configured and deployed.
Actual DDoS Attacks
Mirai malware was used for several extremely large DDoS attacks, including:
27/9/2016 – peaks over 1 Tbps from 152 000 IoT devices: 100,000 smart TVs, refrigerators and other smart household appliances; the rest were probably security cameras, 25 000 of them from China alone
21/10/2016 – the record one, over 1 Tbps against Dyn’s DNS servers.
Dyn DNS is used by many websites and services as their upstream DNS provider, including Twitter, Spotify, SaneBox, Reddit, Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks, Wired.com, Pinterest, Heroku and Vox Media properties.
Although the attack is fairly simple, it requires sizeable infrastructure. The author’s recommended setup:
– 1 VPS with extremely bulletproof host for database server
– 1 VPS, rootkitted, for scanReceiver and distributor
– 1 server for C&C (used like 2% CPU with 400k bots)
– 3x 10gbps NForce servers for loading (distributor distributes to 3 servers equally)
VPS stands for Virtual Private Server, meaning that you control a server in a virtual environment that actually runs on a physical server.
Mirai malware is a C++ program that continuously scans the internet for IoT devices and attacks them. It tries to connect to them with default factory credentials, mostly via telnet. Each device is hit with a quick dictionary attack, trying all the default credentials. The dictionary used:
While not executing an attack command, bots carry on the same scan-and-infect routine, spreading the malware further.
Infected devices continue to function normally, except for occasional sluggishness and increased bandwidth use. After a reboot, unless the login password is changed immediately, the device will be infected again within minutes.
Command and Control
Instead of hardcoding an IP address, bots resolve a domain name to get the IP address of the C&C server. This way the server’s IP address can be changed, which is a very useful defensive mechanism for the operator. These commands are programmed for the bots:
#define CNC_OP_PING 0x00
#define CNC_OP_KILLSELF 0x10
#define CNC_OP_KILLATTKS 0x20
#define CNC_OP_PROXY 0x30
#define CNC_OP_ATTACK 0x40
The C&C is coded in Go and simply issues commands that the bots read and translate into C++ functions.
Don’t-Touch List
One of the most interesting things revealed by the code is a hardcoded list of IP ranges that Mirai bots are programmed to avoid when performing their scans.
This list, which you can find below, includes the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA) and IP ranges belonging to Hewlett-Packard and General Electric.
127.0.0.0/8 – Loopback
0.0.0.0/8 – Invalid address space
3.0.0.0/8 – General Electric (GE)
15.0.0.0/7 – Hewlett-Packard (HP)
56.0.0.0/8 – US Postal Service
10.0.0.0/8 – Internal network
192.168.0.0/16 – Internal network
172.16.0.0/14 – Internal network
100.64.0.0/10 – IANA NAT reserved
169.254.0.0/16 – IANA NAT reserved
198.18.0.0/15 – IANA Special use
224.*.*.*+ – Multicast
6.0.0.0/7 – Department of Defense
11.0.0.0/8 – Department of Defense
21.0.0.0/8 – Department of Defense
22.0.0.0/8 – Department of Defense
26.0.0.0/8 – Department of Defense
28.0.0.0/7 – Department of Defense
30.0.0.0/8 – Department of Defense
33.0.0.0/8 – Department of Defense
55.0.0.0/8 – Department of Defense
214.0.0.0/7 – Department of Defense
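As an added example (not the scanner’s own code), here is the reserved and private part of that list written as CIDR strings, with a checker that reports whether a given address would ever be probed; the organisation-specific /8s are left out. The defender’s takeaway: a telnet honeypot on any of these ranges will never see Mirai’s internet-wide scan, so sensors belong on routable address space.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the scanner's code: the reserved/private part of the
 * skip list as CIDR strings (organisation-specific /8s left out) and a
 * checker that reports whether a given address would ever be probed. */
static const char *SKIP_LIST[] = {
    "127.0.0.0/8",   "0.0.0.0/8",     "10.0.0.0/8",     "192.168.0.0/16",
    "172.16.0.0/14", "100.64.0.0/10", "169.254.0.0/16", "198.18.0.0/15",
    "224.0.0.0/3",   /* 224.*.*.* and above: multicast and reserved */
};
#define SKIP_COUNT (sizeof SKIP_LIST / sizeof SKIP_LIST[0])

/* Parse "a.b.c.d/n" into a host-order network and prefix length; 0 on error. */
static int parse_cidr(const char *cidr, uint32_t *net, int *bits) {
    char buf[32], *slash; struct in_addr a;
    if (strlen(cidr) >= sizeof buf) return 0;
    strcpy(buf, cidr);
    if (!(slash = strchr(buf, '/'))) return 0;
    *slash = '\0';
    *bits = (int)strtol(slash + 1, NULL, 10);
    if (*bits < 0 || *bits > 32 || inet_pton(AF_INET, buf, &a) != 1) return 0;
    *net = ntohl(a.s_addr);
    return 1;
}

/* Index of the entry covering dotted, -1 if the scanner would probe it,
 * -2 if the address does not parse. A /0 entry would match everything. */
int skipped_by_scanner(const char *dotted) {
    struct in_addr a; uint32_t ip, net, mask; int bits;
    if (inet_pton(AF_INET, dotted, &a) != 1) return -2;
    ip = ntohl(a.s_addr);
    for (size_t i = 0; i < SKIP_COUNT; i++) {
        if (!parse_cidr(SKIP_LIST[i], &net, &bits)) continue;
        mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
        if ((ip & mask) == (net & mask)) return (int)i;
    }
    return -1;
}

int main(void) {
    const char *probes[] = { "10.1.2.3", "8.8.8.8", "239.1.1.1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s -> %d\n", probes[i], skipped_by_scanner(probes[i]));
    return 0;
}
```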
For network-layer attacks, Mirai is capable of launching GRE IP and GRE ETH floods, SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP floods.
Fighting Other Malware
The malware holds several killer routines meant to eradicate other worms and Trojans, as well as to block remote connection attempts to the hijacked device.
For example, the following calls kill every process bound to the Telnet, SSH and HTTP ports:
killer_kill_by_port(htons(23)); // Kill telnet service
killer_kill_by_port(htons(22)); // Kill SSH service
killer_kill_by_port(htons(80)); // Kill HTTP service
These strings are used to locate and eradicate other botnet processes in memory, a technique known as memory scraping:
#define TABLE_MEM_QBOT // REPORT %s:%s
#define TABLE_MEM_QBOT2 // HTTPFLOOD
#define TABLE_MEM_QBOT3 // LOLNOGTFO
#define TABLE_MEM_UPX // \x58\x4d\x4e\x4e\x43\x50\x46\x22
#define TABLE_MEM_ZOLLARD // zollard
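Added example, not the bot’s code: the same marker strings as a signature set that a defender can run over a suspicious firmware blob or a copied process image, with a binary-safe search. The byte sequence in the TABLE_MEM_UPX entry is “zollard” XORed with 0x22, which the decoder in the block shows; the family names are assumptions taken from the macro names above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the bot's code: the marker strings from the list above
 * as a signature set, plus a binary-safe search a defender can run over a
 * suspicious firmware blob or a copied process image. The TABLE_MEM_UPX bytes
 * are "zollard" XORed with 0x22 (see decode_upx_marker), so the obfuscated
 * spelling of the name is matched alongside the plain one. */
struct bot_sig { const char *family; const unsigned char *bytes; size_t len; };
static const struct bot_sig SIGS[] = {
    { "qbot",    (const unsigned char *)"REPORT %s:%s", 12 },
    { "qbot",    (const unsigned char *)"HTTPFLOOD",    9 },
    { "qbot",    (const unsigned char *)"LOLNOGTFO",    9 },
    { "zollard", (const unsigned char *)"\x58\x4d\x4e\x4e\x43\x50\x46\x22", 8 },
    { "zollard", (const unsigned char *)"zollard",      7 },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* memmem() is not ISO C, so search by hand; NUL bytes in the data are fine. */
static int contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen) {
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (hay[i] == needle[0] && memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Bitmask with bit i set when SIGS[i] occurs anywhere in buf. */
unsigned scan_for_bot_strings(const unsigned char *buf, size_t len) {
    unsigned hits = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (contains(buf, len, SIGS[i].bytes, SIGS[i].len)) hits |= 1u << i;
    return hits;
}

/* XOR-decode the obfuscated marker (SIGS[3]) into a static, NUL-terminated buffer. */
const char *decode_upx_marker(void) {
    static char out[9];
    for (size_t i = 0; i < SIGS[3].len; i++) out[i] = (char)(SIGS[3].bytes[i] ^ 0x22);
    out[SIGS[3].len] = '\0';
    return out;
}

/* Constructed samples; the embedded NUL bytes show the search is binary-safe. */
static const unsigned char SAMPLE_QBOT[] = "\x7f" "ELF\0\0\0 REPORT %s:%s \0\0tail";
static const unsigned char SAMPLE_ZOLLARD[] = "\0\0UPX!\x58\x4d\x4e\x4e\x43\x50\x46\x22tail";
int main(void) {
    printf("qbot sample hit mask: %u\n", scan_for_bot_strings(SAMPLE_QBOT, sizeof SAMPLE_QBOT - 1));
    printf("TABLE_MEM_UPX bytes decode to: %s\n", decode_upx_marker());
    return 0;
}
```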
The Command and Control is written in English, but it contains some Russian strings for username, password etc. There is also this string: “я люблю куриные наггетсы”, meaning “I love chicken nuggets”.
In table.c, just above some of the table entries, there is this comment:
// safe string https://youtu.be/dQw4w9WgXcQ
I will leave the conclusions about the author(s) to the readers.