Understanding the Mirai Botnet
Presented by John Johnson

Why this paper?
• Not a theoretical paper
• Demonstrates real world consequences
• Expected creation of billions of IOT devices

The Dark Arts are many, varied, ever-changing, and eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible.
- Severus Snape

How do botnets propagate?
• Scan a target
• Leverage known exploits
• Install the botnet software
• Rinse and repeat

Fighting back
• We must identify these devices and shut them down
• But there are so many devices
• And we have limited resources
• And users are clueless

Network Telescope
• Watch the unindexed portions of the internet for suspicious traffic
• Use fingerprinting to selectively ID
• 116 billion probes
• 55 million probers

Identifying infections
• Detect a vulnerability scan from the infected device
• Banner scan the device for unclosed services
• Only tag devices ID’d within 20 minutes of a scan
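The "Network Telescope" and "Identifying infections" slides describe a three-step pipeline: spot a scan arriving from an infected host, banner-scan that host for whatever services it still exposes, and tag it only if the banner grab lands within 20 minutes of the scan. The following is an added example of that correlation logic written for this page; it is not code from the slides or from the Mirai paper's authors. The scan fingerprint it uses is the one reported in the Mirai paper (Antonakakis et al., USENIX Security 2017), namely that Mirai's scanner sets the TCP sequence number equal to the destination IPv4 address; the probe and banner records are constructed, and the banner-to-device-class table is illustrative rather than the paper's.

```python
"""Correlate telescope scan sightings with banner-grab results (added example).

A host is tagged as infected only when (a) at least one of its probes carries
the Mirai scanner fingerprint (SYN to a telnet port, TCP seq == destination
IP as a 32-bit integer, per Antonakakis et al. 2017) and (b) the banner grab
of that host happened within TAG_WINDOW after such a probe. Stale grabs and
hosts that merely answer on telnet are deliberately left untagged.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address
from typing import Dict, List

MIRAI_SCAN_PORTS = {23, 2323}          # telnet ports Mirai's scanner probes
TAG_WINDOW = timedelta(minutes=20)     # slide: tag only within 20 minutes of a scan


@dataclass(frozen=True)
class Probe:
    """One SYN observed by the telescope (records below are constructed)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    tcp_seq: int


@dataclass
class BannerGrab:
    """Result of banner-scanning a suspected host: port -> banner text."""
    ts: datetime
    ip: str
    open_services: Dict[int, str]


def is_mirai_probe(p: Probe) -> bool:
    """Fingerprint from the Mirai paper: telnet SYN whose seq equals the dst IP."""
    return p.dport in MIRAI_SCAN_PORTS and p.tcp_seq == int(IPv4Address(p.dst))


def classify(open_services: Dict[int, str]) -> str:
    """Crude device labelling from the banners still reachable on the host.
    Mirai closes the common services, so lesser-known ones (e.g. RTSP on
    cameras) are what is usually left. Keyword table is illustrative."""
    banners = " ".join(open_services.values()).lower()
    if "rtsp" in banners:
        return "camera/dvr"
    if "router" in banners or "upnp" in banners:
        return "router"
    return "unlabelled-iot"


def tag_infections(probes: List[Probe], grabs: List[BannerGrab]) -> Dict[str, str]:
    """Return {scanner_ip: device_class} for hosts confirmed within the window."""
    scan_times: Dict[str, List[datetime]] = {}
    for p in probes:
        if is_mirai_probe(p):
            scan_times.setdefault(p.src, []).append(p.ts)

    tagged: Dict[str, str] = {}
    for g in grabs:
        times = scan_times.get(g.ip, [])
        # The grab must come after a fingerprinted scan and no later than the window.
        fresh = any(timedelta(0) <= g.ts - t <= TAG_WINDOW for t in times)
        if fresh:
            tagged[g.ip] = classify(g.open_services)
    return tagged


# Constructed sample data (documentation-range addresses, not real hosts).
T0 = datetime(2016, 10, 1, 12, 0, 0)
PROBES = [
    # 198.51.100.7: two probes carrying the fingerprint (seq == dst as int)
    Probe(T0, "198.51.100.7", "203.0.113.5", 23, int(IPv4Address("203.0.113.5"))),
    Probe(T0 + timedelta(minutes=1), "198.51.100.7", "203.0.113.9", 2323,
          int(IPv4Address("203.0.113.9"))),
    # 198.51.100.8: telnet probe with an unrelated seq -> not Mirai's scanner
    Probe(T0, "198.51.100.8", "203.0.113.5", 23, 0x1234ABCD),
    # 198.51.100.9: fingerprinted, but its banner grab below is 45 minutes late
    Probe(T0, "198.51.100.9", "203.0.113.5", 23, int(IPv4Address("203.0.113.5"))),
]
GRABS = [
    BannerGrab(T0 + timedelta(minutes=5), "198.51.100.7", {554: "RTSP/1.0 200 OK"}),
    BannerGrab(T0 + timedelta(minutes=5), "198.51.100.8", {23: "login:"}),
    BannerGrab(T0 + timedelta(minutes=45), "198.51.100.9", {554: "RTSP/1.0 200 OK"}),
]

if __name__ == "__main__":
    for ip, label in tag_infections(PROBES, GRABS).items():
        print(f"{ip}\t{label}")
```

Only 198.51.100.7 is tagged: 198.51.100.8 answers on telnet but never scanned with the fingerprint, and 198.51.100.9 scanned with it but was banner-grabbed outside the 20-minute window, which is exactly the churn the slide's time limit is meant to exclude.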
Honeypots
• Invaluable for analyzing malware infections
• Can determine attacker sophistication and behavior based on malware reverse engineering
• Can dissect infection process

Got Milk?
• Milkers are similar to honeypots
• Figure out what commands a C2 server will send
• Identify additional C2 servers
• 15,194 attacks identified

Mirai protected itself better than the IOT devices it infected
• Mirai disables all common unused services
• Fingerprinting can’t be done by the usual banner grabbing
• Still able to banner grab lesser known services

Your tired, your poor, your low bandwidth
• DVRs, routers, and cameras are all fair game
• Atypically composed of devices from non-US countries
• More like shambling zombies than a pack of cheetahs (bandwidth limits matter)

Not your average botnet
• Botnet owners didn’t care for persistence
• This is highly unusual, but makes the botnet much harder to detect
• A rebooted device would simply be re-infected later

Evolution
• Why log in when you can steal a device’s soul? (RCE variant)
• It is easy to tack on new infection methods
• We will continue to see variants of Mirai for some time

But wait! There’s more!
• Abuse DNS and residual trust
• Make reversing harder by using complex packers
• Add support infrastructure, command relays

Attackers suffer from the same pains as regular IOT users
• Slow initial growth due to the restricted capability of infected devices
• Infrastructure is required to manage half a million devices
• 1000 devices to 1 C2 server

Scalin’ on Up

Notable achievements
• Knocked Liberia off the internet for a period of time
• Forced Cloudflare to abandon their deal with Brian Krebs
• Harassed DDoS mitigation companies
• Knocked Minecraft servers and other gaming services offline

Script kiddies do not an Advanced Persistent Threat make
• Mostly childish attacks on people the attackers disliked
• Minimal if any lasting damage
• We were very lucky no important services were targeted
• We could have done better to protect against Mirai

Not the sharpest tools in the shed
When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.
So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.
- One of the Mirai authors

It will probably get worse
• Attacks get more sophisticated
• New attacks come out of nowhere (ransomware)
• Mirai was only 600k devices (imagine a billion)
• We don’t know how new attacks will leverage IOT

Heterogeneity makes for a juicy attack surface
• Easy to target cheap-on-security IOT vendors
• Startup vendors have fewer resources and less experience to orchestrate patching
• Spending time to develop exploits for a single device can net you thousands of infected hosts
• It also makes it harder to compromise the entire market

How do we fix this?
• Basic hardening (ASLR, priv. separation, etc.)
• Teach about patching, make it easier
• Find a way to reliably take unsupported devices offline
• Identification? What about privacy?

(xkcd.com comic)

It could get better
• Vendors are slowly replacing hardcoded passwords with generated ones
• Our society is coming to terms with managing vulnerable devices in a digital age
• We can educate consumers about how to care for devices better

The Internet of Garbage

Questions?

MiraiBotnet.pptx
