Chuck McAuley, Ixia Communications The Mirai botnet has brought public awareness to the danger of poorly secured embedded devices. Its ability to propagate is fast and reliable. Its impact can be devastating and variants of it will be around for a long time. You need to identify it, stop it, and prevent its spread. I had the opportunity to become familiar with the structure, design, and weaknesses of Mirai and its variants. At this talk you'll learn how to detect members of the botnet, mess with them through various means and setup a safe live fire lab environment for your own amusement. I will demonstrate how to join a C2 server, how to collect new samples for study, and some changes that have occurred since release of the source code. By the end you'll be armed and ready to take the fight to these jerks. Unless you're a botnet operator. Then you'll learn about some of the mistakes you made.

1. Identifying and Disrupting
Mirai Botnets
Chuck McAuley

2. Who me?
Chuck McAuley
Principal Threat Researcher at Ixia’s
Application Threat Intelligence team
• Talks to all the people
• Goes to all the places
• Does all the things
• @nobletrout
I’ve been called ‘Chief Pie Finger Poker’

3. Mirai - A brief background
• Last year krebsonsecurity.com got taken down by ‘stressers’
• 600 Gigabit DDoS

4. Increased scanning on port 23/2323
• Scanning intensified the day of the attack on Krebs
• Later discovered to be related to Mirai based scans [1]
[1] https://isc.sans.edu/forums/diary/What+is+happening+on+2323TCP/21563/

5. A week or two later and the plot thickens

6. • Unique chance to see how this stuff works from the inside out
• Treasure trove of data released to play with
• Some helpful soul already had taken source code and uploaded to github
(thanks jgamblin whoever you are!)
• But the source code was incomplete, did not have a build script that worked,
was machine dependent, and generally was ‘readable’ but not ‘buildable.’
• I wanted my own botnet
Source Code Released!

8. • Vagrant is a VM based tool that allows separation of development (editors,
operating system, etc) and build and operational environment.
• “Like docker, but heavier”
• It provided many advantages for building and analysis
• Platform agnostic – build and run on trusty64 in VM, develop on mac
• Can easily destroy and recreate if need be without a new git fetch
• Easily isolate on independent network segment
• Separate analysis from execution
• This is how real developers do it
• https://github.com/chuckixia/Mirai-Source-Code
Enter Vagrant Build Environment FTW

9. Build Environment Setup

10. Compile & Build

11. Point, Click, Botnet Operator!!!

12. Bot
• Infected device
• Multi-architecture POSIX C
• MIPS, ARM, x86, SPARC, PPC
Loader
• Harvests successful logins/IP pairs
• Connects back to new devices
• Fingerprints and loads binaries
• Very minimal code
Website hosting bot malware
• Independent Web Server
• Hosts Mirai bot binaries
• Probably compromised server
C2 Server
• Serves as head end for bots
• Operator panel
• Works over telnet
• Written in Go
Highlevel - Four pieces in motion

13. Infected IoT Stuff
“My Stuff”
Report Results
Loader
C2 Server
Binary Hosting Web

14. Let’s focus on the bot code first

15. • Deletes itself off disk
• Sets signal trap to change code execution
• Rewrites function pointers
• Forks, changes process name
• Connects to CNC server and waits for connections
• Starts scanning for new hosts to infect and reports back
Bot Execution Path

16. Bespoke name resolver
• Hardcoded requests to 8.8.8.8
• Sends 5 requests before timeout
• If DNS fails, will not connect to CNC and Harvester

17. Bot – Table Obfuscation
• Bot has an obfuscated table that is XOR’d
• Table entries need to be ‘encrypted’ with XOR encryption tools
• XOR key looks like it’s 4 bytes long (0xdeadbeef)

18. Bot – Table Encryption Bug
• The XOR key is actually only one byte
• 0xDEADBEEF = 0x22
• 1 Byte XOR key table a lot easier to
• brute force

19. LMTFY XOR Key

20. Execution Obfuscation
• Mirai has execution obfuscation
• Anna-Senpai made a shout out to malwaremustdie
• He thought it was pretty cool
• Let’s see if he was right!

21. Sets a signal
Raises Signal if TRUE
Compares Filename to Buffer
maps function to new function
Code execution prevent part 1

22. Code execution prevention part 2

23. LMFTFY: String matching with a side of math

24. • Bot comes with a telnet brute forcer
• Used to discover other devices that might be vulnerable
• Utilizes a two stage approach
• Raw socket TCP port scanner
• Brute forcers hosts that respond to raw socket port scanner
• Very effective scanner, can send thousands of packets a second
Bot Scanning Technique

25. Sets TCP Sequence
number = destination
IP address
Then checks later on
if ACK is equal to
destination IP + 1
Mirai SYN Cookies – scanner.c

26. Bot Scanner Second Stage
• Brute forces any listening telnet servers discovered by first stage
• After login, fingerprints system as a busybox system
• If successful reports back IP, Port, and User/Pass combo that worked to loader
(more on that shortly)

27. • harvester location is defined in lookup table as TABLE_SCAN_CB_DOMAIN
• Message signal is packed like this:
Scanner reports back to harvester

28. Scanner Report

29. Loader

30. • Harvester (called scanListen)
• tools/ScanListen.go
• Written in go
• collector of logins
• Binds to port 48101
• Writes login information out to
STDOUT
• format is “aa.bb.cc.dd:PORT
USER:PASS”
• Loader
• Written in C
• Parses STDIN in format that
ScanListen sends out
• Connects to vulnerable devices and
starts loading malicious binary
• Attempts to use wget, curl, tftp, and
custom built getter if need be
Let’s look at the harvester/loader

31. scanListen

32. • reads from STDIN and connects back to IoT devices
• uses wget, tftp and then built in compiled bin to download a copy
• Does busybox discovery by looking for string “Applet not found”
• Discovers architecture by running cat on /bin/echo
• Attempts to download correct architecture from site hosting it
• changes filename to dvrHelper and executes
Loader

33. Loader in Action

34. • Written in Go
• Operates three different interfaces
• Command
• API port on 101
• Interactive Telnet session (port 23)
• Control
• Uses Telnet as well
• AAA is stored in MySQL DB
C2 (CNC) Server

35. • Listener on port 23
• If three NULL’s it is a bot
• otherwise start an admin session
• Bot starts keepalive protocol
• Admin session sends a greeting
followed by username/password
prompt.
CNC versus Operator

36. • What do you do when have a new protocol?
• RFC!
Wait…. New Botnet Protocol?

37. RFC Botnet - handshake

38. RFC Botnet heartbeat

39. RFC Botnet – start attack

40. Botnet – Attack Options

41. Now with color!

42. What are some of the attacks on the menu?

43. Now we’ve figured out how the
network works, let’s start
figuring out ways to fight back
Let’s start messin’ with Sasquatch

44. • Sequence Number == your IP address
• We can recognize bots easily with no interaction
• Maybe there are other scanners out there that do the same thing
• Created a scapy based MHN collector
• pew pew map!
messin’ with the raw socket I/O

45. • Table of IP addresses with open ports doesn’t search for
existing entries of same IP
• You can respond with more than one packet
• Insert same IP address multiple times
• We can fill the table, get all the responses
messin’ with the socket scanner

46. You flood me?!? NO I FLOOD YOU!!!

47. OK, NOW YOU FLOOD ME

48. • Remember how we said the XOR encryption was only one byte?
• Brute force the binary to find CNC and Loader DNS entries
quick dirty binary analysis to find c2

49. • Harvester does not check input
• Can enter all kinds of data
• incorrect hosts and ports
• usernames and passwords up to 255 characters long each
• any kind of binary data for user/pass combos
• Can be useful to check if harvester is still active
• ID new loader IP addresses by feeding harvester at regular intervals
messin’ with the harvester

50. messin’ with the harvester

51. messin’ with loader

52. • Since we can ID the CNC through the binary we can connect back
• Flood the CNC with fake clients
• Test if CNC is still alive by connecting to API port
• quicker and more reliable than trying to join botnet
messin’ with the CNC

53. • Caution
• Bot wants to scan immediately for new hosts
• Need to firewall communication
• Solution
• Pinhole communication on DNS
• Repurposed a DNS resolver that drives IP tables
• When resolution occurs, opens hole in firewall to communicate with
that IP
• Benefit
• Monitor C2 communications even if bot binary changes behavior
• Limit exposure (and liability) to infecting other networks
Cuckoo Sandbox Execution

54. • Fast Flux or similar
• Use a randomly created SYN cookie rather than IP address
• Why limit yourself to DDoS?
• Create a larger password list
• update 9/1/17 – ATT Arris hardcoded user/pass
• https://www.nomotion.net/blog/sharknatto/
• Update 10/26/17 Repear! – using vulns for fun and profit
• Fix your XOR key code
• For the novices:
• This is automated loading
• If you leave root access available, it will be rooted almost immediately
LMFTFY Final Edition

55. • @nobletrout
• cmcauley@ixiacom.com
• https://github.com/chuckixia/Mirai-Source-Code/
• FOLLOW THIS GUY: @me_high4eva
Questions?