Understanding the Mirai Botnet

Understanding the Mirai Botnet
Presented by John Johnson

Why this paper?
- Not a theoretical paper
- Demonstrates real-world consequences
- Expected creation of billions of IoT devices

The Dark Arts are many, varied, ever-changing, and eternal
"The Dark Arts are many, varied, ever-changing, and eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible."
- Severus Snape

How do botnets propagate?
- Scan a target
- Leverage known exploits
- Install the botnet software
- Rinse and repeat

Fighting back
- We must identify these devices and shut them down
- But there are so many devices
- And we have limited resources
- And users are clueless

Network Telescope
- Watch unused (dark) portions of the internet address space for suspicious traffic
- Use fingerprinting to selectively ID the probes of interest
- 116 billion probes
- 55 million probers

Identifying infections
- Detect a vulnerability scan from the infected device
- Banner scan the device for services it has left open
- Only tag devices ID'd within 20 minutes of a scan

Honeypots
- Invaluable for analyzing malware infections
- Can determine attacker sophistication and behavior by reverse engineering the captured malware
- Can dissect the infection process

Got Milk?
- Milkers are similar to honeypots: they impersonate a bot and record what the C2 sends
- Figure out what commands a C2 server will send
- Identify additional C2 servers
- 15,194 attacks identified

Mirai protected itself better than the IoT devices it infected
- Mirai disables all common unused services
- Fingerprinting can't be done by the usual banner grabbing of those services
- Still able to banner grab lesser-known services
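The two slides above (telescope fingerprinting plus a 20-minute banner-scan window, and the observation that only lesser-known services still answer a banner grab) describe a detection pipeline. The following is an added example of that correlation logic, not code from the paper or the presentation. The probe and banner records, hosts and banner strings are constructed sample data; the fingerprint it uses (Mirai's scanner stamped the TCP sequence number with the destination IP and probed ports 23 and 2323) comes from the original paper rather than these slides.

```python
"""Tag likely Mirai infections from telescope probes plus follow-up banner
scans, keeping only banners obtained within 20 minutes of the probe.

Added example; all records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address

WINDOW = timedelta(minutes=20)  # the 20-minute limit from the slides


@dataclass(frozen=True)
class Probe:
    """One TCP SYN observed by the telescope (constructed fields)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    seq: int  # raw TCP sequence number


@dataclass(frozen=True)
class Banner:
    """Result of a follow-up banner grab against the probing host."""
    ts: datetime
    host: str
    port: int
    text: str


def mirai_fingerprint(p: Probe) -> bool:
    """Mirai's scanner set the TCP sequence number equal to the destination
    IP (from the paper, not these slides) and targeted telnet ports 23/2323.
    This is how the telescope separates Mirai probes from background noise."""
    return p.dport in (23, 2323) and p.seq == int(IPv4Address(p.dst))


def tag_infections(probes, banners):
    """Return {host: "port: banner"} for hosts that sent a fingerprinted probe
    AND answered a banner grab within WINDOW after it. Later banners are
    dropped: a dynamic IP may already belong to a different device."""
    by_host = {}
    for b in banners:
        by_host.setdefault(b.host, []).append(b)
    tagged = {}
    for p in probes:
        if not mirai_fingerprint(p):
            continue
        for b in by_host.get(p.src, []):
            if timedelta(0) <= b.ts - p.ts <= WINDOW:
                tagged[p.src] = f"{b.port}: {b.text}"
                break
    return tagged


# --- constructed sample data ------------------------------------------
T0 = datetime(2016, 10, 1, 12, 0, 0)
SAMPLE_PROBES = [
    # host A: Mirai-style probe (seq == destination IP as an integer)
    Probe(T0, "198.51.100.7", "203.0.113.9", 23, int(IPv4Address("203.0.113.9"))),
    # host B: Mirai-style probe on the alternate telnet port
    Probe(T0, "198.51.100.8", "203.0.113.10", 2323, int(IPv4Address("203.0.113.10"))),
    # host C: ordinary scanner with a random sequence number
    Probe(T0, "198.51.100.9", "203.0.113.11", 23, 0x1234ABCD),
]
SAMPLE_BANNERS = [
    # host A: telnet/http closed by Mirai, but a lesser-known service answers
    Banner(T0 + timedelta(minutes=5), "198.51.100.7", 8000, "DVR web admin"),
    # host B: answered, but 40 minutes later -> outside the window, not tagged
    Banner(T0 + timedelta(minutes=40), "198.51.100.8", 8000, "camera"),
    # host C: never fingerprinted, so never considered
    Banner(T0 + timedelta(minutes=1), "198.51.100.9", 22, "SSH-2.0-OpenSSH"),
]

if __name__ == "__main__":
    for host, info in tag_infections(SAMPLE_PROBES, SAMPLE_BANNERS).items():
        print(host, info)
```

Only host A is tagged: host C fails the fingerprint, and host B's banner arrives after the window, which is exactly the case the 20-minute rule exists to exclude.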

Your tired, your poor, your low-bandwidth
- DVRs, routers, and cameras are all fair game
- Atypically composed of devices from non-US countries
- More like shambling zombies than a pack of cheetahs (bandwidth limits matter)

Not your average botnet
- The botnet owners didn't care about persistence
- This is highly unusual, but makes the botnet much harder to detect
- A rebooted device would simply be re-infected later

Evolution
- Why log in when you can steal a device's soul? (RCE variant)
- It is easy to tack on new infection methods
- We will continue to see variants of Mirai for some time

But wait! There's more!
- Abuse DNS and residual trust
- Make reversing harder by using complex packers
- Add support infrastructure, command relays

Attackers suffer from the same pains as regular IoT users
- Slow initial growth due to the restricted capability of infected devices
- Infrastructure is required to manage half a million devices
- Roughly 1,000 devices per C2 server

Scalin’ on Up

Notable achievements
- Knocked Liberia off the internet for a period of time
- Forced Cloudflare to abandon their deal with Brian Krebs
- Harassed DDoS mitigation companies
- Knocked Minecraft servers and other gaming services offline

Script kiddies do not an Advanced Persistent Threat make
- Mostly childish attacks on people the attackers disliked
- Minimal if any lasting damage
- We were very lucky no important services were targeted
- We could have done better to protect against Mirai

Not the sharpest tools in the shed
"When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping."
- One of the Mirai authors

It will probably get worse
- Attacks get more sophisticated
- New attacks come out of nowhere (ransomware)
- Mirai was only 600k devices (imagine a billion)
- We don't know how new attacks will leverage IoT

Heterogeneity makes for a juicy attack surface
- Easy to target cheap-on-security IoT vendors
- Startup vendors have fewer resources and less experience to orchestrate patching
- Spending time to develop an exploit for a single device model can net thousands of infected hosts
- It also makes it harder to compromise the entire market

How do we fix this?
- Basic hardening (ASLR, privilege separation, etc.)
- Teach about patching, make it easier
- Find a way to reliably take unsupported devices offline
- Identification? What about privacy?

xkcd.com

It could get better
- Vendors are slowly replacing hardcoded passwords with generated ones
- Our society is coming to terms with managing vulnerable devices in a digital age
- We can educate consumers about how to care for devices better
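The first bullet above, replacing one hardcoded factory password with a generated one, is the fix for the credential-guessing infection path the deck describes. The following is an added example of what that looks like on the vendor side, not any vendor's code: a weak firmware config beside a hardened one, an audit that flags the problems, and per-unit provisioning with salted password hashes. The default-credential list, serial numbers and config dicts are constructed sample data.

```python
"""Per-device generated credentials instead of a shared hardcoded password.

Added example; KNOWN_DEFAULTS, the serials and the config dicts are
constructed sample data, not a vendor's or the paper's data.
"""
import hashlib
import hmac
import secrets

# Constructed sample of factory defaults a product must never ship with.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

PBKDF2_ROUNDS = 200_000


def generate_device_password(nbytes=12):
    """Unique password per unit from the OS CSPRNG (96 bits of entropy),
    generated at manufacture and printed on the device label."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only salt + digest go into the firmware."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def provision(serials):
    """Return {serial: (label_password, salt, digest)} with a distinct
    password per unit; the plaintext exists only to be printed on the label."""
    records = {}
    for serial in serials:
        password = generate_device_password()
        salt, digest = hash_password(password)
        records[serial] = (password, salt, digest)
    return records


def audit_config(cfg, fleet_passwords):
    """Findings for one unit's firmware config. fleet_passwords is the set of
    passwords seen on other units, which catches a 'generated' password that
    is in fact identical across the whole product line."""
    findings = []
    if cfg.get("telnet_enabled"):
        findings.append("telnet enabled")
    if (cfg["user"], cfg["password"]) in KNOWN_DEFAULTS:
        findings.append("known default credential")
    if cfg["password"] in fleet_passwords:
        findings.append("password shared with other units")
    return findings


# Constructed sample configs: the shipped-with-default unit beside a fixed one.
WEAK_CONFIG = {"telnet_enabled": True, "user": "root", "password": "root"}
HARDENED_CONFIG = {"telnet_enabled": False, "user": "admin",
                   "password": generate_device_password()}

if __name__ == "__main__":
    print(audit_config(WEAK_CONFIG, {"root"}))      # three findings
    print(audit_config(HARDENED_CONFIG, {"root"}))  # []
```

The fleet check matters as much as the default-list check: a vendor that "generates" the same password into every image has changed nothing, and that is only visible when units are compared against each other.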

The Internet of Garbage

Questions?