Published by Christian McCormick. Modified over 6 years ago.
1
US-CERT Network Analysis
Lions and Tigers and Bears, Mirai! Tracking IoT-Based Malware w/ Netflow
12 January 2017
Kevin Breeden
2
About me
- B.S. Criminal Justice
- M.S. Information Assurance
- Currently work for Northrop Grumman supporting US-CERT’s Network Analysis Department
3
Why am I up here?
- September 20-22: KrebsOnSecurity
- Management questions:
  - What is Mirai?
  - Are we vulnerable?
  - Do we have any active infections?
  - Are we participating in the DDoS attacks?
  - What can we do to protect ourselves?
4
Caveats
- Our sensor placement will play a role in what we see
- All Netflow pulls were done from 09/13/2016 – 09/27/2016
- We do not have a lab environment for testing
- We do not have a honeypot
5
Overview
Mirai is built for two core purposes:
- Locate and compromise IoT devices to further grow the botnet
  - Brute-forces default login credentials
- Launch DDoS attacks based on instructions received from a remote C&C
  - Segmented command and control
  - Loaded with a variety of configurable attacks, and utilizes basic attack methods: GRE (Generic Routing Encapsulation), SYN flood, GET flood, POST flood
  - No amplification/reflection identified at this time
- Mirai – the name being used to refer to the malware binary
- BusyBox – stripped-down Unix tools in a single executable; single-binary approach, typically uses ELF
- ELF (Executable and Linkable Format) – common standard file format; flexible, can be easily adapted to various operating systems
- Configurable attacks: SYN flood, UDP flood, GET flood, ACK flood, POST flood, GRE protocol flood, Valve Source Engine (VSE) query-flooding, HTTP GET attacks, HTTP POST attacks, HTTP HEAD attacks
6
Source Code
- Was released on 9/30/2016 by Anna-senpai
- Command and Control is coded in Go (AKA golang), a free, open-source programming language created at Google
- Bots are coded in C
- Appears to possess some capabilities to circumvent security solutions
- Has various scripts to locate/expunge other worms/trojans and botnet processes. Examples:
  - Killing all processes that use the SSH, Telnet and HTTP ports
  - Memory scraping
  - Hardcoded list of IPs Mirai bots are programmed to avoid
- These offensive and defensive measures shine a light on the turf wars being waged by botnet herders.
7
Botnet Structure
8
Open Source Research
Domains identified as part of Mirai infrastructure
C2 domains:
- network.santasbigcandycane.cx
- cnc.disabled.racing
- b0ts.xf0.pw
- imscaredaf.xyz
- swinginwithme.ru
- kankerc.queryhost.xyz
- gay.disabled.racing
- lol.disabled.racing
- penis.disabled.racing
- meme.icmp.online
Report domains:
- report.santasbigcandycane.cx
- report.disabled.racing
- report.xf0.pw
- imscaredaf.xyz
- swinginwithme.ru
- report.queryhost.xyz
- report.icmp.online
- dongs.icmp.online
Malware distribution domains:
- dongs.disabled.racing
- imscaredaf.xyz
Domains are good for E2 but I need IPs for any E1 analysis.
9
Passive DNS on Identified Domains
IPs that have hosted a Mirai domain at some point
- Report IPs:
- C2 IPs:
- C2 IPs continued:
- Malware distribution IPs:
10
What have we actually seen?
SiLK set files to the rescue
- Report IPs set
- Malware distribution IPs set
- C2 IPs set
- Report IPs in E1:
- C2 IPs in E1:
- Malware distribution IPs in E1:
Passive DNS?
- What dates did we see the IPs in E1?
- What date was the Mirai infrastructure identified on the IP?
- How many other domains are also hosted on the IP?
Talk about using IP search for this step.
11
Report/Malware Distribution IPs observed
Report IPs:
- 2016/09/18 – 2016/09/19: Mirai domain first seen on 10/5/; domain last 6 months
- 2016/09/21: Mirai domain first seen on 10/4/; domains last 6 months
- 2016/09/23: Mirai domain first seen on 10/14/; domains last 6 months
- 2016/09/24: Mirai domain first seen on 10/14/; domains last 6 months
- Mirai domain first seen on 10/11/; domain last 6 months
- Mirai domain first seen on 10/14/; domains last 6 months
Malware distribution IPs: 2016/09/21 and 2016/09/25
Took those IPs we had seen on E1 and performed some additional passive DNS lookups to find out more information
12
C2 IPs observed
- 2016/09/13, 2016/09/16, 2016/09/24 – 2016/09/25: first Mirai domain seen on 10/14/; domains last 6 months
- 2016/09/16: Mirai domain first seen 9/16/2016 (network.santasbigcandycane.cx); 74 domains last 6 months
- Mirai domain first seen 9/16/2016 (network.santasbigcandycane.cx); 2 domains last 6 months
- 2016/09/ /09/25: Mirai domain first seen 9/23/2016 (network.santasbigcandycane.cx); 1 domain last 6 months
- 2016/09/26: Mirai domain first seen 9/25/2016 (network.santasbigcandycane.cx); 1 domain last 6 months
- 2016/09/27: Mirai domain seen on IP on 9/30/; domains last 6 months
- Mirai domain seen on 10/11/; domains last 6 months
- 2016/09/ /09/22 and 2016/09/ /09/27: first Mirai domain seen on 9/23/2016 (network.santasbigcandycane.cx); 13 domains last 6 months
13
What do we know so far
- Infected bots scan for other vulnerable devices on ports 23 and 2323
- C2s have been linked to ports 101 and 23
- Report servers and infected devices often use port 48101
- We know the IPs linked to Mirai that have been seen in E1
- We’ve gathered some passive DNS info
Let’s create 3 new set files and do a little more digging
14
Report IPs – Port 48101
- We looked at the one outbound flow to determine who it was talking to and whether there were any additional flow records between the two IPs
- We wanted to verify that the agency did not initiate the outbound activity. The agency RA (reset/ack) was in response to the original SYN
- No suspicious communication to any known report servers
15
C2 IPs – Port 101
Interesting: now I have questions
- Is there any additional traffic between these source and destination IPs on any ports?
- What sort of outbound traffic are we seeing from these destination IPs linked to network.santasbigcandycane.cx (9/23/2016)?
16
Outbound traffic from Agency IPs
- (Agency 2) only showed inbound activity
- (Agency 1): was curious to see if there was any suspicious outbound activity from either of these IPs
  - rwfilter with source address (Agency 1) going outbound across all sensors
  - No agency-initiated traffic from this IP
  - Did not resolve to any domains that had been previously linked to Mirai or displayed any characteristics of Mirai
  - Port: Cisco Skinny Client Control Protocol (SCCP)
- There was no suspicious outbound traffic identified
17
C2 IPs – Port 23
- rwfilter on the set file for C2s seen on E1 for any port 23 traffic
- rwstats for the directionality of the traffic: rwfilter the .bin file for port 23 and pass it to rwstats to report whether port 23 was the source or the destination
- rwfilter to rwstats to check the initial flags for inbound traffic (SYN/ACK activity is interesting because it suggests the connection may have been agency-initiated)
- rwuniq to determine how many distinct agency destination IPs the C2s we identified were scanning
- rwfilter our .bin file for outbound activity initial flags: just a bunch of resets
- No agency-initiated traffic identified
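The set-file workflow from slides 10 through 17 (build an indicator set, rwfilter --anyset against it, rwstats for which side port 23 sits on and what the initial flags were, rwuniq for distinct destinations) redone as an added example in plain Python. This is not the deck's code and not SiLK; the agency range, the indicator IPs and every flow record are constructed from RFC 5737 documentation addresses, and the record layout only imitates rwcut's pipe-delimited output.

```python
"""Flow-record triage against an indicator IP set.

Added example, not from the deck: the SiLK steps on slides 10-17 (set file,
rwfilter --anyset, rwstats, rwuniq) redone in plain Python so they run offline.
All addresses, times and flows are constructed from RFC 5737 documentation ranges.
"""
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

AGENCY_NETS = [ip_network("203.0.113.0/24")]   # constructed: monitored agency space
C2_SET = {"198.51.100.7", "198.51.100.9"}       # constructed: stands in for the C2 set file

# Constructed rwcut-style records (pipe-delimited, one flow per line).
SAMPLE_FLOWS = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|initialF|sTime
198.51.100.7|203.0.113.10|41022|23|6|1|40|S|2016/09/16T03:12:01
198.51.100.7|203.0.113.11|41023|23|6|1|40|S|2016/09/16T03:12:01
198.51.100.7|203.0.113.12|41024|2323|6|1|40|S|2016/09/16T03:12:02
203.0.113.10|198.51.100.7|23|41022|6|1|40|RA|2016/09/16T03:12:01
203.0.113.11|198.51.100.7|23|41023|6|1|40|RA|2016/09/16T03:12:01
203.0.113.20|198.51.100.9|51515|101|6|5|320|S|2016/09/24T18:40:09
198.51.100.9|203.0.113.20|101|51515|6|4|280|SA|2016/09/24T18:40:09
192.0.2.50|203.0.113.30|40000|80|6|3|180|S|2016/09/25T09:00:00
"""

# initial_flags: TCP flags on the first packet (SiLK initialFlags); stime: YYYY/MM/DDThh:mm:ss
Flow = namedtuple("Flow", "sip dip sport dport proto packets bytes initial_flags stime")

def parse_flows(text):
    """Parse rwcut-style output; the first line is the header."""
    flows = []
    for line in text.splitlines()[1:]:
        f = [x.strip() for x in line.split("|")]
        if len(f) == 9:
            flows.append(Flow(*f[:2], *map(int, f[2:7]), f[7], f[8]))
    return flows

def in_agency(ip):
    addr = ip_address(ip)
    return any(addr in net for net in AGENCY_NETS)

def any_set(flows, ipset):
    """rwfilter --anyset: keep flows whose source or destination is in the set."""
    return [f for f in flows if f.sip in ipset or f.dip in ipset]

def direction(f):
    """Inbound: external source to agency destination. Outbound: the reverse."""
    if in_agency(f.dip) and not in_agency(f.sip):
        return "inbound"
    if in_agency(f.sip) and not in_agency(f.dip):
        return "outbound"
    return "other"

def first_last_seen(flows, ipset):
    """Per indicator IP, the first and last day it appears (slides 11 and 12)."""
    seen = {}
    for f in flows:
        for ip in (f.sip, f.dip):
            if ip in ipset:
                day = f.stime[:10]
                first, last = seen.get(ip, (day, day))
                seen[ip] = (min(first, day), max(last, day))
    return seen

def port_role(flows, ports):
    """rwstats-style: how often the port(s) of interest are destination vs source."""
    role = {"as_dport": 0, "as_sport": 0}
    for f in flows:
        if f.dport in ports:
            role["as_dport"] += 1
        if f.sport in ports:
            role["as_sport"] += 1
    return role

def scan_targets(flows, ports):
    """rwuniq on sIP: distinct agency hosts each external source probed on the port(s)."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in ports and direction(f) == "inbound":
            targets[f.sip].add(f.dip)
    return {sip: len(dips) for sip, dips in targets.items()}

def agency_initiated(flows):
    """Outbound flows opened by the agency side: first packet is a bare SYN.
    Outbound RA (resets answering inbound SYNs) is not agency-initiated."""
    return [f for f in flows if direction(f) == "outbound"
            and "S" in f.initial_flags and "A" not in f.initial_flags]

def triage(text, ipset, ports):
    """Run the whole slide-17 sequence over one indicator set and port list."""
    flows = any_set(parse_flows(text), ipset)
    return {
        "matched": len(flows),
        "first_last": first_last_seen(flows, ipset),
        "port_role": port_role(flows, ports),
        "scanners": scan_targets(flows, ports),
        "agency_initiated": [(f.sip, f.dip, f.dport) for f in agency_initiated(flows)],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS, C2_SET, {23, 2323}))
```

On the constructed data the C2 set matches seven of the eight flows, port 23/2323 shows up three times as destination (inbound SYN probes) and twice as source (the agency's RA replies), and one agency host opened a connection to an indicator on port 101 with a bare SYN, which is exactly the case the deck's initial-flags check is meant to surface. Swap the C2 set for the report or malware distribution set and the port list for 48101 to repeat the other slides' checks.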
18
Malware Distribution Activity
- Back in 2014 a backdoor was found in routers produced by Netcore; the backdoor was simply an open UDP port listening on 53413
- So this is obviously not Mirai related, but it does look like some probing for this backdoor
- All agency outbound traffic was ICMP error codes
19
File Overview – rwappend
- Combined the 3 .bin files
- rwappend lets you take separate files and combine them into a specific target file
- .bin files: C2 IPs, report IPs, malware distribution IPs
20
Key takeaways
- The majority of the traffic is inbound
- The .gov gets scanned a lot
- No full connections identified
- No evidence to suggest a Mirai infection
21
Inbound TCP 23/2323
When it comes to worms, or other malware that spreads via a "scan and 'sploit" method, the most important of the 3 main stats (bytes, packets, flows) is flows.

A 'netflow' is an arbitrary grouping of packets (and their totaled bytes) based around a tuple. The tuple is a collection of unchanging characteristics: if one or more of them changes in the next packet, you create a new netflow; otherwise you append the packet to the existing netflow with those characteristics. The tuple consists of SIP, DIP, SPORT, DPORT, PROTO and SENSOR, and the packets must fall within a 30-minute window.

So if a single source is scanning the entire Internet for port 23, then during lots of the scanning these general things will be true:
1. The DIP value will change constantly. That's how you switch from scanning host A to host B.
2. The SIP value will remain static. That's so the 3-way handshake can be completed.
3. The SPORT value may or may not change.
4. The DPORT value will remain static. (If you switch to something other than 23 then you're not scanning for 23 anymore.)
5. The PROTO value will remain static. (Switching from TCP to something else will just fail in this case.)
6. The SENSOR value will remain static while that sensor's footprint (i.e. visible network) is scanned, and then will change when the scanner moves to another network that we can see via another sensor.
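The tuple-and-window rule above, carried through in code as an added example (not from the deck): packets are grouped into flows on (SIP, DIP, SPORT, DPORT, PROTO, SENSOR) with a 30-minute window, then each source is profiled against the six scan characteristics. It goes one step beyond the slide by turning the six observations into a flag on the per-source profile. The packet stream, the sensor names S1 and S2 and all addresses are constructed from RFC 5737 documentation ranges; nothing here is SiLK's implementation.

```python
"""Packets to flows, and why flow count exposes a scanner.

Added example, not from the deck: implements the tuple / 30-minute-window rule
from slide 21 and the six scan characteristics that follow it. Packets are
constructed from RFC 5737 documentation ranges; sensor names are made up.
"""

ACTIVE_TIMEOUT = 30 * 60  # the slide's 30-minute window, in seconds

def build_packets():
    """Constructed packet stream: (time_s, sip, dip, sport, dport, proto, sensor, bytes)."""
    pkts = []
    for i in range(1, 21):   # scanner sweeps port 23 behind sensor S1: new DIP every packet
        pkts.append((i, "198.51.100.7", f"203.0.113.{i}", 40000 + i, 23, 6, "S1", 40))
    for i in range(1, 11):   # then moves on to the network behind sensor S2
        pkts.append((60 + i, "198.51.100.7", f"192.0.2.{i}", 40100 + i, 23, 6, "S2", 40))
    for i in range(10):      # an ordinary web session: one tuple, many packets
        pkts.append((100 + i, "192.0.2.50", "203.0.113.30", 51000, 80, 6, "S1", 400))
    for i in range(10):      # same tuple two hours later: past the window, so a new flow
        pkts.append((7300 + i, "192.0.2.50", "203.0.113.30", 51000, 80, 6, "S1", 400))
    return pkts

def aggregate_flows(packets, timeout=ACTIVE_TIMEOUT):
    """Group packets into flows keyed by (SIP, DIP, SPORT, DPORT, PROTO, SENSOR).
    A packet joins the open flow for its key unless that flow started more than
    `timeout` seconds earlier, in which case a new flow begins."""
    flows, open_flows = [], {}
    for t, sip, dip, sport, dport, proto, sensor, nbytes in sorted(packets):
        key = (sip, dip, sport, dport, proto, sensor)
        fl = open_flows.get(key)
        if fl is None or t - fl["start"] >= timeout:
            fl = {"key": key, "start": t, "end": t, "packets": 0, "bytes": 0}
            open_flows[key] = fl
            flows.append(fl)
        fl["end"] = t
        fl["packets"] += 1
        fl["bytes"] += nbytes
    return flows

def profile_sources(flows):
    """Per source IP: flows, packets, bytes, and the distinct values of the other tuple fields."""
    prof = {}
    for fl in flows:
        sip, dip, sport, dport, proto, sensor = fl["key"]
        p = prof.setdefault(sip, {"flows": 0, "packets": 0, "bytes": 0, "dips": set(),
                                  "sports": set(), "dports": set(), "protos": set(),
                                  "sensors": set()})
        p["flows"] += 1
        p["packets"] += fl["packets"]
        p["bytes"] += fl["bytes"]
        p["dips"].add(dip)
        p["sports"].add(sport)
        p["dports"].add(dport)
        p["protos"].add(proto)
        p["sensors"].add(sensor)
    return prof

def looks_like_scan(p, min_targets=10):
    """Slide 21's signature: many distinct DIPs, one DPORT, one PROTO, and flows so
    short (one or two packets) that the handshake never completes."""
    return (len(p["dips"]) >= min_targets and len(p["dports"]) == 1
            and len(p["protos"]) == 1 and p["packets"] / p["flows"] <= 2)

def find_scanners(packets, min_targets=10):
    """Sources in the packet stream whose flow profile matches the scan signature."""
    prof = profile_sources(aggregate_flows(packets))
    return sorted(sip for sip, p in prof.items() if looks_like_scan(p, min_targets))

if __name__ == "__main__":
    for sip, p in profile_sources(aggregate_flows(build_packets())).items():
        print(sip, "flows", p["flows"], "packets", p["packets"], "bytes", p["bytes"],
              "scan" if looks_like_scan(p) else "normal")
```

The constructed stream makes the slide's point about which statistic matters: the scanner produces 30 flows but only 1200 bytes, while the single web client produces 2 flows (the second because its tuple reappears outside the 30-minute window) and 8000 bytes. Ranking sources by bytes hides the scanner; ranking by flows, or by distinct destinations, puts it first.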
22
Outbound Traffic to Krebs
- Krebs IP:
- Pre-attack days:
- Attack days:
- No Protocol 47 (GRE) activity identified
- The .gov did not participate in the DDoS attacks on Krebs
23
Krebs Traffic Visually
24
Indicator Monitoring
25
Mirai Variant (Nov 2016)
- Uses a modified version of the Mirai code
- Exploits a newly discovered router vulnerability
- Commands are sent based on the TR-069 and TR-064 protocols, which ISPs use for remote network management
- The flaw is in the Simple Object Access Protocol (SOAP) service embedded in the routers and the way they handle incoming traffic
26
Network Characteristics
- Inbound port 7547 and 5555 traffic
- HTTP POST /UD/act?1
- Utilizing wget, TFTP and FTP to retrieve binaries
27
PCAP from Variant
28
Content Data wget wget
29
Inbound 7547 – Bytes 500-
30
Inbound 5555 – Bytes 500-
31
Top countries scanning for the variant
Open source reporting had said that Brazil was a top country for this activity.
32
Recommendations
- Ensure all default passwords are changed
- If you have an IoT device, make sure you have no Telnet service open and running
- If you are utilizing Telnet, monitor the connections
- Block TCP/48101 if you don’t use it
- If you think you have an infected device, reboot after changing default credentials
- Update IoT devices with security patches as soon as they become available
33
Acknowledgements
- Chad Hein
- Matt Swaar
34
Questions