1
Understanding the Mirai Botnet
Presented by John Johnson
2
Why this paper?
Not a theoretical paper
Demonstrates real-world consequences
Expected creation of billions of IoT devices
3
The Dark Arts are many, varied, ever-changing, and eternal
The Dark Arts are many, varied, ever-changing, and eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible. - Severus Snape
4
How do botnets propagate?
Scan a target
Leverage known exploits
Install the botnet software
Rinse and repeat
5
Fighting back
We must identify these devices and shut them down
But there are so many devices
And we have limited resources
And users are clueless
6
Network Telescope
Watch the unindexed portions of the internet for suspicious traffic
Use fingerprinting to selectively ID
116 billion probes
55 million probers
7
Identifying infections
Detect a vulnerability scan from the infected device
Banner-scan the device for unclosed services
Only tag devices ID'd within 20 minutes of a scan
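The two slides above describe the paper's measurement pipeline: pick Mirai probes out of telescope traffic with a fingerprint, then banner-grab the probing host and tag it only if the grab happens within 20 minutes of the scan. The block below is an added illustration of that correlation logic, not code from the slides or from the Mirai paper's authors. The fingerprint it uses (a SYN to port 23 or 2323 whose TCP sequence number equals the destination IPv4 address) is the one documented in the published Mirai analysis; the telescope records, banner-grab results, timestamps and addresses are constructed sample data, and the record layouts are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Ports Mirai's telnet scanner targets (from the published analysis).
MIRAI_SCAN_PORTS = {23, 2323}

# Constructed network-telescope SYN records: (timestamp, src_ip, dst_ip, dst_port, tcp_seq).
# The first two rows carry the Mirai fingerprint (seq == destination address).
TELESCOPE_SYNS = [
    ("2016-09-20 10:00:00", "203.0.113.7",  "198.51.100.25", 23,   int(ipaddress.ip_address("198.51.100.25"))),
    ("2016-09-20 10:00:03", "203.0.113.7",  "198.51.100.77", 2323, int(ipaddress.ip_address("198.51.100.77"))),
    ("2016-09-20 10:05:00", "203.0.113.9",  "198.51.100.30", 23,   123456789),  # ordinary scanner, random seq
    ("2016-09-20 11:00:00", "203.0.113.11", "198.51.100.31", 80,   int(ipaddress.ip_address("198.51.100.31"))),  # wrong port
]

# Constructed banner-grab results against the probing hosts: (timestamp, ip, port, banner).
BANNER_GRABS = [
    ("2016-09-20 10:12:00", "203.0.113.7", 8080, "HTTP/1.1 200 OK  Server: example-dvr-httpd"),  # 12 min after scan
    ("2016-09-20 10:45:00", "203.0.113.7", 8080, "HTTP/1.1 200 OK  Server: example-dvr-httpd"),  # 45 min: too late
    ("2016-09-20 10:08:00", "203.0.113.9", 22,   "SSH-2.0-OpenSSH_6.7"),                         # not a Mirai prober
]


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_mirai_scan(dst_ip, dst_port, tcp_seq):
    """Stateless-scan fingerprint: telnet port and TCP seq equal to the destination address."""
    return dst_port in MIRAI_SCAN_PORTS and tcp_seq == int(ipaddress.ip_address(dst_ip))


def mirai_probers(syns):
    """Map each source address that sent a fingerprinted probe to the times it did so."""
    probers = {}
    for ts, src, dst, dport, seq in syns:
        if is_mirai_scan(dst, dport, seq):
            probers.setdefault(src, []).append(parse_ts(ts))
    return probers


def tag_infected(syns, grabs, window=timedelta(minutes=20)):
    """Tag a prober as infected only if a banner grab landed within `window` after one of its scans.

    Returns {ip: [(port, banner), ...]} for the tagged hosts.
    """
    probers = mirai_probers(syns)
    tagged = {}
    for ts, ip, port, banner in grabs:
        scan_times = probers.get(ip)
        if not scan_times:
            continue  # host never sent a fingerprinted probe
        grab_time = parse_ts(ts)
        if any(timedelta(0) <= grab_time - scan_time <= window for scan_time in scan_times):
            tagged.setdefault(ip, []).append((port, banner))
    return tagged


if __name__ == "__main__":
    for ip, services in tag_infected(TELESCOPE_SYNS, BANNER_GRABS).items():
        print(ip, services)
```

The 20-minute window is the point of the second slide: IoT hosts sit behind dynamic addresses, so a banner grabbed an hour after the probe may describe a different device entirely. The 10:45 grab above is discarded for exactly that reason even though the address matches.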
8
Honeypots
Invaluable for analyzing malware infections
Can determine attacker sophistication and behavior based on malware reverse engineering
Can dissect the infection process
9
Got Milk?
Milkers are similar to honeypots
Figure out what commands a C2 server will send
Identify additional C2 servers
15,194 attacks identified
10
Mirai protected itself better than the IoT devices it infected
Mirai disables all common unused services
Fingerprinting can't be done by the usual banner grabbing
Still able to banner-grab lesser-known services
11
Your tired, your poor, your low-bandwidth
DVRs, routers, and cameras are all fair game
Atypically composed of devices from non-US countries
More like shambling zombies than a pack of cheetahs (bandwidth limits matter)
12
Not your average botnet
Botnet owners didn't care for persistence
This is highly unusual, but makes the botnet much harder to detect
A rebooted device would simply be re-infected later
13
Evolution
Why log in when you can steal a device's soul? (RCE variant)
It is easy to tack on new infection methods
We will continue to see variants of Mirai for some time
14
But wait! There's more!
Abuse DNS and residual trust
Make reversing harder by using complex packers
Add support infrastructure, command relays
15
Attackers suffer from the same pains as regular IoT users
Slow initial growth due to the restricted capability of infected devices
Infrastructure is required to manage half a million devices
Roughly 1,000 devices per C2 server
16
Scalin’ on Up
18
Notable achievements
Knocked Liberia off the internet for a period of time
Forced Cloudflare to abandon their deal with Brian Krebs
Harassed DDoS mitigation companies
Knocked Minecraft servers and other gaming services offline
19
Script kiddies do not an Advanced Persistent Threat make
Mostly childish attacks on people the attackers disliked
Minimal, if any, lasting damage
We were very lucky no important services were targeted
We could have done better to protect against Mirai
20
Not the sharpest tools in the shed
When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping. - One of the Mirai authors
21
It will probably get worse
Attacks get more sophisticated
New attacks come out of nowhere (ransomware)
Mirai was only 600k devices (imagine a billion)
We don't know how new attacks will leverage IoT
22
Heterogeneity makes for a juicy attack surface
Easy to target cheap-on-security IoT vendors
Startup vendors have fewer resources and less experience to orchestrate patching
Spending time to develop exploits for a single device model can net you thousands of infected hosts
It also makes it harder to compromise the entire market
23
How do we fix this?
Basic hardening (ASLR, privilege separation, etc.)
Teach about patching, make it easier
Find a way to reliably take unsupported devices offline
Identification? What about privacy?
24
(xkcd comic, xkcd.com)
25
It could get better
Vendors are slowly replacing hardcoded passwords with generated ones
Our society is coming to terms with managing vulnerable devices in a digital age
We can educate consumers about how to care for devices better
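The first point above (hardcoded versus generated passwords) is the one fix on this slide that can be shown in code. The block below is an added illustration, not code from the slides or from any vendor: it derives a per-unit factory password from a vendor secret and the device serial with HMAC-SHA256, and checks that no two units in a constructed production batch end up sharing a default. The vendor secret, serial numbers and password format are all assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed values for the example; a real vendor secret lives in an HSM or manufacturing signer, never in firmware.
VENDOR_SECRET = b"example-vendor-manufacturing-secret-do-not-ship"
PRODUCTION_BATCH = ["SN-000101", "SN-000102", "SN-000103", "SN-000104"]


def derive_device_password(vendor_secret, serial, length=16):
    """Per-unit factory password: HMAC-SHA256(secret, serial), base32 encoded and truncated.

    Every unit gets a different string, so leaking one device's default does not open the rest.
    """
    digest = hmac.new(vendor_secret, serial.encode("ascii"), hashlib.sha256).digest()
    # base32 keeps the password printable on a sticker and avoids ambiguous characters such as 0/O.
    return base64.b32encode(digest).decode("ascii").rstrip("=")[:length]


def batch_passwords(vendor_secret, serials):
    """Map each serial in a production batch to its factory password."""
    return {serial: derive_device_password(vendor_secret, serial) for serial in serials}


def passwords_are_unique(passwords):
    """True when no two units in the batch share a default password (the hardcoded-password failure mode)."""
    return len(set(passwords.values())) == len(passwords)


def hardcoded_batch(serials, shared="admin"):
    """The 'before' case: every unit ships with the same string, which is what Mirai's dictionary exploited."""
    return {serial: shared for serial in serials}


if __name__ == "__main__":
    generated = batch_passwords(VENDOR_SECRET, PRODUCTION_BATCH)
    print("generated unique:", passwords_are_unique(generated))
    print("hardcoded unique:", passwords_are_unique(hardcoded_batch(PRODUCTION_BATCH)))
```

The caveat a reviewer would raise: a derived scheme makes the vendor secret a single point of failure, since anyone holding it can recompute every unit's password from its serial. Drawing a random password per unit at the factory and recording only its hash avoids that dependency at the cost of a per-device record, and either scheme still needs a forced password change on first login.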
27
The Internet of Garbage
28
Questions?