Tracking Mirai variants

Presented at VB2018, Oct. 5, 2018, 9:30 a.m. (30 minutes).

Mirai, the infamous DDoS botnet family known for its great destructive power, was made open source soon after being found by *MalwareMustDie* in August 2016. This made it easy for other threat actors to craft new DDoS malware which we call Mirai variants. Our data shows that such crafting work has not stopped since September 2016. Some variants, such as Mirai.Satori, were even equipped with more effective distribution methods and returned Mirai to the centre of public attention for being able to turn hundreds of thousands of IoT devices into zombies in a very short time. In the post-Mirai era it would be routine work for the security community to fight new threats posed by Mirai and its variants. Keeping a tight watch on the variant development would help us deliver a better performance. We began tracking Mirai and its variant botnets soon after it was found, and as of March 2018 we have collected over 16,000 Mirai samples. Detailed studies have been carried out on the collected samples in terms of configurations, C&C communication, attack methods, scanning and its username/password dictionaries. Attempts to automatically detect and classify variants have also been made, with dozens of variants found. We think the analysis we have done would help to better fight future Mirai threats and uncover the actors behind it. Some preliminary findings include: * How many Mirai variants exist. * Whether the C&C communication changed among variants. * How the attack methods were reserved by various variants. What new methods were added. * How the variants update the scanning module by targeting non-Telnet ports and adding new usernames/ passwords to the brute-force attacking purposed dictionary. * Whether the configuration encryption algorithm was changed and what keys were used. * How the configuration varied among variants in terms of size and contents. * Whether it's possible to correlate a fresh Mirai sample to its variant family in an automatic way.

Presenters:

  • Ya Liu - Qihoo
    Ya Liu Ya Liu has over eight years of network security experience in honeypot development, malware and botnet analysis. Currently he works at netlab.360.com as a threat analyser on botnet detection and tracking. Before joining Qihoo 360 he worked at NSFOCUS on honeypot development and malware analysis. @liuya0904
  • Hui Wang - Qihoo
    Hui Wang Hui Wang is a sofware engineer with a passion for honeypot development. He has a wealth of experience in web development and data analysis. Now he works at netlab.360.com on large-scale honeypot deployment and related threat mining. @huiwangeth

Links:

Similar Presentations: