SESSION ID: HTA-W10
Mirai and IoT Botnet Analysis
http://blog.erratasec.com
@ErrataRob
What this talk will cover
Brief overview of Mirai
The cameras themselves
Step by step from infection to attacks
The Dyn attack
How to protect yourself
How tech details fit into government policy debate
The Mirai botnet
Terabit-scale attacks at the end of 2016:
~600 Gbps against
~1 Tbps against OVH
~1.2 Tbps against Dyn
Infects cameras (most of the botnet is cameras)
Also printers, routers
Hundreds of thousands of devices
Where the botnet resides
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
CnC servers
192.227.222.73 192.227.222.74 192.227.222.75 192.227.222.76 188.166.65.12 188.166.189.189 185.25.51.115 185.144.29.7 118.89.41.125 93.158.216.170 54.187.144.227 52.163.49.59 46.166.185.34 46.183.223.229 45.119.127.190 35.162.249.35 5.249.154.190
Ordering camera
from at CNN
Packaging from Shenzhen
What do the cameras look like?
HiSilicon HI3518 CPU
Which ports are listening
What does the camera look like?
23: Telnet
9527: a shell with no authentication
8899: another web interface
0f539bd5d3ab8a
Camera/Phone firewalled
54.163.237.146 ec2-54-163-237-146.compute-1.amazonaws.com
Configure firewall
Use a Raspberry Pi-class device as a NAT router/firewall to create an isolated subnet
http://blog.erratasec.com/2016/10/configuring-raspberry-pi-as-router.html
98 seconds to infection!
Infection process
The ECCHI trick
The loader appends "/bin/busybox ECCHI" to every command it sends; busybox has no applet by that name and prints the error "ECCHI: applet not found"
That fixed error string is how the bot recognizes that the command's output is done
Different devices have different command prompts, so parsing the output for a prompt would be much harder
What is busybox?
A single binary that provides the shell and most of the Unix utilities on IoT devices; the most common shell there
Find out CPU:
x86, ARM, MIPS, PowerPC
Download bot
Now run the bot
Kills Telnet
/bin/busybox telnetd -p 2323
Kills rival bots
Connect to command/control
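As an added example (not code from the talk and not the Mirai loader's own code), here are the two mechanics behind the infection steps above, re-implemented in Python: delimiting telnet output with the busybox "applet not found" error instead of guessing the prompt, and working out the CPU family from the ELF header of a binary the loader cats off the device (the public Mirai loader does this with /bin/echo). The telnet transcript, the ELF headers and the "# " prompt are constructed for the example; the function names are my own.

```python
import struct

# The loader appends "/bin/busybox ECCHI" to every command it sends. busybox
# has no applet by that name and prints a fixed error string, which marks
# end-of-output no matter what the device's shell prompt looks like.
MARKER = b"ECCHI: applet not found"

# ELF e_machine values for the CPU families the talk lists (plus 64-bit x86/ARM).
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
                0x3E: "x86-64", 0xB7: "ARM64"}

# Constructed (not captured) 20-byte ELF headers: little-endian ARM, as on the
# Hi3518 camera, and big-endian MIPS, common on routers. Layout: e_ident[16],
# e_type (2 bytes), e_machine (2 bytes).
ARM_LE_HEADER = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x02\x00" + b"\x28\x00"
MIPS_BE_HEADER = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x02" + b"\x00\x08"

# Constructed telnet transcript from a device with a "# " prompt: a probe
# command, then "cat /bin/echo" whose output is the raw ELF header above.
TRANSCRIPT = (
    b"# /bin/busybox ECCHI\r\n"
    b"ECCHI: applet not found\r\n"
    b"# cat /bin/echo; /bin/busybox ECCHI\r\n"
    + ARM_LE_HEADER
    + b"\r\nECCHI: applet not found\r\n"
    b"# "
)


def command_outputs(stream: bytes, marker: bytes = MARKER) -> list:
    """Split a telnet session into one output blob per command.

    Each chunk between markers is: [newline left over from the previous
    marker] prompt + echoed command, CRLF, then the command's output. The
    text after the last marker is only the next prompt and is discarded.
    """
    outputs = []
    for chunk in stream.split(marker)[:-1]:
        chunk = chunk.lstrip(b"\r\n")
        _echoed_cmd, _, body = chunk.partition(b"\r\n")
        if body.endswith(b"\r\n"):
            body = body[:-2]
        outputs.append(body)
    return outputs


def elf_arch(blob: bytes) -> str:
    """Name the CPU family from an ELF header's e_machine field."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    endian = "<" if blob[5] == 1 else ">"        # EI_DATA: 1 = little, 2 = big
    (e_machine,) = struct.unpack_from(endian + "H", blob, 18)
    return ELF_MACHINES.get(e_machine, "unknown(0x%02x)" % e_machine)


def probe_arch(stream: bytes) -> str:
    """Arch of the device that produced `stream`, taken from the output of
    the second command (cat /bin/echo) in the constructed transcript."""
    return elf_arch(command_outputs(stream)[1])


if __name__ == "__main__":
    print(command_outputs(TRANSCRIPT))
    # The loader would now fetch the build of the bot matching this answer.
    print("device is", probe_arch(TRANSCRIPT))
```

The same marker logic is what a telnet honeypot can key on for detection: a login followed by a command ending in `/bin/busybox ECCHI` (or any unknown applet name used the same way) is a loader, not a human.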
List of possible attacks
Attack on Google Project Shield
130 million SYN per second
450 million HTTP queries per second
From 175,000 IP addresses
4 million ACK flood
GRE floods
UDP floods
https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/
Classic "hit the root name servers" attack, except one layer down: Dyn's authoritative servers
Port 53 UDP flood, ~600 Gbps to ~1.2 Tbps
Amplified by failed DNS lookups: resolvers do not cache a lookup that timed out, so every client query retries upstream
Dyn uses ‘anycast’
http://dyn.com/dns/network-map/
Atlanta -> North Virginia
Add own second DNS
Add Amazon DNS
All eggs in one basket
BGP changes
https://stat.ripe.net/widget/bgplay#w.resource=208.78.70.16
Increase TTLs
Resolver caching
Resolvers cache responses
They drop a record after TTL seconds and fetch a new one
Change: if you can't get a new one, don't drop the record (serve it stale)
Everybody's doing it
No persistence in botnet
Many fight to take control of the devices
Many splintered botnets rather than one large botnet
Conclusion
The same attack won’t work again
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
Complicated
Paras Jha, 20-year-old student
Minecraft server maintainer, then anti-DDoS company
A way to drive customers away from other anti-DDoS companies
Complicated interactions with the underground
Source code
Amateurish, like that of 20-year-old students
Doesn't mean "stupid", just lacking the habits of professional coders. Multiple coders
https://github.com/jgamblin/Mirai-Source-Code
Apply: how to protect yourself?
You probably don't have cameras
Vulnerability scanning for them on your network is probably pointless
You need a DNS strategy
You need a DDoS strategy
You need a UPnP strategy
DNS server strategy
Use redundant servers
One should be a server that can handle DDoS
Set longer TTLs
DNS client strategy
Set up your own resolver
Disable discarding stale records after the TTL if no response arrives
Make sure services can keep running if DNS fails
The DNS supply chain
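The resolver-side advice above (don't discard a stale record when the refresh fails; set longer TTLs) and the "amplified by failed DNS lookups" point from the Dyn slides are easiest to see with numbers. The following is an added example, not code from the talk: a toy caching resolver in Python run through a simulated authoritative outage, once with the classic drop-after-TTL behaviour and once serving stale records. The outage window, the query rate, the name and address, and the 30-second retry throttle while stale are all assumptions of the simulation.

```python
from dataclasses import dataclass


@dataclass
class Cached:
    value: str
    expires_at: int     # absolute time in seconds


class Resolver:
    """Toy caching resolver.

    upstream(name, now) returns an address, or None when the authoritative
    server does not answer (what Dyn's customers saw during the flood).
    A failed lookup caches nothing, so without serve-stale every client
    query after the TTL runs out goes upstream again.
    """

    def __init__(self, upstream, ttl, serve_stale=False, stale_retry_interval=30):
        self.upstream = upstream
        self.ttl = ttl
        self.serve_stale = serve_stale
        # Assumed throttle (not from the talk): while serving stale, retry
        # the authoritative server at most once per interval.
        self.stale_retry_interval = stale_retry_interval
        self.cache = {}
        self.next_retry = {}
        self.upstream_queries = 0

    def resolve(self, name, now):
        rec = self.cache.get(name)
        if rec is not None and now < rec.expires_at:
            return rec.value                                   # fresh hit
        if self.serve_stale and rec is not None and now < self.next_retry.get(name, 0):
            return rec.value                                   # stale; refresh tried recently
        self.upstream_queries += 1
        value = self.upstream(name, now)
        if value is not None:
            self.cache[name] = Cached(value, now + self.ttl)
            return value
        if self.serve_stale and rec is not None:
            self.next_retry[name] = now + self.stale_retry_interval
            return rec.value                                   # keep answering with the old record
        self.cache.pop(name, None)                             # classic behaviour: drop and fail
        return None


def simulate(serve_stale, ttl, outage=(600, 1800), duration=3600):
    """One client asking every second for an hour; the authoritative side is
    unreachable during `outage`. Returns (failed client lookups, upstream queries)."""
    start, end = outage

    def upstream(name, now):
        # 192.0.2.1 is a documentation address, not Dyn's.
        return None if start <= now < end else "192.0.2.1"

    r = Resolver(upstream, ttl, serve_stale)
    failed = sum(1 for t in range(duration) if r.resolve("www.example.com", t) is None)
    return failed, r.upstream_queries


if __name__ == "__main__":
    for label, stale, ttl in (("drop after TTL, TTL 300", False, 300),
                              ("serve stale,    TTL 300", True, 300),
                              ("drop after TTL, TTL 3600", False, 3600)):
        failed, upstream = simulate(stale, ttl)
        print("%-26s failed lookups=%4d upstream queries=%4d" % (label, failed, upstream))
```

With a 300-second TTL and a 20-minute outage the classic resolver fails every lookup for the whole outage and sends a query upstream for each one (1200 queries at a server that is already being flooded); the serve-stale resolver fails none and sends 40. Raising the TTL past the outage length avoids the problem for this one name, but only if the record was already cached when the attack started, which is why the talk recommends both. In real resolvers this is Unbound's `serve-expired: yes`; the behaviour was later written up as RFC 8767 ("Serving Stale Data to Improve DNS Resiliency").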
Apply: policy question
For government policy makers crafting laws/regulations: what can government do to ward off IoT botnets?
It's a complicated answer
Only 10.9% of the infected devices are in the United States
Unbranded grey market, where they ignore regulation anyway
IoT is behind firewalls; cameras are exposed. This was not an IoT botnet
Cameras need a remote reset (aka. backdoor)
Dyn fixed itself, without government help
An IoT threat model, part 1
No user interaction
Clicking on links/emails is how you infect your desktop/laptop, but not iPhones, mostly
No exposed ports
At least, as the norm
So no directly vulnerable services, OWASP-style web bugs, etc.
An IoT threat model, part 2
Cross-Site Request Forgery: clicking on links/emails
Cloud service
Phishing of username/password
Cloud provider gets owned (IoT auto-update considered harmful)
Local WiFi
UPnP etc. for inbound
An IoT threat model, part 3
Vendors demand inbound connections: old IoT like medical devices, HVAC, etc.
IoT on non-private networks: hospitals, bars, universities, etc.
IPv4 vs IPv6
IPv4 for IoT is increasingly costly, moving to IPv6
Details on how Mirai works means knowing how cameras work
How to protect yourself from Mirai: not from Mirai itself, but from the attacks it does. Fix your DNS
What is the future? What's the threat model? How can regulations help?