This time I will discuss the Mirai IoT botnet, one of the malware families used to launch DDoS attacks.
A botnet can be described as a collection of bot (robot) programs configured to run automatically across a network. Each computer enrolled in the botnet runs commands or instructions issued remotely by the botnet's controller (the bot herder or master bot). In simpler terms: if your computer is infected with botnet malware, then whenever it is connected to the network it will carry out whatever instructions the bot master sends it.
There is also a recently discovered, and powerful, botnet, variously nicknamed IoTroop and Reaper, which is able to compromise IoT devices at a much faster rate than Mirai. Reaper can target a larger number of device makers and has far greater control over its bots.
The various botnet architectures:
If you think of a botnet as a theatrical play, the C&C server (Command and Control server, also known as the C2) is its director. The actors in this play are the various bots: devices compromised by malware infection and made part of the botnet.
When the malware infects a device, the bot sends out timed signals (beacons) to inform the C&C that it now exists. This connection is kept open until the C&C is ready to command the bot to do its bidding, which can include sending spam, cracking passwords, launching DDoS attacks, and so on.
In a centralized botnet, the C&C conveys the botmaster's commands directly to the bots. However, the C&C is also a single point of failure: if it is taken down, the botnet becomes ineffective.
Botnet control may also be organized in multiple tiers, with multiple C&Cs. Groups of dedicated servers may be assigned a specific purpose, for example organizing the bots into subgroups or delivering designated content. This makes the botnet harder to take down.
Peer-to-peer (P2P) botnets are the next generation. Rather than communicating with a centralized server, each P2P bot acts both as a command server and as a client that receives commands. This avoids the single point of failure inherent in centralized botnets, and because P2P botnets operate without a fixed C&C they are harder to shut down. Trojan.Peacomm and Stormnet are examples of malware behind P2P botnets.
This kind of malware has a peculiar advantage: it does little direct damage to the computer it occupies, while the real damage is felt by the bot master's next, or actual, target. Without going on at length, here is the damage a botnet causes:
For computers infected with botnet malware (zombie computers):
- The computer's performance drops slightly, because the botnet uses it in the background
- Your network connection becomes considerably slower
- Your computer wastes bandwidth (you will notice this if you use a volume-based Internet service or if your Internet plan has a quota)
- Your Internet access is noticeably degraded
Mirai (Japanese for "the future") is malware that turns a computer system running Linux into a remotely controlled bot, which can then be used as part of a botnet in large-scale attacks. Its main targets are Internet-connected IoT devices such as CCTV cameras and home routers.
The Mirai botnet has already been used in some of the biggest DDoS attacks on record: the attack on the website of computer-security reporter Brian Krebs, then the attack on the French web host OVH, and the attack that knocked out the DNS provider Dyn.
To date the Mirai botnet has reached a population of around 500,000 bots built from IoT devices around the world. The largest populations are in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil and Spain, with some in North America and Europe.
Mirai can perform several kinds of DDoS attack, including SYN flooding, UDP flooding, GRE flooding, DNS query flooding with pseudo-random subdomains (so-called "water torture"), Valve Source Engine (VSE) query flooding, ACK flooding, and HTTP GET, POST and HEAD floods.
The source code for Mirai was published on Hack Forums by its author after the successful and well-publicized attack on the Krebs website. Since then the code has been built and used by many others to launch attacks on Internet infrastructure (the Dyn attack being the best-known example), and its techniques have been adapted in other malware projects.
Mirai is self-propagating, worm-like malware. It infects poorly protected Internet-connected devices by using telnet to find those that still use their factory-default username and password. Its effectiveness comes from its ability to infect tens of thousands of such insecure devices and coordinate them to mount a DDoS attack against a chosen victim.
There are two main components to Mirai: the bot malware itself and the command and control centre (CnC). The bot contains the attack vectors (Mirai has ten that it can launch) and a scanner process that actively seeks other devices to compromise. The CnC is a separate program that controls the compromised devices (bots), sending them instructions to launch one of the attacks against one or more victims.
The scanner process runs continuously on each bot, using the telnet protocol (TCP port 23 or 2323) to try to log in to IP addresses chosen at random. Each login attempt cycles through up to 60 factory-default username and password pairs; when a login succeeds, the address of the new device and the working credentials are sent back to the CnC. The CnC supports a simple command-line interface that lets the attacker specify an attack vector, one or more victim IP addresses and an attack duration. It also waits for its existing bots to report newly discovered device addresses and credentials, which are used (in the published code, by a separate loader component) to copy the bot binary onto the device and so create new bots.
The bot is built for several CPU architectures (x86, ARM, MIPS, SPARC, PowerPC and Motorola 68000, among others) to cover the variety of CPUs deployed in IoT devices. The binary itself is small and employs several techniques to avoid discovery and to obscure its internal mechanisms from reverse-engineering attempts. Once it is loaded into memory on the bot it deletes itself from the device's disk, and it remains active until the device is rebooted. Immediately after a reboot the device is free of the malware, but it only takes a few minutes before it is discovered and re-infected again, so a reboot alone is not a fix: the default credentials must be changed, or telnet disabled or firewalled, for the device to stay clean.
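Two things in the scanning behaviour described above are visible from the defender's side: the bot's raw SYN probes to 23/2323, and the run of factory-default login attempts that follows. The following is an added example (my own code, not from the Mirai source or from the original post) that flags both in constructed sample data. It relies on one fingerprint beyond what the text states, which I am certain of from Mirai's published scanner (scanner.c): the hand-built SYN probe uses the destination IPv4 address as its TCP sequence number. The honeypot log format, the RFC 5737 addresses and the credential subset below are my own assumptions.

```python
"""Detect Mirai-style telnet scanning and default-credential guessing in
constructed sample data (added example, not Mirai's or the post's own code)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Subset of the ~60 factory-default pairs in Mirai's published scanner list.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("user", "user"), ("ubnt", "ubnt"),
}
TELNET_PORTS = {23, 2323}


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


@dataclass(frozen=True)
class Syn:
    """One inbound TCP SYN as a flow collector or packet capture records it."""
    src: str
    dst: str
    dport: int
    seq: int


def is_mirai_scan_syn(pkt: Syn) -> bool:
    """Mirai's scanner hand-builds its SYN probes and uses the destination
    IPv4 address as the TCP sequence number (scanner.c in the leaked source).
    A SYN to 23/2323 whose seq equals the numeric dst is therefore a strong
    fingerprint of a bot scanning for new victims."""
    return pkt.dport in TELNET_PORTS and pkt.seq == ip_to_int(pkt.dst)


def mirai_scanners(packets) -> set:
    """Source addresses that sent at least one Mirai-fingerprinted SYN."""
    return {p.src for p in packets if is_mirai_scan_syn(p)}


# Assumed honeypot log line: <ts> <src>:<listen_port> login user="u" pass="p" result=ok|fail
LOGIN_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) login '
    r'user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)" result=(?P<result>ok|fail)$'
)


def parse_login_line(line: str):
    """Returns (src, port, user, password, succeeded), or None if the line does not match."""
    m = LOGIN_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], int(m["port"]), m["user"], m["pw"], m["result"] == "ok")


def spray_sources(lines, min_pairs: int = 3) -> dict:
    """Sources that cycled through at least `min_pairs` distinct Mirai default
    pairs against telnet (the 'up to 60 pairs' behaviour, seen from the victim
    side). Returns {src: number of distinct default pairs tried}."""
    tried = defaultdict(set)
    for line in lines:
        rec = parse_login_line(line)
        if rec is None:
            continue
        src, port, user, pw, _ok = rec
        if port in TELNET_PORTS and (user, pw) in MIRAI_DEFAULT_CREDS:
            tried[src].add((user, pw))
    return {src: len(pairs) for src, pairs in tried.items() if len(pairs) >= min_pairs}


def successful_defaults(lines) -> list:
    """(src, user, password) for logins that succeeded with a Mirai default
    pair: exactly what a bot reports back to the CnC, so the device that
    accepted the login should be treated as compromised."""
    hits = []
    for line in lines:
        rec = parse_login_line(line)
        if rec and rec[4] and (rec[2], rec[3]) in MIRAI_DEFAULT_CREDS:
            hits.append((rec[0], rec[2], rec[3]))
    return hits


# Constructed sample data (RFC 5737 documentation addresses, not real traffic).
SAMPLE_SYNS = [
    # a Mirai bot at 203.0.113.5 probing three random targets on 23 and 2323
    Syn("203.0.113.5", "198.51.100.7", 23, ip_to_int("198.51.100.7")),
    Syn("203.0.113.5", "198.51.100.42", 2323, ip_to_int("198.51.100.42")),
    Syn("203.0.113.5", "192.0.2.200", 23, ip_to_int("192.0.2.200")),
    # an ordinary telnet client with a kernel-chosen (random) initial sequence number
    Syn("192.0.2.10", "198.51.100.7", 23, 0x1A2B3C4D),
    # seq happens to equal dst, but it is an HTTP SYN, not a telnet probe
    Syn("192.0.2.11", "198.51.100.9", 80, ip_to_int("198.51.100.9")),
]
SAMPLE_TELNET_LOG = """\
2016-10-21T11:02:13Z 203.0.113.5:23 login user="root" pass="xc3511" result=fail
2016-10-21T11:02:14Z 203.0.113.5:23 login user="root" pass="vizxv" result=fail
2016-10-21T11:02:15Z 203.0.113.5:23 login user="admin" pass="admin" result=fail
2016-10-21T11:02:16Z 203.0.113.5:23 login user="root" pass="888888" result=ok
2016-10-21T11:03:01Z 198.51.100.200:2323 login user="root" pass="default" result=fail
2016-10-21T11:03:02Z 198.51.100.200:2323 login user="root" pass="juantech" result=fail
2016-10-21T11:05:40Z 192.0.2.10:23 login user="operator" pass="S3cure!pass" result=ok
"""

if __name__ == "__main__":
    print("Mirai scanners by SYN fingerprint:", mirai_scanners(SAMPLE_SYNS))
    print("Default-credential sprayers:", spray_sources(SAMPLE_TELNET_LOG.splitlines()))
    print("Successful default logins:", successful_defaults(SAMPLE_TELNET_LOG.splitlines()))
```

The SYN fingerprint is the cheaper of the two checks because it needs no login data at all, only flow records with sequence numbers; the credential check catches scanners that hit a real telnet service rather than a honeypot, and its "successful default login" output is the list of devices that now need their credentials changed, not merely rebooted.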
The attack vectors are highly configurable from the CnC, but by default Mirai randomizes the various fields in the attack packets (port numbers, sequence numbers, IP identification, etc.) so that they change with every packet sent.
Mirai is still mutating. Though its original creators have been caught, the source code lives on and has given birth to variants such as Okiru, Satori, Masuta and PureMasuta. PureMasuta, for example, weaponizes the HNAP bug in D-Link devices. The OMG strain, on the other hand, turns IoT devices into proxies that allow cybercriminals to remain anonymous.