Date: 18th June 2019
In September 2016, the French cloud computing company OVH suffered a distributed denial of service (DDoS) attack with a total capacity of up to 1.5 terabits per second, and one month later another DDoS attack affected the majority of the US East Coast and left much of the internet inaccessible to its users. Domain Name System (DNS) provider Dyn was targeted by the Mirai botnet, and the attack was carried out through a large number of DNS lookup requests from tens of millions of IP addresses. This made the websites and services of many international companies, such as Amazon, Netflix and Spotify, unavailable. After the attack, the source code for Mirai was released into the wild, which enabled many hackers to copy and further develop the code and has resulted in new variants. Because of the number of new variations, tracing those responsible became much more difficult.
In March 2019, the security community discovered a new Mirai variant that is primarily aimed at Internet of Things (IoT) devices within companies. This can increase the attack power, as cybercriminals gain access to the greater bandwidth available on corporate networks. The latest sample contains a total of 27 exploits, some of which are new to Mirai, and these additional features give the program an even larger attack surface.
The availability of the Mirai source code allows authors to create their own versions: Mirai is now used as a framework, and botnet authors can quickly add new exploits and functionality. Within two months of the source code's release, the number of bot instances more than doubled, from 213,000 to 493,000. Since 2016, new variants of the botnet have emerged in the wild, including Satori, JenX, OMG, Masuta, Wicked and Yowai.
Recent reports show a rise in DDoS-related attacks. During Q1 of 2019, Link11 (a cloud security platform) registered 11,177 DDoS attacks on European targets. DDoS attacks achieved volumes of over 100 Gbps, with the peak DDoS attack bandwidth reaching 224 Gbps. The mean bandwidth was 3.8 Gbps, an increase of more than 70% compared with the 2.2 Gbps recorded during the same period of the previous year.
IoT botnets continue to expand their attack surface, either by incorporating multiple exploits to target a plethora of IoT devices, by adding to the list of default credentials they brute-force, or both. The new Mirai variant continues the efforts of Linux malware authors to scout a wider range of targets, so that they can add a large number of IoT devices to form larger botnets and so gain greater firepower for DDoS attacks.
Tactics, Techniques and Procedures
2016 was not the first time an IoT botnet hit the market. There have been Mirai-like predecessors since 2014, such as Bashlite, Gafgyt, QBot, Remaiten and Torlus. The code of Mirai was created from the improved code of its forerunners and was compiled by several developers. In 2014 it was finalised by a group of hackers who, using the Mirai botnet, were able to slow down video game servers such as Minecraft servers and even take them off the internet, costing their operators a lot of money.
Mirai scans the internet for IoT devices that run on the ARC processor, which runs a stripped-down version of the Linux operating system. If the default username and password have not been changed, Mirai is able to log into the device and infect it. Although the original creators have been caught, their source code remains in the wild, and new variants such as Okiru, Satori and Masuta, to name a few, have evolved from Mirai. One variant, OMG, transforms IoT devices into proxies, which allows cyber criminals to remain anonymous.
The Mirai botnet comprises four major components. The bot component (1) is the malware that infects devices; its twofold aim is to propagate the infection to misconfigured devices and then to attack a target server as soon as it receives the corresponding command from the person controlling the bot (the botmaster). The command & control (C&C) server (2) provides the botmaster with a centralised management interface, used to check the botnet's condition and orchestrate new DDoS attacks. Communication with the other parts of the infrastructure takes place over the anonymous Tor network. A loader (3) facilitates the dissemination of executables targeting different platforms by communicating with new victims. Finally, a report server (4) maintains the database that details all devices in the botnet.
Phase One: Reconnaissance
Mirai first scans random public IP addresses on TCP ports 23 and 2323, sending asynchronous, stateless TCP SYN probes to pseudorandom IPv4 addresses while excluding those on a hard-coded IP blacklist, which helps it avoid detection. The scan looks for devices that run Telnet or SSH and attempts to log in using a hardcoded dictionary of IoT credentials. It uses this technique to verify whether a response was obtained and, upon verification, the botnet attempts to take control of the device.
Phase Two: Brute Force
After reconnaissance, the bot initiates a brute-force attack to discover the default credentials of weakly configured IoT devices. It attempts to establish a Telnet connection using username and password pairs selected randomly from a pre-configured list of 62 credentials. The bot forwards various characteristics of the device to the report server through a different port. After authentication, the host reports its IP address, port and authentication credentials back to the C&C server.
Phase Three: Command & Control
Using the C&C server, the botmaster checks for new victims to target, as well as the botnet's current status, by communicating with the report server, usually through Tor. After deciding which devices to infect, the botmaster issues an "infect" command to the loader; this contains all the necessary details, including the IP address and hardware architecture. The loader then logs into the target device and instructs it to download and execute the corresponding binary version of the malware.
Phase Four: Execution
When the malware executes, it attempts to protect itself from other malware; this involves shutting down points of intrusion such as the Telnet and Secure Shell (SSH) services. To retrieve attack commands, the newly recruited bot instance communicates with the C&C server by resolving a domain name hardcoded in the executable, rather than using a static IP address. This lets the botmaster change the IP address over time without modifying the binary and without extra communication. From here, the botmaster instructs all bot instances to commence an attack against a target by issuing a command through the C&C server. The bots then start attacking the target using different attack variations, such as TCP and HTTP flooding and Generic Routing Encapsulation (GRE) flooding.
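The scanning behaviour described in Phase One gives defenders a behavioural signal: an infected device fans out SYN-only probes to TCP/23 and TCP/2323 across many distinct public addresses. The following is an added example (not part of the original advisory) that flags such hosts in a constructed, simplified connection log; the log format and thresholds are assumptions to adapt to your own sensor.

```python
"""Flag internal hosts that show Mirai-style Telnet/2323 scanning."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

TELNET_PORTS = {23, 2323}
# Mirai probes public address space, so Telnet to local gear is not counted.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample log: "<ts> <src> <dst> <dst_port> <tcp_flags>".
# 10.0.0.5 fans out to many external hosts (bot-like);
# 10.0.0.9 makes one legitimate Telnet session to a local switch.
SAMPLE_LOG = """\
2019-06-18T10:00:01Z 10.0.0.5 198.51.100.7 23 S
2019-06-18T10:00:01Z 10.0.0.5 203.0.113.42 2323 S
2019-06-18T10:00:01Z 10.0.0.5 192.0.2.99 23 S
2019-06-18T10:00:02Z 10.0.0.5 198.51.100.130 23 S
2019-06-18T10:00:02Z 10.0.0.5 203.0.113.200 23 S
2019-06-18T10:00:02Z 10.0.0.5 192.0.2.17 2323 S
2019-06-18T10:00:03Z 10.0.0.9 10.0.0.254 23 S
2019-06-18T10:00:03Z 10.0.0.9 10.0.0.254 23 A
2019-06-18T10:00:04Z 10.0.0.5 10.0.1.20 443 S
"""


def parse_line(line):
    """Return (src, dst, port, flags) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, port, flags = parts
    try:
        return ip_address(src), ip_address(dst), int(port), flags
    except ValueError:
        return None


def find_telnet_scanners(log_text, min_targets=5):
    """Return {src: set(dst)} for sources whose SYN-only probes to TCP/23 or
    TCP/2323 reached at least `min_targets` distinct non-internal hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, flags = rec
        if port not in TELNET_PORTS or flags != "S":
            continue
        if any(dst in net for net in INTERNAL_NETS):
            continue
        targets[str(src)].add(str(dst))
    return {s: d for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"possible Mirai scanner: {src} probed {len(dsts)} hosts on 23/2323")
```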
Echobot
Echobot evolved from Mirai: it is based on the same source code and targets flaws in enterprise tools. On top of the vulnerabilities that Mirai exploits, Echobot is expanding its exploit arsenal in order to cast a wider net than its predecessors, potentially infecting systems found within businesses. Mirai preyed upon default credentials in consumer IoT devices, but Echobot and similar variants are creeping into the enterprise space. Echobot is also looking further back in time to find long-forgotten security flaws that can be exploited. Researchers have discovered more than 20 different exploits in Echobot, all of which are used as infection vectors. On top of Mirai's source code, Echobot adds extra modules, and it now uses vulnerabilities in enterprise web and networking software to infect systems and propagate.
Indicators of Compromise
- 185[.]25[.]51[.]115 – This IP has two detections in 2019 (Virus Total) and has been used as a C&C server in the past
- 93[.]158[.]216[.]170 – This IP has had one detection in 2019 (Virus Total), has been blacklisted once (IP Void) and has been used in the past to host a C&C server
- 46[.]166[.]185[.]34 – This IP is associated with malicious activity, has had many detections in 2019 (Virus Total) and has been used as a C&C server in the past
- 45[.]119[.]127[.]190 – This IP is associated with malicious activity, has many detections in 2019 (Virus Total) and has been used to host a C&C server in the past
| URL / domain | Notes |
|---|---|
| http[:]//cnc[.]disabled[.]racing/ | Four detections (Virus Total); Zscaler classes it as malicious |
| Fucklua[.]fbisupport[.]com | Three detections (Virus Total); Zscaler classes it as malicious |
| Im[.]lateto[.]work | Four detections (Virus Total); Zscaler classes it as malicious |
| Imscaredaf[.]xyz | Four detections (Virus Total); Zscaler classes it as malicious |
| Network[.]santasbigcandycane[.]cx | Three detections (Virus Total); Zscaler classes it as malicious |
| Netwxrk[.]org | Four detections (Virus Total); Zscaler classes it as malicious |
| New[.]swinginwithme[.]ru | Three detections (Virus Total); Zscaler classes it as malicious |
| Report[.]laatmaarzittenjoh[.]cf | Three detections (Virus Total); Zscaler classes it as malicious |
| Report[.]santasbigcandycane[.]cx | Four detections (Virus Total); Zscaler classes it as malicious |
| Report[.]xf0[.]pw | Four detections (Virus Total); Zscaler classes it as malicious |
| Youre[.]lateto[.]work | Three detections (Virus Total); Zscaler classes it as malicious |
| http[:]//cmdmirai[.]tk/ | One detection (Virus Total); Zscaler classes it as malicious |
| http[:]//cnc[.]mirai[.]com/ | One detection (Virus Total); Zscaler classes it as malicious |
| http[:]//iotmirai[.]tk/ | One detection (Virus Total); Zscaler classes it as malicious |
| http[:]//miraibotnet[.]ml/ | Three detections, and it has been associated with malicious shell scripts (Virus Total); Zscaler classes it as malicious |
| http[:]//miraibotnet[.]online/ | Four detections (Virus Total); Zscaler classes it as malicious |
| http[:]//miraihoneypot[.]tk/ | Two detections (Virus Total); Zscaler classes it as malicious |
| Mirainet[.]ml | Several detections relating to file downloads (Virus Total); Zscaler classes it as malicious |
| Mirainet[.]tk | Several detections relating to file downloads (Virus Total); Zscaler classes it as malicious |
Exploits incorporated by Echobot:

| # | CVE | Description |
|---|---|---|
| 1 | CVE-2009-0545 | 'cgi-bin/kerbynet' in ZeroShell allows remote attackers to execute arbitrary commands via shell metacharacters |
| 2 | CVE-2009-5156 | ASMAX AR-804gu 66.34.1 devices: command injection via the cgi-bin/script query string |
| 3 | CVE-2009-5157 | On Linksys WAG54G2 1.00.10 devices, there is authenticated command injection via shell metacharacters |
| 4 | CVE-2009-2765 | httpd.c in httpd in the management GUI in DD-WRT 24 sp1 allows remote attackers to execute arbitrary commands via shell metacharacters |
| 5 | CVE-2010-5330 | Ubiquiti Nanostation5 (AirOS): command injection via a GET request to stainfo.cgi |
| 6 | CVE-2013-7471 | D-Link UPnP SOAP command injection via shell metacharacters in the NewInternalClient, NewExternalPort or NewInternalPort element of a SOAP POST request |
| 7 | CVE-2013-5758 | Yealink VoIP phone SIP-T38G remote command execution |
| 8 | CVE-2014-8361 | The SOAP service in the Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request |
| 9 | CVE-2016-6255 | Portable UPnP SDK before 1.6.21 allows remote attackers to write to arbitrary files in the webroot via a POST request without a registered handler |
| 10 | CVE-2016-10760 | On Seowon Intech routers, there is a command injection vulnerability in diagnostic.cgi via shell metacharacters in the ping_ipaddr parameter |
| 11 | CVE-2017-18377 | Wireless IP Camera (P2P) WIFICAM cameras: command injection in the set_ftp.cgi script via shell metacharacters in the pwd variable |
| 12 | CVE-2017-5173 | An improper neutralization of special elements (in an OS command) issue was discovered in the Geutebruck IP Camera G-Cam/EFD-2250 Version 126.96.36.199. If special elements are not properly neutralized, an attacker can call multiple parameters that allow access to the root-level operating system, which could allow remote code execution |
| 13 | CVE-2017-14135 | opendreambox 2.0.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters |
| 14 | CVE-2017-18377 | Wireless IP Camera (P2P) WIFICAM cameras: command injection in the set_ftp.cgi script via shell metacharacters |
| 15 | CVE-2018-20841 | HooToo TripMate Titan HT-TM05 and HT-05 routers allow remote command execution via shell metacharacters |
| 16 | CVE-2018-6961 | VMware NSX SD-WAN Edge contains a command injection vulnerability in the local web UI component; successful exploitation could result in remote code execution |
| 17 | CVE-2018-11510 | The ASUSTOR NAS portal suffers from an unauthenticated remote code execution vulnerability |
| 18 | CVE-2018-15887 | The ASUS Wireless-N300 ADSL Modem Router is prone to authenticated remote command execution, which allows a remote attacker to execute arbitrary OS commands via service parameters, such as shell metacharacters |
| 19 | CVE-2018-7841 | A SQL injection vulnerability exists in U.motion Builder that could lead to remote code execution when an improper set of characters is entered |
| 20 | CVE-2018-11138 | The Quest KACE System Management Appliance is accessible by anonymous users and can be abused to execute arbitrary commands on the system |
| 21 | CVE-2018-14933 | NUUO NVRmini devices allow remote command execution via shell metacharacters |
| 22 | CVE-2018-17173 | LG SuperSign CMS allows remote attackers to execute arbitrary code |
| 23 | CVE-2019-3929 | Crestron AM-100 and AM-101, Blackbox HD and Barco WePresent WiPG-1000P are vulnerable to command injection; a remote, unauthenticated attacker can use this vulnerability to execute operating system commands as root |
| 24 | CVE-2019-2725 | Easily exploitable vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server; successful attacks can result in takeover of Oracle WebLogic Server |
| 25 | CVE-2019-12780 | The Belkin Wemo Enabled Crock-Pot allows command injection in the Wemo UPnP API via the SmartDevURL argument to the SetSmartDevInfo action; a simple POST request can allow an attacker to execute commands without authentication |
Mirai and Echobot Hashes (SHA-256)
This section refers to known IoCs that were detected and used in the past, either to distribute malicious content or to host C&C servers. They have since become inactive or been classed as 'benign'.
| IP | Notes |
|---|---|
| 192[.]227[.]222[.]73 | This IP now has zero detections (Virus Total), but it has been used in the past to host a C&C server |
| 118[.]89[.]41[.]125 | This IP has zero detections (Virus Total) and has not been blacklisted, but it has been used to host a C&C server in the past |
| 54[.]187[.]144[.]227 | This IP had detections in the past, mainly relating to downloading files (Virus Total); it has had no detections in 2019 but has been blacklisted once (IP Void), and it was used in the past as a C&C server |
| 46[.]183[.]223[.]229 | This IP was last detected towards the end of 2018 (Virus Total), with no detections in 2019, but it was used as a C&C server in the past |
| 35[.]162[.]249[.]35 | This IP has zero detections (Virus Total), has been blacklisted once (IP Void) and was used as a C&C server in the past |
| 188[.]166[.]65[.]12 | This IP has been blacklisted (IP Void) by at least one vendor but has zero detections (Virus Total); it has been used in the past to host a C&C server |
| 208[.]146[.]44[.]1 | This IP was last detected in 2018, with no detections in 2019 (Virus Total); it was used in the past as a C&C server |

| URL / domain | Notes |
|---|---|
| http[:]//dongs[.]disabled[.]racing/ | One detection (Virus Total); Zscaler classes it as benign |
| http[:]//gay[.]disabled[.]racing/ | Two detections (Virus Total); Zscaler classes it as benign |
| Kankerc[.]queryhost[.]xyz | Two detections (Virus Total); Zscaler classes it as benign |
| Lol[.]disabled[.]racing | Two detections (Virus Total); Zscaler classes it as benign |
| Penis[.]disabled[.]racing | Two detections (Virus Total); Zscaler classes it as benign |
| Report[.]disabled[.]racing | Three detections (Virus Total); Zscaler classes it as benign |
| Report[.]queryhost[.]xyz | Two detections (Virus Total); Zscaler classes it as benign |
The nature of bots and botnets requires specific awareness and attention from businesses and security professionals. The Echobot variant of Mirai targets network-attached storage devices, routers, IP cameras, IP phones, network video recorders and wireless presentation systems, and then looks to propagate through the enterprise network. The following advice will help in defending against bots and botnets.
- Use intrusion detection system (IDS) or intrusion prevention system (IPS) monitoring. An IDS or IPS running on the internal network can identify suspicious activity and act to halt it.
- Block unsolicited inbound traffic at the perimeter firewall. If a system inside the network is compromised, blocking the traffic at the perimeter firewall means malicious actors cannot communicate with the botnet.
- Block outbound traffic on port 25. Only known email servers on the network should be allowed to send SMTP email traffic. Blocking outbound SMTP traffic from unknown sources can help stop the spread of malware threats, and it also prevents devices on the internal network from being used as spam distribution points.
- Run up-to-date antivirus software. Known bot threats can be detected and removed by antivirus products; performing scans on a regular basis with up-to-date software can locate and remove most bot infections.
- Implement filters at the email gateway. Filter out emails with known malspam indicators and block suspicious IP addresses at the firewall.
- Educate and train employees on social engineering and phishing (i.e. don't open suspicious emails or click on the links provided in such emails).
- If there is not a policy regarding suspicious emails, consider creating one and specify that all suspicious emails should be reported to the security and/or IT departments.
- Improve security policies and procedures for all devices, especially IoT devices as this is the main attack vector.
- Keep computer systems patched. Echobot has an army of vulnerabilities that it can exploit in order to propagate and compromise vulnerable systems. Patched systems provide fewer opportunities for infection.
- Be aware of old vulnerabilities. Echobot targets systems that may have remained in service but whose vulnerabilities are now forgotten.
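The IoC tables above are published defanged ("185[.]25[.]51[.]115", "http[:]//..."), so before they can drive the firewall blocking and IDS monitoring recommended here they have to be refanged and normalised. The following added example (not part of the original advisory) does that for a subset of the indicators on this page and matches them against constructed DNS/proxy log lines in an assumed "timestamp client name" format.

```python
"""Refang published indicators and match them against DNS/proxy log lines."""
import re
from urllib.parse import urlsplit

# A subset of this page's indicators, copied exactly as published (defanged).
DEFANGED_WATCHLIST = [
    "185[.]25[.]51[.]115",
    "http[:]//cnc[.]disabled[.]racing/",
    "Report[.]santasbigcandycane[.]cx",
    "http[:]//miraibotnet[.]online/",
]


def refang(indicator):
    """Undo common defanging: [.] -> ., [:] -> :, hxxp -> http."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def indicator_key(indicator):
    """Normalise an indicator to a lowercase host or IP: URLs are reduced
    to their hostname, and trailing dots or slashes are dropped."""
    s = refang(indicator).strip().lower()
    if "://" in s:
        s = urlsplit(s).hostname or s
    return s.rstrip("./")


WATCHLIST = {indicator_key(i) for i in DEFANGED_WATCHLIST}

# Constructed sample log: "<ts> <client> <queried name or contacted host>".
SAMPLE_LOG = """\
2019-06-18T09:12:03Z 10.0.0.5 cnc.disabled.racing
2019-06-18T09:12:04Z 10.0.0.5 185.25.51.115
2019-06-18T09:12:05Z 10.0.0.9 www.example.com
2019-06-18T09:12:06Z 10.0.0.7 report.santasbigcandycane.cx.
2019-06-18T09:12:07Z 10.0.0.7 miraibotnet.online
"""


def find_ioc_hits(log_text, watchlist=WATCHLIST):
    """Return [(client, indicator)] for each log line whose name matches a
    watchlist entry exactly or is a subdomain of a listed domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, name = parts
        name = name.lower().rstrip(".")  # DNS logs may carry a trailing dot
        for ioc in watchlist:
            if name == ioc or name.endswith("." + ioc):
                hits.append((client, ioc))
    return hits


if __name__ == "__main__":
    for client, ioc in find_ioc_hits(SAMPLE_LOG):
        print(f"{client} contacted known indicator {ioc}")
```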