Who Makes the IoT Things Under Attack ? — Krebs on Security

What cameras, IoT and DVR devices are taking part of Mirai ?

https://krebsonsecurity.com/wp-content/uploads/2016/10/iotbadpass-pdf.png

from Krebs:

▻https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack

▻http://www.forbes.com/sites/thomasbrewster/2016/10/07/chinese-firm-xm-blamed-for-epic-ddos-attacks/#5b59fcd33bf5

But one researcher, Flashpoint’s Zachary Wikholm, today claimed to have found a single Chinese firm, Hangzhou XiongMai Technologies (XM), that shipped flawed code allowing the perpetrators to potentially amass nearly half a million bots for their malicious network.

Interesting article by F5 which goes in a bit more detail about the two types of GRE flood attacks (Ethernet and IP based)

▻https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21

They also make a reference to the origin of the Mirai name:

It seems that the bot creator named his creation after a Japanese series “Mirai Nikki (The Future Diary)” and uses the nickname of “Anna-senpai” referring to the “Shimoneta” series.

▻https://f5.com/Portals/1/Images/News/blogs/mirai-inspiration.JPG

Default password for most popular devices.
www.phenoelit.org/dpl/dpl.html

admin 123456
admin password
Cisco Cisco
login password
root password
…
Le plus drole :
Administrator changeme

Here are the 61 passwords that powered the Mirai IoT botnet
▻http://www.csoonline.com/article/3126924/security/here-are-the-61-passwords-that-powered-the-mirai-iot-botnet.html

http://images.techhive.com/images/article/2016/10/mirai_botnet_passwords-100685646-orig.jpg

Some more information on its spread, operations, and code, by Incapsulate.

▻https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

One of the most interesting things revealed by the code was a hardcoded list of IPs Mirai bots are programmed to avoid when performing their IP scans.

This list is interesting, as it offers a glimpse into the psyche of the code’s authors. On the one hand, it exposes concerns of drawing attention to their activities. A concern we find ironic, considering that this malware was eventually used in one of the most high-profile attacks to date.

US CERT Threat Alert : Heightened DDoS Threat Posed by Mirai and Other Botnets
▻https://www.us-cert.gov/ncas/alerts/TA16-288A

▻http://www.defaultpassword.com/?action=dpl

▻http://www.securityweek.com/whats-fix-iot-ddos-attacks

HTTP GET floods were already pernicious. For years, attackers have been able to disable web sites by sending a flood of HTTP requests for large objects or slow database queries. Typically, these requests flow right through a standard firewall because hey, they look just like normal HTTP requests to most devices with hardware packet processing. The Mirai attack code takes it a step further by fingerprinting cloud-based DDoS scrubbers and then working around some of their HTTP DDoS mitigation techniques (such as redirection).

Mirai botnet leverages #STOMP Protocol to power DDoS attacks.

▻http://securityaffairs.co/wordpress/53544/malware/mirai-botnet-stomp.html

STOMP is a simple application layer, text-based protocol [an alternative to other open messaging protocols, such as AMQP (Advanced Message Queuing Protocol] that allows clients communicate with other message brokers. It implements a communication method among for applications developed using different programming languages.

[...]

Below the steps of the DDoS STOMP attack:

• A botnet device uses STOMP to open an authenticated TCP handshake with a targeted application.
• Once authenticated, junk data disguised as a STOMP TCP request is sent to the target.
• The flood of fake STOMP requests leads to network saturation.
• If the target is programmed to parse STOMP requests, the attack may also exhaust server resources. Even if the system drops the junk packets, resources are still used to determine if the message is corrupted.

How Mirai Uses STOMP Protocol to Launch DDoS Attacks

▻https://www.incapsula.com/blog/mirai-stomp-protocol-ddos.html

Mirai botnet with 400.000 devices now for rent

▻http://www.ibtimes.co.uk/ddos-hire-service-now-advertising-renting-out-400000-bot-strong-mirai-bot

A DDoS-for-hire service, run by two hackers going by the pseudonyms Popopret and BestBuy, is now reportedly advertising a Mirai botnet up for rent. The Mirai botnet allegedly comprises of over 400,000 infected bots and may have been sired from the original Mirai source code.

[...]

renting the botnet does not come cheap. Customers desiring to rent the botnet must do so for a minimum of two weeks. However, clients can determine the amount of bots, the attack duration and the DDoS cool down (a term which refers to the length of time between consecutive attacks).

[...]

Popapret and BestBuy’s Mirai botnet is a more evolved version of the original botnet. The two hackers have added new features, such as brute-force attacks via SSH and support for exploiting zero-day vulnerabilities. According to two security researchers, going by handle 2sec4u and MalwareTech on Twitter, some of the newly created Mirai botnets can now carry out DDoS attacks by spoofing IP addresses and may also be capable of bypassing DDoS mitigation systems.

Source:
▻http://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots

Understanding the Mirai Botnet

▻https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf

In this paper, we provide a seven-month retrospective analysis
of Mirai’s growth to a peak of 600k infections and a history of its DDoS victims. By combining a variety of measurement perspectives, we analyse how the botnet emerged, what classes of devices were affected, and how Mirai variants evolved and competed for vulnerable hosts. Our measurements serve as a lens into the fragile ecosystem of IoT devices. We argue that Mirai may represent a sea change in the evolutionary development of bonnets—the simplicity through which devices were infected and its precipitous growth, demonstrate that novice malicious techniques can compromise enough low-end
devices to threaten even some of the best-defended targets.
To address this risk, we recommend technical and nontechnical
interventions, as well as propose future research directions.

#DDoS