Tracking Mirai variants

Friday 5 October 09:30 - 10:00, Red room

Ya Liu (Qihoo)
Hui Wang (Qihoo)



Mirai, the infamous DDoS botnet family known for its great destructive power, was made open source soon after being found by MalwareMustDie in August 2016. This made it easy for other threat actors to craft new DDoS malware, which we call Mirai variants. Our data shows that such crafting work has not stopped since September 2016. Some variants, such as Mirai.Satori, were even equipped with more effective distribution methods and returned Mirai to the centre of public attention for being able to turn hundreds of thousands of IoT devices into zombies in a very short time. In the post-Mirai era, fighting new threats posed by Mirai and its variants will be routine work for the security community. Keeping a close watch on variant development would help us respond more effectively.

We began tracking Mirai and its variant botnets soon after it was found, and as of March 2018 we have collected over 16,000 Mirai samples. Detailed studies have been carried out on the collected samples in terms of configurations, C&C communication, attack methods, scanning and its username/password dictionaries. Attempts to automatically detect and classify variants have also been made, with dozens of variants found. We think the analysis we have done would help to better fight future Mirai threats and uncover the actors behind it.

Some preliminary findings include:

  • How many Mirai variants exist.
  • Whether the C&C communication changed among variants.
  • Which attack methods were retained by the various variants, and what new methods were added.
  • How the variants update the scanning module by targeting non-Telnet ports and adding new usernames/passwords to the dictionary used for brute-force attacks.
  • Whether the configuration encryption algorithm was changed and what keys were used.
  • How the configuration varied among variants in terms of size and contents.
  • Whether it's possible to correlate a fresh Mirai sample to its variant family in an automatic way.
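As an added illustration of the configuration-encryption and variant-correlation questions above (example code written for this page, not the authors' tooling): the original Mirai source obfuscates its configuration table by XORing each byte with the four bytes of the key 0xdeadbeef in turn, which collapses to a single-byte XOR; a variant that only swapped the key can therefore be identified by brute-forcing that one byte against a string every Mirai-derived configuration is expected to contain. The sample table and the variant key 0x12345678 are constructed for the example.

```python
# Added example, not code from the VB2018 paper or from Qihoo 360.
# Assumption: Mirai's table.c uses key 0xdeadbeef and XORs each table byte
# with the key's four bytes in sequence, so any 32-bit key acts as one byte.

MIRAI_TABLE_KEY = 0xDEADBEEF


def key_bytes(key: int) -> list:
    """Split a 32-bit table key into the four bytes toggle_obf() applies."""
    return [(key >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def toggle_obf(data: bytes, key: int = MIRAI_TABLE_KEY) -> bytes:
    """Mirai-style toggle: XOR every byte with k1, k2, k3, k4 in sequence.
    The same call both obfuscates and deobfuscates."""
    k1, k2, k3, k4 = key_bytes(key)
    return bytes(b ^ k1 ^ k2 ^ k3 ^ k4 for b in data)


def effective_xor_byte(key: int) -> int:
    """The four successive XORs collapse into a single byte (0x22 for 0xdeadbeef)."""
    k1, k2, k3, k4 = key_bytes(key)
    return k1 ^ k2 ^ k3 ^ k4


def recover_key_byte(blob: bytes, known_plaintext: bytes):
    """Brute-force the effective XOR byte of an unknown variant by looking for a
    string the configuration is expected to contain (e.g. a busybox path).
    Returns the byte, or None if no candidate reveals the plaintext."""
    for candidate in range(256):
        if known_plaintext in bytes(b ^ candidate for b in blob):
            return candidate
    return None


# Constructed sample: a "variant" table obfuscated with a non-default key.
VARIANT_KEY = 0x12345678
SAMPLE_CONFIG = toggle_obf(b"/bin/busybox\x00cnc.example.invalid\x00", VARIANT_KEY)

if __name__ == "__main__":
    xb = recover_key_byte(SAMPLE_CONFIG, b"/bin/busybox")
    if xb is None:
        print("no single-byte XOR key reveals the known plaintext")
    else:
        print(f"effective XOR byte: {xb:#04x}")  # prints 0x08 for the sample
        print(bytes(b ^ xb for b in SAMPLE_CONFIG))
```

A variant that replaced the XOR scheme altogether (rather than just the key) will return None here, which is itself a useful signal when sorting fresh samples into families.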


Ya Liu

Ya Liu has over eight years of network security experience in honeypot development, malware and botnet analysis. Currently he works at netlab.360.com as a threat analyser on botnet detection and tracking. Before joining Qihoo 360 he worked at NSFOCUS on honeypot development and malware analysis.

@liuya0904


Hui Wang

Hui Wang is a software engineer with a passion for honeypot development. He has a wealth of experience in web development and data analysis. Now he works at netlab.360.com on large-scale honeypot deployment and related threat mining.

@huiwangeth

