
Understanding the Mirai Botnet

Manos Antonakakis (Georgia Institute of Technology), Tim April (Akamai Technologies), Michael Bailey (University of Illinois Urbana-Champaign), Matthew Bernhard (University of Michigan), Elie Bursztein (Google), Jaime Cochran (Cloudflare), Zakir Durumeric (University of Michigan), J. Alex Halderman (University of Michigan), Luca Invernizzi (Google), Michalis Kallitsis (Merit Network), Deepak Kumar (University of Illinois Urbana-Champaign), Chaz Lever (Georgia Institute of Technology), Zane Ma (University of Illinois Urbana-Champaign), Joshua Mason (University of Illinois Urbana-Champaign), Damian Menscher (Google), Chad Seaman (Akamai Technologies), Nick Sullivan (Cloudflare), Kurt Thomas (Google), Yi Zhou (University of Illinois Urbana-Champaign)

Affiliations: Akamai Technologies, Cloudflare, Georgia Institute of Technology, Google, Merit Network, University of Illinois Urbana-Champaign, University of Michigan

1 Understanding the Mirai Botnet ▪︎ Zane Ma


Mirai



Growing IoT Threat

2016: 6 - 9 Billion
2020: ~30 Billion



Research Goals
Snapshot the IoT botnet phenomenon

Reconcile a broad spectrum of botnet data perspectives

Understand Mirai’s mechanisms and motives



Lifecycle
[Diagram: the Mirai lifecycle. Bots scan for victim devices and report them to a report server; the report server relays the victims to a loader, which loads the malware onto the devices, turning them into new bots. Separately, the attacker sends a command to the command & control server, which dispatches it to the bots, and the bots attack the DDoS target. The report server, loader and command & control server make up the infrastructure.]



Measurement
[Diagram: the lifecycle diagram again, with each data source placed at the stage it observes.]

Data Source          Size
Network Telescope    4.7M unused IPs
Active Scanning      136 IPv4 scans
Telnet Honeypots     434 binaries
Malware Repository   594 binaries
Active/Passive DNS   499M daily RRs
C2 Milkers           64K issued attacks
Krebs DDoS Attack    170K attacker IPs
Dyn DDoS Attack      108K attacker IPs

Collection period: July 2016 - February 2017



What is the Mirai botnet?



Population
[Figure: Total Mirai Scans. y-axis: # network telescope scans, 0 to 700,000; x-axis: Date, 08/01/16 to 02/01/17.]



Rapid Emergence
[Figure: Mirai TCP/23 scans vs. Non-Mirai TCP/23 scans over the first days of activity in August 2016. y-axis: # network telescope scans, 0 to 140,000; x-axis: Date, ticked at 06:00, 12:00, 18:00 and 00:00. Annotations: 1:42 AM, single scanner; 3:59 AM, botnet expands; 23:59 PM, 64,500 scanners. Inset: Total Mirai Scans, 0 to 700,000, 08/01/16 to 02/01/17.]



Many Ports of Entry
[Figure: Total Mirai Scans broken down by port: TCP/23 and TCP/2323 ("IoT Telnet"). y-axis: # network telescope scans, 0 to 700,000; x-axis: Date, 08/01/16 to 02/01/17.]



Many Ports of Entry
[Figure: Total Mirai Scans with TCP/7547 (CWMP) highlighted: 600K peak. y-axis: # network telescope scans, 0 to 700,000; x-axis: Date, 08/01/16 to 02/01/17.]



Many Ports of Entry
[Figure: Total Mirai Scans with TCP/7547 (CWMP) highlighted: ~1 month after the peak = 6.7K. y-axis: # network telescope scans, 0 to 700,000; x-axis: Date, 08/01/16 to 02/01/17.]



Many Ports of Entry
[Figure: Total Mirai Scans with 9 additional protocols highlighted: TCP/443, TCP/23231, TCP/5555, TCP/22, TCP/6789, TCP/2222, TCP/8080, TCP/37777, TCP/80. y-axis: # network telescope scans, 0 to 700,000; x-axis: Date, 08/01/16 to 02/01/17.]
9 Additional Protocols



200K-300K Mirai Bots
[Figure: Total Mirai Scans by port (TCP/6789, TCP/23231, TCP/8080, TCP/22, TCP/80, TCP/2222, TCP/23, TCP/37777, TCP/2323, TCP/443, TCP/7547, TCP/5555), with the steady state marked. y-axis: # network telescope scans, 0 to 700,000; x-axis: Date, 08/01/16 to 02/01/17.]



Modest Mirai
[Figure: Total Mirai Scans with reference levels labeled "Carna botnet" (above) and "Mirai botnet" (below). y-axis: # network telescope scans, 0 to 700,000; x-axis: Date, 08/01/16 to 02/01/17.]



Global Mirai
Mirai: South America + Southeast Asia = 50% of Infections
TDSS/TDL4: North America + Europe = 94% of Infections



Cameras, DVRs, Routers

Targeted Devices (Source Code Password List)
Device Type    # Targeted    Password Examples
Camera / DVR   26 (57%)      dreambox, 666666
Router         4 (9%)        smcadmin, zte521
Printer        2 (4%)        00000000, 1111
VOIP Phone     1 (2%)        54321
Unknown        13 (28%)      password, default

Infected Devices (HTTPS banners)
Device Type    # HTTPS banners
Camera / DVR   36.8%
Router         6.3%
NAS            0.2%
Firewall       0.1%
Other          0.2%
Unknown        56.4%



Who ran Mirai?





Divergent Evolution
[Figure: timeline of Mirai variants, with the source code release marked.]
48 unique password dictionaries
Binary Packing
DGA



How was Mirai used?



KrebsOnSecurity



Largest Reported DDoS




Dyn Attacker Motives

“It is possible, investigators say, that the attack on Dyn was conducted by a criminal
group that wanted to extort the company. Or it could have been done by “hacktivists.”
Or a foreign power that wanted to remind the United States of its vulnerability.”

Targeted IP        rDNS                      Passive DNS
208.78.70.5        ns1.p05.dynect.net        ns00.playstation.net
204.13.250.5       ns2.p05.dynect.net        ns01.playstation.net
208.78.71.5        ns3.p05.dynect.net        ns02.playstation.net
204.13.251.5       ns4.p05.dynect.net        ns03.playstation.net
198.107.156.219    service.playstation.net   ns05.playstation.net
216.115.91.57      service.playstation.net   ns06.playstation.net

• Top targets are linked to Sony PlayStation
• Attacks on Dyn interspersed among attacks on other game services



Booter-like Targets
Games: Minecraft, Runescape, game commerce site

Politics: Chinese political dissidents, regional Italian politician

Anti-DDoS: DDoS protection service

Misc: Russian cooking blog



Unconventional DDoS Behavior
Arbor Networks global DDoS report
65% volumetric, 18% TCP state, 18% application attacks

Mirai
33% volumetric, 32% TCP state, 34% application attacks

Valve Source Engine game server attack

Limited reflection/amplification
2.8% reflection attacks, compared to 74% for booters



Overview
200,000 - 300,000 globally distributed IoT devices compromised
by default Telnet credentials

Evidence of multiple operators releasing new strains of Mirai

Mirai follows a booter-like pattern of behavior that is capable of
launching some of the largest attacks on record



New Dog, Old Tricks



Security Hardening
Default credentials in Mirai's dictionary (62 entries, three columns of username / password; "(none)" is an empty password):

Username   Password       Username        Password        Username   Password
root       xc3511         admin           1111            root       zlxx.
root       vizxv          root            666666          root       7ujMko0vizxv
root       admin          root            password        root       7ujMko0admin
admin      admin          root            1234            root       system
root       888888         root            klv123          root       ikwb
root       xmhdipc        Administrator   admin           root       dreambox
root       default        service         service         root       user
root       juantech       supervisor      supervisor      root       realtek
root       123456         guest           guest           root       0
root       54321          guest           12345           admin      1111111
support    support        guest           12345           admin      1234
root       (none)         admin1          password        admin      12345
admin      password       administrator   1234            admin      54321
root       root           666666          666666          admin      123456
root       12345          888888          888888          admin      7ujMko0admin
user       user           ubnt            ubnt            admin      1234
admin      (none)         root            klv1234         admin      pass
root       pass           root            Zte521          admin      meinsm
admin      admin1234      root            hi3518          tech       tech
root       1111           root            jvbzd           mother     fucker
admin      smcadmin       root            anko
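A defensive use of this dictionary, as an added example (not code from the paper, the talk, or Mirai itself): audit a device inventory for credentials that appear in Mirai's list, and flag Telnet login records whose attempts come from that list, since a source walking through these pairs is behaving like the Mirai scanner. The log line format, the inventory and the IP addresses are constructed for the example; the credential pairs are the 62 shown above, two of which are repeated on the slide.

```python
"""Audit credentials and telnet login records against Mirai's default dictionary.

Added example; not the paper's or Mirai's code. The pairs are the 62 entries
on the "Security Hardening" slide ("root 0" is copied as shown there). Log
lines and the device inventory are constructed sample data.
"""
import re

# (username, password) pairs from the slide; "(none)" on the slide is the
# empty string here. Two pairs are listed twice on the slide, so 60 unique.
MIRAI_DEFAULTS = frozenset([
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("admin", "1111"), ("root", "666666"), ("root", "password"),
    ("root", "1234"), ("root", "klv123"), ("Administrator", "admin"), ("service", "service"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("guest", "12345"), ("admin1", "password"),
    ("administrator", "1234"), ("666666", "666666"), ("888888", "888888"), ("ubnt", "ubnt"),
    ("root", "klv1234"), ("root", "Zte521"), ("root", "hi3518"), ("root", "jvbzd"),
    ("root", "anko"), ("root", "zlxx."), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("root", "ikwb"), ("root", "dreambox"), ("root", "user"),
    ("root", "realtek"), ("root", "0"), ("admin", "1111111"), ("admin", "1234"),
    ("admin", "12345"), ("admin", "54321"), ("admin", "123456"), ("admin", "7ujMko0admin"),
    ("admin", "pass"), ("admin", "meinsm"), ("tech", "tech"), ("mother", "fucker"),
])


def is_mirai_default(username, password):
    """True if the exact pair is in the dictionary (case-sensitive, as sent by the scanner)."""
    return (username, password) in MIRAI_DEFAULTS


def audit_inventory(devices):
    """Return the names of devices whose configured credentials are a Mirai default.

    devices: iterable of (device_name, username, password).
    """
    return [name for name, user, pw in devices if is_mirai_default(user, pw)]


# Constructed log format (assumption), one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnet (?P<src>\d+\.\d+\.\d+\.\d+) login "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)$"
)


def flag_dictionary_logins(log_text):
    """Map source IP -> (attempts using a Mirai pair, whether any of them succeeded).

    Sources that never used a dictionary pair are not reported.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_mirai_default(m["user"], m["pw"]):
            continue  # not a login record, or not a dictionary pair
        tried, succeeded = hits.get(m["src"], (0, False))
        hits[m["src"]] = (tried + 1, succeeded or m["res"] == "ok")
    return hits


# Constructed sample data.
SAMPLE_INVENTORY = [
    ("cam-lobby", "root", "xc3511"),
    ("dvr-01", "admin", "Xk9#long-unique"),
    ("router-edge", "root", ""),          # empty password, "(none)" on the slide
]
SAMPLE_LOG = """\
2016-08-01T01:42:10Z telnet 203.0.113.7 login user=root pass=xc3511 result=fail
2016-08-01T01:42:11Z telnet 203.0.113.7 login user=root pass=vizxv result=fail
2016-08-01T01:42:12Z telnet 203.0.113.7 login user=admin pass=admin result=ok
2016-08-01T01:50:03Z telnet 198.51.100.9 login user=ops pass=Cr8z-long-passphrase result=ok
"""

if __name__ == "__main__":
    print("weak devices:", audit_inventory(SAMPLE_INVENTORY))
    print("dictionary logins:", flag_dictionary_logins(SAMPLE_LOG))
```

The inventory audit is the mitigation side (replace the credential before the device is exposed); the log check is the detection side, where a single source cycling through several dictionary pairs, especially with a final success, is the signal to act on.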



Automatic Updates
[Figure: Total Mirai Scans with TCP/7547 (CWMP) highlighted: 600K peak, then ~1 month later = 6.7K. y-axis: # network telescope scans, 0 to 700,000; x-axis: Date, 08/01/16 to 02/01/17.]



Device Attribution
55.4M Scanning IP addresses
  -> 1.8M Protocol Banners
  -> 587K Identifying Labels
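The attribution funnel above (scanning IPs, of which only some answer with a protocol banner, of which only some carry a string that identifies the device) can be illustrated with a small labeler. This is an added example, not the paper's attribution code: the keyword rules, the HTTP banner fields it looks at (Server header and Basic-auth realm) and the sample banners are all constructed, and the device-type names follow the infected-device breakdown above, which is also why most constructed banners end up as Unknown.

```python
"""Label protocol banners with a device type, as a toy version of the
banner -> identifying label -> device type step. Added example; the rules,
banner fields and sample banners are constructed, not from the paper."""
import re
from collections import Counter

# Constructed keyword rules (assumption): whole-word matches in the label.
DEVICE_TYPE_RULES = (
    ("Camera / DVR", ("ipcam", "netcam", "webcam", "dvr", "nvr")),
    ("Router", ("router", "gateway", "modem")),
    ("NAS", ("nas", "storage")),
    ("Printer", ("printer",)),
)

# Places an HTTP(S) banner may carry an identifying string.
REALM_RE = re.compile(r'realm="(?P<label>[^"]+)"', re.IGNORECASE)
SERVER_RE = re.compile(r"^Server:\s*(?P<label>[^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def extract_label(banner):
    """Return the identifying string in a banner, or None if it carries none.

    The auth realm is tried first because device web UIs often name the
    product there; the Server header is the fallback.
    """
    for rx in (REALM_RE, SERVER_RE):
        m = rx.search(banner)
        if m:
            return m["label"].strip()
    return None


def classify_label(label):
    """Map an identifying label to a device type by whole-word keyword match."""
    lowered = label.lower()
    for device_type, keywords in DEVICE_TYPE_RULES:
        if any(re.search(r"\b" + re.escape(k) + r"\b", lowered) for k in keywords):
            return device_type
    return "Unknown"


def label_banner(banner):
    """Banner -> (label or None, device type). No label means Unknown."""
    label = extract_label(banner)
    return (label, classify_label(label) if label else "Unknown")


def summarize(banners):
    """Percentage of banners per device type, like the infected-device breakdown."""
    counts = Counter(label_banner(b)[1] for b in banners)
    total = sum(counts.values())
    return {t: round(100.0 * n / total, 1) for t, n in sorted(counts.items())}


# Constructed sample banners.
SAMPLE_BANNERS = (
    'HTTP/1.1 401 Unauthorized\r\nServer: httpd\r\nWWW-Authenticate: Basic realm="IPCam Login"\r\n',
    'HTTP/1.1 200 OK\r\nServer: DVR-Web/2.1\r\n',
    'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Home Gateway Router"\r\n',
    'HTTP/1.1 200 OK\r\nServer: nginx\r\n',       # generic label, type unknown
    'HTTP/1.1 200 OK\r\n',                         # no identifying label at all
)

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(label_banner(b))
    print(summarize(SAMPLE_BANNERS))
```

The two drop-offs in the funnel show up directly: a banner with a generic Server header yields a label but no type, and a banner with neither field yields no label at all, which is why the "Unknown" bucket dominates any banner-based census.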



End-of-life

2016: 6 - 9 Billion
2020: ~30 Billion



Contact
zanema2@illinois.edu

