EP 31: Stopping the Mirai IoT Botnet, One CnC Server At A Time

EP 31: Stopping the Mirai IoT Botnet, One CnC Server At A Time

In 2016, the Mirai IoT botnet shut down part of the internet, yet variations still plague us today. Maybe our current approach to IoT botnets isn’t working? 

Ali Davanian and Ahmad Darki join the Hacker Mind podcast to discuss their Black Hat USA 2021 talk and their tool, CnCHunter, which looks for active CnC servers that can be discovered, so law enforcement can take them down, or at least networks can block them, effectively denying them access to the 100s of thousands of compromised devices worldwide.

Vamosi:  The internet. Where would we be without it today 24 Seven news and sports updates streaming movies, ordering stuff anytime you want. It’s designed to be robust to withstand a nuclear war. Yeah, for a couple times in history, parts of the internet have actually gone down, such as the distributed denial of service attack that occurred in 2016 Your CMBC targeted denial of service attack,

CNBC: Throughout the day, it has been affecting internet traffic up and down the East Coast, in particular, take a look at this list of companies that have been affected so far today, the earlier attack began at about 7am, East Coast time Amazon cloud services, Netflix Twitter and Spotify all reporting that they were having difficulty with internet access today, the company that is being attacked is called Dyn, they provide, among other things domain name services and they say, the original attack this morning was mitigated and customer service was restored they said just a few minutes ago. We are currently mitigating a second attack we also have a statement here from the Department of Homeland Security, which says, we are aware and investigating all potential causes so no information at this point, guys, exactly who is behind this massive denial of service attack on internet service, up and down the East Coast of the United States but clearly a targeted effort, beginning with a pulse in the morning, and now it pulls here in the mid afternoon we’ll see what happens throughout the rest of the day to day go 

Vamosi:  Dyn was an internet performance management and web application security company that has since been bought by Oracle. Taking out Dyn would therefore impact many services, and that’s what happened. To do this, it’s estimated that the distributed denial of service attack had an attack strength of 1.2 terabits per second. That would make this denial of service attack roughly twice as powerful as any similar previously recorded DDoS attack at the time. What if I told you that this forceful distributed denial of service attack wasn’t from a compromised, set of computers. It was for 1000s of compromised, Internet of Things, enabled devices, such as surveillance cameras, residential gateways, internet connected printers, and even in home baby monitors these devices themselves are often thought of as not having much in the way of resources, and really they don’t have many computing resources. But when you start to link 1000s and 1000s of compromised devices together into what’s called a botnet, and then orchestrate that botnet to fire on a single target. The results can be massive enough to bring down parts of the internet.

[music]

Vamosi:  Welcome to The Hacker Mind and original podcast from ForAllSecure, it’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi and in this episode I’m digging deeper into those IoT botnets, and I’m going to talk to two researchers who are looking at creative ways to defend against IoT malware, and a key piece of that puzzle is finding and stopping what’s known as command and control server, or the CnCS behind those botnets.

[music]

Vamosi:  There are a couple ways to address the botnet problem to prevent attacks such as the one at Dyn. One is to attack the compromised computers themselves to block or remove the actual malware, but after more than 20 years, the anti malware approach clearly isn’t working. We still have malware. We still have botnets. And what if you then had 1000s and 1000s of mindless devices not computers as part of your botnet, how are you going to put anti malware on that, let alone even update those devices. Clearly, there needs to be another approach. So I reached out to two researchers from the University of California at Riverside. They spoke at BlackHat USA 2021 where they launched a new tool to find IoT based CnC servers.

Davanian:  This is Ali. I’m a fourth year PhD candidate at the University of California Riverside.

Darki:  My name is Ahmad Darki and I recently graduated from University of California, Riverside, a PhD. And thank you for having us.

Vamosi: It’s probably good to start with how all this works, malware gets installed on a computer or in this case a device, and it can be done a number of different ways, from a phishing attack to a direct install with the Internet of Things, it’s possible to scan the IP v for range and identify devices that are out there, then, because it’s the Internet of Things and it’s still young and security is often thought of as an afterthought, it’s possible to do credential stuffing, which means you simply supply a username and password, often baked into the firmware to get access to these devices, boom. Now you’ve just installed your malware on 1000s and 1000s of devices worldwide, but you’re not done.

Darki:  So imagine malware is something like a Swiss knife. It has a lot of functionality. It has a lot of things inside of it, but we need to eventually try to get the knife or the scissors, something like that to get up and start working. And then imagine that the person that can handle that. Like, you know, Swiss Army Knife is a very, you know, specific person like it has a fingerprint or something like that for them to start working with that swiss army knife.

Vamosi:  So if a small piece of malware can be made to do a variety of different things. What determines that after the malware is installed, it calls out to an internet address. This is what’s known as a command and control server. And this is what tells the malware, what to do.

Davanian:  The thing is that the CnC server is the one that will connect with that malware, and tells it that Hey, start this communication or start doing this malicious activity. These are the functions that are built in within the malware, and the CNC server is the one that is, you know, asking to do this. Now, do function A to do function B. So that’s how the CnC server plays a bigger role in the lifecycle of the malware, telling you what to do. These are the steps, and yeah,

Vamosi:  such a process is slow.

Davanian:  Now, you attack by itself within, you know, happen just after the infection, right, so you might have to hide it with the devices that are infected by the malware, but they don’t, you know, perform the DDoS attack. When you’re talking about matter, usually, not always but usually there’s a server, command and control server that gives the commands to the malware to do the malicious stuff on the victim system. These are really the keys to the battle against the malware. If we know where these command and control servers are in short CNCS located. Then, defending would be as easy as blocking the traffic from those addresses in this research, you’re trying to provide a tool and also a general approach that is your portunity to find a live CnC server to DDoS attack or DDoS attack happens when the CnC command and control server sends the command to the malware and says, Okay, this is the address I want you to us, you know, take it down. And as I mentioned, if you know what this ad is is just block the traffic. That said, there would not be any DDoS attack, and the targets, say, on the other hand, if you lock the traffic from the c&c server, you might not be infected. And the first read because there wouldn’t be any profit and there’s a good chance that malware dipwad wouldn’t come to your network and infect your family,

Vamosi: So the malware is deposited on the compromised computer or device. It then calls out further instructions. In this case of a botnet, the CNC server is used to focus all of these compromised devices on a single target, and then start flooding it with requests.

Davanian:  Maybe we can provide an example so for instance, in our case, you’re targeting IoT malware, and in case of IoT malware, one of the very destructive things that can happen is denial of service or deep DDoS attacks happened in 2016, and major service providers like, then they’re out, and then the result was GitHub was unavailable for some time, we thought about it, and we found that the key here that is missing is knowing the command and control server, because the audio TV devices on themselves don’t have enough processing power, you know, to provide the security. You cannot go ahead and install an antivirus on the IoT device, they don’t have enough processing power.

[music]

Vamosi:  So far we’ve heard about the Mirai botnet, the malware that was used to shut down time, and subsequently significant parts of the internet. Where did Moroi come from. In one word, gaming Moroi, which is named for the Japanese word, the future was first seen before time, and attack in September of 2016 when security journalist Brian Krebs website KrebsOnSecurity was hit with a massive DDoS attack of about 62 gigabits per second. A few days later, the French web host VH was hit with a one terabyte per second attack. One thing you don’t want to do is piss off a writer. Krebs, whose own site was down for four days, started looking for a cause behind these attacks. And that’s when the source code for Mirai IoT botnet, was released to the public. Okay. Why would a criminal hacker make the source code public. Well, there are a lot of theories. Often this is done because the code no longer has street value, which clearly doesn’t make sense in this case since it was used. A month later. Well, sometimes the author wants to make the origin more ambiguous, by simply saying, I got it off the internet. Clever. However, source code has fingerprints, meaning you can see how it was cobbled together. And over time, Krebs was able to trace parts of the source code back to other earlier IoT botnet families.

Darki:  So, in 2014 That’s when my advisor told me like hey, we never thought about securing home routers have we. And that’s what I was that then I decided to read if there are papers on that then I never heard anyone talking about that. And then when, when we started looking at the time that was, you know, a malware button, it was called a Gafgyt. But it wasn’t as successful, and infecting a lot of devices because it wasn’t as insane in propagation as it is with the right

Vamosi:  Gafgyt was one of the early botnets, meant for targeted purposes. So, the ability to propagate from one device to another. Well, that wasn’t really mature. 

Darki:  So there were things happening, you know, for a long time, I guess, like 2009, I guess, was the first ones that came for IoT, but with Mirai. It got crazy with the speed that he can infect devices. And also there’s another factor to it that are a lot more IoT devices integrated with our everyday life. So we see a lot more devices and more opportunities for the attackers to infect them.

Vamosi:  So what might have nudged these middle level IoT botnets, into the big time.

Davanian:  And there, there’s always this. I call it the money factor right there might be a threat. Right, but there’s not enough incentive for actors, you know. But then you can monetize it. But that’s when you can see the damage that they could do the same thing with ransomware, was the same thing with IoT malware, you know, DDoS attack. At some point, you know, money is made.

Vamosi:  That’s something that Krebs discovered. He found that these early botnets were used by a group operating under the name, Li dos to launch a series of large, sustained DDoS attacks around one target Minecraft. Minecraft is a multiplayer online game. If you have never played it, well, think of it more like digital Legos. You manipulate colored blocks to build something pretty amazing, and I mean really amazing, such as rendering the entire University of California at Berkeley campus, online, and recently. Reporters Without Borders, created a Minecraft anti censorship library full of censored books, actual text that can be read from around the world as kind of a lost Library of Alexandria. So there’s lots of cool stuff being done with Minecraft today, but to do all that requires some pretty serious hosting services, you need to rent servers that can handle the load of your particular world. And while you can’t sell stuff directly within Minecraft, you can sell server surfaces. And this is how people are making money off of Minecraft. Some of these server services can make up to 50k a month. Problem is, there are a lot of server services on the market today. So, how do you make your new server service stand out among the crowd?  Uptime.  Apparently the Liedos group would go and target rival servers with DDoS campaigns, by denying the services long enough, serious gamers would then leave those services and go somewhere else, preferably to a server service where leaders had a stake. Another way to make money off of Minecraft selling anti DDoS services. What if both the attacks and the defenses were being sold by the very same company. This is where the story gets interesting. The online entity that released the Mirai botnet, and attacked KrebsonSecurity, using the name, Anna-Senpai. Well, social media posts to hacker forums with Anna-Senpai actively attacked anybody using Qbot, and suggested instead that thought killer should remove any instance of Qbot from the server. One such company, Protraf, advertises itself as protecting these Minecraft server services from denial of service attacks. According to crypt the self admitted, author of Qbot, also known as bash like with someone named Josiah White, who happens to run protract and White had at least one other partner had protrack, a 20 year old named Piras Jha. As Krebbs put it “like firemen getting paid to put out the fires, they started shot and White would target organizations with DDoS attacks, and then extort them for money to call off the attacks, or sell those company services. They claimed it would uniquely help fend off these attacks.

Davanian:  I remember I was reading the post that the author of your eye matters and you publish the source code that was writing that made millions out of it right. He made the money just by launching a DDoS attack. Right, yeah. I think she, you know here is, it’s not actually that that threat is not there right at any point or any fruit I guess it’s one of the key things is that can packers monetize, right, and if they can, then you can see the damage that

Vamosi:  Krebs started looking through other social media sites. He noted what little was known about Anna-Senpai was very similar to what was publicly known about Ferris Jha, as is the case with another poster on Reddit, someone named Dreddiscool, who posted his like of Japanese anime, one anime series in particular its name. Mirai Nikki. There’s another curious angle to the story as well. Dreadisschool noted on Reddit that Rutgers University in New Jersey had been suffering through various DDoS attacks, suggesting that they too needed to get some anti DDoS protection. That’s important because Jha happened to be a computer science student at Rutgers, at the time. And remember, he happened to work with white at the anti DDoS company Protraf. Okay, that was no coincidence. Jha dropped out of Rutgers and never actually completed a degree. It turns out he was arrested for using Miraii to stage various DDoS attacks, including the Dyn. Jha is one of the original authors of the Mirai botnet, along with white and the third person, Dalton Norman. And in September of 2018. They each were sentenced to five years probation and 2500 hours of community service in order to pay $127,000 in restitution for the damage caused by their malware. In other words, getting caught off is really easy. I mean, seriously, they knocked out the internet service on the East Coast for a series of hours, and they only paid $127,000 each, but if the Mirai case was light, the records case was heavy. In its sentencing memo, the US government said that Jha “revealed in the uproar caused by the first attack, which he launched to delay an upperclassman registration for an advanced computer science class, he really wanted to take the second attack to delay his calculus exam. And the last two attacks were motivated in part by publicity and outrage.” That’s a total of four DDoS attacks against the university system. And for that job didn’t get off so easily. In October of 2018, the US government revealed guilty pleas in the records investigation and Jha was sentenced to 2500 hours of community service, six months of home confinement, and for repeatedly using Mirai to take down Internet services at Rutgers was ordered to pay 8.6 million in restitution.

Davanian:  Quite a you know law enforcement and several other authorities to affirmative action to take down some well known, but one of the, you know, key enablers, is there our server command and control server, right, and it is still I mean, the wars on this for a while but it’s still, when I think about it, it gets me excited right, imagine that you can you know have a map of the war, and you have no insight on their oldest CnC servers are low, right then. It’s just, you know the matter of taking the decision, right, you have the cover up taking down the button. If you are law enforcement, it’s just speed. You have the power. You know where they’re located, to stick it down. Right. And on the other hand, you know, so high to allow law enforcement to get a better insight on who you are behind these. We have some evidence that some of these, you know, malware samples are different malware samples with probably the same accuracy. These matters. Right. So it’s not you know, a lot of work all the hate on a few teams or individuals fault. The problem, at least for now.

[music]

Vamosi:  With the source code out there in the wild, the ride continues, even if its authors have been caught. There was, for example, a variant of MRI in the fall of 2019 that went after Android TVs.

Davanian:  You had a version of Gafgyt or Mirait, you know some people classify it as Mirai, some people have Gafgyt. It started in Android TV, right. And the reason again, there are lots of that. And the number of IoT devices is growing every year. Right, you will see more and find that you are vulnerable, and could be your potential target.

Vamosi:  Part of it is that the barrier to entry for criminals is low. I mean, if the source code for IoT botnets is available, and in many cases it c&c servers are out there just waiting for a signal. Well, how easy is that thing is we’re not aware of most of those CRC servers, and how many of them are alive. We don’t exactly know where they are, but the botnets, deepen their source code, they know exactly where those c&c servers reside. 

Darki:  Yeah, that’s the, that’s the fascinating thing about this IoT malware, you know, This is like. It’s super easy to work with them, you get the source code is available, everyone can find it. You can get them, you can modify it a little bit, and then you release it for a while, and within hours you can recruit as many as 1000s of IoT devices in a while. The thing about these ones is that the source code of these IoT malware. It also provides you with the CNC server. So, like, the source code of the CNC server exists. The only thing that is up to you to do is to find the IP address to deploy the CNC server there, Or in some cases do a VGA or register a domain for it. So it continues to exist.

Vamosi:  So what did Allie and Ahmed, start with, well, very little as academics as independent security researchers not backed by a large anti malware company, they had access to some malware binaries, access to some IP blacklist, and they had partial information about the malware communication itself. What they didn’t have was access to the network traffic or access to the antivirus companies, sensors,

Darki:  That’s the, that’s the thing about this, you know, line of work, that wasn’t at the time when we started working on the IoT network, it wasn’t. Basically, 2014 or 15 There wasn’t any tool that will allow you to do analysis and these, you know, IoT malware, like everyone knows, Windows, Linux malware. There’s so many online services cloud based services that can help you with that but what motivates us to think about coming up with a systematic solution coming up with something that we can think that it doesn’t matter what is the malware, we’re going to get it to start executing, regardless of whatever target is trying to hit. But when it comes to IoT, we can, we can get it to start talking and get it to start executing and communicate with this CNC server.

Vamosi:  The way, Allie and Ahmed, ultimately decided to do this was by activating the IoT malware. This means they actually executed the IoT malware and let it communicate with the outside world. Then they use a person in the middle technique to redirect the CNC traffic to some candidate addresses that they’ve created. You do

Davanian:  have a tool. It’s open source, and we fully automated every piece of what you need is only, you know, a malware sample. And if you want to use it in the session that we provide that is scanning you know IP addresses. You don’t even need to have very recent numbers with the example that was the other part of why we did this work, wanted to you know be able to pull malware samples that are out there, recognize them and then search for cancer. But our solution, you know we come, we have academies backgrounds, and for us it’s you know, the general method, you know this solution, right, people want a solution, it’s an algorithm you know an approach. It works, you know, it doesn’t really depend on every single, you know, line of code. You can take the approach, integrated with your own dynamic analysis system or malware analysis system that you have in place, but we also provided a prototype. The approach that we have and as I said it’s fully automate

Vamosi:  the CNC Hunter has two parts. First being the sandbox which contains and runs

Darki:  the malware, going a little bit into details of how the sandbox and profile module would look like. So in this project, using Quemu. Quemu enables me to emulate some of the not common CPU architectures like MIPS powerPC or MIPS cell. So this is something that we chose to go with, and that we are, we are attaching Kirtle to us and that Google has running, and then we will also attach a file system to it. This will allow us to have some sort of a recording and snapshotting of whatever the malware is doing and the current recording gets, you know, a system called traces and so on and so forth. We also attach a device to the commune, so that we can redirect the traffic to the proxy that later we will get into and TAP device would also allow us to do a recording got network traffic.

Vamosi:  The second part is the man in the middle module, which intercepts the communication with the CNC server. 

Davanian:  The goal of the man in the middle of the MiTM component is to redirect the CNC traffic to candidate addresses. As we mentioned a few times, these candidates address our inputs, right, we suspect that they are hosting CNC servers. The man in the middle is IP based here, and we are gonna tap the traffic, and also provide internet for the sandwich right. So we are actually man in the middle in the real traffic that goes to Canada,

Vamosi:   As we mentioned, obtaining the malware samples isn’t too hard.

Davanian: There are many malware repositories that allow you to see what malware is active in the wild. right now. This date is small and you observed that usually UI. It’s a very old malware family. The one responsible for the beat back that I mentioned, against major service providers is still one of the most seen malware samples and they’re one, right. You have just like a virus just like for instance, covid 19 You would see variants, you would see more mutations, but it’s still, you know, UI malware. And this shows that, After five years, that we first saw Mirai UI malware, current solutions you know the defenses that we have in place are not working, as we want.

Vamosi:   Again, this is why Ali and Ahmad didn’t put much faith in the devices, they looked to the network instead.

Davanian:  If you know what this app does is just block the traffic that’s it, you know, there would not be any viewers attack, and the target, say, on the other hand, if you lock the traffic from the c&c server, you might not be infected in the first place, right because there wouldn’t be any traffic and there’s a good chance that malware dipwad wouldn’t come to your network and infect your map.

[music]

Vamosi:  One of the challenges with IoT is that we want devices to communicate over the network, but in doing so, we’re not building in security often, if anything, we’re cluding old protocols and shunting them into small outdated chipsets,

Davanian:  What we thought is that for IoT still it’s a growing industry, and you would have vendors that just came to the market, right security is their last. It’s not like we can secure it. It’s that they don’t want to or it’s not there for you. And then when we look at the endpoints, or the users, they don’t have the knowledge, probably the chance to then that’s where the network perimeter would be important and that’s why you’re motivated to do this work because as network perimeter, you have the willpower you have all heard this, you know, for instance, one of the things that could happen.  Right, if they know where the CnC servers are located, and if intelligence is timely, then they can you know block the traffic, and hopefully they can secure all the nodes that are within there.

Vamosi:  The devices themselves are becoming less and less expensive, Yay, but would you rather upgrade the firmware on a toothbrush, probably not. If you play that out across your entire home. What are you going to do, like, take a whole Saturday morning once a month, and go through all of your IoT devices and make sure they’re up and running the latest and greatest firmware. Probably not. Conversely, if you think that $40 toothbrushes even generate an update, and the software to begin with. That’s probably not true either. Yeah, that’s the

Darki:  thing like when you are thinking about IoT and the IoT ecosystem. Right now, there is not going to be a silver bullet, if you do not update to get all the IoT devices in the world updated so these vulnerabilities don’t exist anymore so that they don’t get exploited. Our choice right now, is to take down their, you know servers. Right now, let’s just take those down, and get rid of them, so that we can stop the spread and better way of defense, and consumer devices like smart TVs or the internet enabled toothbrushes. They provide a vast landscape with the commercial IoT devices you have larger you know that you can target. This allows you to know the manipulation that we just talked about, and more money, you know, just because you’re, if you are talking about data that you have more butts in your control. The attack would be more cover. So you go out there. Right. And there’s also the chance of you knowing having more things is if the number of, you know your targets are more. Even if the security mechanics catechisms improve, still you would have a large, a good chance of having a large number of vulnerable devices. Right. But if you’re targeting for instance, industrial IoT devices. Just because the number probably would be less, Then you have, you know, a less chance of having the same number of bots. 

Vamosi:  for now at least, the world of IoT is the Wild Wild West, and nobody’s really building in security. So techniques like what Aliona med came up with, are pretty brilliant. 

Darki:  You know even, it’s gonna say, economically, it’s not really of interest to the industry to come up with this updating mechanism and do an update and further because these are very devices, apparently, and they’re like okay if your devices, broken go buy the same one for like $10 Something like that. So it’s not really they’re not really interested to come up with a solution that people will keep the device forever. Right. I always think that’s the case, even if they didn’t the industry decides to update devices. I think the bots will continue becoming more and more complicated. Instead of exploiting what we call an end date type of vulnerability, it will come up with exploiting zero day vulnerabilities to exploit as many devices as they can’t. And I think the ball cannot be in their court, it should be like. He said it should be up to like ISP or law enforcement to contain these botnets. 

Vamosi:  I’d really like to thank Ali and Ahmed, for talking with me about their project. Gartner is estimating that there will be over 65 billion IoT devices connected worldwide by the year 2025. Since these devices are small, even disposable in some cases, it doesn’t make sense to focus on securing each and every one of them. Rather, flipping the model on its head and looking at the network side, the CnC servers that exploit the IoT malware, seems like a more viable solution. By focusing on the CnC servers, law enforcement can for example, shut down the more aggressive ones, and perhaps even start to identify the actors responsible for them. But at the very least, we can also lock down our networks have block the CnC servers from connecting with infected devices that we may control. It’s interesting stuff. 

Let’s keep this conversation going. DM me at Robert Vamosi on Twitter, or join me on subreddit or discord. You can find the deets at hacker mind.com 

The Hacker Mind is brought to you every two weeks, commercial free by ForAllSecure.

For The Hacker Mind, I remain your friendly neighborhood, command and control server, Robert Vamosi.