Mirai botnet

I chose the paper "Understanding the Mirai Botnet" to understand the security threats faced by IoT devices today. The paper conducts a complete analysis of the famous Mirai botnet. But it is essentially an experimental record, which mainly describes which aspects of Mirai the authors studied, which samples they collected, how they ran the experiments, and what results they obtained. It is not very friendly to readers who just want to learn about Mirai. Therefore, I have combined it with some related articles collected on the Internet to briefly introduce Mirai and honeypots.

botnet

First of all, let's understand what a botnet is. A botnet is formed when an attacker uses one or more means of propagation to infect a large number of hosts with a bot program, creating a one-to-many controllable network between the controller and the infected hosts.
That is, attackers spread bots through various channels and infect a large number of hosts on the Internet. The infected hosts receive instructions from the attacker over a control channel, and together they form the botnet. It is called a "zombie" network because the many infected computers are unknowingly driven and commanded, becoming tools in someone else's hands, like the zombie hordes of ancient Chinese legend.

Botnet Threat to IoT

With the rapid development and wide application of the Internet of Things, IoT network security has become an important research hotspot. Tencent's 2019 report on IoT security pointed out that IoT devices have become a new generation of targets for hackers, and that among them routers are the preferred target. The report also pointed out that IoT malware spreads mainly through security vulnerabilities in IoT networks, and that DDoS attacks have become a mainstream function of IoT malware.
Nowadays more and more IoT devices are connected to the Internet, but protecting them is difficult and their security is often neglected, which leaves the applications running on them extremely fragile and makes it easy for attackers to find and exploit vulnerabilities. In the eyes of an attacker, an IoT sensor is the perfect botnet node: it is ubiquitous, needs to be connected to the Internet, has poor default settings, is riddled with software bugs, and is easy to forget about.
Because devices are scattered, responsibilities and ownership are unclear, and early devices cannot even be upgraded remotely, these devices are basically unsupervised after deployment and receive no software or firmware upgrade patches.
In addition, the weak computing power of IoT devices makes attacks harder to track.
So it was only a matter of time before cybercriminals started using IoT devices to carry out botnet attacks. The Mirai botnet is the first large-scale IoT botnet case, and since its appearance at the end of 2016 such attacks have appeared continuously.

Mirai botnet

IoT botnets use vulnerabilities in routers, cameras and other equipment to spread bots across the Internet, infecting and controlling a large number of online hosts and thus forming a large-scale botnet.
In recent years, botnets based on Internet of Things devices have shown a growing trend. The Mirai botnet, a huge network composed of a large number of controllable IoT devices, once paralyzed much of the Internet in the United States and became notorious for a time. The most affected country was Mexico, followed by China, the United States, Brazil and Turkey.

Mirai Timeline

The Mirai botnet grew very fast. It first appeared in August 2016, but it was not until mid-September 2016 that Mirai grabbed the headlines with a large-scale DDoS attack against Krebs, followed by the "disconnection" of the United States. After that, Mirai successively launched DDoS attacks against Singapore, Liberia, and Germany.
During the network outage incident in the United States, Dyn, an American domain name resolution service provider, suffered a serious DDoS attack, which caused large-scale network paralysis in the eastern United States. Many American websites, including Twitter and Facebook, could not be reached by domain name. The culprit responsible for paralyzing half of the US Internet was the tens of thousands of IoT devices under the control of the Mirai botnet.

Mirai's network structure

① Mirai first enters a rapid scan phase, in which infected bots scan at random. In this phase it sends TCP SYN probes to pseudo-random IPv4 addresses, excluding the addresses in a hard-coded IP blacklist, on Telnet TCP/22 and TCP/23 in an asynchronous, "stateless" manner. (Hard-coding is the software development practice of embedding data directly into the source code of a program or other executable object, as opposed to obtaining it externally or generating it at runtime.)
② If Mirai identifies a potential victim, it enters the brute-force login phase, where it attempts to establish a Telnet connection using 10 username and password pairs selected at random from a pre-configured list of 62 credentials. On the first successful login, Mirai sends the victim IP and the credentials that worked to a hard-coded report server. In other words, once a weak password has been cracked by brute force, the bot sends the information about the cracked device to the Report Server.
③④ These are the malicious code loading stages. The Report Server sends a command to the Loader Server to load the malicious code; after loading succeeds, the vulnerable devices are used as new bots that randomly scan and infect the next batch of devices. The separate loader infects these vulnerable devices asynchronously by logging in, determining the underlying system environment, and finally downloading and executing architecture-specific malware.
After a successful infection, Mirai deletes the downloaded binary and changes its process name to a pseudo-random alphanumeric string to hide its presence. As a consequence, a Mirai infection does not persist across system restarts. To strengthen its hold, the malware also kills other processes bound to TCP/22 or TCP/23, as well as processes belonging to competing infections, at which point the bot listens for attack commands from the command-and-control server while scanning for new victims.
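The scan phase described in ① has a recognisable network fingerprint: one source emits SYN-only probes to many distinct, unrelated destinations on the Telnet ports within a short time, and never completes a handshake. The following detector is an added example written for this post, not code from the paper or from Mirai; it runs over constructed flow records and a sliding time window, and its default port set is the two ports named above (treat it as a parameter for your own environment).

```python
"""Flag sources that behave like a stateless Telnet scanner (added example).

Input: flow records, each summarising one TCP connection attempt. A record is
"SYN-only" when the source sent a SYN but never completed the handshake.
"""
from collections import defaultdict
from dataclasses import dataclass

# Default port set: the ports the post names for the scan phase. Constructed
# default; adjust to what your network actually exposes.
SCAN_PORTS = frozenset({22, 23})


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed sample values below)
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination TCP port
    syn_only: bool   # SYN seen, handshake never completed


def find_scanners(flows, ports=SCAN_PORTS, window=60.0, min_targets=20):
    """Return {src: max_distinct_targets} for every source that sent SYN-only
    probes to at least `min_targets` distinct destinations on `ports` inside
    some `window`-second span. Sliding window over timestamps per source."""
    by_src = defaultdict(list)
    for f in flows:
        if f.syn_only and f.dport in ports:
            by_src[f.src].append((f.ts, f.dst))

    hits = {}
    for src, probes in by_src.items():
        probes.sort()                       # order by timestamp
        in_window = defaultdict(int)        # dst -> probes currently in window
        left = 0
        best = 0
        for ts, dst in probes:
            in_window[dst] += 1
            # Evict probes that fell out of the window.
            while ts - probes[left][0] > window:
                old = probes[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


# Constructed sample: one scanner sweeping 25 hosts on port 23 in 5 seconds,
# an operator host reconnecting to the same device, and a host probing port 80.
SAMPLE_FLOWS = (
    [Flow(1000.0 + i * 0.2, "203.0.113.7", f"198.51.100.{i}", 23, True) for i in range(25)]
    + [Flow(1000.0 + i, "192.0.2.10", "192.0.2.50", 22, False) for i in range(30)]
    + [Flow(1005.0 + i, "192.0.2.11", f"198.51.100.{i}", 80, True) for i in range(5)]
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS))
```

The threshold and window should be tuned to the network: a legitimate management host talks to a handful of devices repeatedly, while a scanning bot touches many addresses once each, which is why the count is over distinct destinations rather than packets.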

Detection method

There are three main traditional botnet detection methods: anomaly-based detection, detection based on DNS traffic, and honeypot-based detection.

Honeypot


To track the evolution of Mirai's functionality, the paper collects the binaries installed on a set of honeypots for experimentation. A honeypot is a closely monitored network decoy. Honeypots take many forms; usually they simulate a vulnerable system service as bait to attract attackers, so as to provide the real system with data about the types of attacks and attack trends. At the same time, analysing the honeypots that have been attacked allows the attacker's behaviour to be studied in depth.
By degree of interaction, honeypots can be divided into low-interaction, medium-interaction and high-interaction honeypots.

Honeypot-based detection method

The honeypot-based detection method deploys a honeypot in the network to collect information about every network node that tries to connect to it. From the collected logs, files and so on, information such as the fingerprint of the attacker's device, network topology, device security vulnerabilities, the attacker's tools and the attacker's intentions can be used to identify specific behaviour patterns of attackers and to build detection methods for network nodes. Honeypots are usually deployed separately in a controlled environment, isolated from normal systems, which keeps them safe without affecting the normal systems; the data captured by a honeypot is targeted and relatively pure and concentrated, and it imposes no additional burden on the normal system.
The high-fidelity, high-quality data set obtained from a honeypot avoids the cumbersome process of analysing massive logs. Since any connection to the honeypot is by definition attack information, detection no longer lags the way signature-based analysis does, and new types of attacks and methods can be caught effectively.
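The brute-force login phase described under ② is exactly what a Telnet honeypot records: one connection cycling through several username/password pairs, a possible success, and the commands run afterwards. The parser below is an added example for this post, not the paper's honeypot code, and it uses a constructed one-line-per-event log format (timestamp, source IP, session id, event, key=value fields) rather than any real honeypot's format; the credentials in the sample are constructed placeholders.

```python
"""Summarise Telnet honeypot sessions and flag credential dictionary attacks
(added example; constructed log format and sample data)."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<sid>\S+) (?P<event>[\w.]+)(?: (?P<rest>.*))?$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log: s1 is a dictionary attack that succeeds, s2 is a
# single operator login, s3 is a dictionary attack that gives up.
SAMPLE_LOG = """\
2016-09-20T10:00:01Z 203.0.113.7 s1 connect
2016-09-20T10:00:02Z 203.0.113.7 s1 login.failed user=root pass=admin
2016-09-20T10:00:03Z 203.0.113.7 s1 login.failed user=admin pass=admin
2016-09-20T10:00:04Z 203.0.113.7 s1 login.failed user=root pass=123456
2016-09-20T10:00:05Z 203.0.113.7 s1 login.success user=root pass=default
2016-09-20T10:00:06Z 203.0.113.7 s1 command cmd=uname
2016-09-20T10:00:07Z 203.0.113.7 s1 disconnect
2016-09-20T10:05:00Z 192.0.2.10 s2 connect
2016-09-20T10:05:01Z 192.0.2.10 s2 login.success user=operator pass=REDACTED
2016-09-20T10:05:30Z 192.0.2.10 s2 disconnect
2016-09-20T10:09:00Z 198.51.100.4 s3 connect
2016-09-20T10:09:01Z 198.51.100.4 s3 login.failed user=root pass=admin
2016-09-20T10:09:02Z 198.51.100.4 s3 login.failed user=root pass=default
2016-09-20T10:09:03Z 198.51.100.4 s3 login.failed user=admin pass=password
2016-09-20T10:09:04Z 198.51.100.4 s3 disconnect
"""


def parse_sessions(text):
    """Group log lines by session id: attempted credentials, the pair that
    worked (if any) and the commands issued after login."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip malformed lines
        s = sessions.setdefault(
            m["sid"], {"src": m["src"], "attempts": [], "success": None, "commands": []}
        )
        kv = dict(KV_RE.findall(m["rest"] or ""))
        event = m["event"]
        if event in ("login.failed", "login.success"):
            pair = (kv.get("user", ""), kv.get("pass", ""))
            s["attempts"].append(pair)
            if event == "login.success":
                s["success"] = pair
        elif event == "command":
            s["commands"].append(kv.get("cmd", ""))
    return sessions


def classify(sessions, min_attempts=3):
    """A session that cycles through several distinct credential pairs in one
    connection is a dictionary attack; note whether it got in."""
    verdicts = {}
    for sid, s in sessions.items():
        if len(set(s["attempts"])) >= min_attempts:
            verdicts[sid] = "dictionary-attack" + ("-compromised" if s["success"] else "")
        else:
            verdicts[sid] = "benign-or-unknown"
    return verdicts


def credential_frequency(sessions):
    """Count how many sessions tried each pair: the most common ones are the
    defaults worth rotating on your own devices."""
    counts = Counter()
    for s in sessions.values():
        counts.update(set(s["attempts"]))
    return counts


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    print(classify(found))
    print(credential_frequency(found).most_common(3))
```

The page notes that Mirai tries 10 pairs from a list of 62, so a threshold of three distinct pairs in one connection already separates it from a mistyped operator login; the credential frequency table is the output a defender actually acts on.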

In order to track attacks by the Mirai botnet, the honeypot system needs the following functions:
(1) Monitor the behaviour of the system itself, that is, the honeypot's own operation and processes.
(2) Monitor the honeypot's network traffic. To track DDoS attack instructions, the inbound and outbound traffic on all ports of the honeypot must be monitored, and the packets must be analysable.
(3) Process logs in a standardized manner. Since malicious code generally deletes itself after spreading, the honeypot must be able to restore files that were deleted shortly before.
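Requirement (3) meets the behaviour noted earlier: Mirai unlinks its own binary after starting. On Linux the running process keeps the file alive, and /proc/<pid>/exe still opens it even though the link target is reported with a " (deleted)" suffix, so the honeypot can copy the sample back out before the process exits. The script below is an added example for this post, not the paper's tooling; the /proc root is a parameter, and `build_constructed_proc_tree` fabricates a look-alike tree so the logic can be exercised without a real infection.

```python
"""Recover executables that are still running but unlinked from disk
(added example; scans a /proc-like tree whose root is a parameter)."""
import hashlib
import os
import shutil
import tempfile

DELETED_SUFFIX = " (deleted)"   # how the kernel marks an unlinked exe target


def deleted_exe_processes(proc_root="/proc"):
    """Return [(pid, original_path)] for processes whose exe link is marked
    deleted. Entries we cannot read (permissions, process already gone) are
    skipped rather than aborting the sweep."""
    found = []
    for name in sorted(os.listdir(proc_root)):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue
        if target.endswith(DELETED_SUFFIX):
            found.append((int(name), target[: -len(DELETED_SUFFIX)]))
    return found


def recover_binaries(out_dir, proc_root="/proc"):
    """Copy each deleted-but-running executable to out_dir/<pid>.bin and
    return {pid: (saved_path, sha256)} so the sample can be catalogued."""
    os.makedirs(out_dir, exist_ok=True)
    saved = {}
    for pid, _original in deleted_exe_processes(proc_root):
        src = os.path.join(proc_root, str(pid), "exe")
        dst = os.path.join(out_dir, f"{pid}.bin")
        try:
            with open(src, "rb") as fin, open(dst, "wb") as fout:
                shutil.copyfileobj(fin, fout)
        except OSError:
            continue
        with open(dst, "rb") as fh:
            saved[pid] = (dst, hashlib.sha256(fh.read()).hexdigest())
    return saved


def build_constructed_proc_tree():
    """Fabricate a /proc look-alike: pid 4242 points at an 'unlinked' file
    (a real file whose name carries the suffix, so the link still opens),
    pid 1 is a normal process, 'self' is a non-numeric entry. Constructed."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    body = b"\x7fELF constructed sample, not real malware\n"
    unlinked = os.path.join(root, "sample" + DELETED_SUFFIX)
    with open(unlinked, "wb") as fh:
        fh.write(body)
    os.makedirs(os.path.join(root, "4242"))
    os.symlink(unlinked, os.path.join(root, "4242", "exe"))
    os.makedirs(os.path.join(root, "1"))
    os.symlink("/bin/sh", os.path.join(root, "1", "exe"))
    os.makedirs(os.path.join(root, "self"))
    return root, body


def self_check():
    """Run the sweep against the constructed tree and report what it found."""
    root, body = build_constructed_proc_tree()
    hits = deleted_exe_processes(root)
    saved = recover_binaries(os.path.join(root, "recovered"), root)
    return {
        "hits": hits,
        "original": hits[0][1] if hits else None,
        "recovered_pids": sorted(saved),
        "sha256_matches": bool(saved) and saved[4242][1] == hashlib.sha256(body).hexdigest(),
    }


if __name__ == "__main__":
    print(self_check())           # constructed tree
    print(deleted_exe_processes())  # the live system (needs root to see all pids)
```

Run the sweep on a schedule shorter than the bot's lifetime; the copy is only possible while the process is alive, which is also why the page stresses that deleted files must be restored within a short period.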

How to Prevent Mirai Infection

Mirai keeps mutating, and the new variants are more flexible than the original and can exploit a wider range of targets, including enterprise-class wireless controllers, wireless presentation systems and digital signage, among others. Statistics show that about 21 percent of IoT devices are infected by the new Mirai variant.
So what measures should be taken to prevent infection?
First, take an inventory of all IoT devices connected to the network.
Second, change default passwords across the board.
Also, make sure every device connected to the network is running the latest patches.
Finally, create a comprehensive defense strategy that includes firewalls, VPNs, antivirus and anti-malware software, and even hire third-party security experts to ensure the security of enterprise systems. Companies without an in-house IT department should call in a security expert to deal with the formidable threat of Mirai.

Summary

The network structure of the Mirai botnet and the methods for tracking it have been introduced in detail above. Although honeypots are very effective for detecting Mirai, the Mirai source code has been released publicly and it continues to mutate, so how to deal with Mirai botnets remains a direction for future research.

Origin blog.csdn.net/zheng_zmy/article/details/106769690