OMG - Mirai Minions are Wicked
Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT-based malware. Attackers used Mirai to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services in 2016 [1]. Since the release of Mirai’s source code, IoT botnet authors have used it as a framework to build new malware, expanding the original code base with new capabilities and functionality while making some improvements.

In this blog post we’ll delve into four Mirai variants, Satori, JenX, OMG and Wicked, in which the authors have built upon Mirai and added their own flair. Satori leveraged remote code injection exploits to enhance the Mirai code, while JenX removed several features from the code and instead relies on external tools for scanning and exploitation. OMG was also added to the Mirai legacy. OMG adds a novel feature in the form of an HTTP and SOCKS proxy. These proxy features enable the infected IoT device to act as a pivot point: the bot author now has the flexibility to launch additional scans for new vulnerabilities, or additional attacks, without having to update the original binary. Depending on the type of IoT device and how it’s connected, the bot author can pivot into private networks that are connected to the infected IoT device.

The latest minion to hit the scene is Wicked. Wicked’s flair is the ability to target Netgear routers and CCTV-DVR devices that are vulnerable to remote code execution (RCE) flaws. Within the RCE exploit, Wicked includes instructions to download and execute a copy of the Owari bot. Because the scanning and exploitation of devices can be automated, any susceptible device can end up becoming part of the botnet.
- Satori bolts on remote code injection exploits to Mirai’s scanning feature.
- The JenX bot evolved from Mirai to include similar coding, and eliminated the scanning and exploitation capabilities.
- OMG bot, a recent entrant to the IoT malware scene, capitalizes on the Mirai source code and expands it to add HTTP and SOCKS proxy capabilities.
- Wicked, the latest Mirai minion, leverages RCE flaws to infect Netgear routers and CCTV-DVR devices. When vulnerable devices are found, a copy of the Owari bot is downloaded and executed.
IoT covers a wide range of devices, including (but not limited to):
- IP-based cameras
- cable/DSL modems
- DVR systems
- medical devices
Any embedded device that runs an operating system and has networking ability (can send and receive data over a network) can be considered an IoT device. IoT devices go to market quickly and at low cost. These factors leave them prone to the most basic types of vulnerabilities, including:
- hard-coded/default credentials
- buffer overflows
- command injection
Most consumer IoT devices contain these types of vulnerabilities. When patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, rising to 125 billion by 2030 according to new analysis from IHS Markit [2], they make an extremely attractive target for malware authors.
In the latter half of 2016, a high-visibility DDoS attack against a DNS hosting provider was observed, which affected a number of major online properties. The malware responsible for this attack, among others, was Mirai. Mirai built its massive infrastructure by using a telnet brute-force password attack against IP cameras and home routers. The credential list used by Mirai consisted of factory default credentials. On September 30, 2016 the source code for Mirai was published. Since then the Mirai source code has been a major influence on a slew of recent IoT-based botnets, explained in detail below.
NETSCOUT Arbor saw several variants of Satori in the wild from December 2017 through January 2018. Each of these variants used Mirai as its foundation. Variant 2 (977534e59c72dafd0160457d802f693d) used the default credential scanning, while variant 3 (440af2606c5dc475c9a2a780e086d665ca203f01) added the use of two remote code exploits. Variant 4 (9c677dd17279a43325556ec5662feba0) made the biggest splash, as it was the first IoT bot to target the ARC architecture. For this example, we’ll focus on Satori variant 3.

The third variant of Satori uses the same configuration table as Mirai (Figure 1 & Figure 2). Variant 3 also uses the same string obfuscation technique as Mirai and simply changes the XOR key to “0x07”. These same features can be found in OMG. In the case of OMG the author uses the XOR key “deadbeef,” as we’ll see later; “deadbeef” is the original key from the Mirai source code.

Figure 1: Satori configuration table (table_init) function

Figure 2: Mirai configuration table (table_init) function

We see the author expanding on the Mirai source code to include different exploits, such as the Huawei Home Gateway exploit shown in Figure 3.

Figure 3: Huawei Home Gateway exploit

The SHA1 for the Satori variant 3 sample referenced above is 440af2606c5dc475c9a2a780e086d665ca203f01; it was first submitted to VirusTotal on 12/05/2017.
JenX is another example of an IoT botnet whose underlying code originates with Mirai. JenX includes several of Mirai’s DDoS capabilities, uses the same configuration table, and includes the same string obfuscation technique. Figure 4 and Figure 5 compare the attack_udp_generic attack code in JenX and Mirai. OMG shares several similarities with JenX, but one area where OMG differs is its use of the HTTP DDoS attack inherited from Mirai: the HTTP DDoS attack has been removed from JenX but is still available in OMG.

Figure 4: attack_udp_generic DoS attack, JenX

Figure 5: attack_udp_generic DoS attack, Mirai

Instead of storing the C2 in the configuration table like Mirai, JenX hard codes the IP address of the CNC, as shown in Figure 6.

Figure 6: resolve_cnc_addr function

Notably, JenX removed the scanning and exploitation functions. A separate system handles this functionality, which is a major departure from Mirai, Satori, and OMG. Currently, JenX appears to focus only on DDoS attacks against players of the video game Grand Theft Auto San Andreas, as other researchers have noted. The SHA1 for the JenX sample referenced above is 5008b4a7048ee0a013465803f02cb9c4bffe9b02; it was first submitted to VirusTotal on 02/01/2018.
One of the most interesting Mirai spawns is the OMG botnet. As with the other botnets discussed, OMG uses Mirai as its framework and supports all of the functionality in Mirai. What makes OMG stand out is how the author expanded the Mirai code to include a proxy server. OMG incorporates 3proxy, which lets it run a SOCKS and an HTTP proxy server on the infected IoT device. With these two features, the bot author can proxy any traffic of their choosing through the infected IoT device, including additional scans for new vulnerabilities, additional attacks, or pivoting from the infected IoT device to other networks connected to it.

OMG leverages the same type of configuration table as Mirai, Satori, and JenX to enable or disable the iptables rules that allow access to the proxy servers. OMG adds two new entries to the configuration table to handle adding and removing these iptables rules (Figure 7).

Figure 7: OMG configuration table (table_init) function

Figure 8 is a snippet of the obfuscated iptables command referenced by the configuration table above. Using the XOR key “deadbeef” we can recover the deobfuscated iptables command (Figure 9).

Figure 8: OMG XOR’ed iptables command

Figure 9: OMG deobfuscated iptables command

Figure 10 is the function that controls the iptables rules. The retrieve command is used to access the configuration table values (Figure 7).

Figure 10: OMG iptables function

As shown in the figures above, the author of OMG has expanded on the original Mirai source code to handle the new proxy functionality. The SHA1 for the OMG sample referenced above is 0ed366c1af749cbda25ff396f28a6b7342d5dcd9; it was first submitted to VirusTotal on 1/15/2018.
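A host-side check that follows from the behaviour described above: because OMG exposes its proxy listeners by inserting iptables rules at run time, an unexpected inbound ACCEPT rule is a useful indicator on an embedded device. The script below is an added example, not code from this post or from OMG. It compares `iptables -S` output against a known-good baseline and reports newly reachable ports. Both rule sets are constructed here; ports 1080 and 3128 are 3proxy’s documented SOCKS and HTTP defaults used only as sample values, since the post does not say which ports OMG opens.

```python
# Added example (not code from the NETSCOUT Arbor post or from OMG): compare the
# live iptables rule set with a known-good baseline and report newly opened
# inbound ports, the footprint OMG's added table entries leave when the bot
# enables access to its 3proxy listeners.
import shlex

# Constructed `iptables -S` output for a device's expected ruleset.
BASELINE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed "live" output: the baseline plus two ACCEPT rules for proxy ports.
# 1080/3128 are 3proxy's documented defaults, used as sample values only; the
# post does not state which ports OMG opens.
LIVE_RULES = BASELINE_RULES + """\
-A INPUT -p tcp -m tcp --dport 1080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
"""


def parse_rules(text: str) -> set:
    """Normalise `iptables -S` lines into a set of token tuples so the
    comparison is order-independent (rule order matters for policy, not here)."""
    return {tuple(shlex.split(line)) for line in text.splitlines() if line.strip()}


def diff_rules(baseline: str, live: str):
    """Return (added, removed) rule tuples relative to the baseline."""
    base, now = parse_rules(baseline), parse_rules(live)
    return sorted(now - base), sorted(base - now)


def exposed_ports(rules):
    """Pick INPUT ACCEPT rules that carry a --dport and return (proto, port)
    pairs; the port is kept as text so ranges such as 1080:1090 survive."""
    found = []
    for rule in rules:
        if "-A" not in rule or rule[rule.index("-A") + 1] != "INPUT":
            continue
        if "-j" not in rule or rule[rule.index("-j") + 1] != "ACCEPT":
            continue
        if "--dport" not in rule:
            continue
        proto = rule[rule.index("-p") + 1] if "-p" in rule else "any"
        found.append((proto, rule[rule.index("--dport") + 1]))
    return sorted(found)


def audit(baseline: str, live: str) -> dict:
    """Full report: added/removed rules and the inbound ports the additions open."""
    added, removed = diff_rules(baseline, live)
    return {"added": added, "removed": removed, "new_inbound_ports": exposed_ports(added)}


if __name__ == "__main__":
    # On a real host, feed the stdout of `iptables -S` in as `live`.
    report = audit(BASELINE_RULES, LIVE_RULES)
    for rule in report["added"]:
        print("ADDED  ", " ".join(rule))
    print("new inbound ports:", report["new_inbound_ports"])
```

Run periodically (or from a file-integrity or config-management agent), a non-empty `new_inbound_ports` on a device that should only answer on its management port is worth an alert regardless of which malware family put the rule there.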
Wicked is the latest Mirai minion to rear its ugly head. Similar to Satori variant 3, Wicked trades Mirai’s credential scanning function for its own RCE scanner. Wicked’s RCE scanner targets Netgear routers and CCTV-DVR devices. Figure 11 is an excerpt of the scanner function in which the RCE payloads are defined.

Figure 11: RCE exploits

Wicked continues the long-standing tradition of using Mirai’s string obfuscation technique. As with the minions before it, Wicked also switches the XOR key away from “0xdeadbeef”. As shown in Figure 12, the obfuscated strings end in “0x37”. Since C character strings are null terminated, the obfuscated terminator is simply the key byte, so this is a good indication that Wicked uses “0x37” as its XOR key.

Figure 12: Wicked’s obfuscated strings

Using the XOR key “0x37”, we can decode the obfuscated strings. While reviewing the decoded strings the following ASCII art was found:
- “echo '¯\_(ツ)_/¯ Oh hey there... Looks like I might of inected your device.' >> /wicked.txt.”
Wicked writes the messages to the following locations:
At this point these files do not appear to be used by Wicked. They may be used as a calling card by the author. The SHA1 for the Wicked sample referenced above is b8e8c107d242cc0b7516cf7908b67e108a7d927e; it was first submitted to VirusTotal on 5/05/2018.
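The string obfuscation shared by Satori, OMG and Wicked, and the null-terminator trick used above to infer Wicked’s key, can be reproduced in a few lines. The script below is an added example, not code from this post or from any of the samples. It follows the public Mirai source (table.c), where `table_key` is 0xDEADBEEF and `toggle_obf()` XORs each byte with all four key bytes in turn, which collapses to a single key byte; the sample table entries are constructed here, encoded with the 0x37 key the post attributes to Wicked, not dumped from a real binary.

```python
# Added example (not code from the NETSCOUT Arbor post or from the Mirai,
# Satori, OMG or Wicked samples): Mirai-style table string obfuscation, plus the
# null-terminator heuristic for recovering a variant's XOR key.
from collections import Counter

# In the public Mirai source (table.c) table_key is 0xDEADBEEF and toggle_obf()
# XORs every byte with each of the four key bytes in turn.
MIRAI_TABLE_KEY = 0xDEADBEEF


def effective_key_byte(key32: int) -> int:
    """b ^ k1 ^ k2 ^ k3 ^ k4 == b ^ (k1 ^ k2 ^ k3 ^ k4), so the 32-bit key
    collapses to one byte: 0x22 for 0xDEADBEEF."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key32 >> shift) & 0xFF
    return k


def toggle_obf(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Mirai's toggle_obf(): the same call both obfuscates and deobfuscates."""
    k = effective_key_byte(key32)
    return bytes(b ^ k for b in data)


def encode_entry(plaintext: str, key_byte: int) -> bytes:
    """Store a string the way table_init() does: the terminating NUL is part of
    the obfuscated buffer, so the final byte is 0x00 ^ key_byte == key_byte."""
    return bytes(b ^ key_byte for b in plaintext.encode("latin-1") + b"\x00")


def decode_entry(blob: bytes, key_byte: int) -> str:
    """Undo encode_entry() and drop the recovered NUL terminator."""
    plain = bytes(b ^ key_byte for b in blob)
    return plain.rstrip(b"\x00").decode("latin-1")


def guess_key_from_terminators(entries) -> int:
    """Every entry ends in an obfuscated NUL, so the most common final byte
    across a variant's table is the key byte (the Figure 12 reasoning)."""
    return Counter(blob[-1] for blob in entries).most_common(1)[0][0]


def recover_table(entries):
    """Infer the key from the terminators, then decode every entry with it."""
    key = guess_key_from_terminators(entries)
    return key, [decode_entry(e, key) for e in entries]


# Constructed sample table: a few strings of the kind Mirai keeps in its table,
# encoded with the 0x37 key the post attributes to Wicked. These bytes are made
# up for the example, not dumped from a sample.
SAMPLE_STRINGS = ["/bin/busybox", "/proc/", "listening tun0", "/wicked.txt"]
WICKED_STYLE_TABLE = [encode_entry(s, 0x37) for s in SAMPLE_STRINGS]


if __name__ == "__main__":
    print(f"Mirai key 0x{MIRAI_TABLE_KEY:08x} collapses to byte "
          f"0x{effective_key_byte(MIRAI_TABLE_KEY):02x}")
    key, strings = recover_table(WICKED_STYLE_TABLE)
    print(f"inferred key 0x{key:02x}: {strings}")
```

Against an unpacked sample, the same approach works on the byte arrays passed to the table-initialisation function: collect their last bytes, take the most frequent value as the key, and decode. Entries that decode to readable ASCII confirm the guess; a variant that also changes the terminator handling would show up as a table whose last bytes do not agree.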
Mirai DDoS attack types
All of the aforementioned IoT botnets use the same attack types supported by the original Mirai source code. The following DDoS capabilities exist in Mirai and OMG:
- TCP flooding
- UDP flooding
- Valve Source Engine (VSE) query-flooding
- pseudo-random DNS label-prepending attacks (also known as DNS ‘Water Torture’ attacks)
- HTTP GET, POST, and HEAD attacks
NOTE: Satori, JenX, and Wicked support the same DDoS capabilities, except for the HTTP attacks.
Mirai DDoS Defense
All relevant network infrastructure, host/application/service, and DNS Best Current Practices (BCPs) should be implemented by network operators with public-facing network infrastructure and/or Internet properties. Organizations that use NETSCOUT Arbor SP may ingest flow telemetry (e.g., NetFlow, IPFIX, sFlow, cflowd/jflow, NetStream, et al.) into the appliance, which provides the ability to detect, classify, and trace back DDoS attack traffic. Flow telemetry is used to identify the IP addresses of the attacking IoT devices and the attack type(s) used. If the attacker is using non-spoofed DDoS attacks, the IP addresses of the attacking IoT devices can be blocked using black-/white-lists on NETSCOUT Arbor APS/TMS. In addition to existing capabilities to rapidly detect, classify, trace back, and mitigate DDoS attacks launched by these IoT botnets, the latest release of NETSCOUT Arbor SP/TMS provides additional enhancements that deliver increased levels of automation and provisioning.
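To make the flow-telemetry step concrete, the script below is an added example (not code from this post, nor from Arbor SP or any other product) that groups NetFlow-style records by victim, labels the dominant traffic with the Mirai attack routine it most resembles, and lists the source addresses behind it for blocklisting where the attack is not spoofed. The attack names (attack_udp_vse, attack_udp_dns, attack_app_http, attack_tcp_syn and so on) are the routines in the public Mirai source covering the list above; the port and TCP-flag heuristics, the threshold and the sample flows are constructed for the example and are not from the post.

```python
# Added example (not code from the NETSCOUT Arbor post or from Arbor SP): a
# minimal flow-telemetry triage for the Mirai attack types listed in the post.
# Port/flag heuristics, threshold and sample flows are constructed.
from collections import defaultdict

PKT_THRESHOLD = 1000  # constructed: packets per victim above this count as an attack

# Constructed NetFlow-like records: (src, dst, proto, dport, pkts, tcp_flags)
# tcp_flags uses tcpdump letters: S = SYN, A = ACK, P = PSH ("" for UDP).
SAMPLE_FLOWS = [
    # VSE query flood against a game server
    ("203.0.113.10", "198.51.100.5", "udp", 27015, 4000, ""),
    ("203.0.113.11", "198.51.100.5", "udp", 27015, 3500, ""),
    ("203.0.113.12", "198.51.100.5", "udp", 27015, 2800, ""),
    # DNS "water torture" against an authoritative server
    ("203.0.113.20", "198.51.100.53", "udp", 53, 9000, ""),
    ("203.0.113.21", "198.51.100.53", "udp", 53, 8800, ""),
    # HTTP flood: handshake completed, request data pushed
    ("203.0.113.30", "198.51.100.80", "tcp", 80, 5000, "PA"),
    ("203.0.113.31", "198.51.100.80", "tcp", 80, 4700, "PA"),
    # smaller SYN flood against the same web host
    ("203.0.113.40", "198.51.100.80", "tcp", 80, 1200, "S"),
    # ordinary traffic that stays below the threshold
    ("192.0.2.7", "198.51.100.99", "tcp", 443, 40, "PA"),
]


def classify(proto: str, dport: int, flags: str) -> str:
    """Map a (proto, dport, flags) profile to the Mirai routine it resembles.
    Heuristic only: VSE servers listen on UDP/27015, DNS on UDP/53, an HTTP
    flood completes the handshake and pushes data, a SYN flood never does."""
    if proto == "udp":
        if dport == 53:
            return "DNS water torture (attack_udp_dns)"
        if dport == 27015:
            return "VSE query flood (attack_udp_vse)"
        return "UDP flood (attack_udp_generic)"
    if proto == "tcp":
        if dport in (80, 443) and "P" in flags and "A" in flags:
            return "HTTP flood (attack_app_http)"
        if flags == "S":
            return "TCP SYN flood (attack_tcp_syn)"
        return "TCP ACK/STOMP flood (attack_tcp_ack / attack_tcp_stomp)"
    return "other"


def triage(flows, threshold: int = PKT_THRESHOLD) -> dict:
    """Per victim above the threshold: attack label for the dominant traffic
    profile and the sources of that profile, busiest first."""
    by_dst = defaultdict(list)
    for rec in flows:
        by_dst[rec[1]].append(rec)

    report = {}
    for dst, recs in by_dst.items():
        total = sum(r[4] for r in recs)
        if total < threshold:
            continue
        # Dominant (proto, dport, flags) profile by packet volume.
        profile = defaultdict(int)
        for _, _, proto, dport, pkts, flags in recs:
            profile[(proto, dport, flags)] += pkts
        proto, dport, flags = max(profile, key=profile.get)
        # Sources contributing to that profile, ranked for blocklist candidates.
        per_src = defaultdict(int)
        for src, _, p, d, pkts, fl in recs:
            if (p, d, fl) == (proto, dport, flags):
                per_src[src] += pkts
        report[dst] = {
            "type": classify(proto, dport, flags),
            "pkts": total,
            "sources": sorted(per_src, key=per_src.get, reverse=True),
        }
    return report


if __name__ == "__main__":
    for dst, info in triage(SAMPLE_FLOWS).items():
        print(f"{dst}: {info['type']}, {info['pkts']} pkts, sources {info['sources']}")
```

The source list is only actionable for the non-spoofed cases the post mentions (the TCP application-layer and VSE/DNS query floods, where the bot needs to complete a handshake or receive a reply); for a SYN flood or generic UDP flood with forged sources, the per-victim classification still tells the operator which countermeasure to apply, but the addresses should not be fed into a blocklist.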
Using Mirai as a framework, botnet authors can quickly add new exploits and functionality, dramatically decreasing the development time for botnets. The Mirai source is not limited to DDoS attacks: a variant of Satori was discovered that attacks Ethereum mining clients [3]. As seen with the four samples covered above, botnet authors are already using the Mirai source code as their building blocks. As the explosion of IoT devices does not look to be slowing down, we believe we’ll continue to see increases in IoT botnets, and we are likely to see remnants of Mirai live on in these new botnets as well. Malware authors will continue to leverage IoT-based malware in an automated fashion, quickly increasing botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet-facing devices. It is important for organizations to apply proper patching, updates, and DDoS mitigation strategies to defend themselves.
- Arbor Networks - DDoS Experts