Tracking Mirai variants

Friday 5 October 09:30 - 10:00, Red room

Ya Liu (Qihoo)
Hui Wang (Qihoo)



Mirai, the infamous DDoS botnet family known for its destructive power, was made open source soon after being found by MalwareMustDie in August 2016. This made it easy for other threat actors to craft new DDoS malware from its code, which we call Mirai variants. Our data shows that such crafting has not stopped since September 2016. Some variants, such as Mirai.Satori, were even equipped with more effective distribution methods and returned Mirai to the centre of public attention by turning hundreds of thousands of IoT devices into zombies in a very short time. In the post-Mirai era, fighting the new threats posed by Mirai and its variants will be routine work for the security community, and keeping a close watch on variant development helps us do that work better.

We began tracking Mirai and its variant botnets soon after it was found, and as of March 2018 we have collected over 16,000 Mirai samples. Detailed studies have been carried out on the collected samples in terms of configuration, C&C communication, attack methods, scanning and the username/password dictionaries used for brute forcing. We have also attempted to detect and classify variants automatically, and have found dozens of them. We believe this analysis will help to better fight future Mirai threats and uncover the actors behind them.

Some preliminary findings include:

  • How many Mirai variants exist.
  • Whether the C&C communication changed among variants.
  • Which attack methods were retained by the various variants, and what new methods were added.
  • How the variants update the scanning module by targeting non-Telnet ports and adding new usernames/passwords to the dictionary used for brute-force attacks.
  • Whether the configuration encryption algorithm was changed and what keys were used.
  • How the configuration varied among variants in terms of size and contents.
  • Whether it's possible to correlate a fresh Mirai sample to its variant family in an automatic way.
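The dictionary and configuration items above (new credentials in the brute-force dictionary, whether the configuration encryption and its keys changed, how the configuration contents vary) all come down to the same first step in practice: undoing Mirai's string obfuscation. The following is an added example written for this page, not code from the talk or from Qihoo. It relies only on what the leaked Mirai source does: table.c and scanner.c XOR every byte of the configuration table and of each add_auth_entry() credential with the four bytes of a 32-bit key, 0xdeadbeef in the original, which collapses to a single-byte XOR with 0xde ^ 0xad ^ 0xbe ^ 0xef == 0x22. A variant that only swapped the key is therefore recoverable by trying all 256 single-byte keys against a few strings almost every build contains; a variant that replaced the algorithm is not, and the code returns no key in that case rather than a wrong one. The sample blob and the C&C name in it are constructed for the example; the one credential pair is copied from the leaked scanner.c.

```python
"""Mirai configuration/dictionary deobfuscation and XOR key recovery.

Added example for this page, not the speakers' code. Based on the leaked
Mirai source: table.c (config table) and scanner.c (credential list) XOR
each byte in turn with the four bytes of a 32-bit key, 0xdeadbeef in the
original, which is the same as XOR with the single byte 0x22.
"""
import string
from typing import Optional, Sequence, Tuple

MIRAI_TABLE_KEY = 0xDEADBEEF  # key used by the leaked table.c / scanner.c

# Plaintext fragments present in the original Mirai source that survive in
# nearly every build; a key that exposes one of them is almost certainly right.
KNOWN_PLAINTEXT: Sequence[bytes] = (
    b"/bin/busybox",
    b"/dev/watchdog",
    b"TSource Engine Query",
    b"listening tun0",
)


def effective_key(key32: int) -> int:
    """Collapse Mirai's 4-byte toggle_obf() key into the single byte it amounts to."""
    return (key32 & 0xFF) ^ ((key32 >> 8) & 0xFF) ^ ((key32 >> 16) & 0xFF) ^ ((key32 >> 24) & 0xFF)


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key for b in data)


def toggle_obf(data: bytes, key32: int = MIRAI_TABLE_KEY) -> bytes:
    """Mirai's toggle_obf(): XOR with each key byte in turn, i.e. with effective_key()."""
    return xor1(data, effective_key(key32))


def recover_key(blob: bytes, markers: Sequence[bytes] = KNOWN_PLAINTEXT) -> Optional[int]:
    """Brute-force the 256 single-byte keys; return the first that exposes a marker.

    Returns None when no key works, which is what a variant that changed the
    algorithm (not just the key) looks like, so callers must handle it.
    """
    for key in range(256):
        decoded = xor1(blob, key)
        if any(marker in decoded for marker in markers):
            return key
    return None


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found, run = [], bytearray()
    for b in data:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode())
    return found


def decode_auth_entry(user: bytes, password: bytes, key32: int = MIRAI_TABLE_KEY) -> Tuple[str, str]:
    """Decode one scanner.c add_auth_entry(user, pass, weight) credential pair."""
    return toggle_obf(user, key32).decode(), toggle_obf(password, key32).decode()


def analyse(blob: bytes) -> dict:
    """Recover the key for an obfuscated blob and list the strings it hides."""
    key = recover_key(blob)
    if key is None:
        return {"key": None, "strings": []}
    return {"key": key, "strings": extract_strings(xor1(blob, key))}


# Constructed sample: NUL-separated config strings obfuscated with the original
# key. The C&C hostname is a placeholder, not taken from any real sample.
SAMPLE_CONFIG = b"\x00".join(
    [b"cnc.example.invalid", b"/bin/busybox", b"/dev/watchdog", b"listening tun0"]
)
SAMPLE_BLOB = toggle_obf(SAMPLE_CONFIG)

# First credential pair exactly as written in the leaked scanner.c (root / xc3511).
LEAKED_ROOT_ENTRY = (b"\x50\x4D\x4D\x56", b"\x5A\x41\x11\x17\x13\x13")


if __name__ == "__main__":
    result = analyse(SAMPLE_BLOB)
    print("recovered single-byte key: 0x%02x" % result["key"])
    for s in result["strings"]:
        print("   ", s)
    print("scanner.c entry decodes to: %s / %s" % decode_auth_entry(*LEAKED_ROOT_ENTRY))
```

Run against the obfuscated region of a real sample (for instance the bytes between the first and last table entries in .rodata), the recovered key is a cheap first clustering feature: samples sharing a key are likely from the same builder, and a blob that yields no key is a candidate for a variant that changed the scheme itself and needs manual work.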