Friday 5 October 09:30 - 10:00, Red room
Ya Liu (Qihoo)
Hui Wang (Qihoo)
Mirai, the infamous DDoS botnet family known for its great destructive power, was made open source soon after being found by MalwareMustDie in August 2016. This made it easy for other threat actors to craft new DDoS malware, which we call Mirai variants. Our data shows that such crafting work has not stopped since September 2016. Some variants, such as Mirai.Satori, were even equipped with more effective distribution methods and returned Mirai to the centre of public attention for being able to turn hundreds of thousands of IoT devices into zombies in a very short time. In the post-Mirai era, fighting the new threats posed by Mirai and its variants will be routine work for the security community, and keeping a tight watch on variant development will help us do that work better.
We began tracking Mirai and its variant botnets soon after it was found, and as of March 2018 we have collected over 16,000 Mirai samples. Detailed studies have been carried out on the collected samples in terms of configurations, C&C communication, attack methods, scanning and its username/password dictionaries. Attempts to automatically detect and classify variants have also been made, with dozens of variants found. We think the analysis we have done would help to better fight future Mirai threats and uncover the actors behind it.
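One way to turn the per-sample analysis described above into an automatic variant grouping is to compare the username/password dictionaries extracted from each sample and cluster samples whose dictionaries largely overlap. The script below is an added illustration of that idea, not the authors' tooling or the talk's actual method; it assumes the credential list of each sample has already been extracted into a set of "user:pass" strings, and every sample name and credential in it is a constructed placeholder rather than a real indicator.

```python
"""Group Mirai-style samples into candidate variants by comparing the
credential dictionaries their scanners carry.

Assumptions (illustrative, not the talk's method): each sample has been
unpacked and its username/password list extracted into a set of
"user:pass" strings. All names and credentials below are constructed.
"""
from itertools import combinations


def jaccard(a, b):
    """Jaccard similarity |A & B| / |A | B|; 0.0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_by_dictionary(samples, threshold=0.6):
    """Single-linkage clustering with union-find: two samples land in the
    same cluster when the Jaccard similarity of their dictionaries is at
    least `threshold`. Returns a sorted list of sorted sample-name lists."""
    names = sorted(samples)
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(names, 2):
        if jaccard(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)

    clusters = {}
    for n in names:
        clusters.setdefault(find(n), []).append(n)
    return sorted(sorted(c) for c in clusters.values())


def novel_credentials(samples, baseline):
    """Credentials each sample carries that the baseline dictionary (for
    instance the one shipped in the leaked source) lacks. A non-empty
    result flags a variant whose author added new device defaults."""
    return {name: sorted(creds - baseline) for name, creds in samples.items()}


# Constructed baseline dictionary standing in for the original Mirai list.
BASELINE = {"root:pass1", "admin:pass2", "user:pass3", "root:pass4", "guest:pass5"}

# Constructed sample set: a/b reuse the baseline, c/d share a different list.
SAMPLES = {
    "sample_a": set(BASELINE),
    "sample_b": BASELINE | {"root:newpass1"},
    "sample_c": {"root:pass1", "admin:pass2", "support:other1",
                 "service:other2", "tech:other3", "admin:other4"},
    "sample_d": {"root:pass1", "admin:pass2", "support:other1",
                 "service:other2", "tech:other3", "admin:other4", "root:other5"},
}

if __name__ == "__main__":
    for group in cluster_by_dictionary(SAMPLES):
        print("variant cluster:", ", ".join(group))
    for name, extra in novel_credentials(SAMPLES, BASELINE).items():
        print(f"{name}: {len(extra)} credential(s) not in baseline")
```

The threshold is deliberately a parameter: a dictionary-only grouping will merge variants that changed their exploits but kept the credential list, so in practice the same clustering would be run over several feature sets (configuration strings, C&C protocol details, attack methods) and the results compared.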
Some preliminary findings include: