Friday 5 October 09:30 - 10:00, Red room
Ya Liu (Qihoo)
Hui Wang (Qihoo)
Mirai, the infamous DDoS botnet family known for its great destructive power, was made open source soon after being found by MalwareMustDie in August 2016. This made it easy for other threat actors to craft new DDoS malware which we call Mirai variants. Our data shows that such crafting work has not stopped since September 2016. Some variants, such as Mirai.Satori, were even equipped with more effective distribution methods and returned Mirai to the centre of public attention for being able to turn hundreds of thousands of IoT devices into zombies in a very short time. In the post-Mirai era it would be routine work for the security community to fight new threats posed by Mirai and its variants. Keeping a tight watch on the variant development would help us deliver a better performance.
We began tracking Mirai and its variant botnets soon after it was found, and as of March 2018 we have collected over 16,000 Mirai samples. Detailed studies have been carried out on the collected samples in terms of configurations, C&C communication, attack methods, scanning and its username/password dictionaries. Attempts to automatically detect and classify variants have also been made, with dozens of variants found. We think the analysis we have done would help to better fight future Mirai threats and uncover the actors behind it.
Some preliminary findings include:
Ya Liu has over eight years of network security experience in honeypot development, malware and botnet analysis. Currently he works at netlab.360.com as a threat analyser on botnet detection and tracking. Before joining Qihoo 360 he worked at NSFOCUS on honeypot development and malware analysis.
Hui Wang is a sofware engineer with a passion for honeypot development. He has a wealth of experience in web development and data analysis. Now he works at netlab.360.com on large-scale honeypot deployment and related threat mining.
Zoltan Balazs (MRG Effitas)
Jose Miguel Esparza (Blueliv)
Norm Ritchie (Secure Domain Foundation)