Hunting Mirai Control Servers Using Known Shell Scripts
The Mirai Botnet hit the Internet hard in late 2016, infecting hundreds of thousands of Internet of Things (IoT) devices and attacking several high-profile targets with distributed denial-of-service (DDoS) attacks. Effectively, the botnet made several popular sites like AirBnB, Twitter, Github, Reddit, Netflix, and many others inaccessible for most of the East coast, which led investigators to believe that a nation-state was behind the attack at first. Lo and behold, the attackers were actually students who wanted to see if they could get ahead in Minecraft by attacking Sony Playstation’s name servers. The students assert that they didn’t intend to cause the massive disruption that they did.
Regardless of the intention, many modern botnets like Mirai rely on unreliable and insecure IoT devices. Pressures mount for IoT manufacturers to be “first in the market” and to develop devices at the lowest possible cost and, as a result, devices are released with insecurities and problems built in, making them easy targets for attackers.
While the number of devices controlled by Mirai malware has shrunk, these devices have not been secured. Rather, other, more advanced bots have begun to take over IoT devices, slowly building an army of bots that can be used for similar if not more devastating attacks. We set out to find servers that host Mirai-like malware using some commonly known traits and searching the Internet for anything that looks suspicious. We’ll walk you through the process below.
Finding Mirai Control Servers with Censys
Mirai infects new devices by installing a piece of malware. The binary---the piece of malware itself---is typically downloaded from an attacker-controlled web server. Interestingly, there are some common traits among the control servers used for hosting this malware for download, and some descendants of the Mirai malware share them, which can be useful for locating similar malware across the Internet (and, potentially, in your own environment). For this article, we focused on a shell script named “bins.sh” and an open directory on a web server as our indicators to search on.
This Censys search looks at web servers with some strings we see in these situations: “Index Of” (e.g. the default Apache directory index page) and the presence of a filename “bins.sh” in a hit:
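The same two indicators can be checked locally against a page you already have, for example a response captured by a proxy or a crawler. The following Python is an added example, not code from the original post or from Censys; it parses an Apache-style directory listing (a constructed sample, with placeholder file names) and reports whether the page is a directory index that lists bins.sh, along with the files it advertises.

```python
"""Check an HTTP response body for the two indicators: a directory index page and a bins.sh entry."""
import re
from html.parser import HTMLParser

INDEX_TITLE = re.compile(r"<title>\s*Index of", re.IGNORECASE)
DROPPER_SCRIPT = "bins.sh"


class _LinkCollector(HTMLParser):
    """Collect href values from <a> tags; Apache's mod_autoindex emits one per entry."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def listed_files(body):
    """Return the plain file entries from a directory listing, skipping sort links,
    the parent-directory link and subdirectories."""
    parser = _LinkCollector()
    parser.feed(body)
    return [h for h in parser.hrefs
            if not h.startswith(("?", "/", "../")) and not h.endswith("/")]


def classify(body):
    """Return a dict describing which indicators the page matches."""
    files = listed_files(body)
    is_index = bool(INDEX_TITLE.search(body))
    has_dropper = DROPPER_SCRIPT in files
    return {
        "directory_index": is_index,
        "has_bins_sh": has_dropper,
        "files": files,
        "match": is_index and has_dropper,
    }


# Constructed sample of an open directory listing; file names are placeholders,
# not real sample names from the post.
SAMPLE_DROP_PAGE = """<html><head><title>Index of /</title></head>
<body><h1>Index of /</h1>
<a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="bins.sh">bins.sh</a>
<a href="sample.arm">sample.arm</a>
<a href="sample.mips">sample.mips</a>
</body></html>"""

# Constructed benign listing: a directory index without the dropper script.
SAMPLE_BENIGN_PAGE = """<html><head><title>Index of /docs</title></head>
<body><a href="/">Parent Directory</a><a href="readme.txt">readme.txt</a></body></html>"""


if __name__ == "__main__":
    for label, page in (("drop page", SAMPLE_DROP_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(label, classify(page))
```

The filename check is deliberately exact: a listing that merely mentions the string in free text would not count, only an actual link to bins.sh. Treat a match as a lead for manual review, as the post does, rather than as a verdict.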
Searching today brings up about a dozen servers hosting the malware for installation — a small enough set of results that we can manually review them. Here’s one on a host in Moscow. Note that when we were researching for this post, this host was active; it has since been removed (success for security!). It’s still a useful example for us to examine:
Sure enough, when we visited that page we found the Mirai executable compiled for various architectures and processors found on servers and embedded Linux devices like routers, DVRs, and more.
While gathering more evidence about this page, we downloaded the files and evaluated them using the multi-AV tool at VirusTotal. They did, in fact, come back with a negative reputation on VirusTotal.
It’s great to see that in the span of a few days, this IP was killed and the threat remediated, though this is just one threat removed and the search is still helpful for threat hunters.
This list of URLs that Censys uncovers is, of course, useful for hosting providers who want to ensure their networks are clean, but also for any network security operator from a threat hunting perspective. If you have flow or proxy logs from network monitoring that capture outbound traffic and those logs show clients that contacted these servers, those clients are most likely infected.
How to determine if any of this malware is a threat to your organization
These results can be used as a piece of threat data to hunt your network for infections by cross-referencing these search results with your outbound flow logs, proxy logs, or even for the binary hashes in transaction logs. Basically, what you’re looking for is whether there are clients in your network hitting Mirai distribution sites. If you find any, investigate them immediately for signs of compromise. Using a search such as this can provide some additional threat data that might have been otherwise unavailable because these samples didn’t yet hit a honeypot.
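The cross-referencing step described above, written out as an added example that is not part of the original post or of any Censys tooling: it parses Squid-style proxy log lines (a constructed sample) and flags internal clients that fetched anything from a known distribution host, and separately matches SHA-256 values from a download transaction log against known-bad hashes. The indicator addresses are RFC 5737 documentation addresses and the hash is derived from constructed bytes; in practice both sets would be populated from the Censys results and the VirusTotal lookups.

```python
"""Hunt outbound proxy logs and download hashes for contact with Mirai distribution servers."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed indicator set (RFC 5737 documentation addresses), standing in for the
# hosts uncovered by the Censys search.
DISTRIBUTION_HOSTS = {"203.0.113.10", "198.51.100.7"}

# Constructed known-bad hash: the SHA-256 of placeholder bytes, not of a real sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed placeholder sample").hexdigest()}

# Squid native access.log layout: timestamp elapsed client code/status bytes method URL ...
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return the fields we need from one proxy log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def hunt_proxy_log(lines, hosts=DISTRIBUTION_HOSTS):
    """Return {client: [urls]} for every client that fetched from a known distribution host."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).hostname
        if host in hosts:
            hits.setdefault(rec["client"], []).append(rec["url"])
    return hits


def hunt_hashes(transactions, bad=KNOWN_BAD_SHA256):
    """transactions: iterable of (client, sha256_hex). Return sorted clients that
    downloaded a known-bad binary, regardless of which server served it."""
    return sorted({client for client, digest in transactions if digest.lower() in bad})


# Constructed proxy log lines in Squid native format.
SAMPLE_PROXY_LOG = [
    "1700000000.123     45 10.0.0.5 TCP_MISS/200 1234 GET http://203.0.113.10/bins.sh - HIER_DIRECT/203.0.113.10 text/plain",
    "1700000001.456     12 10.0.0.9 TCP_MISS/200 5000 GET http://example.com/index.html - HIER_DIRECT/- text/html",
    "1700000002.789     30 10.0.0.5 TCP_MISS/200 88000 GET http://198.51.100.7/sample.mips - HIER_DIRECT/198.51.100.7 application/octet-stream",
    "this line is not a valid log record",
]

# Constructed download transaction log: (client, sha256 of the fetched body).
SAMPLE_TRANSACTIONS = [
    ("10.0.0.9", hashlib.sha256(b"harmless document").hexdigest()),
    ("10.0.0.5", hashlib.sha256(b"constructed placeholder sample").hexdigest()),
]


if __name__ == "__main__":
    print("clients contacting distribution hosts:", hunt_proxy_log(SAMPLE_PROXY_LOG))
    print("clients with known-bad downloads:", hunt_hashes(SAMPLE_TRANSACTIONS))
```

Matching on the URL's hostname rather than a substring avoids false hits on unrelated URLs that merely contain the address in a query string, and the hash check catches the same binary served from a host that is not yet in the indicator list. Any client that appears in either result is a candidate for the immediate investigation the post recommends.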
Further reading on the Mirai Botnet
A full-length paper on finding Mirai using Censys’ Internet data was presented at the 26th USENIX Security Symposium, where the authors did “a seven-month retrospective analysis of Mirai’s growth to a peak of 600k infections and a history of its DDoS victims.” Using Censys data, the researchers (including several of Censys’ founders) were able to understand the types of devices that were infected by Mirai and study the malware’s behavior and track its activities.
If you’re interested in really understanding the full impact of Mirai, this should be your go-to resource. You can watch their presentation and read the full research paper to understand the Mirai botnet, what can be learned from this attack, and how the attack has broken new ground, requiring a significant shift in how we think about security going forward. The impact reaches far beyond this one attack that disrupted our Internet usage back in 2016.
On a somewhat related topic, you might be interested in our blog about finding Magecart malware with Censys.