记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

Mirai Source Code Analysis Report

2016-10-20 08:45

As shown in Figure 1, there are two folders. The loader folder, as its name implies, is a loader that creates servers and monitors the status of connections.

Code Structure

As shown in Figure 1, there are two folders. The loader folder, as its name implies, is a loader that creates servers and monitors the status of connections. The mirai folder implements major malicious functions, including such tool implementations as establishing network connections, executing DDoS attacks, and downloading data, and operations from the main control terminal.

Code structure

Code structure

Infection Path

Attackers can use an SSH or Telnet account and default passwords to compromise Internet of Things (IoT) devices.

Function Implementation

The source code reveals that the following malicious functions can be implemented:

  • bot folder: performs such operations as anti-debugging, hiding of its own process, configuration of initial port numbers for domain names, configuration of default weak passwords, establishment of network connections, and DDoS execution.
  • tools folder: performs tool-based operations such as wget, file updating, and XOR operations.
  • cnc folder: monitors the successfully infected bots from the main control terminal, parses instructions as a receiver, and launches DDoS attacks.

When implementing functions, the code in the bot folder opens PF_INET (TCP raw socket for UNIX networks) and binds it to TCP port 48101 at the local host IP address of 127.0.0.1. Then it can listen for incoming connections. When one device on a network is infected, the infection will spread to other devices on the same network via the Telnet service.

bot Folder

In terms of functionality, the code in the bot folder can perform the following operations:

Anti-GDB debugging, CC address parsing, establishment of network connections, and DDoS execution.

If detecting GDB debugging, the program deletes its own execution file, prevents the watchdog from restarting the device, and prompts a CC address connection failure.

To ensure that each time only one instance is running (by connecting to the local port 48101) and kill the process corresponding to port 48101:

To hide the process:

To initialize attack type parameters and provide various attack types (UDP, VSE, DNS, SYN, and other DDoS attack types) for attackers to choose:

To initialize port settings by shutting down ports to terminate other processes that use Telnet, SSH, and HTTP services and prevent them from restarting:

To initialize scanning parameters and scan other devices on the LAN with weak passwords and with port 23 opened:

The cryptographic algorithm for user names and passwords is as follows:

When detecting a new instance running, the program kills its own process and stops scanning and all attack tasks.

Connected Domain Names and Port Numbers

The connected domain names and port numbers are hardcoded into source code. In this case, domain name strings can be decrypted by using the algorithm shown in enc.c in the tools folder.

The target is devices that use busybox.

DDoS Attack Methods

User Name and Password Configuration

cnc Folder

The code in this folder listens for ports 23 and 101 and performs different operations accordingly from the main control terminal.

When listening for port 23, the program determines what to do next based on the received data. If the received data contains 4 bytes, which are 00 00 00 x (x > 0), the program determines that such data is from a bot and adds the related host as a new bot. Otherwise, the program finds out whether access with an admin account is allowed. After successful login, an attacker can create admin accounts and configure bots and bot hosts by using different commands.

When port 101 is involved, the program parses the received information to obtain commands for launching a new round of attack. Attacks that can be launched include UDP, DNS, SYN, ACK, STOMP, GRE IP, GRE Ethernet, and HTTP floods and Valve Source Engine (VSE) specific floods.

tools Folder

Single_Load.c That Loads Files

Execution result

Execution result

Wget.c That Obtains Remote Files

 

Execution result

Execution result

Nogdb.c That Updates File Information

 

Execution result1

Execution result1

Execution result2

Execution result2

Badbot.c That Displays Information of a Specified Bot

Enc.c

XOR algorithm:

loader Folder

The code in this folder serves to create a server and monitor the status of connections.

Workarounds

Mirai mainly targets devices with Linux as the operating system and busybox installed. To protect against this malware, we recommend the following workarounds:

  1. Enhance security of user names and passwords by changing initial passwords and weak passwords.
  2. Disable port 48101.
  3. Disable Telnet connections that use port 23.
  4. Restrict the use of busybox to specific users.
知识来源: blog.nsfocus.net/mirai-source-code-analysis-report/
想收藏或者和大家分享这篇好文章→复制链接地址

“Mirai Source Code Analysis Report”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云