rjvander at May 01, 2018 Very detailed analysis of one of the more notorious botnets out there. Mirai did up the ante for botnet creators and helped realize some of the major concerns regarding the potential for IoT devices to become infected. Its core function was very simple but effective. All made possible by a lack of security in IoT devices.
rgully4 at June 24, 2018 Ron gives high-level detail about how the infamous Mirai botnet began its attack (i.e. the initial C2 and ScanListen servers), and how people can hook into the Mirai API to lease some of the botnet in exchange for goods (e.g. money).
Eventually, Ron went over his lab setup to test Mirai against a Linksys WRT54G, and to learn more about how it functions. The botnet consists of a scanning process (to find targets in a specified range), a password list (for brute-forcing IoT device logins), and the loader process (to keep track of bot loading). Ron quickly learned that not all devices are infectible via Mirai. After trying many devices, he finally infected a Sricam AP003 that he purchased.
New bots will initially start scanning, and shut down the vulnerable processes used to gain access to the device so no one else can gain access to it. Mirai users have a long list of attack vectors to take advantage of as well: UDP flooding, SYN flooding, ACK flooding, TCP stomp, UDP "plain" flooding, VSE flooding, GRE IP flooding, GRE Eth flooding, and HTTP flooding. Some of these attack vectors can cause a bot host to crash upon use due to lack of resources. Because Mirai is not persistent, once a bot crashes the code is wiped from memory.
Since Mirai's infancy, there have been many variants. Ron discusses how one can catch or block Mirai botnet activity on their network (e.g. honeypots, blocking ports, etc.). Ron closes his talk by urging the audience to be mindful about the topography of our network. We should also be forward thinking about attacks from botnets such as Mirai.
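A small detector in the spirit of the honeypot approach mentioned above, added here as an example and not code from the talk or from Mirai: it reads constructed honeypot login records in a hypothetical format and flags source addresses that cycle through many distinct username/password pairs within a short window, which is how a Mirai-style bot brute-forces a device with its password list. The log format, field names, thresholds and sample addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot log (hypothetical format: "ts src dst_port user password result").
# One source walks a list of default credentials in seconds; the other is a person
# who mistyped a password once. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-05-01T10:00:01 198.51.100.7 23 root root FAIL
2018-05-01T10:00:02 198.51.100.7 23 root password FAIL
2018-05-01T10:00:03 198.51.100.7 23 admin admin FAIL
2018-05-01T10:00:04 198.51.100.7 23 admin 1234 FAIL
2018-05-01T10:00:05 198.51.100.7 23 user user FAIL
2018-05-01T10:00:06 198.51.100.7 23 root 12345 OK
2018-05-01T10:02:10 203.0.113.9 23 admin wrongpw FAIL
2018-05-01T10:02:30 203.0.113.9 23 admin correcthorse OK
"""


def parse(line):
    """Split one log record into a dict with a parsed timestamp."""
    ts, src, port, user, pw, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "port": int(port),
            "cred": (user, pw), "ok": result == "OK"}


def flag_bruteforce(lines, window=timedelta(seconds=60), min_distinct=4):
    """Return {src: (distinct_creds_in_best_window, login_succeeded)} for every
    source that tried at least `min_distinct` different credential pairs inside
    any `window`-long span. A success after such a burst means the device is
    likely now loaded as a bot and should be isolated and reset."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse(line)
            events[e["src"]].append(e)
    flagged = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):  # sliding window anchored at each event
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            best = max(best, len({e["cred"] for e in in_win}))
        if best >= min_distinct:
            flagged[src] = (best, any(e["ok"] for e in evs))
    return flagged


if __name__ == "__main__":
    for src, (n, ok) in flag_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct credentials tried, login succeeded={ok}")
```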