rgully4
at June 24, 2018
Ron gives a high-level overview of how the infamous Mirai botnet began its attack (i.e. the initial C2 and ScanListen servers), and how people can hook into the Mirai API to lease part of the botnet in exchange for goods (e.g. money).
Eventually, Ron went over his lab setup for testing Mirai against a Linksys WRT54G and learning more about how it functions. The botnet consists of a scanning process (to find targets in a specified range), a password list (for brute-forcing IoT device logins), and the loader process (to keep track of bot loading). Ron quickly learned that not all devices are infectable by Mirai. After trying many devices, he finally infected a Sricam AP003 that he had purchased.
New bots immediately start scanning, and shut down the vulnerable processes that were used to gain access so that no one else can take over the device. Mirai users also have a long list of attack vectors to choose from: UDP flooding, SYN flooding, ACK flooding, TCP stomp, UDP "plain" flooding, VSE flooding, GRE IP flooding, GRE Eth flooding, and HTTP flooding. Some of these attack vectors can cause a bot host to crash when used, due to lack of resources. Because Mirai is not persistent, once a bot crashes the code is wiped from memory.
Since Mirai's infancy, there have been many variants. Ron discusses how one can catch or block Mirai botnet activity on one's own network (e.g. honeypots, blocking ports, etc.). Ron closes his talk by urging the audience to be mindful of the topology of our networks. We should also be forward-thinking about attacks from botnets such as Mirai.
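As an added example (not from Ron's talk or the Mirai source), here is a small detector for the scanning-and-brute-forcing behaviour described above, run over constructed connection-log lines: a single source trying logins against many hosts on the telnet ports is the pattern a defender would want flagged. The log format, addresses and thresholds are assumptions made for this example.

```python
# Heuristic detector for Mirai-style telnet brute-force scanning (added example).
# Mirai bots scan for IoT devices and try a fixed credential list over telnet;
# one source hitting many hosts on telnet ports with repeated failed logins is
# the pattern flagged here. Log format, addresses and thresholds are constructed.
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}  # ports Mirai's scanner targets

# Constructed format: "<ts> src=<ip> dst=<ip> dport=<n> result=<ok|fail>"
LINE_RE = re.compile(r"^\S+ src=(\S+) dst=(\S+) dport=(\d+) result=(ok|fail)$")

SAMPLE_LOG = """\
2018-06-24T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 result=fail
2018-06-24T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=23 result=fail
2018-06-24T10:00:02 src=203.0.113.7 dst=192.0.2.11 dport=2323 result=fail
2018-06-24T10:00:02 src=203.0.113.7 dst=192.0.2.12 dport=23 result=fail
2018-06-24T10:00:03 src=203.0.113.7 dst=192.0.2.13 dport=23 result=ok
2018-06-24T10:00:04 src=198.51.100.5 dst=192.0.2.10 dport=23 result=ok
2018-06-24T10:00:05 src=198.51.100.9 dst=192.0.2.20 dport=22 result=fail
"""


def parse(log_text):
    """Yield (src, dst, dport, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, dport, result = m.groups()
            yield src, dst, int(dport), result


def find_scanners(log_text, min_targets=3, min_failures=3):
    """Return {src: stats} for sources that touched >= min_targets hosts on
    telnet ports with >= min_failures failed logins; also list hosts where the
    scanner's login succeeded, since those are the devices to isolate and reboot."""
    targets, failures, hit = defaultdict(set), defaultdict(int), defaultdict(set)
    for src, dst, dport, result in parse(log_text):
        if dport not in TELNET_PORTS:
            continue  # ignore non-telnet traffic (e.g. SSH brute force)
        targets[src].add(dst)
        if result == "fail":
            failures[src] += 1
        else:
            hit[src].add(dst)
    return {
        src: {"targets": len(hosts), "failures": failures[src],
              "compromised": sorted(hit[src])}
        for src, hosts in targets.items()
        if len(hosts) >= min_targets and failures[src] >= min_failures
    }
```

Because a Mirai bot is not persistent, the hosts listed under "compromised" can be cleaned by rebooting them, but the exposed telnet login they were found through still needs to be closed or the device will be reinfected.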