Mirai DDoS Botnet: Source Code & Binary Analysis

Mirai is a DDoS botnet that has attracted a lot of media attention lately due to high-impact attacks such as the one on journalist Brian Krebs and one of the biggest DDoS attacks on the Internet, against ISP Dyn, which cut off a major chunk of the Internet and took place last weekend (Friday 21 October 2016).

Besides the media coverage, Mirai is very interesting because we have binary samples captured in the wild and, since the source code was released recently, the code itself; we can certainly expect many variants of Mirai soon. Having both binary and source code allows us to study it in more detail.

It is quite amazing that in 2016 we are still talking about worms, default/weak passwords and DDoS attacks: hello Morris Worm (1988) and Project Rivolta (2000), to mention a few.

Source Code Analysis

We compiled the Mirai source code with Tintorera, a VULNEX static analysis tool that generates intelligence while building C/C++ source code. This gives us the big picture fast.

From Tintorera we get an application summary counting compiled files, lines of code, comment lines, blank lines and additional metrics; Tintorera also estimates the time needed to review the code. Mirai is a small project and not too complicated to review. (Figure 1)

srf_mirai_sc1
Figure 1

Mirai uses several functions from the Linux API, mostly related to network operations. (Figure 2)

srf_mirai_sc2
Figure 2

The Tintorera intelligence report lists the files, function names, basic blocks, cyclomatic complexity, API calls and inline assembly used by Mirai. By examining this list we can get an idea of the code. (Figure 3)

srf_mirai_sc3
Figure 3

In file killer.c there is a function named killer_init that kills several services, telnet (port 23), SSH (port 22) and HTTP (port 80), to prevent others from accessing the compromised system. (Figure 4)

srf_mirai_sc4
Figure 4

In the same file, killer.c, another function named memory_scan_match searches memory for other Linux malware. (Figure 5)

srf_mirai_sc5
Figure 5

In file scanner.c, a function named get_random_ip generates random IP addresses to attack while avoiding a whitelist of addresses belonging to General Electric, Hewlett-Packard, the US Postal Service and the US Department of Defense. (Figure 6)

srf_mirai_sc6
Figure 6

Mirai comes with a list of 62 default/weak passwords used to brute-force IoT devices. This list is set up in function scanner_init of file scanner.c. (Figure 7)

srf_mirai_sc7
Figure 7

In file main.c we find the main function, which prevents compromised devices from rebooting by killing the watchdog and starts the scanner to attack other IoT devices. Figure 8 shows a call graph of main.c.

srf_mirai_main_callgraph
Figure 8

Mirai offers offensive capabilities to launch DDoS attacks over UDP, TCP or HTTP.

Binary Analysis

Now let's move on to binary analysis. So far we have been able to study 19 different samples obtained in the wild, for the following architectures: x86, ARM, MIPS, SPARC, Motorola 68020 and Renesas SH (SuperH).

For the binary analysis we used the VULNEX BinSecSweeper platform, which allows analyzing binaries and other file types in depth, combining SAST and Big Data.

Figure 9 shows a chart of the file magic of all samples, giving us an idea of the file types and architectures. All samples are 32-bit.

srf_mirai_bin2
Figure 9
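The "file magic" triage behind a chart like Figure 9 can be reproduced from the ELF header alone. The following is an added example (not BinSecSweeper's code): it reads the ELF identification bytes and e_machine to report bitness, endianness and target CPU for every architecture named above, and counts samples per architecture. The corpus it runs on is constructed in the block, header prefixes only, standing in for the 19 captured samples.

```python
"""ELF header triage: bitness, endianness and target CPU for a batch of samples."""
import struct

# e_machine values from the ELF specification, covering the architectures the post lists.
EM_NAMES = {
    2: "SPARC",
    3: "x86",
    4: "Motorola 68000 family",
    8: "MIPS",
    40: "ARM",
    42: "Renesas SH (SuperH)",
    62: "x86-64",
    183: "AArch64",
}

E_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_triage(data: bytes) -> dict:
    """Return class, endianness, type and machine for an ELF image; ValueError if it is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    bits = {1: 32, 2: 64}.get(ei_class)
    endian = {1: "<", 2: ">"}.get(ei_data)        # struct byte-order prefix
    if bits is None or endian is None:
        raise ValueError("malformed e_ident")
    # e_type and e_machine sit right after the 16-byte e_ident, in the file's own byte order.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": bits,
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": EM_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def make_sample(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Constructed 20-byte ELF header prefix for the demo corpus (not a real sample)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(endian + "HH", e_type, e_machine)


# Constructed corpus standing in for the captured samples; one non-ELF file to show the error path.
SAMPLES = {
    "sample_x86": make_sample(1, 1, 2, 3),
    "sample_arm": make_sample(1, 1, 2, 40),
    "sample_mips_be": make_sample(1, 2, 2, 8),
    "sample_sparc": make_sample(1, 2, 2, 2),
    "sample_m68k": make_sample(1, 2, 2, 4),
    "sample_sh4": make_sample(1, 1, 2, 42),
    "not_elf": b"MZ" + b"\x00" * 30,
}


def summarize(samples: dict) -> dict:
    """Count samples per (bits, endianness, machine), the data a Figure 9 style chart is built from."""
    counts: dict = {}
    for blob in samples.values():
        try:
            info = elf_triage(blob)
        except ValueError:
            counts["non-ELF"] = counts.get("non-ELF", 0) + 1
            continue
        key = f"ELF {info['bits']}-bit {info['endian']}-endian {info['machine']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLES).items()):
        print(f"{n:3d}  {key}")
```

Endianness matters here: MIPS and SPARC samples are typically big-endian, so reading e_machine with the wrong byte order yields nonsense machine numbers; the code takes the byte order from EI_DATA before unpacking anything else.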

Using BinSecSweeper we obtained a lot of information for each sample, the similarities between them and different vulnerabilities. Currently not many antivirus products identify all the samples, so beware which antivirus you use! Figure 10 shows a visualization of file sizes in bytes.

srf_mirai_bin1
Figure 10

We analyzed all section names in the samples; Figure 11 shows the result.

srf_mirai_bin3
Figure 11

As mentioned before, the samples target different architectures, so in this post we are not showing the code analysis results.

We have updated the BinSecSweeper analysis engine to identify Mirai malware samples. A full binary analysis report is available to our customers from VULNEX Cyber Intelligence Services; please visit our website or contact us.

Conclusions

Despite being fairly simple code, Mirai has some interesting offensive and defensive capabilities, and it has certainly made a name for itself. Now that the source code has been released, it is just a matter of time before we start seeing variants of Mirai.

The Mirai botnet is a wake-up call to IoT vendors to secure their devices. Unfortunately, millions of devices have already been deployed on the Internet and they are insecure by default, so brace yourself for more IoT attacks in the near future.

What do you think about IoT security?

— Simon Roses Femerling / Twitter @simonroses

Posted in Privacy, Security, Technology

Fristileaks 1.3 CTF Writeup

This vulnerable VM is a fun and simple CTF that can be downloaded from the awesome VulnHub portal.

Note: for VMware you may need to set the MAC address to 08:00:27:A5:A6:76 to get it working. I did; see Fig 1.

srf_fristileaks_1

Let’s get ready to rumble…

As I knew the IP address, let's launch an nmap scan. From the scan we can see only one open port (HTTP) and a robots.txt file listing some folders.

srf_fristileaks_2

Let’s open the website.

srf_fristileaks_3

Nothing interesting so far. Now let's try robots.txt.

srf_fristileaks_4

In these folders we only find a picture of the Jedi Obi-Wan Kenobi and nothing else.

srf_fristileaks_5

Giving it some thought, and since this is the fristi game, we arrive at the following URL: a login/password admin portal.

srf_fristileaks_6

Let's check the HTML source code: we find that the image is encoded in Base64, and also a possible login name: eezeepz.

srf_fristileaks_7

Looking more closely at the HTML source code we find another potential Base64-encoded text.

srf_fristileaks_8

Let's put the Base64-encoded text into a decoder like Burp Proxy. We see a PNG header. Sounds like an image!

srf_fristileaks_9

Let’s write a Python script to obtain the image.

srf_fristileaks_10
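The decode step above, written out as an added example rather than the script from the original write-up: it strips the whitespace that comes along when a blob is copied out of HTML, repairs missing padding, checks the decoded bytes for a known image signature (the PNG header seen in Burp) before writing anything to disk, and reports the first bytes when nothing matches. The Base64 sample embedded here is a constructed PNG signature plus a zeroed IHDR chunk, not data from the CTF.

```python
"""Recover an image embedded as Base64 in a web page, verifying its magic bytes first."""
import base64
import binascii
from typing import Optional

# File signatures for the image formats we expect to recover.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def decode_embedded(b64_text: str) -> bytes:
    """Decode Base64 copied out of HTML, tolerating line breaks and missing '=' padding."""
    compact = "".join(b64_text.split())          # drop newlines/indentation from the page source
    compact += "=" * (-len(compact) % 4)         # restore padding if the author omitted it
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid Base64: {exc}") from None


def sniff(data: bytes) -> Optional[str]:
    """Return the file extension for a known image signature, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def recover_image(b64_text: str, out_stem: str) -> str:
    """Decode, verify the header and write <out_stem>.<ext>; returns the path written."""
    data = decode_embedded(b64_text)
    ext = sniff(data)
    if ext is None:
        raise ValueError(f"decoded {len(data)} bytes but found no image header: {data[:8]!r}")
    path = f"{out_stem}.{ext}"
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample: PNG signature followed by an empty IHDR chunk (a header, not a viewable picture),
# encoded and then split across lines the way it would appear inside an HTML attribute.
_SAMPLE_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + bytes(13) + bytes(4)
_encoded = base64.b64encode(_SAMPLE_BYTES).decode("ascii")
SAMPLE_B64 = "\n    ".join(_encoded[i:i + 16] for i in range(0, len(_encoded), 16)).rstrip("=")


if __name__ == "__main__":
    print("detected:", sniff(decode_embedded(SAMPLE_B64)))
    print("written to:", recover_image(SAMPLE_B64, "recovered"))
```

Checking the magic bytes before saving is what turns "sounds like an image" into a fact; the same sniff step tells you immediately when a decoded blob is actually text or a second layer of encoding.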

Open the image, and it looks to me like a password.

srf_fristileaks_11

So now we have a login and a password. Let’s continue!

srf_fristileaks_12

Great, we have logged in to the portal.

srf_fristileaks_13

We can upload an image.

srf_fristileaks_14

Why not a webshell? :) I modify one of Kali's webshells to set my IP address.

srf_fristileaks_15

Upload the webshell, but an error happens. Some kind of filter!

srf_fristileaks_16

Let's fire up Burp Proxy to bypass the filter: change the filename to add a png extension.

srf_fristileaks_17

Great, filter bypassed and we have a webshell uploaded.

srf_fristileaks_18

Let's call our webshell.

srf_fristileaks_19

Remember to set up a Netcat listener before calling the webshell! Awesome, we got a shell :)

srf_fristileaks_20

A good place to start is checking the web app code, PHP in this case. In the /var/ folder we can see a /fristigod/ folder owned by the fristigod user, interesting.

srf_fristileaks_21

Poking around the /var/www/ folder we find a notes.txt file.

srf_fristileaks_22

In the /home/ folder we see several users.

srf_fristileaks_23

Moving to the /eezeepz/ folder we find another notes.txt file with an interesting message. We can execute commands, great!

srf_fristileaks_24

Let's execute a command so we can access the /admin/ folder by using the /tmp/runthis file trick.

srf_fristileaks_25

Inside the /admin/ folder we see a bunch of interesting files.

srf_fristileaks_26

We find some encrypted files and the Python script used to encrypt them.

srf_fristileaks_27

Time for more Python scripting: let's modify the encrypt script to decrypt the files.

srf_fristileaks_28

Now we have some passwords, so let's switch to the fristigod user. Remember that one of the encrypted files was “whoisyourgodnow.txt”. We don't have a real terminal, so let's get one; a good cheat sheet here.

srf_fristileaks_29

Moving to the /fristigod/ folder reveals nothing.

srf_fristileaks_30

Recall that in the /var/ folder we had a /fristigod/ folder; let's check it, and we find some interesting files: a root binary we can execute!

srf_fristileaks_31

Checking the .bash_history file, we learn how to execute the root binary.

srf_fristileaks_32

Time to see the /root/ folder contents by using the root binary we can execute.

srf_fristileaks_33

Jackpot! We got a root shell and the flag :)

srf_fristileaks_34

Kudos to the author for this fun CTF!

Did you get a root shell and the flag using other tactics?

— Simon Roses Femerling / Twitter @simonroses

Posted in Pentest, Security, Technology

Equation APT analysis using Security Data Science platform: BinSecSweeper

As many readers already know, at VULNEX we have been working on our BinSecSweeper project, whose development began in 2013 thanks to an award from US DARPA within its Cyber Fast Track (CFT) pilot program; we were the only Spanish startup to win a research award. In May 2014 I was invited to the Pentagon by DARPA to present my project, together with the other CFT participants. It was a unique and awesome experience!

Since then BinSecSweeper has changed in every way possible thanks to a strong engineering effort. With the rise of so many APTs, I thought it would be interesting to use Data Science techniques to analyze a recent APT that has received a lot of media coverage: the Equation APT group.

For this analysis I obtained 419 Windows executables from this APT, which we will examine with BinSecSweeper. Let's look at the results!

In Fig. 1 we have the project dashboard with a summary of the analysis. BinSecSweeper has identified malware and high-risk vulnerabilities, establishing a severe threat level alert (based on the US Homeland Security system). It draws our attention to different characteristics of the executables such as packers, Personally Identifiable Information and binary similarities.

binsecsweeper_Online1
Fig. 1.

In the metrics (Fig. 2) we see more details of the analysis; the metric that most interests us, at least me, is the risks identified and the number of affected files. BinSecSweeper has identified interesting risks in this APT.

binsecsweeper_Online2
Fig. 2.

In BinSecSweeper we can deepen the analysis of one, several or all files, but for this high-level analysis our current objective is to obtain the big picture. So let's look at the analytics data, a very powerful tool; see Fig. 3.

binsecsweeper_Online3
Fig. 3.

BinSecSweeper offers stunning graphics that help us understand data very quickly and visually. Fig. 4 shows a visualization of the entropy of the binaries. Most binaries are around 0.80, with some binaries in the 0.65 and 1.00 ranges.

binsecsweeper_Online4
Fig. 4.
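The entropy values in Fig. 4 sit between 0 and 1, so this added example (not BinSecSweeper's code) assumes the chart uses Shannon entropy normalized by the 8-bit maximum. It computes that figure for a byte buffer and buckets it with thresholds; the thresholds and the three sample inputs (repeated text, zero padding, pseudo-random bytes) are constructed for illustration and are not values from the post.

```python
"""Normalized byte entropy, the metric behind a packer/encryption triage chart."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def normalized_entropy(data: bytes) -> float:
    """Entropy scaled to 0.0 .. 1.0 (assumed to be the scale of Fig. 4)."""
    return shannon_entropy(data) / 8.0


def classify(e: float) -> str:
    """Illustrative triage buckets; the cut-offs are heuristics chosen for this example."""
    if e >= 0.95:
        return "likely packed/encrypted"
    if e >= 0.80:
        return "dense code/compressed data"
    return "plain code/data"


def triage(samples: dict) -> dict:
    """Map sample name -> (normalized entropy, bucket) for a corpus of byte strings."""
    return {name: (round(normalized_entropy(blob), 3), classify(normalized_entropy(blob)))
            for name, blob in samples.items()}


# Constructed inputs standing in for three kinds of binary content.
TEXT = b"The quick brown fox jumps over the lazy dog. " * 40          # natural-language strings
ZERO_PADDED = b"\x00" * 1024                                           # section padding
_rng = random.Random(1234)
PSEUDO_RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))        # stands in for packed/encrypted data

SAMPLES = {"strings.bin": TEXT, "padding.bin": ZERO_PADDED, "packed.bin": PSEUDO_RANDOM}


if __name__ == "__main__":
    for name, (e, bucket) in triage(SAMPLES).items():
        print(f"{name:14s} {e:.3f}  {bucket}")
```

Whole-file entropy is a coarse signal: a packed binary with a large uncompressed resource section can average out to an unremarkable value, which is why per-section entropy is the usual next step once a file stands out on a chart like Fig. 4.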

In Fig. 5 we can see the different types of binaries; it should catch our attention that most files are DLLs and that there is also one driver, no doubt a file we should analyze in more detail.

binsecsweeper_Online5
Fig. 5.

In Fig. 6 we see a very interesting metric: the section names of the executables. It helps us identify suspicious sections and packers.

binsecsweeper_Online6
Fig. 6.

Fig. 7 is related to the previous metric; in this case we have the number of sections. There is a file with 10 sections.

binsecsweeper_Online7
Fig. 7.

In the following metric (Fig. 8) we have the number of libraries imported by the executables.

binsecsweeper_Online8
Fig. 8.

The functions imported by the executables are interesting for understanding functionality. Fig. 9 shows this metric, specifically the top 15 functions.

binsecsweeper_Online9
Fig. 9.

We can also see the exported functions (Fig. 10).

binsecsweeper_Online10
Fig. 10.

In Fig. 11 we see the identified compilers. It is interesting to understand the tools used by the APT authors.

binsecsweeper_Online211
Fig. 11.

The last metric we are going to see is the compilation timestamp of the executables, organized by year (Fig. 12). Clearly in 2008 the authors were very busy.

binsecsweeper_Online212
Fig. 12.
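The file type, section name, section count and compile year metrics of Figs. 5, 6, 7 and 12 all come out of the PE headers. The following is an added example, not BinSecSweeper's code, that parses those headers for a corpus and aggregates the same four metrics. Two rules in it are assumptions for the demo: a native subsystem is taken to mean "driver", and the list of packer section names is a small heuristic set (UPX being the familiar one). The corpus is constructed inline as header-only PE32 images standing in for the 419 Equation executables; the sample names, years and sections are made up.

```python
"""PE header triage for a corpus: file type, section names and counts, compile year."""
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag
IMAGE_SUBSYSTEM_NATIVE = 1       # optional-header Subsystem used by kernel drivers (assumed rule)
# Section names typically left by packers (assumed heuristic list).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1"}


def parse_pe(data: bytes) -> dict:
    """Pull the fields the Fig. 5-7 and Fig. 12 metrics are built from."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF header is 20 bytes
    subsystem = struct.unpack_from("<H", data, opt + 68)[0] if opt_size >= 70 else None
    sec_table = opt + opt_size
    names: List[str] = []
    for i in range(nsections):                        # each section header is 40 bytes, name first
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        kind = "Driver"
    elif characteristics & IMAGE_FILE_DLL:
        kind = "DLL"
    else:
        kind = "EXE"
    return {
        "machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
        "kind": kind,
        "year": datetime.fromtimestamp(timestamp, tz=timezone.utc).year,
        "sections": names,
        "packer_hint": sorted(set(names) & PACKER_SECTIONS),
    }


def build_pe(year: int, sections: List[str], dll: bool = False, subsystem: int = 2) -> bytes:
    """Constructed header-only PE32 image for the demo corpus (not a real sample)."""
    e_lfanew, opt_size = 0x80, 224
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    ts = int(datetime(year, 6, 15, tzinfo=timezone.utc).timestamp())
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), ts, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed corpus standing in for the analyzed executables.
CORPUS: Dict[str, bytes] = {
    "sample_a.dll": build_pe(2008, [".text", ".rdata", ".data", ".reloc"], dll=True),
    "sample_b.dll": build_pe(2008, [".text", ".data", ".rsrc"], dll=True),
    "sample_c.exe": build_pe(2010, [".text", ".rdata", ".data", ".idata", ".edata",
                                    ".pdata", ".tls", ".rsrc", ".reloc", ".debug"]),
    "sample_d.sys": build_pe(2006, [".text", "INIT", ".rsrc"], subsystem=IMAGE_SUBSYSTEM_NATIVE),
    "sample_packed.exe": build_pe(2011, ["UPX0", "UPX1", ".rsrc"]),
}


def summarize(corpus: Dict[str, bytes]) -> dict:
    """Aggregate per-file results into the corpus-level metrics shown in the figures."""
    parsed = {name: parse_pe(blob) for name, blob in corpus.items()}
    return {
        "by_kind": Counter(p["kind"] for p in parsed.values()),
        "section_names": Counter(s for p in parsed.values() for s in p["sections"]),
        "section_counts": Counter(len(p["sections"]) for p in parsed.values()),
        "by_year": Counter(p["year"] for p in parsed.values()),
        "packed": sorted(n for n, p in parsed.items() if p["packer_hint"]),
    }


if __name__ == "__main__":
    for metric, value in summarize(CORPUS).items():
        print(f"{metric}: {dict(value) if isinstance(value, Counter) else value}")
```

One caveat a practitioner would add to the Fig. 12 reading: TimeDateStamp is a plain field in the COFF header that a build toolchain or an author can set to anything, so a year histogram is evidence of activity only to the extent the timestamps are trusted.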

Very quickly and easily we have obtained a good understanding of this APT without entering into complex and costly analysis or reverse engineering, which would be our next step.

Today, with millions of malware samples circulating and the growing complexity of software, it is necessary to have in our arsenal powerful analysis tools such as BinSecSweeper, which uses advanced Data Science techniques to analyze the security and privacy of software.

Perhaps it would be interesting to analyze all antivirus with BinSecSweeper ;)

Hasta la vista, baby. I'll be back soon with more analysis.

For more information about BinSecSweeper you can contact us at BinSecSweeper@vulnex.com

Does your organization use Security Data Science? What would you like to analyze?

— Simon Roses Femerling / @simonroses

Posted in Privacy, Security, Technology