Last Updated: 2016-10-24 17:55:35 UTC
by Johannes Ullrich (Version: 1)
Since Friday, the Mirai botnet has become kind of a household name. I have been continuing to watch the botnet infect my test DVR over and over. A couple of things I have seen over the weekend:
- Overall port 23/2323 scanning activity seems to have gone down a bit. It looks like the countermeasures ISPs are taking are showing some limited success.
- At least some of the host names Mirai uses for C&C no longer resolve.
- However, the host my copy uses to pull down the actual malware, 220.127.116.11 seems to be still active.
- So far I have observed versions for ARM, MIPS, and PowerPC (which would work for some Cisco equipment). Mirai is going after other devices than DVRs, but given the hard-coded "xc3511" password, DVRs appear to be the richest source of vulnerable hosts.
- SHA1 hashes for the different versions:
- We get a lot of requests from people asking how to identify infected devices. The simplest method is to look for devices that establish *a lot* of new outbound connections on ports 23 and 2323. So just look for "tcp=2 and (port 23 or port 2323)". They will stick out: look for dozens to hundreds of packets per second. But as a rule of thumb: if you know how to do this, chances are you are not vulnerable.
Prior articles about Mirai:
ISC Briefing: Large DDoS Attack Against Dyn (with PPT slides for you to use)
The Short Life of a Vulnerable DVR Connected to the Internet (includes full packet capture of an infection)