This paper is included in the Proceedings of the 26th usenix security Symposium August 16–18, 2017 • Vancouver, bc, Canada
Yüklə 382,3 Kb. Pdf görüntüsü
|
cloud provider. As a final source of samples, we included 594 unique binaries from VirusTotal [90] that we scanned for using the YARA rules mentioned above. In total, we collected 1,028 unique Mirai samples. We analyzed the binaries for the three most common ar- chitectures — MIPS 32-bit, ARM 32-bit, and x86 32-bit — which account for 74% of our samples. We extracted the set of logins and passwords, IP blacklists, and C2 do- mains from these binaries, identifying 67 C2 domains and 48 distinct username/password dictionaries (containing a total 371 unique passwords). 3.4
Passive & Active DNS Following the public release of Mirai’s source code, com- peting Mirai botnet variants came into operation. We disambiguated ownership and estimate the relative size of each Mirai strain by exploring passive and active DNS data for the 67 C2 domains that we found by reverse engi- neering Mirai binaries. We also leveraged our DNS data to map the IP addresses present in attack commands to victim domain names. From a large U.S. ISP, we obtained passive DNS data consisting of DNS queries generated by the ISP’s clients and their corresponding responses. More specifically, we collected approximately 209 million resource records (RRs) — queried domain name, and associated RDATA — and their lookup volumes aggregated on a daily basis. For our active DNS dataset, we obtained 290 million RRs per day from Thales, an active DNS monitoring system [44]. Both datasets cover the period of August 1, 2016 to February 28, 2017. Using both passive and active DNS datasets, we per- formed DNS expansion to identify shared DNS infrastruc- ture by linking related historic domain names (RHDN) and related historic IPs (RHIPs) [5]. This procedure be- gan with the seed set of C2 domains and IPs extracted during reverse engineering of our honeypotted binaries. For a given seed foo.com, we identified the IP addresses that foo.com previously resolved to and added them to a growing set of domains and IPs. We additionally per- formed the reverse analysis, starting from an IP and find- ing any domain names that concurrently resolved it. Thus, even from a single domain name, we iteratively expanded the set of related domain names and IP addresses to con- struct a graph reflecting the shared infrastructure used by Mirai variants. In total, we identified 33 unique DNS clusters that we explore in detail in Section 5. 3.5
Attack Commands To track the DDoS attack commands issued by Mirai operators, Akamai ran a “milker” from September 27, 2016–February 28, 2017 that connected to the C2 servers found in the binaries uploaded to their honeypots. The service simulated a Mirai-infected device and communi- cated with the C2 server using a custom bot-to-C2 proto- col, which was reverse engineered from malware samples prior to source code release. In total, Akamai observed 64K attack commands issued by 484 unique C2 servers (by IP address). We note that a naive analysis of attack commands overestimates the volume of attacks and tar- gets: individual C2 servers often repeat the same attack command in rapid succession, and multiple distinct C2 servers frequently issued the same command. To account for this, we heuristically grouped attack commands along two dimensions: by shared C2 infrastructure and by tem- poral similarity. We collapsed matching commands (i.e., tuples of attack type, duration, targets, and command op- tions) that occur within 90 seconds of each other, which yielded 15,194 attacks from 146 unique IP clusters. Our attack command coverage includes the Dyn attack [36] and Liberia attacks [45]. We did not observe attack com- mands for Krebs on Security and OVH, which occurred prior to the milker’s operation. 3.6
DDoS Attack Traces Our final data source consists of network traces and ag- gregate statistics from Akamai and Google Shield (the providers for Krebs on Security) and Dyn. These attacks cover two distinct periods in Mirai’s evolution. We used this data to corroborate the IP addresses observed in at- tacks versus those found scanning our passive network telescope, as well as to understand the volume of traf- fic generated by Mirai 1 . From Akamai, we obtained an aggregate history of all DDoS attacks targeting Krebs on Security from 2012–2016, as well as a small sam- ple of 12.3K IPs related to a Mirai attack on September 21, 2016. For Google Shield, we shared a list of IP ad- dresses observed by our network telescope and in turn received aggregate statistics on what fraction matched any of 158.8K IP addresses involved in a 1-minute Mirai HTTP-flood attack on September 25, 2016. Finally, Dyn provided us with a set of 107.5K IP addresses associated with a Mirai attack on October 21, 2016. 4 Tracking Mirai’s Spread As a first step towards understanding Mirai, we analyzed how the botnet bootstrapped its initial infections, what types of devices it targeted, and how it eventually infected an estimated 600K hosts. To contextualize the properties of Mirai, we compare it against prior botnets and worms. 1 We overlapped attack traces with every Mirai scanning IPs on our network telescope. The overlap may have been inflated by non-Mirai attack IPs being assigned to Mirai devices over time through DHCP churn. USENIX Association 26th USENIX Security Symposium 1097 Yüklə 382,3 Kb. Dostları ilə paylaş:
|