SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

A few Mirai Updates: MIPS, PPC version; a bit less scanning

Published: 2016-10-24
Last Updated: 2016-10-24 17:55:35 UTC
by Johannes Ullrich (Version: 1)

Since Friday, the Mirai botnet has become kind of a household name. I have been continuing to watch the botnet infect my test DVR over and over. A couple of things I have seen over the weekend:

  • Overall port 23/2323 scanning activity seems to have gone down a bit. It looks like the countermeasures ISPs are taking show some limited success.
  • At least some of the host names Mirai uses for C&C no longer resolve.
  • However, the host my copy uses to pull down the actual malware still seems to be active.
  • So far I have observed versions for ARM, MIPS, and PowerPC (which would work for some Cisco equipment). Mirai is going after other devices than DVRs, but given the hard-coded "xc3511" password on many DVRs, DVRs appear to be the richest source of vulnerable hosts.
  • SHA1 hashes for the different versions:
    8924926be722b5c50a16ed3c8a121dd81d229539  mirai.arm7
    8c56f28cbe59724a7e63ecc4273dd1f661da8b7a  mirai.mips
    c0c18e56bbf4c514f34ed8f6204fbe1dba351efe  mirai.ppc
  • We get a lot of requests from people asking how to identify infected devices. The simplest method is to look for devices that establish *a lot* of new outbound connections on ports 23 and 2323. In tcpdump/BPF terms, filter on "tcp[13]=2 and (port 23 or port 2323)": byte 13 of the TCP header is the flags byte, and a value of exactly 2 means only SYN is set, i.e. a new connection attempt rather than a SYN-ACK or an established session. Infected devices will stick out... look for dozens/hundreds of such packets per second from a single source. But as a rule of thumb: if you know how to do this, chances are you are not vulnerable.
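As an added example (not part of the original diary), the script below applies the same SYN-to-telnet filter to the text output of `tcpdump -nn -tt` and reports sources whose peak per-second SYN rate to ports 23/2323 is in the "dozens per second" range. The tcpdump line format assumed by the regex, the threshold of 20 SYNs per second, and the sample capture lines are my assumptions; the capture is constructed to show one scanner next to a normal admin host, not real traffic.

```python
import re
import sys
from collections import defaultdict

# Assumed format of one `tcpdump -nn -tt` line (fields after Flags are ignored):
# 1477329600.000000 IP 10.0.0.5.40000 > 203.0.113.1.23: Flags [S], seq 0, win 5840, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

TELNET_PORTS = {23, 2323}


def parse_syn_records(lines):
    """Yield (second, src, dport) for pure SYNs to 23/2323.

    tcpdump renders a packet matching tcp[13]=2 as Flags [S]; a SYN-ACK is
    Flags [S.] and is skipped, as are non-telnet ports and unparseable lines.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "S":
            continue
        dport = int(m.group("dport"))
        if dport not in TELNET_PORTS:
            continue
        yield int(float(m.group("ts"))), m.group("src"), dport


def syn_rate_per_source(lines):
    """Return {src: peak number of telnet SYNs seen in any single second}."""
    counts = defaultdict(lambda: defaultdict(int))
    for sec, src, _ in parse_syn_records(lines):
        counts[src][sec] += 1
    return {src: max(per_sec.values()) for src, per_sec in counts.items()}


def suspected_scanners(lines, threshold=20):
    """Sources whose peak rate reaches the threshold (assumed: 20 SYN/s)."""
    rates = syn_rate_per_source(lines)
    return sorted(src for src, peak in rates.items() if peak >= threshold)


def constructed_capture():
    """Constructed sample, not real traffic: one scanner (192.168.1.50) firing
    60 SYNs at telnet ports in one second, and an admin host (192.168.1.10)
    opening two telnet sessions and one SSH session."""
    base = 1477329600
    lines = []
    for i in range(60):
        dport = 23 if i % 4 else 2323
        lines.append(
            f"{base}.{i * 10000:06d} IP 192.168.1.50.{40000 + i} > "
            f"203.0.113.{i + 1}.{dport}: Flags [S], seq {i}, win 5840, length 0"
        )
    lines += [
        f"{base}.500000 IP 192.168.1.10.51000 > 192.168.1.200.23: Flags [S], seq 1, win 29200, length 0",
        f"{base}.500100 IP 192.168.1.200.23 > 192.168.1.10.51000: Flags [S.], seq 2, ack 2, win 28960, length 0",
        f"{base + 1}.000000 IP 192.168.1.10.51001 > 192.168.1.201.23: Flags [S], seq 3, win 29200, length 0",
        f"{base + 1}.100000 IP 192.168.1.10.51002 > 192.168.1.201.22: Flags [S], seq 4, win 29200, length 0",
    ]
    return lines


if __name__ == "__main__":
    # Use piped tcpdump output if present, otherwise the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else constructed_capture()
    for src in suspected_scanners(source):
        print(f"suspected Mirai-style scanner: {src}")
```

To run it against live traffic, pipe tcpdump into it with line buffering, e.g. `tcpdump -l -nn -tt -i eth0 'tcp[13]=2 and (port 23 or port 2323)' | python3 detect.py`; the BPF filter does the per-packet selection in the kernel and the script only has to count per source and second.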

Prior articles about Mirai:

ISC Briefing: Large DDoS Attack Against Dyn (with PPT slides for you to use)

The Short Life of a Vulnerable DVR Connected to the Internet (includes full packet capture of an infection)

The Internet of Evil Things: How to Detect and Secure Your Vulnerable Devices from the Mirai Botnet (Webcast)

Johannes B. Ullrich, Ph.D.

