Mirai, an IoT DDoS Botnet: How It Protects and Disguises Itself and Acts as an Aggressive Attacker (Analysis)
Summary
Since 2016, when the Mirai source code was published, botnets of the same family have emerged, more and more botnets have appeared, and IoT security has become a big challenge. That made me take an interest in botnet development and do research on it. Recently, Mirai attracted my attention again, and I wanted to analyse it in a different way, so here it is.
Analysis
Protect and Disguise Itself
Like other malware that resists debugging by an analyst, Mirai uses the function anti_gdb_entry, which takes one parameter, to detect a gdb debugger. If it detects debugging, it executes the function unlink to delete itself; it also tries to prevent the watchdog from rebooting the device, so that it keeps running all the time instead of going offline.
Figure 1: anti-debug, delete self and keep running
It uses a random string, whose length can be 12, 16, 20, or 24, as the process name and executes the util_strcpy function to copy that string into args[0], hiding the real name.
Figure 2: hide argv[0]
It also uses a random string of a length from 12 to 32 as the process name and executes the prctl function to change the name of the process.
Figure 3: hide process name
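The two disguises described above (a fake argv[0] and a prctl() task name) leave traces a defender can check for on a Linux host. The following is an added example, not code from the post or from Mirai: it compares /proc/<pid>/comm and /proc/<pid>/cmdline against the /proc/<pid>/exe link, flags binaries that have unlinked themselves, and flags names with the shape of the generated strings (assumed here to be alphanumeric). The sample records are constructed.

```python
"""Heuristic host check for Mirai-style process disguise (added example, not Mirai code)."""
import os
import re
ALNUM = re.compile(r"^[A-Za-z0-9]+$")
DELETED = " (deleted)"  # suffix the kernel appends to /proc/<pid>/exe after unlink()

def looks_random(name):
    """Alnum, >=12 chars, letters mixed with digits: the shape of the generated names
    Mirai writes into argv[0] and the prctl() task name (assumed alphanumeric here)."""
    return (len(name) >= 12 and bool(ALNUM.match(name))
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))

def assess(comm, cmdline, exe):
    """Return reason codes for one process record (comm, argv list, exe link target)."""
    reasons = []
    deleted = exe.endswith(DELETED)
    exe_base = os.path.basename(exe[:-len(DELETED)] if deleted else exe)
    argv0 = os.path.basename(cmdline[0]) if cmdline else ""
    if argv0 and exe_base and argv0 != exe_base:   # argv[0] overwritten in place
        reasons.append("argv0_mismatch")
    if comm and exe_base and comm != exe_base[:15]:  # prctl(PR_SET_NAME); comm is 15 chars max
        reasons.append("comm_mismatch")
    if deleted:                                      # binary unlinked itself
        reasons.append("exe_deleted")
    if looks_random(argv0) or looks_random(comm):
        reasons.append("random_name")
    return reasons

def scan_proc(proc="/proc"):
    """Walk /proc and return {pid: reasons} for every process that trips a check."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # process exited, or foreign process without CAP_SYS_PTRACE
        reasons = assess(comm, cmdline, exe)
        if reasons:
            findings[int(pid)] = reasons
    return findings
# Constructed sample records (comm, argv, exe), not taken from a real infection
SAMPLES = {
    "mirai_like": ("Xk9q2Lm7Wq3z", ["a8Ff3kQz91LpT2vX"], "/tmp/.x" + DELETED),
    "benign": ("sshd", ["/usr/sbin/sshd", "-D"], "/usr/sbin/sshd"),
}
```

Interpreters and daemons that legitimately rename themselves will trip comm_mismatch, so treat the output as triage input rather than a verdict.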
Aggressive Attacker
Mirai kills known anime botnet processes to ensure it is the only one executing on the victim host or compromised IoT device.
Figure 4: kill anime botnet
Mirai kills the telnet, SSH, and HTTP services, prevents them from restarting, and thereby also prevents other botnets' attempts to use them.
Figure 5: kill tcp/23 telnet
A more advanced technique is used to scan for and kill other malware binaries in memory.
Figure 6: scan memory for binaries
End.