Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today’s biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down.
Last week, security researchers from Qihoo 360’s NetLab discovered a variant of the Mirai IoT malware that used a DGA (Domain Generation Algorithm) as a backup communications system to its command and control (C&C) servers.
Typically, all Mirai variants used a list of domains hardcoded in the malware’s source code to tell infected devices to report to the attacker’s server, so he can keep track of active infections, and send commands to launch DDoS attacks.
When NetLab researchers spotted the DGA, and later researchers from OpenDNS, this came as a surprise.
DGA systems are highly complex and are often found in top-shelf malware, such as banking trojans, sophisticated backdoors used for cyber-espionage operations, or top ransomware families such as Locky or CryptoLocker.
DGA-based malware botnets are hard to take down
A DGA is an algorithm that generates a random domain name, which the malware uses to talk to its C&C server. DGA algorithms are configurable, so they can generate new domain names at regular intervals.
Only the malware’s author knows how this a DGA works, and they use it to predict which domains the DGA will generate, buy the domain names in advance, and then install the C&C server backend in advance, waiting for the infected bots to switch to the new domain.
Because the C&C changes at a regular period, it’s very hard for law enforcement authorities to shut down these types of botnets. This usually involves buying hundreds or thousands of domains in advance and requires a high-level of coordination between law enforcement, security firms, and domain registrars.
You can see the advantages of running malware with a DGA, even if used as a backup system.
Chinese researchers crack Mirai Botnet #14’s DGA
Besides spotting new Mirai variants, NetLab researchers have also broken the malware’s DGA algorithm. In a blog post from last week, the Chinese security researchers published details about how the DGA
worked, and all the domains this Mirai variant was about to use in the upcoming weeks.
According to security researcher MalwareTech, this wasn’t a random Mirai variant, but the one responsible for building the biggest Mirai botnet known to date, which at one point in late November, early December, reached 3.2 million infected bots.
Nicknamed Botnet #14, or Annie, this is the same botnet that attempted a huge DDoS attack against several Liberian ISPs and attempted to hijack 900,000 routers from German ISP Deutsche Telekom. Similarly, a few days later, Mirai Botnet #14 also attempted to hijack 100,000 routers from UK ISPs Postal Office and TalkTalk.
Adding a DGA to this massive botnet gave researchers the shivers, most knowing they would have a monumental task ahead of them if they ever wanted to shut it down.
Botnet #14 removes DGA to everyone’s surprise
But to everyone’s surprise, in less than a week, the DGA feature had been removed, as the same MalwareTech had also observed.
Bleeping Computer had been in contact with BestBuy, the name of the hacker that manages Botnet #14. BestBuy had previously been renting access to his botnet.
“We don’t use it anymore, it does not matter,” BestBuy told Bleeping Computer in a private conversation in regards to NetLab researchers cracking the DGA.
“It was used from [December] the 4th until the 10th,” he added. “One variant still had it by mistake.”
Furthermore, BestBuy said researchers might have made an error in their calculations when cracking the DGA. “They practically bought 365 wrong domains,” the hacker said.
DGA was used only a week to avoid a takedown attempt
“It was just temporarily,” BestBuy also said about the DGA, “it had no authentication method or anything, meaning anyone could take control of those bots.”
The hacker also shot down any theory that this was just a test. “No, not a test,” he said. “Level3 and other’s were all over us. We just needed to assure control during those days, that’s all.”
But BestBuy is certainly not new at this. The hacker knows very well that botnets that rely on hardcoded domains are easy pickings. In fact, that was what Level3 and others were trying to do.
As a result, he created the C&C server backup communications channel. First, he used the DGA, now he uses something else.
Botnet #14 switches to Tor
“Smart [security] firms will see the Tor variant kicking in,” he said. “It’s all good now. We don’t need to pay thousands to ISPs and hosting. All we need is one strong server.”
“Try to shut down .onion ‘domains’ over Tor,” BestBuy boasted, hinting at the difficult task of finding servers hidden on the Tor network, something that the FBI has had a hard time tracking for years.
Contacted by Bleeping Computer, Jamz Yaneza, Trend Micro’s Threat Research Manager, provided the same insight.
“The use (or rather the abuse) of the Onion network is quite common as it provides a measure of anonymity for the bot-herder,” Yaneza said. “It also poses significant challenges to anyone trying to identify the real culprit behind DDoS attacks.”
This isn’t something new. The Trend Micro expert pointed us to a talk at the Defcon 18 security conference that took place back in 2010 when researchers first detailed the usage of Tor for a botnet’s communications channel.
Some users, commenting on an article about Mirai on the KrebsOnSecurity blog, had expected this.
“The cyber-criminals will just start using TOR to connect to a command and control server via a proxy, which then take downs will be next to impossible,” a user wrote.
On the other side of the spectrum, there are some people that will doubt BestBuy’s comments, saying that IoT devices don’t have the physical resources to run Tor’s software package.
No Mirai + Tor variant detected by security firms, as of yet
To be fair, no security firm or individual researcher has reported seeing a Mirai variant that uses Tor as a backup C&C system. Bleeping Computer has reached out to several security firms this week, in the hopes of confirming BestBuy’s comments, but we haven’t received an answer to our inquiries.
Nevertheless, the fact that Botnet #14 is still standing serves as a testament to BestBuy’s coding skills. A botnet that has launched several high-profile DDoS attacks and router hijacking attempts, and is still standing, surely has one or more tricks up its sleeve.
According to BestBuy’s yet unconfirmed claims, one of them is the usage of Tor to control the bots when security firms take down his main C&C domains.
If this is true or just a false claim remains to be determined, but Botnet #14 is still standing, and Christmas is getting closer for Steam, Xbox, and the PlayStation Network.