Mapping the Mirai Botnet.

Hey everyone!

So this week I wanted to share something with you that is in part an impulse project. It is also in part something I have been meaning to do for a very, very long time.

This week we are going to spend some quality time with the Mirai Botnet.

First off, let’s recap on some terminology and naming stuff before we dive into the weeds.

What is a botnet? Well, the word is a portmanteau of ‘bot’ from robot, and ‘net’ from network. It is quite literally a network of robots. The Mirai botnet is comprised of hundreds of thousands of compromised DVRs, IP cameras and other such “Internet of Things” devices.

You may remember that we reversed the firmware package for one of these things in an earlier post, here.

The reason these devices all end up in this botnet is that they have hard-coded login credentials, meaning the credentials cannot be changed other than by re-installing the operating system. They also have a service running called Telnet.

Usually these devices are installed in such a way that they are directly accessible from the internet. I suppose if you have an IP camera installed at your house, perhaps you want to be able to monitor your driveway from the comfort of your seat at work.

Some of these devices also use cloud services operated by the provider, so that you can go and see what your DVR has recorded at a handy online portal.

We saw how easy it was to get the password for the Telnet service from the DVR. We didn’t even need the actual DVR to do it, just a copy of the firmware. That ease of access, coupled with these devices’ always-on, always-connected nature, makes them perfect slaves for an army of robots.

The network propagates itself by constantly scanning the whole IPv4 address space. You are being scanned at this precise moment. Right now.

It’s not actually scanning though, it’s just constantly attempting to connect to you on port 23. If there is no reply, then it will just move along to the next IP address it has generated for itself.

If there is a reply though, it will attempt to login with a few pre-programmed username/password combos, and if successful, will attempt to infect your device. Your device will then become part of the botnet, and start the process all over again.

I really, really wanted to know where these robots were. I imagined they would mostly be in places where having an IP-Camera was useful. I was guessing the USA, maybe some other wealthy nations, like Germany, Japan. Something like that.

So if we want to find out where they are, we need a plan. Perhaps plan is a strong word. I had a post-it note.

(image: the post-it note plan)

Pretty sweet, right?

So first things first, we are going to need a honeypot. A honeypot is exactly what it sounds like. A target that is very attractive to all these robots. So attractive that they try and hack into it.

I was trying to figure out how to do this myself, when I saw a Tweet by an awesome security engineer called Rob Graham. If you have heard his name before, it may be from one of his previous projects called masscan, which can scan the entire internet (IPv4) in not too much time, or maybe just because he is awesome.

Rob Graham created a short program called telnetlogger, which does exactly what it sounds like: it logs Telnet connection attempts. It is also specifically designed for tracking the Mirai botnet, which has some peculiarities about how it wants to talk to devices.

You can find his program here on Github.

So I forgot that I was initially intending to do this on a Raspberry Pi (something for me to try later on this week) and spun up a VM to track these Telnet login attempts. I had a snapshot of Ubuntu that was relatively recent, so after some apt-get update/upgrade action, I downloaded Rob’s telnetlogger, and compiled it.

After starting it up, I added a rule to my router to forward packets destined for port 23 (telnet) to this VM. I was not exactly sure how long I would have to wait, but thought it would be fun to start timing to see how long before I got “attacked”.

After ten minutes I realised that I had created the rule in the router, but not activated it. Great job, Hugo.

So after restarting my timer, and activating the rule-set in the router, I sat in anticipation of incoming hacks.

17 seconds.

Seventeen seconds from opening the flood gates to receiving my first connection attempts. I was pretty shocked to be honest. I mean I knew going into this that the botnets were scanning all the time, I just had no idea that my tiny home router in Sweden would be targeted so quickly.

It’s not really targeting though, as these botnets are just attempting to connect to every single IP address they can generate. This is happening to you, on the device you are reading this on, right now.

I restarted the logging, this time, instead of just watching the attacks coming in (which was fascinating in and of itself), saving the output to a file so that I could rip out the IP addresses later.

The syntax for the tool was as follows:

 

There were two kinds of output: the IP address of the attacking node, and the username/password combo that it attempted to login with. I left it on overnight, but the VM it was in seemed to freeze up a bit, so I only got around 57 thousand entries in the initial logging session.

I will leave it running on a Raspberry Pi some time in the coming week for a couple of days to see if I can get much else out of it.

So now we have a file with thousands of IP addresses, but a cursory check of it reveals that there are hundreds of duplicates. This is not surprising, as the logic of the botnet probably dictates that once a connection is found, multiple attempts are made to login using different username/password combos.

We can even see in the tail end of the password file the credentials we discovered whilst reverse engineering the DVR firmware.

(image: tail of the password file, showing the credentials from the DVR firmware)

So now we have all this data, it is time to process it. Obviously this is where step two of the “plan” comes in, and we get our hands dirty with some Python.

Our Python pseudocode is essentially going to be:

1) Extract all IPs from a file, into a list.
2) Ask some magical internet resource for the location of that particular IP address.
3) Draw the co-ordinates onto a map.

The first part is pretty trivial, and is covered with this code.

 

The next part is slightly more tricky, as we need a magical internet resource that we can ask for the geo-location of the IP. After some googling I came across http://ip-api.com which seems to do exactly what we need. We can use the requests library (as always) to make a GET request to this website, and ask that it returns the data to us in a JSON format.

It is as difficult as the following line:

 

We can then load the response into a dictionary, and ask the dictionary what kind of entry it has for “lat” and “long”, the latitude and longitude. These are dealt with here:

So far, so good.

But how do we get this onto a map? This is actually something I have been searching around for (non-committally) going back a couple of years. After installing some libraries, namely matplotlib and Basemap, I had a pretty decent “Map 101” up and running.

Let’s take a look at some of the code here.

 

Essentially we start off by making a map object, called, imaginatively, m. We give it some properties, such as the projection type, upper and lower reaches of latitude and longitude, and a resolution. I chopped off Antarctica; I don’t think there are many botnet nodes there.

That takes care of the map object, but we might want some human distinguishable features in there, like countries, coastlines, boundaries, and a colour for the continents.

We give the projection a name, and we are pretty much done with the map base. All that remains is to draw the points on it. We can do that with the m.plot() method. Now we finish it all off with plt.show() to bring up a pop-up of the map. So let’s run it and see what happens!
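Since the three steps of the plan all belong together, here is an added example of my own that carries them through end to end; it is not Hugo’s script or telnetlogger’s code, and the log lines in it are constructed. It pulls unique IPs (with attempt counts) out of a telnetlogger-style log, geolocates them through ip-api.com’s JSON endpoint while pacing requests under the free tier’s rate limit, and draws them with Basemap; the fetch function is injectable so the lookup step can be exercised without network access.

```python
import collections
import json
import re
import time
import urllib.request

# Constructed sample in the shape the post describes (attacking IP, then the
# username/password it tried); documentation ranges, not real telnetlogger output.
SAMPLE_LOG = """\
203.0.113.5 root admin
203.0.113.5 root 1234
198.51.100.7 admin admin
192.0.2.9 root admin
"""
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_ips(text):
    """Step 1: every IPv4 address in the log, de-duplicated, with attempt counts."""
    return collections.Counter(IPV4.findall(text))

def fetch_ip_api(ip):
    """Query ip-api.com's free JSON endpoint for one address (needs network)."""
    with urllib.request.urlopen("http://ip-api.com/json/%s" % ip, timeout=10) as resp:
        return json.load(resp)

def geolocate(ips, fetch=fetch_ip_api, per_minute=45, sleep=time.sleep):
    """Step 2: resolve unique IPs to (lat, lon, country). ip-api.com's free endpoint
    is rate limited (45 requests/minute when this was written; check its docs), so
    calls are paced instead of getting blocked. Longitude key is "lon"; failures skipped."""
    points = []
    for i, ip in enumerate(ips):
        if i and i % per_minute == 0:
            sleep(60)
        data = fetch(ip)
        if data.get("status") != "success":
            continue
        points.append((data["lat"], data["lon"], data.get("country", "?")))
    return points

def plot_points(points):
    """Step 3: draw the points with Basemap (imports deferred; needs matplotlib+basemap)."""
    from mpl_toolkits.basemap import Basemap
    import matplotlib.pyplot as plt
    m = Basemap(projection="mill", llcrnrlat=-60, urcrnrlat=85,  # Antarctica chopped off
                llcrnrlon=-180, urcrnrlon=180, resolution="c")
    m.drawcoastlines(); m.drawcountries(); m.fillcontinents(color="lightgray")
    x, y = m([lon for _, lon, _ in points], [lat for lat, _, _ in points])  # lon/lat -> xy
    m.plot(x, y, "ro", markersize=3)
    plt.show()
```

To run it against a real log, replace SAMPLE_LOG with the file contents and call plot_points(geolocate(list(extract_ips(log)))).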

This is a rough image of what the distribution of nodes in the Mirai botnet looks like, according to what I have seen on my home router. You should be able to click it to embiggen.

(image: map of the Mirai node locations seen from my home router)

Not bad for a day of inattentive logging and an afternoon of coding (mostly trying to figure out how to draw maps).

There are some things that I learned along the way, and other bits and pieces I already knew that didn’t really fit into any particular section here, but bear mentioning.
1) Geolocation of IP addresses is incredibly vague as to where someone actually is. Anyone who tells you they can find out exactly where someone is by IP address is either lying, or is an ISP with a subpoena. The location data here is probably accurate to around +/- 20 kilometers. Good enough resolution to determine country.

2) These are not botnet masters who are directly connecting to my network; these are probably thousands and thousands of cameras, DVRs and thermostats. These are most likely victims.

3) In the EU, IP addresses are personally identifiable information, which means that they should not be given out. I don’t personally agree with that, but the law is the law. For this reason, I will not be publishing other people’s IP addresses, or giving out lists of IPs I have harvested.

http://www.enterprisetimes.co.uk/2016/10/20/ecj-rules-ip-address-is-pii/

4) Always read the documentation of APIs you intend to use. My code didn’t work when I tried it out with a larger set of IP addresses for the first time. I tried with 2, then 25, then 50, then all 1000. It failed at 1000. I managed to get them to block me, but fortunately they have an un-banning method available on their website.

5) The botnet nodes are everywhere.

6) I need to get better at drawing post-it-plans.

My full code, in all its horror, is here:

 

I think I will revisit this project at some point in the next couple of weeks, depending on how the logging goes with the Raspberry Pi. Obviously the code needs some work, as this is just a rough script to get the job done. I have a feeling it won’t freeze up as much as my Ubuntu VM did. A VM like that is complete overkill, resource-wise, for a project like this.

I also think the map needs a lot of work. I am going to try to do some kind of heat mapping with the libraries I have here, and see where that takes me. It would certainly make the map look a lot more awesome.

That is all for now, I hope you have a really great week. Also, happy Thanksgiving to my three American readers!
