Tracking Mirai Botnet Traffic
If you have been following events during and after the US Elections, you may remember some of the things we posted about “weird” traffic and “attacks” on communications networks that HDN members including yours truly reported on. During the morning of November 8 at ca. 9AM attacks started to “appear” that had signatures of a recent friend called Mirai. If you don’t know what Mirai is then here is a link to some basic information on it: https://en.wikipedia.org/wiki/Mirai_(malware) and one of the alerts from CERT here: https://www.us-cert.gov/ncas/alerts/TA16-288A to say the least, its not unknown and certainly has been in many folks minds recently because of multiple attacks that hit the Krebs website: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ Like the Krebs attack we saw multiple garbage Web based attack packages being sent through to targets, testing specific ports and also checking a fixed or finite list of hardcoded passwords for known vulnerable webcams, DVRs, etc.
To give you an idea of how bad this problem really is (one of my customized crawls):
At the heart of this particular attack we “only” saw about 12,000 attacking PCs that infected huge numbers of vulnerable devices and slowly included those into the initial attack in waves. At the end we were able to collect about 900,000 IPs and added our 70,000 known malicious hosts to this group for further tracking. In addition to these numbers we still have millions of at risk IPs based on breached accounts at major companies and institutions based on previous and recent hacked services like dropbox, Ashley Madison, Mate, various Dark-Web dumps and Twitter as well as other well known “online brands”. These recent and previous attacks make for an interesting situation that can result in peculiarities in an election as well as other critical infrastructure relevant services.
November 8, USA…
During the morning hours I recently reported in another post that communications for common cellular networks and other communications companies along with longer than normal queries for some social media sites experienced attacks that where interestingly not being discussed when they happened. As the day went on these attacks came back in 15-20 minute bursts that got bigger and bigger, infecting massive amounts of vulnerable targets as they went through the internet. While looking at these attacks we thought that it was the same type of attack that was 1Tbs in strength then recently happened:
So where do we go from here?
We have been thinking about how we can help as many people as possible and the answer is now clear. We have decided to release two packages via our partner Soc Prime for the 3 main SIEM solutions (Archsight, Splunk and Radar) so that people can protect themselves against this threat. The information we are releasing tomorrow includes more than 300,000 IPs in the free version and an even bigger static IP list in the subscription version that we are constantly updating as new infected portions of the botnet are found.
For details on the package and how we can help you implement the free and subscription version please contact us and also view additional information at https://socprime.com/en/blog
Here is an example of how the ruleset or use-case looks like on your SIEM:
This package has just been released today! Register at the Soc Prime Website and get your basic package for FREE!!!!!
Archsight, IBM Q1Radar and Splunk Basic Packages :
screen-shot-2016-11-24-at-1-59-14-pm screen-shot-2016-11-24-at-1-59-38-pm screen-shot-2016-11-24-at-1-59-55-pm
I want to thank the HDN Dedicated Researchers, Malwaremustdie and Soc Prime Dev Teams for hard work getting you all deliverables that actually work and are NOT
CybeVUE – Virtual CISO / Sensors
Besides one of the best Research and Partner Networks (Thanks AC, HP, Malcolm,CD, Jon, et.al.) we also collect data through our own custom-built sensors that use modified opensource components along with our IP and experience in actionable intelligence. This is a three part system that includes the sensors along with CyberNSight and our NeedleStack search technologies copyright and TM HDN/M.Goedeker 2016).
And our CybeVUE stack which includes tools to help you gather information about your attackers: