Question

What can we do about Mirai?

So, a DDoS attack affecting much of America was launched via IoT devices infected with Mirai. What do we do about it? Will a major informative article from CNET be forthcoming?

Does Mirai affect only Linux-based devices? Who needs to be concerned? How can the owner of an internet-connected device prevent Mirai and other malware from taking over? How can Mirai be removed once it's in? Is there any general malware protection available for internet-connected devices like refrigerators and security cameras?

NTG

Comments
Answer
There's a link in this post by Lee.
That's the news, but none of my questions are answered in it

Right. That's the basic news about the attack. But there is nothing in any of the news articles about how we can deal with it. None of my questions above are specifically addressed in the articles that I have seen, nor have I found any answers with Google. Searching "how to remove Mirai" gets a lot of hits, but none of the hits actually tell how to remove Mirai. Can any CNET admins tell us whether there are any answers to be found?

Answer
Probably not much

If the maker of these devices does not think security is an issue, you're stuck.

I suppose you could not give these things direct access to the net but route them through a pc with av/am installed.

No idea how to do that or if it would work.

Answer
Mirai author bragging.
https://github.com/0x27/linux.mirai/blob/master/post.txt

"Greetz everybody,
When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to ****. However, I know every skid and their mama, it's their wet dream to have something besides qbot.
So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.
So, I am your senpai, and I will treat you real nice, my hf-chan.
And to everyone that thought they were doing anything by hitting my CNC, I had good laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol
Also, shoutout to this blog post by malwaremustdie
(the sites deleted at cnet) <- backup in case low quality reverse engineer unixfreaxjp decides to edit his posts lol
Had a lot of respect for you, thought you were good reverser, but you really just completely and totally failed in reversing this binary. "We still have better kung fu than you kiddos" don't make me laugh please, you made so many mistakes and even confused some different binaries with my. LOL
Let me give you some slaps back -
1) port 48101 is not for back connect, it is for control to prevent multiple instances of bot running together
2) /dev/watchdog and /dev/misc are not for "making the delay", it for preventing system from hanging. This one is low-hanging fruit, so sad that you are extremely dumb
3) You failed and thought FAKE_CNC_ADDR and FAKE_CNC_PORT was real CNC, lol "And doing the backdoor to connect via HTTP on 65.222.202.53". you got tripped up by signal flow Wink try harder skiddo
4) Your skeleton tool sucks ***, it thought the attack decoder was "sinden style", but it does not even use a text-based protocol? CNC and bot communicate over binary protocol
5) you say 'chroot("/") so predictable like torlus' but you don't understand, some others kill based on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland
5 slaps for you
Why are you writing reverse engineer tools? You cannot even correctly reverse in the first place. Please learn some skills first before trying to impress others. Your arrogance in declaring how you "beat me" with your dumb kung-fu statement made me laugh so hard while eating my SO had to pat me on the back.
Just as I forever be free, you will be doomed to mediocracy forever."


I removed some links in his blather. His reference to the "chroot" command and the root "/" is probably in reference to "Jailbreak" methods of breaking out of what's similar to a "********" or "sandboxed" system by creating a third method of using root access on certain daemons which have the ability to "break" out of the "jail" of a sandboxed system. His reference to "senpai" is what we typically speak as "sensei" (sin-say) in English.

In Japan, senpai (先輩) is an upperclassman, someone of a higher age, or senior, and kōhai (後輩) is a protégé or junior. The mentor system is found at all levels of education, and in sports clubs, businesses, and informal or social organizations.

His reference to QBOT is probably a reference to a worm.

Researchers at BAE Systems have published a report investigating the return of the Qbot network-aware worm, revealing infections on some 54,517 PCs. 85% of the affected systems are based in the United States, with academic, government and healthcare industry networks particularly badly hit.

Seems to be a brag his Mirai is better than hacker who came up with QBOT.

skid and skiddo.

No doubt when he's located, arrested, he'll wet his panties and beg his mommy to wipe his sniveling nose drips, LOL.

Have some fun watching the "better kid kung fu" and read this about Mirai.

http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
Answer
How?
"How can Mirai be removed once it's in?"

http://securityaffairs.co/wordpress/50929/malware/linux-mirai-elf.html

"The name of the malware is the same as the binary, "mirai.*". If you have an IoT device, please make sure you have no telnet service open and running." (IoT = Internet of Things, such as DVRs and anything connected to the internet besides just personal computers.) "Blocking the used TCP/48101 port if you don't use it is good to prevent infection & further damage."

CNC = Computer Numeric Control, as typically used, refers to digitally controlled devices using embedded chips which also have flash that can be overwritten (unlike older ROM); some are connected to the internet. Now imagine someone reprograms various ones to do things that are harmful or destructive, such as having manufacturing robots make moves on assembly lines which can harm the workers near them before there's any notice that the computer or CNC-controlled device is malfunctioning. Kill people in hospitals by shutting off life-saving devices which are monitored on a hospital's LAN. Maybe everyone's DVRs begin to fail en masse; imagine all those needing to be reflashed, or exchanged by Comcast, Verizon, etc. for devices which are protected against attacks like Mirai.

So many ways it could be used to take control, not just for a DDoS bot, but more. Perhaps in future, unrewritable ROM will be preferred in these devices, even if it means not easily reflashing a device to add new capabilities, requiring instead a ROM replacement for such upgrades.

Running a search on all binaries for "mirai" might detect if it's on one's computer.

Finally, this is what ELF means.
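The two checks this answer quotes (no telnet service reachable on an IoT device, and no traffic on TCP/48101 unless you use it) plus the suggested search for a "mirai.*" binary, worked into a small defender-side script. This is an added example, not code from the post or from any linked article; the log lines, the process listing and the 192.168.1.x LAN range are constructed samples, and the log format is a simplified iptables-style line.

```python
import re

TELNET_PORT = 23            # standard telnet port; the answer says no telnet service should be open
MIRAI_CONTROL_PORT = 48101  # TCP port the answer says to block if you don't use it
LAN_PREFIX = "192.168.1."   # assumed LAN range for the constructed sample below

# Constructed, simplified iptables-style firewall log (not taken from the page).
SAMPLE_LOG = """\
Oct 21 09:12:01 gw kernel: IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.40 PROTO=TCP SPT=51322 DPT=23 SYN
Oct 21 09:13:10 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.9 PROTO=TCP SPT=50000 DPT=48101 SYN
Oct 21 09:14:00 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.41 DST=203.0.113.50 PROTO=TCP SPT=40000 DPT=443 SYN
"""

# Constructed `ps`-style listing from an IoT device; "mirai.arm7" is a made-up sample name.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     init
  612 root     telnetd
  877 root     mirai.arm7
"""

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def parse_line(line):
    """Extract src/dst/proto/ports from one log line; None if it is not a firewall record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, spt, dpt = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "spt": int(spt), "dpt": int(dpt)}

def analyze(log_text):
    """Return {lan_host: [reasons]} for LAN hosts seeing inbound telnet or any TCP/48101 traffic."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dst"].startswith(LAN_PREFIX) and rec["dpt"] == TELNET_PORT:
            findings.setdefault(rec["dst"], []).append(f"inbound telnet attempt from {rec['src']}")
        if MIRAI_CONTROL_PORT in (rec["spt"], rec["dpt"]):
            host = rec["src"] if rec["src"].startswith(LAN_PREFIX) else rec["dst"]
            findings.setdefault(host, []).append(
                f"TCP/{MIRAI_CONTROL_PORT} traffic {rec['src']}:{rec['spt']} -> {rec['dst']}:{rec['dpt']}")
    return findings

def suspicious_process_names(ps_output):
    """Command names in a `ps`-style listing that match the 'mirai.*' pattern the post mentions."""
    names = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if fields and re.fullmatch(r"mirai\.\w+", fields[-1]):
            names.append(fields[-1])
    return names
```

On the sample data the script reports 192.168.1.40 for both the telnet attempt and the 48101 connection, and flags the "mirai.arm7" process; a clean device produces no findings for either check.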
