2/15/2018
09:00 AM
David Holmes

The Mirai Botnet Is Attacking Again

And the spinoff bots - and all their command and control hostnames buried in the morass of digital data - are hilarious.

The Mirai botnet is kind of like Madonna. They both were huge once. Then the adoring public shifted their attention to younger, newer acts, but they keep on performing anyway. We wrote about Mirai extensively after we predicted its construction in our first IoT report, DDoS’s Newest Minions: IoT Devices in 2016.

Mirai has been in the news again recently. In December, Brian Krebs reported that two men pleaded guilty as the co-authors of the IoT botnet. A new botnet, Satori (Japanese for "the awakening") is a possible successor to Mirai. The source code for Satori was recently posted to Pastebin as a Christmas gift to the IoT hacker community. Like Reaper, Satori weaponizes exploits beyond simple brute-force default password guessing.

F5 Labs and our data partner, Loryka, still monitor Mirai (but not Madonna!). Even though Satori and Reaper might be the interesting new acts, Mirai and its children are still actively attacking from the Internet of Things. Our honeypots grab configurations from each botnet and we compile the list of command and control (C&C, aka C2 or CNC) hostnames that are used to control each bot. Attacks from the C&C hosts themselves are rare, but the hostnames make good indicators of compromise (IOCs) because any request for those hosts from inside a protected network can be traced back to the infected device that made it.

So, we were looking through last quarter’s list of Mirai spinoff bots and all of their command and control hostnames and had a bit of a laugh. Of course, we take this botnet stuff seriously, but we couldn’t help snickering a little at some of the domain names.

Of the 203 C&C hostnames we sampled in the last quarter of 2017, about 70 are still active in DNS. And of that original 203, 71% were registered (and almost certainly hosted) by Freenom, Namecheap (an Enom reseller), or Cloudflare. If you were a cybercriminal, why not use "free" domain registration services like Freenom for your C&C hosts? A simple Google search will tell you they care little about what you do with the domain as long as you use it (or they will eagerly park your domain and start collecting ad revenue).

When it comes to domain registrars like Enom that offer reseller services to companies like Namecheap, the layers of domain management and orchestration between the registrant and the controller can make it harder to track down and process abuse complaints. Because cybercriminals know this, they often favor resellers over direct registrars. A simple Google search for Namecheap will turn up a history of complaints alleging they do little about abuse reports, so it's not surprising cybercriminals would choose to use them. Cloudflare, on the other hand, has drawn fire from Brian Krebs for its continued hosting of obvious DDoS-for-hire services.

[Chart: Mirai C&C Hosting Providers. Image Source: F5]

Sure, the C&C list is a small sample size, and C&C hosts come and go quickly. This list is in no way exhaustive — it’s just a snapshot in time from last quarter. But for a breakdown of the domain hosting services, see the end of this article.

Yes, I really am a C&C server
A disturbing number of the C&C servers brazenly scream out that they are, indeed, nefarious "cnc" servers. Check out this subset:

cnc.bigbandsinmyvault.tk
cnc.bigbotpein.ru
cncbot.cnbot.space
cncbot.ddns.net
cnc.changeme.com
cnc.linux.lol
cnc.nutsz.club
cnc.skidsec.org
cnc.spamtech.win
 
There’s a whole other category of hosts that identify not just as C&C servers, but as Mirai C&C servers. Thanks for the specificity, dudes! How much more obvious do you need to be?

cmdmirai.tk
cnc.mirai.com
iotmirai.tk
lolzsecsshittymirai.tk
miraibotnet.ml
miraibotnet.online
miraihoneypot.tk
mirainet.ml
mirainet.tk
 
For those of you security engineers out there, it's probably not a terrible idea to flag any computer in your network that is looking up hosts that begin with "cnc" or "mirai".
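Here is what that flagging rule looks like when it is actually run against DNS query logs, together with the IOC matching described earlier (a lookup of a known C&C hostname from inside the network pointing back at the infected device). This is an added example, not F5 Labs' or Dark Reading's code. It assumes a BIND9-style query log format ("client IP#port ... query: NAME IN TYPE"); the log lines are constructed for the example, and the IOC set is seeded only with hostnames quoted in this article. The heuristic is applied per DNS label and is slightly wider than the sentence above: a label that starts with "cnc" (so cncbot.cnbot.space matches) or contains "mirai" anywhere (so iotmirai.tk and mirainet.tk match too).

```python
"""Flag DNS lookups of Mirai-style C&C hostnames in BIND-style query logs.

Added example (not F5 Labs' or Dark Reading's code). Two checks:
  1. exact or subdomain match against an IOC list of C&C hostnames
     (seeded here with names quoted in the article);
  2. the article's rule of thumb: any DNS label that starts with
     "cnc" or contains "mirai".
The log lines below are constructed for the example; the log format
mimics BIND9 query logging ("client IP#port ... query: NAME IN TYPE").
"""
import re
from typing import Dict, Iterable, List, Optional

# IOC list seeded with hostnames quoted in the article.
CNC_IOCS = {
    "cnc.skidsec.org",
    "cnc.mirai.com",
    "miraibotnet.ml",
    "gammaboat.us",
    "boatnet.xyz",
}

# BIND9-style query log line (format assumed for this example).
QUERY_RE = re.compile(
    r"client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot so 'CNC.Skidsec.org.' matches IOCs."""
    return name.rstrip(".").lower()


def matches_ioc(name: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC that NAME equals or is a subdomain of, else None.

    The '.' prefix check means notgammaboat.us does not match gammaboat.us.
    """
    for ioc in iocs:
        ioc = normalize(ioc)
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def heuristic_reason(name: str) -> Optional[str]:
    """Per-label check: a label starting with 'cnc' or containing 'mirai'.

    Checking label starts (not substrings) keeps names such as
    concrete-cnc-mills.example from being flagged.
    """
    for label in name.split("."):
        if label.startswith("cnc"):
            return f"label '{label}' starts with 'cnc'"
        if "mirai" in label:
            return f"label '{label}' contains 'mirai'"
    return None


def scan_log(lines: Iterable[str], iocs: Iterable[str] = CNC_IOCS) -> List[Dict[str, str]]:
    """Return one finding per suspicious query: source IP, queried name, and why."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        ioc = matches_ioc(name, iocs)
        reason = f"IOC match: {ioc}" if ioc else heuristic_reason(name)
        if reason:
            findings.append({"src": m.group("src"), "name": name, "reason": reason})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
15-Feb-2018 09:00:01.101 client 10.0.0.5#51234 (cnc.skidsec.org): query: cnc.skidsec.org IN A + (10.0.0.53)
15-Feb-2018 09:00:01.245 client 10.0.0.9#40211 (www.example.com): query: www.example.com IN AAAA + (10.0.0.53)
15-Feb-2018 09:00:02.017 client 10.0.0.17#33801 (ssh.gammaboat.us): query: ssh.gammaboat.us IN A + (10.0.0.53)
15-Feb-2018 09:00:02.330 client 10.0.0.22#60002 (cncbot.cnbot.space): query: cncbot.cnbot.space IN A + (10.0.0.53)
15-Feb-2018 09:00:03.004 client 10.0.0.31#45678 (IOTMIRAI.TK.): query: IOTMIRAI.TK. IN A + (10.0.0.53)
15-Feb-2018 09:00:03.512 client 10.0.0.40#50505 (mail.concrete-cnc-mills.example): query: mail.concrete-cnc-mills.example IN MX + (10.0.0.53)
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['src']:<12} {f['name']:<32} {f['reason']}")
```

Two caveats before wiring this into an alert: the "cnc" heuristic will also catch legitimate hosts at, say, a machining company, so treat heuristic hits as triage leads and IOC hits as the higher-confidence signal; and the IOC list must be refreshed from the full F5 Labs list regularly, because as the article notes these C&C names come and go quickly.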

And somebody really likes boats. (We like boats, too.)

bigboats.club
bigboatz.us
boatnet.xyz
boat.racoon.ml
gammaboat.us
ssh.gammaboat.us
www.trapboat.club
 
We’ve been saying that the Internet of Things is the attacker platform of the future. The world of IoT botnets is highly automated. And, of course, our defenses are getting more automated as well. It’s computers attacking and computers defending. But every now and then you get a glimpse of the humanity buried in the morass of digital data. Take these cnc hostnames for example:

cnc.tonguepunchfartbox.life
cnc.smokemethallday.tk
cnc.urgay.cf

Sure, they’re completely juvenile, but that’s how you know they’re human. And humans make mistakes. Sometimes those mistakes are other humans, and those humans end up building IoT botnets controlled by C&C hosts whose names offend the senses or offer dubious advice.

What’s Up with all the .tk Domains?
In theory, the .tk top level domain (TLD) represents the Tokelau island chain of New Zealand, a place so small it doesn't even have a regional airport. In reality, .tk domains are free and are used by people who cannot afford a paid registration, as well as by a huge number of spammers, phishers, and stresser (DDoS-for-hire) operators. The .tk TLD is now, incredibly, the third most popular after .com and .net. That's right, more popular than .uk, .org, and .sex. The massive popularity of .tk domains has increased the GDP of Tokelau by 10%, and some of the increased revenue goes to provide the local poor with their own Internet access. Such a strange, circular world we live in.

A complete list of these hosts is available on the F5 Labs site.


David Holmes is the world-wide security evangelist for F5 Networks. He writes and speaks about hackers, cryptography, fraud, malware and many other InfoSec topics. He has spoken at over 30 conferences on all six developed continents, including RSA.