Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of Thousands of Internet Businesses and Millions of Users in October 2016
William Favre Slater, III, M.S. MBA, PMP, CISSP, CISA
Sr. Cybersecurity Consultant and Adjunct Professor, IIT School of Applied Technology
April 20, 2017 Mirai Botnet - William Favre Slater, III
Agenda
• Introduction
• WHY Is This important?
• Internet of Things – Size and Typical Devices
• What is a Botnet?
• DDoS Attacks
• Little Known Roots of the Mirai Botnet
• Pre-Attack Events
• What Did the Mirai Botnet Do in October 2016?
• How Did Mirai Work?
• Post-Attack Events
• How Can an Organization Protect Against Mirai and other Botnet Attacks?
• Hajime! Some Recent “Good News”
• Conclusion
• Questions
• References
• Bio
Introduction
• Mirai is the Japanese word for “The Future”
• The Mirai Botnet Attack of October 2016 used known security weaknesses in tens of millions of Internet of Things (IoT) Devices to launch massive Distributed Denial of Service Attacks against DYN, which is a major DNS Service provider. The result was a notable performance degradation in tens of thousands of businesses that rely heavily on the Internet, and for millions of users who used these services. A short time before the attack, the Mirai Botnet code was shared on the Internet as it was placed into Open Source. With the exponential rise of the population of IoT devices, what does the Mirai Botnet attack mean for the future of Internet Security?
• This presentation will examine the implications of the Mirai Botnet code and the explosion of IoT.
WHY Is this Presentation Important??
• The Internet has been business critical since 1997
• The Internet, the World Wide Web, web applications, data, and resources they represent are often considered by many to be critical infrastructure
• Outages (any) can cost money, lost customers, and even brand damage
• Everyone who uses the Internet in a business capacity should be aware of the DDoS Threat that the Mirai Botnet and similar programs represent
• The Internet of Things, which plays a major role in this saga, continues to grow exponentially in popularity and in capability
How Big is the “Internet of Things”?
Typical IoT Devices
• CCTV cameras
• DVRs
• Digital TVs
• Home routers
• Printers
• Alexa
• Security systems
• Garage doors
• Industrial systems
• Medical systems
• Home appliances
• Smart Utility Meters
• Cars
• Other stuff
Often “Internet of Things” Devices and Typically Cell Phones are Accessing the Internet Via IPv6
Comparing IPv4 and IPv6
What is a Botnet?
• A botnet is a number of Internet-connected devices used by a botnet owner to perform various tasks. Botnets can be used to perform Distributed Denial Of Service Attack, steal data, send spam, allow the attacker access to the device and its connection. The owner can control the botnet using command and control (C&C) software. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.
• Botnets have been around since 2004.
• Attacker machines are usually running the Linux operating system.
Sources: Wikipedia https://en.wikipedia.org/wiki/Botnet ; Cheng, G. (2005). http://www.giac.org/paper/gcih/229/analysis-ddos-tool-stacheldraht-v1666/102150
Stacheldraht DDoS Attack
Sources: Wikipedia https://en.wikipedia.org/wiki/Botnet
DDoS Attacks
Source: AWS Best Practices for DDoS Resiliency https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
DoS Attack, DDoS Attacks
Types of DDoS Attacks
• HTTP Floods
• DNS Query Floods
• SSL Abuse
• TCP SYN Floods
• TCP ACK Floods
• TCP NULL Floods
• Stream Flood
• UDP Flood
• UDP Reflection
• Smurf Attack
• ICMP PING Floods
• GRE IP Floods
• GRE ETH Floods
Sources: AWS Best Practices for DDoS Resiliency https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf ; Cheng, G. (2005). http://www.giac.org/paper/gcih/229/analysis-ddos-tool-stacheldraht-v1666/102150 ; Herzberg, B., Bekerman, D., and Zeifman, I. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
The Mirai Botnet infected and harnessed millions of IoT Devices to attack 17 DYN DNS Provider Data Centers and impair their ability to resolve DNS requests.
Mirai is designed and was implemented to employ SEVERAL of these DDoS attack methods.
Types of DDoS Attacks
Source: AWS Best Practices for DDoS Resiliency https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
DDoS Attack Costs Money, Time and Risk Brand Damage
Source: Kaspersky
Little-Known Roots of the Mirai Botnet
• The 2012 Carna Botnet Census exploited over 420,000 public-facing IPv4 devices that had no passwords or weak passwords
• Of the 4.3 billion possible IPv4 addresses, Carna Botnet found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. The remaining 2.3 billion IPv4 addresses are probably not used. [Wikipedia]
• The website at http://internetcensus2012.github.io/InternetCensus2012/paper.html shows the paper, which describes the methods used and data collected
• The author admitted in his paper that he enjoyed the “feeling of power” of being able to simultaneously control over 400,000 devices from a single desktop.
• Over 4 TB of device data and IP addresses were collected
• This data remains a standard for “checkup” to ensure that administrators have no public-facing insecure devices
• The author, whose identity remains a secret, could face prosecution in every country that has applicable network intrusion laws
Source: Carna Botnet Census of 2012 http://census2012.sourceforge.net/paper.html
Little Known Roots of the Mirai Botnet
Source: https://web.archive.org/web/20130324015330/http://gawker.com:80/5991667/this-illegally-made-incredibly-mesmerizing-animated-gif-is-what-the-internet-looks-like
Pre-Attack Events
• August 2016 - Bruce Schneier predicts, based on his research and observations, that a DDoS attack or series of attacks would take down the Internet
• September 2016 - Brian Krebs’ website and his Provider were hit with DDoS attacks at about 665 Gbps
• October 2016 - Mirai Source Code placed in Open Source
DDoS Attack Prediction in September 2016 by Bruce Schneier
• Someone Is Learning How to Take Down the Internet - by Bruce Schneier, Excerpt: “What can we do about this? Nothing, really. We don't know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it's possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the US decides to make an international incident over this, we won't see any attribution. But this is happening. And people should know.” – https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html
Bruce Schneier
Note: When Dr. Bruce Schneier says something, I believe it. He is one of the greatest Cybersecurity Researchers and Writers in the World.
The Security Economics of Internet of Things (IoT)
Sources: https://www.schneier.com/blog/archives/2016/10/security_econom_1.html
• Excellent Commentary about IoT, Economics, and Security by Internationally known Security writer and Researcher, Dr. Bruce Schneier
Bruce Schneier
DDoS Attack on Brian Krebs’ Website
• KrebsOnSecurity Hit With Record DDoS – https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
• DDoS attack takes down Brian Krebs' site - www.krebsonsecurity.com . At 665 Gbps of traffic it was the largest DDoS Attack in Internet History - Attack was so powerful that Akamai threw up its hands – http://www.csoonline.com/article/3123785/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html
• Will IoT folks learn from DDoS attack on Krebs’ Website? – http://www.csoonline.com/article/3124436/security/will-iot-folks-learn-from-ddos-attack-on-krebs-web-site.html
• Someone, whom he subsequently spent months working to track down, had seized control of hundreds of thousands of internet-connected devices, including home routers, video cameras, DVRs, and printers, to create a botnet, a sort of digital zombie army. – https://hub.jhu.edu/magazine/2017/spring/internet-personal-cyberattacks/
Brian Krebs
Note: When Brian Krebs, of www.krebsonsecurity.com writes about Cybersecurity, and then gets hit with the Internet’s largest DDoS attack ever, it gets everyone’s attention, especially Cybersecurity Researchers.
WHAT DID THE MIRAI BOTNET DO IN OCTOBER 2016?
DDoS Attacks of October 21, 2016
• The Internet didn’t “break” on October 21, 2016, but the attackers who launched the DDoS attacks against Dyn exploited a known DNS Weakness that negatively impacted MANY Internet-related businesses and millions of users.
Screenshots from: http://downdetector.com/ Hint: A GREAT Resource!
DDoS Attacks of October 21, 2016 – The Major Internet-Related Businesses Affected
DDoS Attacks of October 21, 2016
• The Internet didn’t “break” on October 21, 2016, but the attackers who launched the DDoS attacks against Dyn exploited a known DNS Weakness that negatively impacted MANY Internet-related businesses and millions of users.
Note: Oracle bought DYN in November 2016. Source: https://www.wired.com/2016/11/oracle-just-bought-dyn-company-brought-internet/
How Did Mirai Work? DDoS Attacks of October 21, 2016
How Did Mirai Work? DDoS Attacks of October 21, 2016
Infected IoT Devices:
1) Launch DDoS Attacks
2) Report data to C2 Servers
3) Infect other IoT Devices
How Did Mirai Work? DDoS Attacks of October 21, 2016
• The Mirai Internet of Things (IoT) botnet has been using STOMP (Simple Text Oriented Messaging Protocol) floods to hit targets, a protocol that isn’t normally associated with distributed denial of service (DDoS) attacks.
• Mirai has been responsible for taking major websites offline for many users by targeting the Dyn DNS service, in addition to hosting firm OVH in attacks that surpassed 1.2 Tbps (terabits per second). Mirai was also used in an attack against Brian Krebs’ blog in a 665 Gbps+ (gigabits per second) assault. The botnet uses various attack vectors to power these massive attacks, including STOMP floods.
Source: http://www.securityweek.com/mirai-used-stomp-floods-recent-ddos-attacks
Mirai’s Purposes and Some Source Code Analysis
Source: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
Mirai’s “Don’t Mess With” List and a look at the Coder’s Psyche
Source: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
Where were the Mirai Botnet Attacks Coming From on October 21, 2016?
Source: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
Post-Attack Events
• October 2016 - Twitter Account to Monitor Mirai in Real-Time
• November 2016 - Chinese claim Mirai Botnet attack hit Chinese-made IoT Devices, especially CCTVs
• November 2016 - DHS published guideline documents for implementing Secure IoT devices
• Windows Mirai botnet variant identified in 2017
– The Windows variant of the infamous Mirai Linux botnet is the offspring of a more experienced bot herder, possibly of Chinese origin, Kaspersky Lab security researchers warn.
– Recently detailed by Doctor Web, its main functionality is to spread the Mirai botnet to embedded Linux-based devices. The malware also abuses Windows Management Instrumentation (WMI) to execute commands on remote hosts, and targets Microsoft SQL Server and MySQL servers to create admin accounts and abuse their privileges.
The Basics: How to Protect our IoT Devices Against Mirai and Other Botnet Attacks
• Change Your Password. This is not only good advice for those of us who shop online or who have been notified that the e-commerce site we recently shopped on has been breached, but likewise for IoT devices. In fact, according to this report, these better credentials can be used to provide a bulwark against botnet attacks like Mirai by substituting the hard-coded username and password with ones that are unique to your organization and not, of course, easily guessed.
• Turn them off. For currently deployed IoT devices, turn them off when not in use. If the Mirai botnet does infect a device, the password must be reset and the system rebooted to get rid of it.
• Disable all remote access to them. To protect devices from Mirai and other botnets, users should not only shield TCP/23 and TCP/2323 access to those devices, but also disable all remote (WAN) access to them.
• Research Your Purchase. Before you even buy a product, research what you are buying and make sure that you know how to update any software associated with the device. Look for devices, systems, and services that make it easy to update the device and inform the end user when updates are available.
• Use It or Lose It. Once the product is in your office, turn off the functions you’re not using. Enabled functionality usually comes with increased security risks. Again, make sure you review that before you even bring the product into the workplace. If it’s already there, don’t be shy about calling customer service and walking through the steps needed to shut down any unused functions.
Source: https://www.pwnieexpress.com/blog/mirai-botnet-part-2
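Added example, not part of the original slides: a Python check that applies the "shield TCP/23 and TCP/2323" advice to firewall logs. It reports IoT devices that accept Telnet from outside their segment, and devices whose own Telnet traffic fans out to many hosts (the "infect other IoT devices" behaviour listed earlier). The log format, the 10.20.0.0/24 IoT segment, the thresholds and every sample line are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

TELNET_PORTS = {23, 2323}               # the two ports named on the slide
IOT_NET = ip_network("10.20.0.0/24")    # assumed IoT segment (hypothetical)
WINDOW_SECONDS = 60                     # assumed detection window
MIN_DISTINCT_TARGETS = 5                # assumed fan-out threshold

# Constructed sample log. Format: <epoch> <src> <dst> <dst_port> <ALLOW|DENY>
SAMPLE_LOG = """\
1476000000 10.20.0.15 198.51.100.7 23 ALLOW
1476000002 10.20.0.15 198.51.100.8 23 ALLOW
1476000003 10.20.0.15 203.0.113.40 2323 ALLOW
1476000005 10.20.0.15 203.0.113.41 23 ALLOW
1476000009 10.20.0.15 192.0.2.99 23 ALLOW
1476000011 10.20.0.15 192.0.2.100 23 DENY
1476000020 10.20.0.22 198.51.100.7 443 ALLOW
1476000030 10.20.0.30 198.51.100.9 23 ALLOW
1476000400 10.20.0.30 198.51.100.10 23 ALLOW
1476000050 203.0.113.77 10.20.0.41 23 ALLOW
1476000051 203.0.113.77 10.20.0.42 2323 DENY
this line is malformed
1476000040 10.20.0.15 10.20.0.16 23 ALLOW
"""


def parse_line(line):
    """Return (ts, src, dst, port, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts, port = int(parts[0]), int(parts[3])
        src, dst = ip_address(parts[1]), ip_address(parts[2])
    except ValueError:
        return None
    return ts, src, dst, port, parts[4].upper()


def max_fanout(events):
    """Most distinct destinations seen within any WINDOW_SECONDS span."""
    events = sorted(events)
    best, left = 0, 0
    in_window = defaultdict(int)        # destination -> hits inside window
    for ts, dst in events:
        in_window[dst] += 1
        while ts - events[left][0] > WINDOW_SECONDS:
            old = events[left][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def analyze(log_text):
    """Return (suspected_scanners, exposed_devices) for the IoT segment."""
    outbound = defaultdict(list)        # IoT source -> [(ts, destination)]
    exposed = set()                     # IoT devices reachable on Telnet
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] not in TELNET_PORTS:
            continue
        ts, src, dst, _port, action = rec
        if src in IOT_NET:
            # Blocked attempts count too: the device still tried to connect.
            outbound[str(src)].append((ts, str(dst)))
        elif dst in IOT_NET and action == "ALLOW":
            exposed.add(str(dst))       # Telnet from outside was let through
    scanners = {}
    for src, events in outbound.items():
        fanout = max_fanout(events)
        if fanout >= MIN_DISTINCT_TARGETS:
            scanners[src] = fanout
    return scanners, sorted(exposed)


if __name__ == "__main__":
    scanners, exposed = analyze(SAMPLE_LOG)
    print("Telnet fan-out (possible infection):", scanners)
    print("Telnet reachable from outside:", exposed)
```

A device in the first result should be isolated, rebooted and given a new password as the slide describes; a device in the second result needs its Telnet and WAN access closed.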
How Can an Organization Protect Against Mirai and Other Botnet Attacks?
• Take this seriously
• Read up on the DHS Principles on Securing IoT
• Learn about IPv6 – it’s a BIG Deal (http://ipv6.he.net)
• Actively design, engineer, and implement security, from the beginning, not after the fact
• Set or Change the default passwords on IoT
• Have an alternate DNS provider
• Add DDoS attack scenarios into your Incident Management and Response Plans
• Use DDoS scenarios in your Exercises
• Simulate DDoS attacks on your digital infrastructure to stress-test, evaluate, and continually improve your digital infrastructure
More Recommendations to Protect Against Mirai and Other Botnet Attacks
• The IoT threat is a serious one but one that can be simply resolved. While it’s almost impossible to educate everyone on how to change their username and passwords on these devices, it is possible for manufacturers to incorporate security features into the design and production of these devices, in particular securing telnet communication and its associated ports. Default passwords must be random and users should be advised with simple instructions on how to change them.
• We also recommend home users take these four steps to better prepare:
– Stay current – Update firmware and software regularly
– Authentication – Use unique credentials for each device
– Configuration – Close unnecessary ports and disable unnecessary services
– Segment – Create separate network zones for your IoT systems
Source: https://blog.radware.com/security/2017/03/expansion-iot-since-mirai/
Read: DHS Strategic Principles for Securing Internet of Things
Source: https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf
Published about 25 days AFTER the Mirai Botnet attack…
Read: DHS Strategic Principles for Securing Internet of Things
Source: DHS IoT Factsheet https://www.dhs.gov/sites/default/files/publications/IOT%20fact%20sheet_11162016.pdf
Published about 25 days AFTER the Mirai Botnet attack…
The Mirai Botnet Five Takeaways
1. Not just one attack
2. The attack was sophisticated
3. IoT is to blame
4. This isn't the end
5. The IoT industry needs stricter standards
Source: http://www.techrepublic.com/article/dyn-ddos-attack-5-takeaways-on-what-we-know-and-why-it-matters/
Source: Kaspersky https://www.pwnieexpress.com/blog/mirai-botnet-part-2
HAJIME! Some Recent “Good News”
A new, more powerful IoT decentralized worm, Hajime, is spreading faster and more effectively than Mirai.
– Hajime is a Japanese word for “Begin!” or “Beginning”
– First identified, analyzed, and written up in October 2016 by Sam Edwards and Ioannis Profetis of Rapidity Networks Security Research Group
– Later announced April 18, 2017 by Symantec
– Written in C
– Platforms: ARMv5, ARMv7, Intel x86-64, MIPS (little endian)
– Brute force authentication
– Spreads independently via Peer-to-Peer, without using C2
– Infects mostly DVRs and CCTV devices
– Once in control of a target it blocks several ports used by its rival, Mirai
– Only scans about 86% of the IPv4 address space
– Mostly in Asia, Russia, Brazil and Argentina
– Writes benign message “Stay Sharp”
– Thought to be from a “White Hat”, Vigilante Hacker, who prefers English
– Thought to be competing against Mirai
– Cautionary Note: Like Mirai, it is still breaking the Law, and if Hajime or its variants turn “evil” it could be worse than Mirai.
Sources:
http://news.softpedia.com/news/hajime-iot-worm-considerably-more-sophisticated-than-mirai-509423.shtml
http://linkis.com/www.cio.co.nz/articl/2dpeg
https://nakedsecurity.sophos.com/2017/04/20/the-iot-malware-that-plays-cat-and-mouse-with-mirai
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf (Technical Analysis Report by Edwards & Profetis)
Actual Hajime IoT Worm Message
Top 10 Countries with Hajime Infections
Sources:
http://news.softpedia.com/news/hajime-iot-worm-considerably-more-sophisticated-than-mirai-509423.shtml
http://linkis.com/www.cio.co.nz/articl/2dpeg
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf (Technical Report by Edwards & Profetis)
Conclusion
• The Mirai Botnet made history because of its size, power, bandwidth consumption, and impact on the Internet-based businesses and people connected to the Internet.
• Because Mirai and Hajime source code have been shared as Open Source on the web, they are being studied and they are evolving.
• The rapid evolution and spread of IoT Devices provides Mirai and Hajime and their variants an ever-expanding target-rich environment
• The more people and organizations pay attention to the Mirai Botnet code and how to survive DDoS attacks, the better off we will be as an Internet-connected Society.
• Remember that presently, Hajime is P2P and more powerful than Mirai
• Remember that CIA (Confidentiality, Integrity, and Availability) are the simplest principles of Security, and that Mirai and DDoS attacks can and will reduce the Availability of your digital infrastructure.
Questions
References
• Amazon. (2006). AWS Best Practices for DDoS Resiliency. Retrieved on April 3, 2017 from https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
• Arghire, I. (2016). Mirai Switches to Tor Domains to Improve Resilience. Published December 19, 2016 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/mirai-switches-tor-domains-improve-resilience
• Arghire, I. (2016). Mirai Used STOMP Floods in Recent DDoS Attacks. Published November 17, 2016 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/mirai-used-stomp-floods-recent-ddos-attacks
• Arghire, I. (2016). This Web-based Tool Checks if Your Network Is Exposed to Mirai. Published November 24, 2016 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/web-based-tool-checks-if-your-network-exposed-mirai
• Arghire, I. (2017). Mirai for Windows Built by Experienced Bot Herder: Kaspersky. Published February 21, 2017 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/mirai-windows-built-experienced-bot-herder-kaspersky
• Arghire, I. (2017). New Variant of Infamous IoT Botnet Launches Attack Against Network of U.S. College. Published March 29, 2017 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/new-mirai-variant-unleashes-54-hour-ddos-attack
• Arghire, I. (2017). Windows Trojan Spreads Mirai to Linux Devices. Published February 10, 2017 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/windows-trojan-spreads-mirai-linux-devices
• Cheng, G. (2015). Analysis on DDOS tool Stacheldraht v1.666. A GIAC paper published by the SANS Institute. Retrieved on April 8, 2017 from http://www.giac.org/paper/gcih/229/analysis-ddos-tool-stacheldraht-v1666/102150
• Cimpanu, C. (2017). Hajime IoT Worm Considerably More Sophisticated than Mirai. Published at Softpedia.com on April 18, 2017. Retrieved on April 20, 2017 from http://news.softpedia.com/news/hajime-iot-worm-considerably-more-sophisticated-than-mirai-509423.shtml
• DHS. (2016). Strategic Principles for Securing the Internet of Things. Published by DHS on November 15, 2016. Retrieved on March 29, 2017 from https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf
• DHS. (2016). Strategic Principles for Securing the Internet of Things. Published by DHS on November 15, 2016. Retrieved on March 29, 2017 from https://www.dhs.gov/sites/default/files/publications/IOT%20fact%20sheet_11162016.pdf
• Dishon, R. (2017). Bad bots, bad bots, whatcha gonna do. Published at ESET on March 17, 2017. Retrieved on March 30, 2017 from https://www.eset.com/us/about/newsroom/corporate-blog/bad-bots-bad-bots-whatcha-gonna-do/
• Edwards, S., and Profetis, I. (2016). Hajime: An Analysis of a Decentralized Worm for IoT Devices. Published October 16, 2016 by Rapidity Networks Security Research Group. Retrieved on April 20, 2017 from https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
• Finley, K. (2016). Oracle Just Bought Dyn, the Company That Brought Down the Internet. Published at Wired.com on November 21, 2016. Retrieved on April 14, 2017 from https://www.wired.com/2016/11/oracle-just-bought-dyn-company-brought-internet/
• Gallagher, S. (2016). How one rent-a-botnet army of cameras, DVRs caused Internet chaos. Published at ArsTechnica.com on October 25, 2016. Retrieved on April 12, 2017 from https://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/
• Forrest, C. (2016). Dyn DDoS attack: 5 takeaways on what we know and why it matters. An article published at TechRepublic on October 24, 2016. Retrieved on October 25, 2017 from http://www.techrepublic.com/article/dyn-ddos-attack-5-takeaways-on-what-we-know-and-why-it-matters/
• Henriques, N. (2017). Hacker Who Knocked Million Routers Offline Using MIRAI Arrested at London Airport. Retrieved on February 24, 2017 from https://www.linkedin.com/pulse/hacker-who-knocked-million-routers-offline-using-mirai-nuno-henriques
• Herzberg, B., Bekerman, D., and Zeifman, I. (2016). Breaking Down Mirai: An IoT DDoS Botnet Analysis. Published at Incapsula on October 26, 2016. Retrieved on April 8, 2017 from https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
• Kan, M. (2017). A vigilante hacker may have built a computer worm to protect the IoT. Published at CIO.com on April 20, 2017. Retrieved on April 20, 2017 from http://linkis.com/www.cio.co.nz/articl/2dpeg
• Kovacs, E. (2016). German ISP Confirms Malware Attacks Caused Disruptions: Users Around the World Vulnerable to Attacks on Port 7547. Published November 29, 2016 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions
• Kovacs, E. (2016). Hacker Releases Source Code of IoT Malware Mirai. Published October 3, 2016 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/hacker-releases-source-code-iot-malware-mirai
• Kovacs, E. (2016). Over 500,000 IoT Devices Vulnerable to Mirai Botnet. Published October 7, 2016 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/over-500000-iot-devices-vulnerable-mirai-botnet
• Lipman, P. (2017). The Cybersecurity Industry Is Failing: Time to Get Smart About 'Dumb' Homes. Published at Newsweek.com on March 23, 2017. Retrieved on April 12, 2017 from http://www.newsweek.com/cybersecurity-industry-failed-threat-572949
• McLaughlin, J. (2017). The Internet of Bad Things. Published in the Spring 2017 issue of Johns Hopkins Magazine on the Web. Retrieved on March 28, 2017 from https://hub.jhu.edu/magazine/2017/spring/internet-personal-cyberattacks
• Phys.org. (2016). Disgruntled gamer 'likely' behind October US hacking: expert. Published at Phys.org on November 16, 2016. Retrieved on March 29, 2017 from https://phys.org/news/2016-11-disgruntled-gamer-october-hacking-expert.html
• Newman, L. H. (2016). The Botnet That Broke the Internet Isn’t Going Away. Published at Wired.com on December 9, 2016. Retrieved on April 12, 2017 from https://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/
• Read, M. (2013). This Illegally Made, Incredibly Mesmerizing Animated GIF Is What the Internet Looks Like. Published on GAWKER. Retrieved on April 5, 2017 from http://gawker.com/5991667/this-illegally-made-incredibly-mesmerizing-animated-gif-is-what-the-internet-looks-like
• Savage, K. (2016). A Post-Mortem on the Mirai Botnet: Part 2: Analyzing the Attack. Published at PwnieExpress.com on December 29, 2016. Retrieved on April 20, 2017 from https://www.pwnieexpress.com/blog/mirai-botnet-part-2
• Smith, D. (2017). The Expansion of IoT since Mirai. Published at Radware. Retrieved on April 8, 2017 from https://blog.radware.com/security/2017/03/expansion-iot-since-mirai/
• Sophos. (2017). The IoT malware that plays cat and mouse with Mirai. Published at NakedSecurity.Sophos.com on April 20, 2017. Retrieved April 20, 2017 from https://nakedsecurity.sophos.com/2017/04/20/the-iot-malware-that-plays-cat-and-mouse-with-mirai
• Townsend, K. (2016). 100,000 UK Routers Likely Affected by Mirai Variant. Published December 6, 2016 at SecurityWeek. Retrieved on March 29, 2017 from http://www.securityweek.com/100000-uk-routers-likely-affected-mirai-variant
• Verizon. (2016). Verisign 2016 DDoS Trends Report. Retrieved September 16, 2016, from https://www.verisign.com/assets/report-ddos-trends-Q22016.pdf
• Wikipedia. (2017). Wikipedia – Carna Botnet. Retrieved April 3, 2017 from https://en.wikipedia.org/wiki/Carna_botnet
• Woolf, N. (2016). DDoS attack that disrupted internet was largest of its kind in history, experts say. Published October 26, 2016 at TheGuardian.com. Retrieved March 29, 2017 from https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
Presenter Bio: William Favre Slater, III
• Project Manager / Sr. IT Consultant at Slater Technologies, Inc., and Adjunct Professor at the Illinois Institute of Technology - Working on projects related to:
– Security reviews and auditing
– ISO 27001 Project Implementations
– Developing Applications for Risk and Compliance
– Subject Matter Expert in Cybersecurity and IT Service Management for Government Proposals and Contracts related to technical services management and measurement
– SME for preparing Risk Management and Security Exams at Western Governor’s State University in UT
– Created an eBook with articles about Security, Risk Management, Cyberwarfare, Project Management and Data Center Operations
– Providing subject matter expert services to Data Center product vendors and other local businesses.
– Developing and presenting technical training materials for undergraduate and graduate students at the Illinois Institute of Technology in the areas of Data Center Operations, Data Center Architecture, Cyber Security Management, and Information Technology hardware and software.
– Mr. Slater is an internationally published author on Cybersecurity topics related to Cyberwarfare, Social Engineering, and various other topics.
– Providing Summer Internships to IIT Students via his company, Slater Technologies, Inc.
Presenter Bio: William F. Slater, III
• 2017 marks the fifth consecutive year Mr. Slater has presented at Forensecure at IIT
• Mr. Slater has earned an M.S. in Cybersecurity (2013, Bellevue University, Bellevue, NE), as well as an M.S. in Computer Information Systems (2004, University of Phoenix, Phoenix, AZ), and an MBA (2010, University of Phoenix, Phoenix, AZ). He has also earned 80 professional certifications, including a PMP, CISSP, CISA, SSCP, ISO 27002, and a CDCP.
• Mr. Slater has taught for over 9 years as an Adjunct Professor at the Illinois Institute of Technology and developed and delivered courses on these topics: Data Center Operations, Data Center Architecture, Information Technology hardware and software, Data Warehousing, Java and Object-Oriented Software Development, Cybersecurity Management, and IT in Public Administration. See http://billslater.com/teaching
• Mr. Slater is on a personal Mission to help make the world a better, safer and more productive place, especially when it means helping his students and colleagues become smarter about cybersecurity, Internet of Things, Data Centers, the Internet, and other exciting areas of Information Technology.
• He lives in Chicago’s Wicker Park neighborhood with his lovely wife, Joanna Roguska, who is a web developer, musician and belly dancer.
• In his spare time, Mr. Slater teaches Judo and Self Defense at IIT, and he also offers internships to IIT students who want to develop real-world technology skills.
• [email protected] or at 312-758-0307.
William Favre Slater, III
– 312-758-0307
– http://billslater.com/interview
– 1515 W. Haddon Ave., Unit 309, Chicago, IL 60642, United States of America
Thank You!