Mirai Botnet: How IoT Botnets Performed Massive DDoS ......• Mirai is the Japanese word for “The Future” • The Mirai Botnet Attack of October 2016 used known security weaknesses

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Thousands of Internet Businessesand Millions of Users in October 2016

WilliamFavreSlater,III,M.S.MBA,PMP,CISSP,CISASr.CybersecurityConsultantandAdjunctProfessor,IITSchoolofAppliedTechnology

April20,2017 MiraiBotnet- WilliamFavreSlater,III 1

Agenda• Introduction• WHYIsThisimportant?• InternetofThings– SizeandTypicalDevices• WhatisaBotnet?• DDoSAttacks• LittleKnownRootsoftheMiraiBotnet• Pre-AttackEvents• WhatDidtheMiraiBotnetDoin

October2016?• HowDidMiraiWork?• Post-AttackEvents• HowCananOrganizationProtectAgainstMiraiandotherBotnetAttacks?• Hajime!SomeRecent“GoodNews”• Conclusion• Questions• References• Bio


Introduction

• MiraiistheJapanesewordfor“TheFuture”• TheMiraiBotnetAttackofOctober2016usedknownsecurityweaknessesin

tensofmillionsofInternetofThings(IoT)DevicestolaunchmassiveDistributedDenialofServicesAttacksagainstDYN,whichisamajorDNSServiceprovider.TheresultwasanotableperformancedegradesintensofthousandsofbusinesseswhorelyheavilyontheInternet,andmillionsofuserswhousedtheseservices.Ashorttimebeforetheattack,theMiraiBotnetcodewassharedontheInternetasitwasplacedintoOpenSource.WiththeexponentialriseofthepopulationofIoTdevices,whatdoestheMiraiBotnetattackmeanforthefutureofInternetSecurity?

• ThispresentationwillexaminetheimplicationsoftheMiraiBotnetcodeandtheexplosionofIoT.


WHY Is this Presentation Important??• TheInternethasbeenbusinesscriticalsince1997• TheInternet,theWorldWideWeb,webapplications,data,and

resourcestheyrepresentareoftenconsideredbymanytobecriticalinfrastructure

• Outages(any)cancostmoney,lostcustomers,andevenbranddamage

• EveryonewhousestheInternetinabusinesscapacityshouldbeawareoftheDDoSThreatthattheMiraiBotnetandsimilarprogramsrepresent

• TheInternetofThingsthatplaysamajorroleinthissaga,continuestogrowexponentiallyinpopularityandincapability



How Big is the “Internet of Things”?

April20,2017 6MiraiBotnet- WilliamFavreSlater,III

Typical IoT Devices

• CCTVcameras• DVRs• DigitalTVs• Homerouters• Printers• Alexa• Securitysystems• Garagedoors• Industrialsystems• Medicalsystems• Homeappliances• SmartUtilityMeters• Cars• OtherstuffApril20,2017 7MiraiBotnet- WilliamFavreSlater,III

Often “Internet of Things” Devices and Typically Cell Phones are Accessing the Internet Via IPv6


Comparing IPv4 and IPv6

9April20,2017 MiraiBotnet- WilliamFavreSlater,III

What is a Botnet?• Abotnet isanumberofInternet-

connecteddevicesusedbyabotnetownertoperformvarioustasks.BotnetscanbeusedtoperformDistributedDenialOfServiceAttack,stealdata,sendspam,allowtheattackeraccesstothedeviceanditsconnection.Theownercancontrolthebotnetusingcommandandcontrol(C&C)software.Thewordbotnetisacombinationofthewordsrobotandnetwork.Thetermisusuallyusedwithanegativeormaliciousconnotation.

• Botnetshavebeenaroundsince2004.• Attackermachinesareusuallyrunning

theLinuxoperatingsystem.

Sources:Wikipediahttps://en.wikipedia.org/wiki/BotnetCheng,G.(2005).http://www.giac.org/paper/gcih/229/analysis-ddos-tool-stacheldraht-v1666/102150

StachledrahtDDoSAttack


Sources:Wikipediahttps://en.wikipedia.org/wiki/Botnet


DDoS Attacks

Source:AWSBestPracticesforDDoSResiliencyhttps://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf


DoSAttack DDoSAttacks

Types of DDoS Attacks

• HTTPFloods• DNSQueryFloods• SSLAbuse• TCPSYNFloods• TCPACKFloods• TCPNULLFloods• StreamFlood• UDPFlood• UDPReflection• SmurfAttack• ICMPPINGFloods• GREIPFloods• GREETHFloodsSources:AWSBestPracticesforDDoSResiliencyhttps://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdfCheng,G.(2005).http://www.giac.org/paper/gcih/229/analysis-ddos-tool-stacheldraht-v1666/102150Herzberg,B.,Bekerman,D.,andZeifman,Ihttps://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html.

TheMiraiBotnetinfectedandharnessedmillionsofIoTDevicestoattack17DYNDNSProviderDataCentersandimpairtheirabilitytoresolveDNSrequests.

MiraiisdesignedandwasimplementedtoemploySEVERALoftheseDDoSattackmethods.


Types of DDoS Attacks

Source:AWSBestPracticesforDDoSResiliencyhttps://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf


DDoS Attack CostsMoney, Time and Risk Brand Damage

Source:Kaspersky


Little-Known Roots of the Mirai Botnet

• The2012CarnaBotnetCensusexploitedoverpublic-facing420,000IPv4devicesthathadnopasswordsorweakpasswords

• Ofthe4.3billionpossibleIPv4addresses,CarnaBotnetfoundatotalof1.3billionaddressesinuse,including141millionthatwerebehindafirewalland729millionthatreturnedreversedomainnamesystemrecords.Theremaining2.3billionIPv4addressesareprobablynotused.[Wikipedia]

• Thewebsiteathttp://internetcensus2012.github.io/InternetCensus2012/paper.htmlshowsthepaperwrittenwhichdescribesthemethodsusedanddatacollected

• Theauthoradmittedinhispaperthatheenjoyedthe“feelingofpower”beingabletosimultaneouslycontrolover400,000devicesfromasingledesktop.

• Over4TBofdevicedataandIPaddresseswerecollected• Thisdataremainsastandardfor“checkup”toensurethatadministratorshavenopublic

facinginsecuredevices• Theauthor,whoremainsasecret,couldfaceprosecutionineverycountrythathas

applicablenetworkintrusionlaws


Source:CarnaBotnetCensusof2012http://census2012.sourceforge.net/paper.htmlApril20,2017 MiraiBotnet- WilliamFavreSlater,III 17

Little Known Roots of the Mirai Botnet

Source:https://web.archive.org/web/20130324015330/http://gawker.com:80/5991667/this-illegally-made-incredibly-mesmerizing-animated-gif-is-what-the-internet-looks-like


Pre-Attack Events

• August 2016 - Bruce Schneier predicts, based on his research and observations that a DDoS attack or series of attacks would take down the Internet

• September 2016 - Brian Krebs’ website and his Provider were hit with DDoS attacks at about 665 Gbs

• October 2016 - Mirai Source Code placed in Open Source


DDoS Attack Prediction in September 2016 by Bruce Schneier

• SomeoneIsLearningHowtoTakeDowntheInternet- byBruceSchneier,Excerpt:“Whatcanwedoaboutthis?Nothing,really.Wedon'tknowwheretheattackscomefrom.ThedataIseesuggestsChina,anassessmentsharedbythepeopleIspokewith.Ontheotherhand,it'spossibletodisguisethecountryoforiginforthesesortsofattacks.TheNSA,whichhasmoresurveillanceintheInternetbackbonethaneveryoneelsecombined,probablyhasabetteridea,butunlesstheUSdecidestomakeaninternationalincidentoverthis,wewon'tseeanyattribution.Butthisishappening.Andpeopleshouldknow.”– https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html

BruceSchneier

Note:WhenDr.BruceSchneiersayssomething,Ibelieveit.HeisoneofthegreatestCybersecurityResearchersandWritersintheWorld.


The Security Economics ofInternet of Things (IoT)

Sources:https://www.schneier.com/blog/archives/2016/10/security_econom_1.html

}ExcellentCommentaryaboutIoT,Economics,AndSecuritybyInternationallyknownSecuritywriterandResearcher,Dr.BruceSchneier

BruceSchneier


DDoS Attack on Brian Krebs’ Website

• KrebsOnSecurityHitWithRecordDDoS– https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

• DDoSattacktakesdownBrianKrebs'site- www.krebsonsecurity.com .At665GbpsoftrafficitwasthelargestDDoSAttackinInternetHistory- AttackwassopowerfulthatAkamaithrewupitshands– http://www.csoonline.com/article/3123785/security/largest-ddos-attack-ever-delivered-by-botnet-of-hijacked-iot-devices.html

• WillIoTfolkslearnfromDDoSattackonKrebs’Website?– http://www.csoonline.com/article/3124436/security/will-iot-folks-learn-from-ddos-attack-on-krebs-web-site.html

• Someone,whomhesubsequentlyspentmonthsworkingtotrackdown,hadseizedcontrolofhundredsofthousandsofinternet-connecteddevices,includinghomerouters,videocameras,DVRs,andprinters,tocreateabotnet,asortofdigitalzombiearmy.– https://hub.jhu.edu/magazine/2017/spring/internet-personal-cyberattacks/

BrianKrebs

Note:WhenBrianKrebs,ofwww.krebsonsecurity.comwritesaboutCybersecurity,andthengetshitwiththeInternet’slargestDDoSattackever,itgetseveryone’sattention,especiallyCybersecurityResearchers.


WHAT DID THE MIRAI BOTNET DO IN OCTOBER 2016?


DDoS Attacks of October 21, 2016

}TheInternetdidn’t“break”onOctober21,2016,buttheattackerswholaunchedtheDDoSattacksagainstDynexploitedaknownDNSWeaknessthatnegativelyimpactedMANYInternet-relatedbusinessesandmillionsofusers.

Screenshotsfrom:http://downdetector.com/Hint:AGREATResource!


DDoS Attacks of October 21, 2016 –The Major Internet-Related Businesses Affected



} TheInternetdidn’t“break”onOctober21,2016,buttheattackerswholaunchedtheDDoSattacksagainstDynexploitedaknownDNSWeaknessthatnegativelyimpactedMANYInternet-relatedbusinessesandmillionsofusers.

Note:OracleboughtDYNinNovember2016Source:https://www.wired.com/2016/11/oracle-just-bought-dyn-company-brought-internet/



}TheInternetdidn’t“break”onOctober21,2016,buttheattackerswholaunchedtheDDoSattacksagainstDynexploitedaknownDNSWeaknessthatnegativelyimpactedMANYInternet-relatedbusinessesandmillionsofusers.

Note:OracleboughtDYNinNovember2016Source:https://www.wired.com/2016/11/oracle-just-bought-dyn-company-brought-internet/


How Did Mirai Work?DDoS Attacks of October 21, 2016



InfectedIoTDevices:1) LaunchDDoS

Attacks2) Reportdatato

C2Servers3) InfectotherIoT

Devices



• TheMiraiInternetofThings(IoT)botnethasbeenusingSTOMP(SimpleTextOrientedMessagingProtocol)floodstohittargets,aprotocolthatisn’tnormallyassociatedwithdistributeddenialofservice(DDoS)attacks.

• MiraihasbeenresponsiblefortakingmajorwebsitesofflineformanyusersbytargetingtheDynDNSservice,inadditiontohostingfirmOVHinattacksthatsurpassed1.2Tbps(terabitspersecond).MiraiwasalsoinanattackagainstBrianKrebs’blogina665Gbps+(gigabitspersecond)assault.Thebotnetusesvariousattackvectorstopowerthesemassiveattacks,includingSTOMPfloods.

Source:http://www.securityweek.com/mirai-used-stomp-floods-recent-ddos-attacks


Mirai’s Purposes and Some Source Code

Analysis

Source:https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html


Mirai’s “Don’t Mess With” List and a look

at the Coder’s Psyche



Where were the Mirai Botnet Attacks Coming From on October 21, 2016?



Post-Attack Events

• October 2016 - Twitter Account to Monitor Mirai in Real-Time• November 2016 - Chinese claim Mirai Botnet attack hit Chinese-

made IoT Devices, especially CCTVs• November 2016 - DHS published guideline documents for

implementing Secure IoT devices• Windows Mirai botnet variant identified in 2017

– TheWindowsvariantoftheinfamous MiraiLinuxbotnet istheoffspringofamoreexperiencedbotherder,possiblyofChineseorigin,KasperskyLabsecurityresearcherswarn.

– RecentlydetailedbyDoctorWeb,itsmainfunctionalityisto spreadtheMiraibotnet toembeddedLinux-baseddevices.ThemalwarealsoabusesWindowsManagementInstrumentation(WMI)toexecutecommandsonremotehosts,andtargetsMicrosoftSQLServerandMySQLserverstocreateadminaccountsandabusetheirprivileges.


Post-Attack Events

[email protected].


The Basics:How to Protect our IoT Devices Against Mirai and

Other Botnet Attacks• ChangeYourPassword.Thisisnotonlygoodadviceforthoseofuswhoshoponlineorwhohave

beennotifiedthatthee-commercesitewerecentlyshoppedonhasbeenbreached,butlikewiseforIoTdevices.Infact,accordingtothisreport,thesebettercredentialscanbeusedtoprovideabulwarkagainstbotnetattackslikeMiraibysubstitutingthehard-codedusernameandpasswordwithonesthatareuniquetoyourorganizationandnot,ofcourse,easilyguessed.

• Turnthemoff.ForcurrentlydeployedIoTdevices,turnthemoffwhennotinuse.IftheMiraibotnetdoesinfectadevice,thepasswordmustberesetandthesystemrebootedtogetridofit.

• Disableallremoteaccesstothem.ToprotectdevicesfromMiraiandotherbotnets,usersshouldnotonlyshieldTCP/23andTCP/2323accesstothosedevices,butalsotodisableallremote(WAN)accesstothem.

• ResearchYourPurchase.Beforeyouevenbuyaproduct,researchwhatyouarebuyingandmakesurethatyouknowhowtoupdateanysoftwareassociatedwiththedevice.Lookfordevices,systems,andservicesthatmakeiteasytoupdatethedeviceandinformtheenduserwhenupdatesareavailable.

• UseItorLoseIt.Oncetheproductisinyouroffice,turnoffthefunctionsyou’rearenotusing.Enabledfunctionalityusuallycomeswithincreasedsecurityrisks.Again,makesureyoureviewthatbeforeyouevenbringtheproductintotheworkplace.Ifit’salreadythere,don’tbeshyaboutcallingcustomerserviceandwalkingthroughthestepsneededtoshutdownanyunusedfunctions.


Source:https://www.pwnieexpress.com/blog/mirai-botnet-part-2

How Can an Organization Protect Against Mirai and Other Botnet Attacks?

• Takethisseriously• ReadupontheDHSPrinciplesonSecuringIoT• LearnaboutIPv6– it’saBIGDeal

(http://ipv6.he.net)• Activelydesign,engineer,andimplement

security,fromthebeginning,notafterthefact• SetorChangethedefaultpasswordsonIoT• HaveanalternateDNSprovider• AddDDoSattackscenariosintoyourIncident

ManagementandResponsePlans• UseDDoSscenariosinyourExercises• SimulateDDoSattacksonyourdigital

infrastructuretostress-test,evaluate,andcontinuallyimproveyourdigitalinfrastructure


More Recommendations to Protect Against Mirai and Other Botnet Attacks

• TheIoTthreatisaseriousonebutonethatcanbesimplyresolved.Whileit’salmostimpossibletoeducateeveryoneonhowtochangetheirusernameandpasswordsonthesedevices,itispossibleformanufacturerstoincorporatesecurityfeaturesintothedesignandproductionofthesedevices,inparticularsecuritytelnetcommunicationanditsassociatedports.Defaultpasswordsmustberandomandusersshouldbeadvisedwithsimpleinstructionsonhowtochangethem.

• Wealsorecommendhomeuserstakethesefourstepstobetterprepare:– Staycurrent– Updatefirmwareandsoftwareregularly– Authentication– Useuniquecredentialsforeachdevice– Configuration– Closeunnecessaryportsanddisableunnecessary

services– Segment– CreateseparatenetworkzonesforyourIoTsystems

Source:https://blog.radware.com/security/2017/03/expansion-iot-since-mirai/


Read: DHS Strategic Principles for Securing Internet of Things

Source:https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

Publishedabout25daysAFTERtheMiraiBotnetattack…


Read: DHS Strategic Principles for Securing Internet of Things

Source:DHSIoTFactsheethttps://www.dhs.gov/sites/default/files/publications/IOT%20fact%20sheet_11162016.pdf

Publishedabout25daysAFTERtheMiraiBotnetattack…


The Mirai Botnet Five Takeaways

1.Notjustoneattack2.Theattackwassophisticated3.IoTistoblame4.Thisisn'ttheend5.TheIoTindustryneedsstricterstandards

Source:http://www.techrepublic.com/article/dyn-ddos-attack-5-takeaways-on-what-we-know-and-why-it-matters/



Source:Kasperskyhttps://www.pwnieexpress.com/blog/mirai-botnet-part-2

HAJIME! Some Recent “Good News”

Anew,morepowerfulIoTdecentralizedworm,Hajime,isspreadingfasterandmoreeffectivelythanMirai.Ø HajimeisaJapanesewordfor“Begin!”or“Beginning”Ø Firstidentifiedandanalyzed,andwrittenupinOctober2016bySamEdwardsandIoannisProfetisofRapidity

NetworksSecurityResearchGroupØ LaterannouncedApril18,2017bySymantecØ WritteninCØ Platforms:ARMv5,ARMv7,Intelx86-64,MIPS(littleendian)Ø BruteforceauthenticationØ SpreadsindependentlyviaPeer-to-Peer,withoutusingC2Ø InfectsmostlyDVRsandCCTVdevicesØ Onceincontrolofatargetitseveralblocksportsusedbyitsrival,MiraiØ Onlyscansabout86%oftheIPv4addressspaceØ MostlyinAsia,Russia,BrazilandArgentinaØ Writesbenignmessage“StaySharp”Ø Thoughttobefroma“WhiteHat”,VigilanteHacker,whoprefersEnglishØ ThoughttobecompetingagainstMiraiØ CautionaryNote:LikeMirai,stillbreakingtheLawandifHajimeoritsvariantsturn“evil”itcouldbeworsethan

Mirai.Sources:http://news.softpedia.com/news/hajime-iot-worm-considerably-more-sophisticated-than-mirai-509423.shtmlhttp://linkis.com/www.cio.co.nz/articl/2dpeghttps://nakedsecurity.sophos.com/2017/04/20/the-iot-malware-that-plays-cat-and-mouse-with-miraihttps://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf ß TechnicalAnalysisReportbyEdwards&Profetis


ActualHajimeIoTWormMessage

Top 10 Countries with Hajime Infections

Sources:http://news.softpedia.com/news/hajime-iot-worm-considerably-more-sophisticated-than-mirai-509423.shtmlhttp://linkis.com/www.cio.co.nz/articl/2dpeghttps://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf ß TechnicalReportbyEdwards&Profetis


Conclusion

• TheMiraiBotnetmadehistorybecauseofitssize,power,bandwidthconsumption,andimpacttheInternet-basedbusinessesandpeopleconnectedtotheInternet.

• BecauseMiraiandHajimesourcecodehavebeensharedasOpenSourceontheweb,theyarebeingstudiedandtheyareevolving.

• TherapidevolutionandspreadofIoTDevicesprovidesMiraiandHajimeanditsvariantsanever-expandingtarget-richenvironment

• ThemorepeopleandorganizationspayattentiontotheMiraiBotnetcodeandhowtosurviveDDoSattacks,thebetteroffwewillbeasanInternet-connectedSociety.

• Rememberthatpresently,HajimeisP2PandpowerpowerfulthanMirai• RememberthatCIA(Confidentiality,Integrity,andAvailability) arethe

simplestprinciplesofSecurity,andthatMiraiandDDoSattackscanandwillreducetheAvailability ofyourdigitalinfrastructure.


Questions


References• Amazon.(2006).AWSBestPracticesforDDoSResiliency.RetrievedonApril3,2017from

https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf .• Arghire,I.(2016).MiraiSwitchestoTorDomainstoImproveResilience.PublishedDecember19,2016atSecurityWeek.Retrievedon

March29,2017fromhttp://www.securityweek.com/mirai-switches-tor-domains-improve-resilience .• Arghire,I.(2016).MiraiUsedSTOMPFloodsinRecentDDoSAttacks.PublishedNovember17,2016atSecurityWeek.Retrievedon

March29,2017fromhttp://www.securityweek.com/mirai-used-stomp-floods-recent-ddos-attacks .• Arghire,I.(2016).ThisWeb-basedToolChecksifYourNetworkIsExposedtoMirai.PublishedNovember24,2016atSecurityWeek.

RetrievedonMarch29,2017fromhttp://www.securityweek.com/web-based-tool-checks-if-your-network-exposed-mirai .• Arghire,I.(2017).MiraiforWindowsBuiltbyExperiencedBotHerder:Kaspersky.PublishedFebruary21,2017atSecurityWeek.

RetrievedonMarch29,2017fromhttp://www.securityweek.com/mirai-windows-built-experienced-bot-herder-kaspersky .• Arghire,I.(2017).NewVariantofInfamousIoTBotnetLaunchesAttackAgainstNetworkofU.S.College.PublishedMarch29,2017at

SecurityWeek.RetrievedonMarch29,2017fromhttp://www.securityweek.com/new-mirai-variant-unleashes-54-hour-ddos-attack .• Arghire,I.(2017).WindowsTrojanSpreadsMiraitoLinuxDevices.PublishedFebruary10,2017atSecurityWeek.RetrievedonMarch

29,2017fromhttp://www.securityweek.com/windows-trojan-spreads-mirai-linux-devices .• Cheng,G.(2015).AnalysisonDDOStoolStacheldraht v1.666.aGIACpaperpublishedbytheSANSInstitute.RetrievedonApril8,

2017fromhttp://www.giac.org/paper/gcih/229/analysis-ddos-tool-stacheldraht-v1666/102150 .• Cimpanu,C.(2017).HajimeIoTWormConsiderablyMoreSophisticatedthanMirai.PublishedatSoftpedia.comonApril18,2017.

RetrievedonApril20,2017fromhttp://news.softpedia.com/news/hajime-iot-worm-considerably-more-sophisticated-than-mirai-509423.shtml .

• DHS.(2016)StrategicPrinciplesforSecuringtheInternetofThings.PublishedbyDHSonNovember15,2016.RetrievedonMarch29,2017fromhttps://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL....pdf

• DHS.(2016)StrategicPrinciplesforSecuringtheInternetofThings.PublishedbyDHSonNovember15,2016.RetrievedonMarch29,2017fromhttps://www.dhs.gov/sites/default/files/publications/IOT%20fact%20sheet_11162016.pdf .


References• Dishon,R.(2017).Badbots,badbots,whatcha gonnado.PublishedatESETonMarch17,2017.RetrievedonMarch30,2017from

https://www.eset.com/us/about/newsroom/corporate-blog/bad-bots-bad-bots-whatcha-gonna-do/.• Edwards,S.,andProfetis,I.(2016).Hajime:AnAnalysisofaDecentralizedWormforIoTDevices.PublishedOctober16,2016byRapidity

NetworksSecurityResearchGroup.RetrievedonApril20,2017fromhttps://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf .

• Finley,K.(2016).OracleJustBoughtDyn,theCompanyThatBroughtDowntheInternet.PublishedatWired.comonNovember21,2016.RetrievedonApril14,2017fromhttps://www.wired.com/2016/11/oracle-just-bought-dyn-company-brought-internet/.

• Gallagher,S.(2016).Howonerent-a-botnetarmyofcameras,DVRscausedInternetchaos.PublishedatArsTechnica.comonOctober25,2016.RetrievedonApril12,2017fromhttps://arstechnica.com/information-technology/2016/10/inside-the-machine-uprising-how-cameras-dvrs-took-down-parts-of-the-internet/.

• Forrest,C.(2016).Dyn DDoSattack:5takeawaysonwhatweknowandwhyitmatters.AnarticlepublishedatTechRepublic onOctober24,2016.RetrievedonOctober25,2017fromhttp://www.techrepublic.com/article/dyn-ddos-attack-5-takeaways-on-what-we-know-and-why-it-matters/ .

• Henriques.N.(2017).HackerWhoKnockedMillionRoutersOfflineUsingMIRAIArrestedatLondonAirport.RetrievedonFebruary24,2017fromhttps://www.linkedin.com/pulse/hacker-who-knocked-million-routers-offline-using-mirai-nuno-henriques

• Herzberg,B.,Bekerman,D.,andZeifman,I.(2016).BreakingDownMirai:AnIoTDDoSBotnetAnalysis.PublishedatIncapsula onOctober26,2016.RetrievedonApril8,2017fromhttps://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html.

• Kan,M.(2017).AvigilantehackermayhavebuiltacomputerwormtoprotecttheIoT.PublishedatCIO.comonApril20,2017.RetrievedonApril20,2017fromhttp://linkis.com/www.cio.co.nz/articl/2dpeg .

• Kovacs,E.(2016).GermanISPConfirmsMalwareAttacksCausedDisruptions:UsersAroundtheWorldVulnerabletoAttacksonPort 7547.PublishedNovember29,2016atSecurityWeek.RetrievedonMarch29,2017fromhttp://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions .

• Kovacs,E.(2016).HackerReleasesSourceCodeofIoTMalwareMirai.PublishedOctober3,2016atSecurityWeek.RetrievedonMarch29,2017fromhttp://www.securityweek.com/hacker-releases-source-code-iot-malware-mirai .


References• Kovacs,E.(2016).Over500,000IoTDevicesVulnerabletoMiraiBotnet.PublishedOctober7,2016atSecurityWeek.RetrievedonMarch

29,2017fromhttp://www.securityweek.com/over-500000-iot-devices-vulnerable-mirai-botnet .• Lipman,P.(2017).TheCybersecurityIndustryIsFailing:TimetoGetSmartAbout'Dumb'Homes.PublishedatNewsweek.com,onMarch

23,2017.RetrievedonApril12,2017fromhttp://www.newsweek.com/cybersecurity-industry-failed-threat-572949.• McLaughlin,J.(2017).TheInternetofBadThings.PublishedintheSping 2017issueofJohnsHopkinsMagaine ontheWeb.Retrievedon

March28,2017fromhttps://hub.jhu.edu/magazine/2017/spring/internet-personal-cyberattacks .• Phys.org.(2016).Disgruntledgamer'likely'behindOctoberUShacking:expert.PublishedatPhys.orgonNovember16,2016.Retrieved

onMarch29,2017fromhttps://phys.org/news/2016-11-disgruntled-gamer-october-hacking-expert.html .• Newman,L.H.(2016).TheBotnetThatBroketheInternetIsn’tGoingAway.PublishedatWired.comonDecember9,2016.Retrievedon

April12,2017fromhttps://www.wired.com/2016/12/botnet-broke-internet-isnt-going-away/.• Read,M.(2013).ThisIllegallyMade,IncrediblyMesmerizingAnimatedGIFIsWhattheInternetLooksLike.PublishedonGAWKER,

RetrievedonApril5,2017fromhttp://gawker.com/5991667/this-illegally-made-incredibly-mesmerizing-animated-gif-is-what-the-internet-looks-like.

• Savage,K.(2016)APost-MortemontheMiraiBotnet:Part2:AnalyzingtheAttack.PublishedatPwnieExpress.comonDecember29,2016.RetrievedonApril20,2017https://www.pwnieexpress.com/blog/mirai-botnet-part-2 .

• Smith,D.(2017).TheExpansionofIoTsinceMirai.PublishedatRadware.RetrievedonApril8,2017fromhttps://blog.radware.com/security/2017/03/expansion-iot-since-mirai/ .

• Sophos.(2017).TheIoTmalwarethatplayscatandmousewithMirai.PublishedatNakedSecurity.Sophos.comonApril20,2017.RetrievedApril20,2017fromhttps://nakedsecurity.sophos.com/2017/04/20/the-iot-malware-that-plays-cat-and-mouse-with-mirai .

• Townsend,K.(2016).100,000UKRoutersLikelyAffectedbyMiraiVariant.PublishedDecember6,2016atSecurityWeek.RetrievedonMarch29,2017fromhttp://www.securityweek.com/100000-uk-routers-likely-affected-mirai-variant .

• Verizon.(2016).Verisign2016DDoSTrendsReport.RetrievedSeptember16,2016,fromhttps://www.verisign.com/assets/report-ddos-trends-Q22016.pdf .

• Wikipedia.(2017).Wikipedia– CarnaBotnet.RetrievedApril3,2017fromhttps://en.wikipedia.org/wiki/Carna_botnet.• Woolf,N.(2016).DDoSattackthatdisruptedinternetwaslargestofitskindinhistory,expertssay.PublishedOctober26, 2016at

TheGuardian.com.RetrievedMarch29,2017fromhttps://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet.


Presenter Bio:William Favre Slater, III

• ProjectManager/Sr.ITConsultantatSlaterTechnologies,Inc.,andAdjunctProfessorattheIllinoisInstituteofTechnology-Workingonprojectsrelatedto:– Securityreviewsandauditing– ISO27001ProjectImplementations– DevelopingApplicationsforRiskandCompliance– SubjectMatterExpertinCybersecurityandITServiceManagementfor

GovernmentProposalsandContractsrelatedtotechnicalservicesmanagementandmeasurement

– SMEforpreparingRiskManagementandSecurityExamsatWesternGovernor’sStateUniversityinUT

– CreatedaneBookwitharticlesaboutSecurity,RiskManagement,Cyberwarfare,ProjectManagementandDataCenterOperations

– ProvidingsubjectmatterexpertservicestoDataCenterproductvendorsandotherlocalbusinesses.

– DevelopingandpresentingtechnicaltrainingmaterialsforundergraduateandgraduatestudentsattheIllinoisInstituteofTechnologyintheareasofDataCenterOperations,DataCenterArchitecture,CyberSecurityManagement,andInformationTechnologyhardwareandsoftware.

– Mr.SlaterisaninternationallypublishedauthoronCybersecuritytopicsrelatedtoCyberwarfare,SocialEngineering,andvariousothertopics.

– ProvidingSummerInternshipstoIITStudentsviahiscompany,SlaterTechnologies,Inc.


Presenter Bio:William F. Slater, III

• 2017marksthefifthconsecutiveyearMr.SlaterhaspresentedatForensecureatIIT

• Mr.SlaterhasearnedanM.S.inCybersecurity(2013,BellevueUniversity,Bellevue,NE),aswellasanM.S.inComputerInformationSystems(2004,UniversityofPhoenix,Phoenix,AZ),andanMBA(2010,UniversityofPhoenix,Phoenix,AZ).Hehasalsoearned80professionalcertifications,includingaPMP,CISSP,CISA,SSCP,ISO27002,andaCDCP.

• Mr.Slaterhastaughtforover9yearsasanAdjunctProfessorattheIllinoisInstituteofTechnologyanddevelopedanddeliveredcoursesonthesetopics:DataCenterOperations,DataCenterArchitecture,InformationTechnologyhardwareandsoftware,DataWarehousing,JavaandObject-OrientedSoftwareDevelopment,CybersecurityManagement,andITinPublicAdministration.Seehttp://billslater.com/teaching

• Mr.SlaterisonapersonalMissiontohelpmaketheworldabetter,saferandmoreproductiveplace,especiallywhenitmeanshelpinghisstudentsandcolleaguesbecomesmarteraboutcybersecurity,InternetofThings,DataCenters,theInternet,andotherexcitingareasofInformationTechnology.

• HelivesinChicago’sWickerParkneighborhoodwithhislovelywife,JoannaRoguska,whoisawebdeveloper,musicianandbellydancer.

• Inhissparetime,Mr.SlaterteachesJudoandSelfDefenseatIIT,andhealsooffersinternshipstoIITstudentswhowanttodevelopreal-worldtechnologyskills.

• [email protected] orat312– 758– 0307.


WilliamFavreSlater,II

William Favre Slater, III

Ø 312-758-0307

Ø [email protected]

Ø [email protected]

Ø http://billslater.com/interview

Ø 1515W.HaddonAve.,Unit309Chicago,IL60642UnitedStatesofAmericaApril20,2017 MiraiBotnet- WilliamFavreSlater,III 52

Thank You!


Documents

Mirai Botnet: How IoT Botnets Performed Massive DDoS ......• Mirai is the Japanese word for “The Future” • The Mirai Botnet Attack of October 2016 used known security weaknesses