In a new blog post Imperva researchers analyse the Mirai botnet which was responsible for a huge DDoS attack against security researcher Brian Krebs in September. The blog studies the locations of the IP addresses that make up the botnet, examines the botnet’s source code in order to understand more about how it operates, studies what IP addresses Mirai is programmed to avoid and reveals new data which shows that Russian hackers may be behind the huge botnet.
The full blog post can be found here, however key takeouts include:
- Overall, IP addresses of Mirai-infected devices were spotted in 164 countries. As evidenced by the map below, the botnet IPs are highly dispersed, appearing even in such remote locations as Montenegro, Tajikistan and Somalia.
- Mirai’ has a “Don’t Mess With” List. One of the most interesting things revealed by the code was a hardcoded list of IPs Mirai bots are programmed to avoid when performing their IP scans. This list, which you can find below, includes the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA) and IP ranges belonging to Hewlett-Packard and General Electric.
- It is worth noting that Mirai code holds traces of Russian-language strings despite its English C&C interface. This opens the door for speculation about the code’s origin, serving as a clue that Mirai was developed by Russian hackers or—at least—a group of hackers, some of whom were of Russian origin. Other bits of code, which contain Rick Rolls’ jokes next to Russian strings saying “я люблю куриные наггетсы” which translates to “I love chicken nuggets” provide yet more evidence of the Russian heritage of the code authors, as well as their age demographic.
- Another interesting thing about Mirai is its “territorial” nature. The malware holds several killer scripts meant to eradicate other worms and Trojans, as well as prohibiting remote connection attempts of the hijacked device.