Mirai Botnet Source and Simple Analysis


#1

Unless you have been living under a rock I’m sure you have heard of the Mirai botnet that was responsible for taking over thousands of IoT devices.

I spent a few hours checking out the code and to be honest it’s absolutely unreal how well this worked, considering its attack consists only of a brute force using this list:

root     xc3511
root     vizxv
root     admin
admin    admin
root     888888
root     xmhdipc
root     default
root     juantech
root     123456
root     54321
support  support
root     (none)
admin    password
root     root
root     12345
user     user
admin    (none)
root     pass
admin    admin1234
root     1111
admin    smcadmin
admin    1111
root     666666
root     password
root     1234
root     klv123
Administrator admin
service  service
supervisor supervisor
guest    guest
guest    12345
guest    12345
admin1   password
administrator 1234
666666   666666
888888   888888
ubnt     ubnt
root     klv1234
root     Zte521
root     hi3518
root     jvbzd
root     anko
root     zlxx.
root     7ujMko0vizxv
root     7ujMko0admin
root     system
root     ikwb
root     dreambox
root     user
root     realtek
root     00000000
admin    1111111
admin    1234
admin    12345
admin    54321
admin    123456
admin    7ujMko0admin
admin    1234
admin    pass
admin    meinsm
tech     tech
mother   f**er [censored]

Additionally, I found it interesting that it had what is essentially an off-limits list.

0.0.0.0/8                 - Invalid address space
3.0.0.0/8                 - General Electric (GE)
15.0.0.0/7                - Hewlett-Packard (HP)
56.0.0.0/8                - US Postal Service
10.0.0.0/8                - Internal network
192.168.0.0/16            - Internal network
172.16.0.0/14             - Internal network
100.64.0.0/10             - IANA NAT reserved
169.254.0.0/16            - IANA NAT reserved
198.18.0.0/15             - IANA Special use
224.*.*.*+                - Multicast
6.0.0.0/7                 - Department of Defense 
11.0.0.0/8                - Department of Defense
21.0.0.0/8                - Department of Defense
22.0.0.0/8                - Department of Defense
26.0.0.0/8                - Department of Defense
28.0.0.0/7                - Department of Defense
30.0.0.0/8                - Department of Defense
33.0.0.0/8                - Department of Defense
55.0.0.0/8                - Department of Defense
214.0.0.0/7               - Department of Defense

At any rate, I thought it was fun to read through and see just how simple a piece of malware needs to be to create massive damage.

Oh, and here’s the source on Github:
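
A defender can put both of the lists above to work: the credential list tells you which of your own devices would fall to the scanner's brute force, and the exclusion list tells you which address ranges a Mirai-style scanner will never touch (so a honeypot or sensor placed there sees nothing). The following is an added example written for this post, not code from the Mirai source, and it makes two labelled assumptions about the exclusion list as posted: `15.0.0.0/7` is not a valid CIDR prefix (15 is odd, so a /7 cannot start there) and is represented as `15.0.0.0/8` plus `16.0.0.0/8`; and `224.*.*.*+` is read as "first octet 224 or higher", i.e. `224.0.0.0/3`. The credential text is an excerpt of the list above and the device inventory is constructed.

```python
import ipaddress

# Excerpt of the Mirai credential list as posted above ("(none)" = empty password).
MIRAI_CREDENTIALS_TEXT = """\
root     xc3511
root     vizxv
root     admin
admin    admin
root     888888
support  support
root     (none)
admin    password
root     root
ubnt     ubnt
root     7ujMko0vizxv
admin    (none)
"""

# The exclusion list as posted above, with two entries translated (assumption):
#   15.0.0.0/7  -> 15.0.0.0/8 and 16.0.0.0/8 (a /7 cannot start at an odd first octet)
#   224.*.*.*+  -> 224.0.0.0/3 (every address whose first octet is 224 or higher)
MIRAI_SKIP_LIST = [
    ("0.0.0.0/8", "Invalid address space"),
    ("3.0.0.0/8", "General Electric (GE)"),
    ("15.0.0.0/8", "Hewlett-Packard (HP)"),
    ("16.0.0.0/8", "Hewlett-Packard (HP)"),
    ("56.0.0.0/8", "US Postal Service"),
    ("10.0.0.0/8", "Internal network"),
    ("192.168.0.0/16", "Internal network"),
    ("172.16.0.0/14", "Internal network"),
    ("100.64.0.0/10", "IANA NAT reserved"),
    ("169.254.0.0/16", "IANA NAT reserved"),
    ("198.18.0.0/15", "IANA Special use"),
    ("224.0.0.0/3", "Multicast"),
    ("6.0.0.0/7", "Department of Defense"),
    ("11.0.0.0/8", "Department of Defense"),
    ("21.0.0.0/8", "Department of Defense"),
    ("22.0.0.0/8", "Department of Defense"),
    ("26.0.0.0/8", "Department of Defense"),
    ("28.0.0.0/7", "Department of Defense"),
    ("30.0.0.0/8", "Department of Defense"),
    ("33.0.0.0/8", "Department of Defense"),
    ("55.0.0.0/8", "Department of Defense"),
    ("214.0.0.0/7", "Department of Defense"),
]
SKIP_NETWORKS = [(ipaddress.ip_network(cidr), why) for cidr, why in MIRAI_SKIP_LIST]


def parse_credential_list(text):
    """Turn the posted 'user password' lines into a set of (user, password) pairs."""
    pairs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line
        user, password = parts
        pairs.add((user, "" if password == "(none)" else password))
    return pairs


MIRAI_CREDENTIALS = parse_credential_list(MIRAI_CREDENTIALS_TEXT)


def uses_mirai_credential(user, password):
    """True if this login would be found by the scanner's wordlist."""
    return (user, password) in MIRAI_CREDENTIALS


def audit_inventory(inventory):
    """inventory: {device_id: (user, password)} -> sorted ids still on a wordlist pair."""
    return sorted(dev for dev, (u, p) in inventory.items() if uses_mirai_credential(u, p))


def skip_list_reason(ip):
    """Why the scanner would never pick this address, or None if it is fair game."""
    addr = ipaddress.ip_address(ip)
    for net, why in SKIP_NETWORKS:
        if addr in net:
            return why
    return None


def sensor_coverage(sensor_ips):
    """Split sensor/honeypot addresses into those the scanner can reach and those it skips."""
    reachable, skipped = [], {}
    for ip in sensor_ips:
        why = skip_list_reason(ip)
        if why is None:
            reachable.append(ip)
        else:
            skipped[ip] = why
    return reachable, skipped


if __name__ == "__main__":
    inventory = {  # constructed sample device inventory
        "cam-01": ("root", "xc3511"),
        "cam-02": ("root", "S3cure!Pass2016"),
        "dvr-07": ("admin", ""),
        "ap-03": ("ubnt", "ubnt"),
    }
    print("devices on the Mirai wordlist:", audit_inventory(inventory))
    for ip in ["8.8.8.8", "3.1.2.3", "16.0.0.1", "239.255.255.250"]:
        print(ip, "->", skip_list_reason(ip) or "would be scanned")
```

Note that the checker follows the list exactly as posted, so `172.16.0.0/14` covers only 172.16 through 172.19; if the scanner you are modelling treats the whole RFC 1918 block as off-limits, widen that entry.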


#2

It is funny, but you have to have that exception list, otherwise you will be detected much quicker. There are just some bears you do not want to walk around poking all the time. 🙂

What is more curious to me is how they exclude GE, HP, and USPS. Why not others like Apple and Microsoft? There are also other entities that hold Class A networks.


#3

That’s a good question, and I have no idea. I’m gonna try to look into it a little bit.