IoT Malware Analysis - Observations and Statistics - Part 2

On the previous post that I published I utilized a python program to emulate a telnet server, captured commands that were sent to the telnet server, and then utilized those commands to research the binaries that were collected.

In this post I am going to provide information on what happened when 2 of my servers became infected with the malware, statistics on the username and password combinations used, and statistics of which IP Addresses I observed the most attempting to login to my telnet server.

The Mirai botnet gains its popularity in causing Distributed Denial of Service (DDoS) attacks.  This is exactly what happened to both of my honeypot servers that were infected.


As you can see in the above screenshot upon initial infection of the server you see the command "SCANNER ON".  This command causes the infected device to begin scanning for other IP Addresses at random to see if port 23 is open.  If the device can be reached over port 23 then a basic script of logging in, sending 3-4 commands and then the commands cause the device to become infected as described in the previous post.

After a short period of time the infected server stopped scanning, I observed the following commands come from 2 different honeypots that were infected:




The first instance sent traffic to 107.178.255.126 over UDP to port 80.  The second instance sent traffic to 72.193.246.62 over UDP to port 3074.  In the first command you notice the number 65500.  As you can see in the below image it filled the packets with 65,500 random ASCII characters and sent them to the receiving IP.



The second instance you will notice a 0.  This sent packets that were empty to the IP address.

Both instances where the infected servers were utilized I rebooted them as soon as I observed them being utilized in a denial of service attack, however that still provided me with almost 4 GB of pcap data.  To take a quick tangent, I utilized tshark to carve the pcap files.  Below are a few commands that I used:

1. "tshark -r output.pcap -T fields -e ip.src  -e ip.dst -e tcp.dstport | sort | uniq -c | sort -n > freq_analysis.txt" - This command would read the source IP Address, destination IP Addresses and the destination port then sort it, combine all of the duplicates with a count of the occurrences, and then sort the count of occurrences numerically.

2. "editcap -r read.pcap output.pcap 500-1000" - Due to the mass amounts of traffic generated as the host participated in a denial of service, I utilized editcap to pull out of the pcap packets 500-1000.  This was so I could get a sample of the packets being sent to the target involved in the denial of service.

I do publicly apologize to the 2 IP Addresses that were targeted from my honeypot.  I tried to shutdown the execution of the denial of service attack as soon as I observed it occurring.

Below are the usernames and passwords that I observed logging into my honeypot.  The first number is how many times the combination of the username and password appeared in the logs of my honeypot:

9637 root:xc3511
9567 root:vizxv
8532 root:admin
7897 admin:admin
6856 root:888888
5569 root:xmhdipc
5341 root:juantech
4927 support:support
4598 root:default
4393 root:
4321 root:anko
4268 root:123456
4100 root:54321
3668 root:root
3655 admin:password
3523 root:12345
2835 admin:
2822 admin:smcadmin
2730 admin:admin1234
2680 root:pass
2642 user:user
2476 root:hi3518
2367 root:1111
2208 root:password
2055 admin:1111
2022 root:666666
1742 root:1234
1538 guest:12345
1247 root:hunt5759
1230 root:GM8182
1201 root:dreambox
1201 root:7ujMko0vizxv
1118 admin:pass
1107 root:00000000
1102 root:Zte521
1089 root:klv1234
1088 service:service
1073 administrator:1234
1069 admin:54321
1062 root:jvbzd
1005 root:klv123
1001 admin:meinsm
991 supervisor:supervisor
987 ubnt:ubnt
967 root:7ujMko0admin
939 root:ikwb
916 admin:1111111
897 tech:tech
896 admin:4321
895 root:zlxx.
882 admin1:password
875 888888:888888
866 guest:guest
864 Administrator:meinsm
859 root:realtek
843 root:user
839 admin:1234
834 admin:123456
829 666666:666666
817 root:system
811 admin:12345
783 admin:7ujMko0admin
439 root:1001chin
357 user:qweasdzx
331 netgear:netgear
185 root:zlxx
169 admin:cat1029
168 realtek:realtek
150 telnet:telnet
98 root:5up
95 root:telnet
33 root:tl789
31 Admin:1234
23 cisco:cisco
19 root:admin@mymifi

Here are the most frequent IP Addresses and how many times a particular IP Address appeared in the logs:

   2625 110.46.206.69
   1726 211.116.216.80
   1039 113.21.230.158
    889 61.216.169.144
    696 213.109.9.79
    682 108.30.195.231
    666 176.122.98.75
    661 200.71.198.27
    626 118.194.243.82
    604 112.198.53.227
    600 110.46.13.132
    597 176.122.121.16
    596 111.177.26.210
    587 178.132.124.154
    569 116.108.236.118
    558 117.3.214.198
    531 178.255.170.86
    501 41.174.134.39
    499 14.181.187.48
    476 183.80.246.232
    475 46.100.164.100
    475 195.138.85.207
    464 109.98.11.183
    443 191.190.69.216
    432 62.83.67.39
    430 185.42.225.13
    381 213.60.130.226
    369 14.169.208.240
    365 14.167.194.168
    352 116.109.24.186
    347 89.46.4.71
    340 88.250.61.158
    337 91.219.15.100
    317 88.225.222.167
    311 177.193.110.155
    305 86.124.90.244
    300 60.186.21.124
    295 183.25.246.52
    283 82.114.90.217
    283 113.169.87.139
    281 116.102.150.187
    277 183.62.63.5
    277 14.172.254.167
    276 46.36.169.59
    276 181.23.58.164
    274 187.59.124.89
    271 203.69.196.159
    271 177.194.228.102
    268 181.44.219.236
    266 37.229.144.226
    263 27.64.30.158

I have collected a log entry from 2,654 IP Addresses so far in my research.  Understanding that some of these IP Addresses are dynamic and the party utilizing the IP changes frequently, I found that 758 were listening on port 23.  I found this to be interesting that of the IP Addresses 28.56% were listening on port 23.  I would think that this number would be above 60% of the scanned devices.  Also I found interesting that some of the IP Addresses that most frequently hit my botnet were not listening on port 23.

Also I conducted a host lookup on the 2,654 IP Addresses to see if they resolved to a reverse DNS name.  I utilized the command "host <ip address>":
1578 - Resolved to a reserve DNS name
807 - NXDOMAIN
144 - SERVFAIL
73 - Directed to localhost (Blackholed)
52 - DNS connection timed out














Comments

Popular posts from this blog

Netflix Streaming Blocked by Sophos UTM

BSides 2016 Hackers Challenge

Python - Vega Conflict Script to Maximize Fleet Sizes based on Fleet Mass

VBA - Script to Download a file from a URL

IoT Malware Analysis - CnC Server - Part 3