During the past six months we have been closely monitoring the development of the Mirai botnet and its connections with the Israeli stress testing service vdos-s.com.
This article summarizes ten of our findings:
1. Protraf wrote the Mirai code, but others also walked the walk
As already reported in January, Mirai was originally written by two members of Protraf, a hosting company not only specialized in protecting Minecraft servers but also engaged in all sorts of underground battles with competitors including launching denial of service attacks and routing hijacks.
During months we wondered what was the connection of Josiah White (Bashlite, Qbot) and Paras Jha (Anna-Senpai. Dreadiscool) and the largest botnet using Mirai. This very active botnet that later on became publicly known as “Botnet #14” was operated by someone that seemed to have close connections with the code owners but with the freedom of choosing its own targets.
Botnet #14 used the domain mufoscam.org as one of the earliest placeholders for the command and control.
While monitoring the different Mirai deployments, it became also obvious that this special actor had very special targets and interests. The victims were not just gamers playing call of duty, online dating websites or minecraft servers but mobile infrastructure inside Liberia.
By then we knew that following Mufoscam.org, was following Botnet #14. Monitoring route updates inside Liberia was monitoring Mirai in action.
2. VDOS – “the VIP DDOS market”
Thanks to the documents early released by drowzeepok and the analysis of hundreds of attacks launched by several stress testing services during the past couple of years, we understood that vdos-s.com backend (spoofing) servers were the common infrastructure used by many other “booters”, some of them also based in Israel and hosted in companies like Proginter.com and hidden behind Cloudflare.
3. The VDOS and Bestbuy VIP client connection
When Mirai started to attack a GSM operator in “Liberia”, we double checked again the VDOS leaked database, in the database we found records of a few interesting conversations between “bestbuy” and the VDOS support system back in late 2015. The support messages between bestbuy and the VDOS shows how Bestbuy wanted more powerful attacks from VDOS service against Liberia and he was willing to pay for them.
22-10-2015 13:32 bestbuy> Okay fair enough, I hope 50gbps is the actually speed for vip…
I’ll probably purchase soon. Thanks!’
22-10-2015 13:38 vdos> Hello bestbuy,
No problem, feel free to contact us again if you need any further assistance.
Best regards, P1st.
24-10-2015 13:19 vdos> Hello bestbuy,
Each stress test is between 20-100+Gbps using DNS (depending on running stress tests), this information is included in our Terms of Service.
May I ask why you require more power, 20-100Gbps should be enough to render most non-DDoS protected hosts offline.
24-10-2015 14:53 vdos> Hello bestbuy,
I cannot really assist you with this problem, sorry. If you provide me with an IP address and port, I will try to find a working method.
02-11-2015 07:55 bestbuy> 18.104.22.168
I’ll give it another shot soon, thanks for checking!
Yes, Just if you wonder: 22.214.171.124 is a Lonestar Cell address in Liberia.
4. Bestbuy, Cyprus and the other VDOS accounts targeting Liberia
A close review of the VDOS leaked database reveals that several accounts created in the VDOS’s stress testing service were operated from a Cyprus IP address. Attacks started at least in late 2015 and have been ongoing until early 2017. In an article published in this site in late December 2016, we already linked Cyprus IP addresses to attacks against the GSM operator: Lonestar Cell.
5. Anna-Senpai felt the heat. Source code is released
When Paras Jha (Anna-Senpai), felt the heat, he dumped the source code of Mirai in Hack Forums. This was not the first time that code of this nature has been dumped in the public domain. Qbot, a predecessor of Mirai also ended up in the Hacker Forum.
For reasons we still ignore, the code released by Paras Jha included the string “VDOS” in one of the botnet components that suggests that a Mirai deployment was rented to VDOS.
6. From Dyn, Spamhaus, Lonestar Cell to Deutsche Telecom
As many others monitoring Mirai, by following the whereabouts of the mufoscam.org, we could track a few large attacks that often used the GRE and DNS attack vectors. But in late November 2016, something unexpected happened. A new attack vector “made Mirai great again!”
The new attack vector was connected to the domain tr069.pw as the TR069 attack vector was used to enlarge the number of machines compromised by Mirai.
In preparation, Bestbuy provisioned two full networks to operate Mirai from Peterburg International Network aka PIN. The networks (126.96.36.199/24 and 188.8.131.52/24) were registered using the fake identity Bharath Kuchangi, BB9693-RIPE.
bestbuy registered the networks using an email from the domain novotele.online.
7. Bharath Kuchangi, a flexible identity
The details of Bharath Kuchangi were used to register Internet resources in RIPE where Peterburg International Network acted as a LIR proxy. Bharath Kuchangi identity was also used to obtain code-signing certificates. The data leak from Hacking Team shows that one of the certificates was in the name of Kuchangi. Bharath Kuchangi used the e-mail address email@example.com in those certificates.
8. A very mobile command control
The Mufoscam.org botnet (Botnet #14) has been moving to a myriad of ASNs. Following this botnet has been a fantastic way to find the best places in the Interwebs.
Where has been Botnet #14? In alphabetical order.
BG AS200002 Kandi EOOD BG AS201640 MEGA - SPRED LTD BG AS20876 GEO KOMERS 97 EOOD BG AS44901 BelCloud Hosting Corporation DE AS20773 Host Europe GmbH DE AS47447 23Media GmbH LT AS61272 Informacines sistemos ir technologijos LV AS24651 JSC BALTICOM NL AS16265 LeaseWeb B.V. NL AS16265 LeaseWeb B.V. NL AS201630 Qhoster NL AS29073 Ecatel Network NL AS43350 NFOrce Entertainment BV NL AS49981 WorldStream NL AS62454 ZYZtm Research Division 10 B.V. RO AS3223 Voxility S.R.L. RO AS49349 BlazingFast RO AS57786 HOSTING TRIPLU W CONCEPT SRL RO AS60115 SC Klass Systems Grup SRL RO AS8708 RCS & RDS SA RU AS44050 Petersburg Internet Network ltd RU AS8219 ICExpert Company Limited US AS30186 Toqen LLC
9. Bestbuy, zero day exploits and denial of service attacks
One of the most fascinating aspects of Bestbuy is his good understanding of the “Market Place”. What better way to be close to the market that operating the market?
10. Who is bestbuy? Why a mobile operator in Liberia?
This morning, the Federal Criminal Police Office of Germany announced the detention of a suspect in Luton Airport in connection to Mirai and the attacks against Deutche Telecom. It seems that we might finally find out who bestbuy really is and why he targeted a place in Liberia.
Stay tuned for more updates and to find out who Bill Bones is and what Peter Parker does in the Internet.
As always, thanks for reaching out! Want to contribute? Reach out.