The Friday 30th September, Anna-senpai posted the source code of the Mirai botnet. After reviewing the code and comparing with our own findings, we can confirm that the code release is authentic.
- – The botnet communicates with two “services”, one of the services is the command and control and the other is a “reporter”, the reporter service is responsible for the collection of IPs, user and passwords of devices that have been successfully brute forced. [ip:port user:pass]
- – The command and control moves with the changes of the domain network.santasbigcandycane.cx
- – The domain name was registered the 14th of September 2016 one week after the detention of VDOS’s owners
- – That the report.santasbigcandycane.cx domain was hosted
US, United States| AS25653 FortressITX|22.214.171.124 | US, United States| AS25761 Staminus Communications|126.96.36.199| BR, Brazil| AS16735 TELECOM S/A|188.8.131.52|
- – The command and control has been mostly in AS49335 (Hostkey), at Serverius Holding B.V.
- – That the port 48101 that is binded in Mirai did not serve to communicate with the command and control but as a mechanism for the botnet to identify if other instance of the code was running in the same machine.
- – The reporter component of the botnet is responsible of collecting brute forced passwords and also run in port 48101.
- – The botnet brute forces passwords from telnet service from random IPs running at ports 23 and 2323. Once the password has been obtained, the botnet sends this information to the reporter that in turn communicates with a load balanced set of servers loading the malware (the loader).
- – The loader is hosted at Nforce Entertainment. Loader servers are: 184.108.40.206, 211 212 213 and 214.
inetnum: 220.127.116.11 - 18.104.22.168 netname: NFORCE_ENTERTAINMENT descr: Customer 1995 country: NL
- – That the released code uses the busybox applet call VDOSS while our honeypots have recorded MIRAI and ECCHI. One open question that we had is why “Mirai” was issuing the command /bin/busybox MIRAI. It turns out that the only reason this command is sent is use the prompt errors “applet not found” to track execution progress. The code released in Hack Forums includes the command /bin/busybox VDOSS. Is the author suggesting that the code was part of the VDOSS booter?
- – That the domain name used for command and control uses Cloudflare infrastructure as domain name servers.
santasbigcandycane.cx. IN NS pat.ns.cloudflare.com. santasbigcandycane.cx. IN NS jeremy.ns.cloudflare.com.