Two years have passed since Mirai unleashed its wrath to the world by targeting high profile victims. Many things have happened since then, the good, the author responsible has already been convicted, the bad, source code was released to the public, and the not so bad, organizations became aware of the threat and geared up their defences for the possible next attack. Question is now, what’s next after Mirai? Ever since the release of its source code, many have used, experimented, and modified the code for their own liking and purpose. These so called Mirai copycats all want to have a piece of the IoT pie, battling to compromise more vulnerable IoT devices to grow their own army of bots and become Mirai’s possible heir. This research on the aftermath of Mirai will focus on three technical aspects: Mirai variants with their significant modifications, a genealogy of all Mirai variants identified so far, and if whether other botnets have reuse some of Mirai’s code.
To begin with, we will talk on the added techniques implemented to the variants to infect more IoT devices, like an exhaustive factory default credentials set, the use of both known and unknown exploits and targeting more architectures. We will also present the new ways it monetizes IoT bots like by targeting miners or using them as proxy.
The research as of now identified already 100 variants and still counting. We will discuss on how we automatically decrypt and dump the configuration for easy family identification and C2 extraction. Additionally, to have a better overview and understanding of the variants we will compare all of them and see how they relate to each other.
A botnet that we observed reusing Mirai’s code is Hide ‘N Seek. We will take a look at its modules and compare it to Mirai whether the configuration encryption algorithm is still the same.
To finish the presentation, we will share interesting insights, findings and lessons learned in the research and how these can help researchers in their threat Intel tasks.