Two years have passed since Mirai unleashed its wrath on the world by targeting high-profile victims. Many things have happened since then: the good, the author responsible has already been convicted; the bad, the source code was released to the public; and the not so bad, organizations became aware of the threat and geared up their defences for the possible next attack. The question now is: who will be the next Mirai?
Ever since the release of its source code, many have used, experimented with, and modified the code to their own liking and purpose. These so-called Mirai copycats all want a piece of the IoT pie, battling to compromise more vulnerable IoT devices to grow their own army of bots and become Mirai's possible heir. This research on the battle to become the next Mirai focuses on Mirai variants with significant modifications, and on a genealogy of all Mirai variants identified so far.
This talk will cover the techniques added to the variants to infect more IoT devices, such as an exhaustive set of factory-default credentials, the use of both known and previously unknown exploits, and support for more architectures. We will also present the new ways they monetize IoT bots, such as targeting miners or using the bots as proxies.
The research has so far identified 100 variants, and counting. We will discuss how we automatically decrypt and dump the configuration for easy family identification and C2 extraction. Additionally, to give a better overview and understanding of the variants, we will compare the interesting variants and see how they relate to each other.
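As an added illustration of the configuration dumping mentioned above (example code, not the speakers' tooling), the following decodes Mirai-style obfuscated table entries. It relies on the scheme in the publicly released Mirai source, where every byte is XORed in turn with the four bytes of `TABLE_KEY = 0xDEADBEEF`; the sample entries, the variant key `0x12345678` and the NUL-separated layout are constructed for the example.

```python
from typing import List, Optional

# Key from the publicly released Mirai source (table.c); variants often change it.
MIRAI_TABLE_KEY = 0xDEADBEEF


def effective_key_byte(table_key: int) -> int:
    """Mirai XORs each byte with k1, k2, k3, k4 (the key's four bytes) in turn,
    so the scheme collapses to a single XOR with k1 ^ k2 ^ k3 ^ k4 (0x22 here).
    An 8-bit value, as returned by recover_key_byte, is passed through unchanged."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k


def toggle_obf(data: bytes, table_key: int = MIRAI_TABLE_KEY) -> bytes:
    """Symmetric: the same call obfuscates and deobfuscates."""
    k = effective_key_byte(table_key)
    return bytes(b ^ k for b in data)


def dump_config(blob: bytes, table_key: int) -> List[str]:
    """Deobfuscate a carved table region and split it into NUL-terminated string
    entries (C2 host, report host, shell path, ...). Integer entries such as the
    2-byte big-endian C2 port need a length-aware parse and are not handled here."""
    plain = toggle_obf(blob, table_key)
    return [e.decode("latin-1") for e in plain.split(b"\x00") if e]


def recover_key_byte(blob: bytes, marker: bytes = b"/bin/busybox") -> Optional[int]:
    """For a variant that only swapped the key, a 256-way search for a known
    plaintext entry recovers the effective XOR byte to feed into dump_config."""
    for k in range(256):
        if marker in bytes(b ^ k for b in blob):
            return k
    return None


# Constructed sample table (placeholder names, not real indicators), laid out
# as an analyst might carve it from a memory dump: obfuscated, NUL-terminated.
SAMPLE_ENTRIES = [b"cnc.example.invalid", b"report.example.invalid",
                  b"/bin/busybox", b"/proc/"]
SAMPLE_BLOB = toggle_obf(b"\x00".join(SAMPLE_ENTRIES) + b"\x00")

# Constructed variant that kept the scheme but changed the key.
VARIANT_KEY = 0x12345678
VARIANT_BLOB = toggle_obf(b"\x00".join(SAMPLE_ENTRIES) + b"\x00", VARIANT_KEY)

if __name__ == "__main__":
    print(dump_config(SAMPLE_BLOB, MIRAI_TABLE_KEY))
    k = recover_key_byte(VARIANT_BLOB)
    print(hex(k), dump_config(VARIANT_BLOB, k))
```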
To finish the presentation, we will share interesting insights, findings and lessons learned in the research, and how these can help researchers in their threat intel tasks.