#HITBGSEC 2018 COMMSEC: Internet Of Things: Battle Of The Bots - Rommel D. Joven

Two years have passed since Mirai unleashed its wrath on the world by targeting high-profile victims. Much has happened since then: the good, the author responsible has already been convicted; the bad, the source code was released to the public; and the not so bad, organizations became aware of the threat and geared up their defences for the possible next attack. The question now is: who will be the next Mirai?

Ever since the release of its source code, many have used, experimented with, and modified the code to their own liking and purposes. These so-called Mirai copycats all want a piece of the IoT pie, battling to compromise more vulnerable IoT devices to grow their own army of bots and become Mirai’s possible heir. This research on the battle to become the next Mirai will focus on Mirai variants with their significant modifications and on a genealogy of all Mirai variants identified so far.

This talk will cover the additional techniques implemented in the variants to infect more IoT devices, such as an exhaustive set of factory-default credentials, the use of both known and unknown exploits, and the targeting of more architectures. We will also present the new ways the variants monetize IoT bots, such as targeting miners or using the bots as proxies.

The research has so far identified 100 variants and counting. We will discuss how we automatically decrypt and dump the configuration for easy family identification and C2 extraction. Additionally, to give a better overview and understanding of the variants, we will compare the interesting ones and see how they relate to each other.
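As an added illustration of the configuration-decryption step (example code written for this page, not the speaker's tooling): the public Mirai source obfuscates every config string in table.c by XORing each byte with the four bytes of the key 0xDEADBEEF in turn, which collapses to a single XOR with 0x22. The variant key 0x5A, the hostname and the scoring alphabet below are assumptions, and the brute-force key recovery goes beyond the original Mirai case to cover variants that changed the key.

```python
# Added example (not from the talk): decode Mirai-style obfuscated config strings
# and recover the key when a variant has changed it.
# In the public Mirai source (table.c), every config string is stored XORed with
# the four bytes of the key 0xDEADBEEF in turn; four XORs collapse into a single
# XOR with 0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22. Variants frequently swap the key,
# so recover_key_byte() brute-forces all 256 single-byte keys and keeps the one
# whose output looks most like a hostname, IP, port or path.

MIRAI_KEY = 0xDEADBEEF
# Characters expected in C2 hostnames, IPs, ports and paths; the scoring alphabet is
# deliberately narrow so a wrong key cannot tie by producing arbitrary printable junk.
CONFIG_CHARS = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789.-/:")


def fold_key(key: int = MIRAI_KEY) -> int:
    """Collapse the 32-bit table key into the single byte it is equivalent to."""
    k1, k2, k3, k4 = key >> 24 & 0xFF, key >> 16 & 0xFF, key >> 8 & 0xFF, key & 0xFF
    return k1 ^ k2 ^ k3 ^ k4


def table_decode(blob: bytes, key: int = MIRAI_KEY) -> bytes:
    """Equivalent of Mirai's table_unlock_val(): XOR each byte with the folded key."""
    kb = fold_key(key)
    return bytes(b ^ kb for b in blob)


def table_encode(plain: bytes, key: int = MIRAI_KEY) -> bytes:
    """XOR is its own inverse, so encoding is the same operation as decoding."""
    return table_decode(plain, key)


def config_score(data: bytes) -> int:
    """Count bytes that belong in a C2 string; a higher score means a more plausible key."""
    return sum(b in CONFIG_CHARS for b in data)


def recover_key_byte(blob: bytes) -> tuple[int, bytes]:
    """Brute-force the single XOR byte a variant used; returns (key, plaintext)."""
    best_key = max(range(256), key=lambda k: config_score(bytes(b ^ k for b in blob)))
    return best_key, bytes(b ^ best_key for b in blob)


# Constructed sample values (not real indicators): a C2 hostname as the original
# Mirai table would store it, and the same string under a hypothetical variant key.
ORIGINAL_C2 = b"cnc.example.invalid"
ORIGINAL_BLOB = table_encode(ORIGINAL_C2)            # bytes XORed with 0x22
VARIANT_BLOB = bytes(b ^ 0x5A for b in ORIGINAL_C2)  # assumed variant key 0x5A

if __name__ == "__main__":
    print(table_decode(ORIGINAL_BLOB))     # b'cnc.example.invalid'
    print(recover_key_byte(VARIANT_BLOB))  # (90, b'cnc.example.invalid')
```

In a real triage pipeline the same routine runs over the string table carved out of the unpacked sample, and the recovered key byte itself is a cheap family-clustering feature.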

To finish the presentation, we will share interesting insights, findings and lessons learned from the research, and how these can help researchers in their threat intel tasks.

===

Rommel Joven is a malware researcher at Fortinet. Prior to joining Fortinet, he started his career in cybersecurity at Trend Micro as a threat response engineer. He has continued to develop a strong interest in, and passion for, reverse engineering. He is now further involved in hunting new malware ranging from IoT botnets to targeted attacks. He is a contributor to Fortinet’s Security Research blog, where he writes about current malware. Outside work, he enjoys basketball, online games, and travelling.