Merit Research is pleased to announce that data capturing malicious internet of things (IoT) activities, attributed to the Mirai botnet, is now available to researchers and cybersecurity analysts. The data were captured at Merit’s large network telescope. A network telescope, also known as a Darknet, is an unused but routed IP address space that is used to collect and analyze unsolicited internet traffic; such traffic is usually associated with nefarious activity such as scanning, worm propagation, spoof-based denial of service attacks, etc. (see [1] for more details). The data is being made available through the DHS IMPACT project [2].
The botnet author uploaded the Mirai source code to a publicly accessible hacker forum in September 2016 (see [4]). This gave several security researchers (including members of our team) the opportunity to examine the code. Careful inspection of the code revealed a unique fingerprint that could be used to identify Mirai’s scanning efforts. In particular, the scanning function of the source code crafts the probing packets in a very specific way: the initial TCP sequence number is set equal to the destination IP address of the victim. This is probably done for efficient, non-blocking scanning, but it also allows for easy scanning identification! We looked at data captured at our longitudinal Darknet monitor, and we were able to identify thousands of infected IoT devices¹. For the record, the first Mirai scan appeared in our Darknet on August 1, 2016.
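The fingerprint check described above can be expressed as a short filter over raw IPv4 packets. This is an added example, not Merit's own tooling: the function names, the sample addresses (documentation ranges) and the sample ports are all constructed for illustration.

```python
import ipaddress
import struct

def build_tcp(src, dst, seq, dport=23, flags=0x02):
    """Constructed test input: minimal IPv4+TCP packet, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def parse_syn(pkt):
    """Return (src, dst, dport, seq) for an unfragmented pure SYN, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(pkt) < ihl + 14:
        return None
    _sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    if flags & 0x12 != 0x02:  # SYN set, ACK clear: drops SYN-ACK backscatter
        return None
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), dport, seq)

def scanning_sources(packets):
    """Map source IP -> set of probed ports for SYNs whose seq equals the dst IP."""
    hits = {}
    for pkt in packets:
        parsed = parse_syn(pkt)
        if parsed is None:
            continue
        src, dst, dport, seq = parsed
        if seq == int(dst):  # both are the same 32 bits in network byte order
            hits.setdefault(str(src), set()).add(dport)
    return hits

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

# Constructed sample traffic (documentation address ranges, not real observations).
SAMPLE = [
    build_tcp("203.0.113.10", "198.51.100.7", _ip("198.51.100.7")),
    build_tcp("203.0.113.10", "198.51.100.8", _ip("198.51.100.8"), dport=2323),
    build_tcp("203.0.113.20", "198.51.100.7", 0x12345678),  # ordinary scanner
    build_tcp("203.0.113.30", "198.51.100.9", _ip("198.51.100.9"), flags=0x12),  # SYN-ACK
    build_tcp("203.0.113.40", "198.51.100.9", _ip("198.51.100.9"))[:30],  # truncated
]

if __name__ == "__main__":
    for src, ports in sorted(scanning_sources(SAMPLE).items()):
        print(src, sorted(ports))
```

A randomly chosen initial sequence number equals the destination address with probability 2^-32 per packet, so chance matches are rare, and requiring several matching probes from the same source before labelling it removes them almost entirely.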
This dataset can enable cybersecurity researchers to characterize the population of infected IoT devices and potentially understand patterns and trends in its evolution. It also provides a mechanism to assess network reputation and network hygiene. Interested researchers are encouraged to visit https://www.impactcybertrust.org/dataset_view?idDataset=717 and request access to the dataset.
References:
[1] “Internet Background Radiation Revisited”, https://www.merit.edu/wp-content/uploads/2016/01/Internet_Background_Radiation.pdf
[2] Information Marketplace for Policy and Analysis of Cyber-Risk & Trust, sponsored by the Department of Homeland Security, https://www.impactcybertrust.org
[3] “A View on the IoT-enabled DDoS Attacks Against Dyn from Merit’s Vantage Point”, Feb. 2017, https://www.merit.edu/a-view-on-the-iot-enabled-ddos-attacks-against-dyn-from-merits-vantage-point/
[4] “Who is Anna-Senpai, the Mirai Worm Author?”, Krebs on Security, https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
Footnote:
1 For interested researchers, longitudinal Darknet datasets are also made available to cyber-security researchers via IMPACT.