Cymmetria Research is releasing an open source honeypot for mirai detection. While simple, this is a very specific tool built to match what mirai expects, based on its source code. It took more time than what would be expected to develop, as mirai is buggy and we needed to avoid crashing it (see more below).
MTPot was developed by Dean Sysman, Co-Founder & CTO; Itamar Sher, Head of Research; and Imri Goldberg, Co-Founder & VP R&D; Cymmetria.
mirai has hit the news recently with the huge DDoS attack (“DynDOS”) that occurred in October, which has overwhelmed Internet service providers and caused multiple disruptions, making DDoS one of the key concerns of security as well as businesses world-wide.
One of our friends wanted a very lightweight honeypot with which he could collect verified mirai Indicators of Compromise (IoCs) – specifically IP addresses trying to compromise IoT systems – and the malware samples they infect them with.
In addition to the DDoS component, mirai first compromises IoT devices, building an infrastructure from which the DDoS can be launched. The infection attempt is what we aim to detect.
The mirai honeypot functionality includes the ability to:
- Detect incoming connections on any port using telnet (equivalent to listening on that port).
- Specifically ID the mirai version we researched (the one which is open source), based on the commands requested from the service.
- Alter parameters to ID mirai (port and commands).
- Report to a syslog server.
- Collect the malware samples mirai tried to infect the user with (will currently crash mirai instead, see below note).
There was a limit as to how much debugging time we could invest in mirai, and this last functionality (collecting samples) is not currently working, instead, mirai crashes when it receives the input it expects. Some consider this a feature. We are happy to receive fixes from the community.
Usage of the tool is simple, but much like any other low interaction honeypot, it has limitations by its nature of emulating a service. This is shown through the requests mirai sends via its telnet connection, based on the mirai source code available on GitHub, here. Thus, it can be fingerprinted if anyone puts their mind to it.
To try it out yourself, you can download the mirai honeypot from our Git, here.
Also, consider downloading the MazeRunner Community edition, a free version of Cymmetria’s enterprise cyber deception platform, and please check out our website and what we do.