Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Mirai - now with DGA

Published: 2016-12-09
Last Updated: 2016-12-09 19:29:50 UTC
by Rick Wanner (Version: 1)
0 comment(s)

Shortly after Mirai was attributed to massive DDOS on OVH and Brian Krebs the source code for Mirai was released on Github.  This was a double edged sword.  It gave security researchers insight into the code, but it also made it more available to those who may want to use it for nefarious purposes.  Within days Mirai variants were detected.  Now chinese researchers Network Security Research Labs  are reporting that recent samples of Mirai have a domain generation algorithm (DGA) feature.  The DGA is somewhat limited in that it will only generate one domain per day, so a total of 365 total domains are possible and they are all in the .tech or .support TLDs.  Further investigation reveals that some of these possible domains have already been registered, presumably by the Mirai variant author.

A few of the domains were in the past, but a number are coming up in the next couple of weeks.

Definitely something to have your Intrusion Detection and DNS sensors watch for.

The detailed analysis of the malware sample is a fun read...if you are into such things.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)

Keywords: DDOS DGA Mirai
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Good Cop; Bad Cop; Domain Cop?
Dec 8th 2016
1 day ago by Johannes (4 comments)

The Passwords You Should Never Use
Dec 7th 2016
2 days ago by Xme (9 comments)

Attacking NoSQL applications
Dec 6th 2016
3 days ago by Bojan (1 comment)

Hancitor Maldoc Videos
Dec 5th 2016
4 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

404 Project: Compatible with mod_security?
created Dec 4th 2016
5 days ago by Ted (1 reply)

Confused about SHA1 in Certs and upcoming changes in browsers
created Dec 2nd 2016
1 week ago by Dana (1 reply)

SQL Slammer activity
created Nov 30th 2016
1 week ago by lwhitworth (2 replies)

Need help with classifying botnets via log entries
created Nov 17th 2016
3 weeks ago by Anonymous (0 replies)

Good read about PCI DSS
created Nov 16th 2016
3 weeks ago by (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries DDoS Attack
Oct 21st 2016
1 month ago by Johannes (9 comments)

Port 7547 SOAP Remote Code Execution Attack Against DSL Modems
Nov 29th 2016
1 week ago by Johannes (21 comments)

TR-069 NewNTPServer Exploits: What we know so far
Nov 29th 2016
1 week ago by Johannes (12 comments)

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
Feb 12th 2016
9 months ago by Johannes (25 comments)

Protecting Powershell Credentials (NOT)
Dec 2nd 2016
1 week ago by Rob VandenBrink (3 comments)