Cymmetria: Open Source Honeypot for Mirai Detection

Mirai has hit the news recently with the huge DDoS attack (“DynDOS”) that occurred in October, which has overwhelmed Internet service providers and caused multiple disruptions


Cymmetria Research is releasing an open-source honeypot for Mirai detection: a purpose-built tool that presents exactly what Mirai expects to see, based on the malware's source code. MTPot was developed by Dean Sysman, Co-Founder & CTO; Itamar Sher, Head of Research; and Imri Goldberg, Co-Founder & VP R&D, all of Cymmetria.

Mirai has hit the news recently with the huge DDoS attack (“DynDOS”) that occurred in October, which has overwhelmed Internet service providers and caused multiple disruptions, making DDoS one of the key concerns of security as well as businesses worldwide.

According to the company, a need arose for a very lightweight honeypot with which one could collect verified Mirai Indicators of Compromise (IoCs) – specifically IP addresses trying to compromise IoT systems – and the malware samples they infect them with.

In addition to the DDoS component, Mirai first compromises IoT devices, building an infrastructure from which the DDoS can be launched. The infection attempt is what Cymmetria aims to detect.

The Mirai honeypot functionality includes the ability to:

- Detect incoming connections on any port using telnet (equivalent to listening on that port).
- Specifically ID the Mirai version we researched (the one which is open source), based on the commands requested from the service.
- Alter parameters to ID Mirai (port and commands).
- Report to a Syslog server.
- Collect the malware samples Mirai tried to infect the user with (will currently crash Mirai instead, see below note).

The company says there was a limit to how much debugging time it could invest in Mirai, and this last function (collecting samples) does not currently work. Instead, Mirai crashes when it receives the input it expects.

Usage of the tool is simple, but like any other low-interaction honeypot, it is limited by its nature of emulating a service. Its emulation covers only the requests Mirai sends over its telnet connection, based on the Mirai source code available on GitHub. Thus, it can be fingerprinted if anyone puts their mind to it.
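As an added illustration of the detection approach described above (example code written for this article, not MTPot's own): a small Python matcher that strips telnet negotiation from a captured session, looks for the post-login command sequence and BusyBox probe that the public Mirai source sends, and formats a syslog line for reporting. The specific command strings are this example's assumption, taken from that public source rather than from the text above, and, exactly like MTPot, the fixed expected strings are what makes such a low-interaction emulation fingerprintable.

```python
import re
import time

# Post-login escalation sequence and BusyBox probe issued by the open-source Mirai
# loader (assumption drawn from the public source; the article does not list them).
MIRAI_SEQUENCE = ["enable", "system", "shell", "sh"]
BUSYBOX_PROBE = re.compile(r"^/bin/busybox\s+(\S+)$")


def split_telnet_lines(payload: bytes) -> list:
    """Strip telnet IAC negotiation and return the command lines the client sent."""
    data, i = bytearray(), 0
    while i < len(payload):
        if payload[i] == 0xFF and i + 1 < len(payload):
            # IAC WILL/WONT/DO/DONT carry one option byte; other IAC commands do not
            i += 3 if 0xFB <= payload[i + 1] <= 0xFE else 2
            continue
        data.append(payload[i])
        i += 1
    text = data.decode("latin-1").replace("\r", "")
    return [line.strip() for line in text.split("\n") if line.strip()]


def classify_session(lines: list) -> tuple:
    """("mirai", token) when the escalation sequence appears in order and a BusyBox
    probe follows; ("suspicious", None) for the sequence alone; else ("benign", None)."""
    expect = 0
    for line in lines:
        if expect < len(MIRAI_SEQUENCE) and line == MIRAI_SEQUENCE[expect]:
            expect += 1
    if expect < len(MIRAI_SEQUENCE):
        return "benign", None
    for line in lines:
        m = BUSYBOX_PROBE.match(line)
        if m:
            return "mirai", m.group(1)
    return "suspicious", None


def syslog_line(peer: str, port: int, verdict: str, token, host="honeypot") -> str:
    """RFC 3164-style message (PRI 14 = user.info) ready to ship to a collector."""
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<14>{ts} {host} mtpot-example: src={peer} dport={port} verdict={verdict} busybox={token or '-'}"


if __name__ == "__main__":
    # Constructed session: IAC DO ECHO, a login, the escalation sequence, a probe.
    sample = (b"\xff\xfd\x01root\r\npassword\r\nenable\r\nsystem\r\nshell\r\nsh\r\n"
              b"/bin/busybox ECCHI\r\n")
    verdict, token = classify_session(split_telnet_lines(sample))
    print(syslog_line("192.0.2.10", 23, verdict, token))
```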

The Mirai honeypot can be downloaded from Cymmetria's Git repository. The company also offers the MazeRunner Community Edition, a free version of Cymmetria's enterprise cyber deception platform.
