Mirai is Attacking Again, So We’re Outing its Hilarious, Explicit C&C Hostnames
Sure, the C&C list is a small sample size, and C&C hosts come and go quickly. This list is in no way exhaustive—it’s just a snapshot in time from last quarter. But for a breakdown of the domain hosting services, see the end of this article.
“Yes, I really am a C&C server.”
A disturbing number of the C&C servers brazenly scream out that they are, indeed, nefarious “cnc” servers. Check out this subset:
cnc.bigbandsinmyvault.tk
cnc.bigbotpein.ru
cncbot.cnbot.space
cncbot.ddns.net
cnc.changeme.com
cnc.linux.lol
cnc.nutsz.club
cnc.skidsec.org
cnc.spamtech.win
There’s a whole other category of hosts that identify not just as C&C servers, but as Mirai C&C servers. Thanks for the specificity, dudes! How much more obvious do you need to be?
cmdmirai.tk
cnc.mirai.com
iotmirai.tk
lolzsecssh*ttymirai.tk
miraibotnet.ml
miraibotnet.online
miraihoneypot.tk
mirainet.ml
mirainet.tk
For those of you security engineers out there, it’s probably not a terrible idea to flag any computer in your network that is looking up hosts that begin with “cnc” or “mirai.”
And somebody really likes boats. We like boats, too.
bigboats.club
bigboatz.us
boatnet.xyz
boat.racoon.ml
gammaboat.us
ssh.gammaboat.us
www.trapboat.club
We’ve been saying that the Internet of Things is the attacker platform of the future. The world of IoT botnets is highly automated. And, of course, our defenses are getting more automated, as well. It’s computers attacking and computers defending.
But every now and then you get a glimpse of the humanity buried in the morass of digital data. Like when you run across C&C hostnames that contain absurdly juvenile names and words you haven’t heard since middle school. But that’s how you know they’re human. And humans make mistakes. Sometimes those mistakes are other humans, and those humans end up building IoT botnets controlled by C&C hosts whose names offend the senses or offer dubious advice.
What’s Up With All the .tk Domains?
In theory, the .tk top level domain (TLD) represents the Tokelau island chain of New Zealand, a place so small it doesn’t even have a regional airport. In reality, .tk domains are free and are used by the poor as well as a huge number of spammers, phishers, and stressors.5The .tk TLD is now, incredibly, the third most popular after .com and .net. That’s right, more popular than .uk, .org, and .sex.
The massive popularity of .tk domains has increased the GDP of Tokelau by 10% and some of the increased revenue goes to provide the local poor their own Internet access. 6Such a strange, circular world we live in.
Conclusion
Credit goes to the infosec community as 70% of the C&C hosts (including all of them with “cnc” in the hostname) are already offline. Cloudflare is still hosting about 7 of these hosts, down from the original 14.
Below is the list of hosts in table form. The second column denotes whether or not the host appears to still be active, at least from a network perspective.
Feel free to add these hosts to threat Intelligence IP reputation lists.
Source link
lol
Sure, the C&C list is a small sample size, and C&C hosts come and go quickly. This list is in no way exhaustive—it’s just a snapshot in time from last quarter. But for a breakdown of the domain hosting services, see the end of this article. “Yes, I really am a C&C server.” A…