It looks almost like English. It makes me want to learn it for fun.
More than likely though I would go to decompile something and it would be infinitely complicated and years of learning to know what I'm doing. Perhaps I shall YouTube some intro videos.
If you're interested in getting started with reverse engineering, I recommend Binary Ninja. It's a newer platform, and you may run into bugs, but the team behind it is super responsive to feedback, and they've done a great job of taking a traditionally very arcane UI, and making it into something that's a joy to use.
In the past it was a lot more difficult since as an individual they'd want to physically ship you the software on disk, so they'd only send it to offices, trusted addresses, etc., which complicated it a lot. I never really had to deal with this since I think their strategies changed a bit by the time I got licenses at my last job.
Of course, just emailing them from your work addr won't totally cut it -- you also have to pony up the few thousand USD to get IDA, and near $10k if you want all the decompiler tools, as well... IDA Pro itself is relatively 'cheap' by itself if you just want disassembly, though, and you actually do it for a job.
It takes some learning, but yes it's as cool as it looks.
It definitely won't take you years to learn how to understand disassemblies! You can get to 80% proficiency in a few weeks, just by understanding how control flow graphs work.
Do these kids even use some sensible crypto for the C&C? If not, anyone running their own Mirai net can steal these bots just by running .dns on their C&C domain and registering one of the generated domains :)
Not so fast. This is just so that malware reverse engineers can't run strings on the executable (note also where they say this executable is stripped but not packed) and then block/tip the handful of hard-coded domains.
Anti-forensics is an arms race, and especially for a botnet like this the goal is to do just enough that you can spread (see also: premature optimization). You'll see it (Mirai) get progressively better as the authors are forced to work harder.
Nothing to do with `strings`. The purpose of domain generation algorithms is simply to prevent bot loss from domain suspension/C&C takedowns.
Unless these guys patched Mirai to authenticate the server somehow, this is a really easy way for them to lose all of their bots.
As I stated earlier, this enables any competing botmaster to easily steal their bots simply by taking down the nameservers for their main domains. Mirai has built in functionality to do that, the ".dns" command.
Even without that flaw, it's also a really bad way of keeping the bots alive since 365 domains will be trivial for the registry to blacklist.
The purpose of DGA is also to make it harder to identify the domains the malware will use. One of those ways is to run strings on an executable and look for domain names. As they made no attempt to move off their main domains, we can assume that wasn't the goal. Rather, the goal of this is pretty clearly to add a few new domain names which are not as obvious and thus less likely to be blocked. Certainly not the perfect solution, but see my previous comment about premature optimization.
Also, I think you're overestimating the ease of taking over someone else's registrant account. Possible? Absolutely. Easy? Well, that depends on a great many things, but typically not easy without a court order.
I've seen lots of DGAs, but I've never seen one being used for the purpose you're describing.
You're suggesting a pretty novel use case here, why is that?
> Also, I think you're overestimating the ease of taking over someone else's registrant account. Possible? Absolutely. Easy? Well, that depends on a great many things, but typically not easy without a court order.
While it's not at all what I was referring to, many domain registrars are actually surprisingly happy to just hand over malware domains to "whitehats".
See goatsi's comment for the issue I was originally referring to.
In my experience, malware authors care about beating the defense more than they do about having their domains taken down by some "whitehat". Although if you think that's easy, by all means please do. The Internet will thank you.
The idea of using a DGA to hide your C&C simply isn't a very good one. It's not going to work, anyone running a packet capture will still see where your bot connects.
Using a DGA to protect your C&C from being taken down? You can easily make it impossible for any domain registry to shut you down. It'll also protect you from server suspensions as you'll just be able to update your DNS records.
One of these actually works, one doesn't. For hiding your C&C you'd want to use Tor hidden services instead. Generally C&Cs are disposable though, so there's no need to hide them in the first place.
> In my experience, malware authors care about beating the defense more than they do about having their domains taken down by some "whitehat".
I don't really understand what you mean here. "Beating the defense"? Are you suggesting that whoever did this Mirai edit was trying to evade antiviruses or any sort of "defense" in that matter? On IoT devices and routers?
I'm sure they weren't hoping that whatever analyst finds their binary isn't going to find their C&C... Which seems to be what you're suggesting.
But if they aren't worried about their C&C being taken down by some "whitehat" then why on earth would they want to hide it in the first place?
So, the author of the code doesn't need to register all of them. Just one for each day he needs a backup C&C network.