The source code for the malware Mirai has been released to the public. This source code, released on Hackforums, can be used to create an Internet of Things botnet that can launch a massive distributed denial of service attack.
Last month, it was used to attack KrebsonSecurity and it is almost guaranteed that more attacks will follow.
The power of Mirai comes from a growing number of insecure cameras, routers, and other IoT devices that have been taken over by the malware. So far, the Mirai devices have reached 164 countries.
To give you an idea of the scope of the IoT, Cisco is expecting the number of connected devices to increase from the current 15 billion in 2016 to 50 billion by 2020. Intel thinks that number is low and that there will be over 200 billion connected devices by that time. Some of these devices include 173.4 million wearable devices. 90% of cars are expected to be connected to the Internet as well.
Once taken over, these devices can then become part of a botnet, which can be used to take websites offline.
When a hacker calling him/herself “Anna-senpai” released the source code, they left the following message on the forum:
“When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IoT now, so it’s time to GTFO [link added]. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
Interesting Facts Uncovered
- Even though Anna-senpai mentions ISPs “cleaning up their act,” researchers do not believe he/she did this for altruistic reasons.
- One of the interesting things uncovered by researchers is that there is a hardcoded list of IP addresses that the Mirai bots are instructed to avoid when scanning for machines. Some of these include the US Post Office, GE, US Department of Defense, HP, and the Internet Assigned Numbers Authority.
- The code for the command-and-control interface is written in English, but contains strings in Russian. This leads some to speculate that it was developed by either Russian hackers or possibly some of the hackers were Russian in origin.
How It Works
“Mirai isn’t really a fancy piece of malware, but it’s effective and spreads quickly because it targets Internet of Things (IoT) devices that are extremely easy to hack. These devices, mostly DVRs and surveillance cameras, use default and predictable passwords, such asadmin and 123456, root and password, or guest and guest, among others,” says Lorenzo Franceschi-Bicchierai at Motherboard.
Mirai constantly scans IoT devices on the internet that use hard-coded or factory default usernames and passwords. Once these devices are infected, they contact the command-and-control servers and get the information about their next target.
Once they have the target information, they start sending traffic to the target. With enough of these devices acting together, it’s sufficient to shut down most websites. Since the biggest impact the botnet will have on an individual infected machine is slower bandwidth, most owners of the equipment have no idea that their hardware is infected and will allow the behavior to continue.
“Akamai’s Shaul says attackers are using smaller packets in their attacks, which stresses the networking equipment near the targeted servers as well as the servers themselves. Routers have to spend processing power for each packet regardless of length, so boosting the sheer number of packets can cause network bottlenecks,” says Tim Greene at NetworkWorld.
Cleaning Up the Systems and Preventing Botnet Attacks
While it is true that cleaning up the infection can be as simple as a reboot, which wipes the malicious code from memory, the malware is constantly scanning for vulnerable devices. This results in a device being reinfected within minutes of being rebooted.
The problem is that IoT device manufacturers are creating devices based on functionality and not security. This will need to change in the future.
For now, check out our article that shows how to prevent infection.
What effects will this have on the internet as we know it? It’s likely that we will start seeing slower internet speeds as more devices on the IoT become hacked and start using more bandwidth as a result.
The Mirai source code is now freely available and we should expect more botnet attacks as a result. In addition to this, it’s important to protect your network using next-generation endpoint protection with SentinelOne.