IoT-powered DDoS attacks are on the rise, and the situation is poised to become even worse now that the source code for the Mirai malware has been made public.
Reporter Brian Krebs, whose website has recently been bombarded with a huge DDoS attack by botnets created with the Mirai and Bashlite malware, spotted a post on hacking community Hackforums by a user named “Anna-senpai” offering the code.
“When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO,” the user wrote. “So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
Apparently, Mirai’s author is trying to muddy the waters, to make the job of identifying and eventually convicting him more difficult. Also, if many other criminals take on the malware and set up IoT-powered botnets, investigators might never end up coming around searching for him.
The Mirai Trojan targets mostly routers, DVR or WebIP cameras, Linux servers, and Internet of Things devices running Busybox – the “Swiss Army knife of Embedded Linux.”
The attackers wielding it first gain shell access to the target devices by taking advantage of the fact that most have a default password set for the SSH or telnet account, and then they load the malware.
Mirai is considered to be a more sophisticated descendant of the Bashlite (aka Gafgyt, aka Torlus) Trojan. It is capable of making the infected device participate in UDP, DNS and HTTP floods, UDP floods over GRE (generic routing encapsulation), and several types of TCP floods.
The increased visibility of this and similar threats will raise awareness about the (in)security of IoT devices, leading hopefully to more efficient defenses, but things will definitely get worse before they get better.
“Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory,” Krebs noted. “But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot.”
A simple test by SANS ISC CTO Johannes Ullrich demonstrates the onslaught IoT devices start experiencing as soon as they are connected to the Internet.