Nearly 400,000 video recorders, webcams, and home routers are being used to launch attacks against targets around the world. This threat is an Internet of things (IoT) distributed denial of service (DDoS) weapon called the Mirai botnet.
Below, we will look at the basics of the DDoS mega-attack on security reporter Brian Krebs, the open-sourcing of the Mirai code, and defense tactics from US-CERT.
In Part 2, we will explore how to use a test server to track Mirai and the botnet’s top 10 login combinations. We will then review why conventional botnets don’t DDoS and IoT ones do, and why Mirai was open-sourced. Finally, we will review a new Mirai worm variation and look forward at continuing protection.
- Stop the botnets for $25K
- What are Mirai and the IoT botnet threat?
- Open-sourcing the Mirai code
- How can you protect yourself from Mirai and Bashlight?
- Help with DDoS protection
Stop the botnets for $25K
A January 5 headline from USA Today read simply, “How to win $25,000: Find a tool to fight zombie botnets.” That’s right, the federal government is offering a cash reward if you can figure out how to stop IoT botnets like Mirai. The concern is understandable, since Mirai’s source code has been publicly released. This is a very real and serious threat, and coverage of it sounds like a warning of technological apocalypse.
Even if Mirai does not mean the end of the Internet, the findings on this botnet (a vast network of computers leveraged for attacks through voluminous, fraudulent requests) are deeply disturbing.
What are Mirai and the IoT botnet threat?
On October 14, 2016, the US federal government (via its Computer Emergency Readiness Team, US-CERT) released Alert TA16-288A: “Heightened DDoS Threat Posed by Mirai and Other Botnets.” (The alert was updated on November 30.)
It’s no surprise that the Internet of Things is mentioned as the “systems affected” within this notice, since the security challenges of this booming computing field have been a topic of concern among thought-leaders for years.
The US-CERT announcement was prompted by the Mirai DDoS attack of Brian Krebs’ site, krebsonsecurity.com, which occurred the evening of September 20 and reached a climax of more than 620 gigabits per second (Gbps).
The author believed to be responsible for Mirai pointed over 380,000 different IoT device slaves (the routers, video recorders, webcams, etc.) at Krebs’ site. Slaves are captured by Mirai’s malware, which scans the web for them. “The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices,” said US-CERT. “Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.”
Krebs is joined by another high-profile victim of Mirai: in September, the French web host OVH was hit with an assault exceeding 1.1 terabits per second (Tbps). It’s not just these one-off attacks that have DHS sounding the alarm bell, though. It’s that the source code for Mirai was posted publicly at the end of September. The open-sourcing of Mirai is expected to spark copycat DDoS botnet creation, effectively militarizing our devices as unwilling soldiers for use against someone else’s enemies.
Along with Mirai, you may have also heard of Bashlight – another malware botnet that is not open-sourced as of this writing. It's similar because it also exploits default passwords. This botnet is thought to have as many as 1 million devices enslaved.
Is that all the bad news? Unfortunately, no. US-CERT updated its Mirai notice in late November because use of the botnet was evolving. “[A] new Mirai-derived malware attack actively scanned TCP port 7547 on broadband routers susceptible to a Simple Object Access Protocol (SOAP) vulnerability,” explained the agency. “Affected routers use protocols that leave port 7547 open.”
Open-sourcing the Mirai code
The source code for Mirai was made publicly available, as indicated by Brian Krebs himself (via his attacked site) on October 16. Krebs noted that the leak was first announced on Friday, October 13, on Hack Forums (a service that recently came under fire for allegedly offering DDoS-for-hire).
Krebs explained that once IoT devices (cameras, routers, or whatever else) are infiltrated, they then become bots for use of the botnet – to derail target sites so they can’t be accessed by their legitimate users. In other words, Mirai and DDoS vehicles like it are generally a threat to online service, although specific victims are hand-picked.
The user on Hack Forums who released the Mirai code was Anna-senpai (senpai meaning “an older person or mentor”). “Anna” noted that he/she was releasing the source code because security pros were cracking down on IOT DDoS.
“When I first go in DDoS industry, I wasn’t planning on staying in it long,” wrote the user. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO.”
Anna-senpai mentioned that they had typically been able to access and control 380,000 bots via Telnet prior to September; however, following the Krebs DDoS, they could now only use 300,000 slaves at most.
How can you protect yourself from Mirai and Bashlight?
Mirai and Bashlight are both massive and can be massively destructive, preventing your systems from working and possibly running up a huge price tag through recovery and blocked access to revenue. What can you do?
Here are mitigation and preventive steps from US-CERT:
To remove Mirai:
- Disconnect the camera, router, or other device from the network.
- Reboot it. That’s it (sort of). “Because Mirai malware exists in dynamic memory,” explained the DHS, “rebooting the device clears the malware.”
- Secure the password. The default password is what makes the device vulnerable. Here are examples of strong passwords – especially the middle option containing ASCII (American Standard Code for Information Interchange) characters. Or use these tips from a Silicon Valley nonprofit org.
- Reconnect only once you reboot and set a new password. Otherwise reinfection is likely.
To prevent Mirai:
- Change all your passwords to strong ones. Default passwords are typically posted online, so they’re easy to target.
- Download patches as soon as they’re released.
- Turn off your router’s UPnP (Universal Plug and Play) function.
- Buy IoT devices from businesses known to invest in security.
- Watch specific ports. “Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol,” advised US-CERT, which added that “[i]nfected devices often attempt to spread malware by using port 48101 to send results to the threat actor.”
- Be aware that any connected devices are at risk. Whenever you get a device that has a default password or open Wi-Fi, switch the password and contain it within a secured network.
- Check medical devices. Often at-home medical devices now send data and allow remote operation. These are also common malware targets.
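The port-watching advice above can be turned into a simple detection pass over firewall or flow logs. The following is an added example (not code from US-CERT or from the original post) that flags hosts touching many Telnet targets on 23/2323, any connection to the 48101 reporting port, and traffic to the TCP 7547 SOAP port named in the November update; the log line format and sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Ports named in US-CERT alert TA16-288A (Telnet scanning on 23/2323,
# result reporting on 48101) plus TCP 7547 from the November update.
TELNET_PORTS = {23, 2323}
REPORT_PORT = 48101
SOAP_PORT = 7547
SCAN_THRESHOLD = 3  # distinct Telnet targets before a source is flagged

# Assumed simplified flow-log format (constructed for this example):
# '<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp'
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=tcp"
)

def analyze(lines):
    """Return alerts grouped by type from an iterable of flow-log lines."""
    telnet_targets = defaultdict(set)  # source IP -> set of Telnet destinations
    alerts = {"telnet_scan": [], "c2_report": [], "soap_7547": []}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport in TELNET_PORTS:
            telnet_targets[src].add(dst)
        elif dport == REPORT_PORT:
            alerts["c2_report"].append((src, dst))
        elif dport == SOAP_PORT:
            alerts["soap_7547"].append((src, dst))
    # A single Telnet login is normal; one source hitting many hosts is not.
    for src, targets in telnet_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts["telnet_scan"].append((src, len(targets)))
    return alerts

# Constructed sample log: 192.0.2.10 behaves like an infected device,
# 192.0.2.20 makes one ordinary Telnet connection.
SAMPLE_LOG = [
    "2016-10-14T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=23 proto=tcp",
    "2016-10-14T10:00:01 src=192.0.2.10 dst=198.51.100.6 dport=23 proto=tcp",
    "2016-10-14T10:00:02 src=192.0.2.10 dst=198.51.100.7 dport=2323 proto=tcp",
    "2016-10-14T10:00:02 src=192.0.2.10 dst=198.51.100.8 dport=23 proto=tcp",
    "2016-10-14T10:00:03 src=192.0.2.10 dst=203.0.113.9 dport=48101 proto=tcp",
    "2016-10-14T10:00:04 src=192.0.2.20 dst=198.51.100.5 dport=23 proto=tcp",
    "2016-10-14T10:00:05 src=192.0.2.20 dst=198.51.100.9 dport=443 proto=tcp",
    "2016-10-14T10:00:06 src=198.51.100.77 dst=192.0.2.1 dport=7547 proto=tcp",
]

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```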
See below to continue reading about Mirai.
Help with DDoS protection
What about the other side, though? What about when the devices are used against your business? After all, DDoS attacks were up 125% between 2015 and 2016 (ZDNet). In this botnet age, what can you do?
At Total Server Solutions, we’ve partnered with Staminus, the leading DDoS mitigation provider, to bring their enterprise level-protection to your site. Let us help you!