Mirai Botnet

The Mirai botnet is a network of Internet of Things (IoT) devices infected with Mirai malware, used for massive distributed denial of service (DDoS) attacks. The Mirai malware was discovered in August 2016 by MalwareMustDie^[1], and it’s first major attack was on computer security expert Brian Krebs’s personal website ^[2]. The botnet gained mainstream notoriety after performing the largest DDoS attack in history against DNS provider Dyn in October 2016 ^[3]. The Mirai Botnet is now being rented on dark web for performing DDoS attacks for high paying clients ^[4]

Notable Attacks

Krebs Attack

The September 20th attack on computer security blogger Brian Krebs's website, KrebsOnSecurity.com, was the first major attack of the Mirai Botnet. The attack was estimated to have been around 620 gbps, which was approximately twice as large than any prior DDoS attack on record. Content Distribution Network provider Akamai thwarted the attack, and released a special State of the Internet report following it.

Dyn Attack

On October 21st, the Mirai botnet performed one of the most disruptive DDoS attacks in Internet history. The attack took down Domain Name Service (DNS) provider Dyn, a major backbone for many websites. DNS is a service that translates human readable URLs to IP addresses. When Dyn went down, many sites including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were rendered unreachable for most users. Estimates report that up to 100,000 IoT devices were used to power the attack which attained a throughput of up to 1.2 TBPS. ^[5]

Technical Notes

Distributed denial-of-service (DDoS) attacks

A denial-of-service (DoS) attack is an attack that sends excessive amounts of requests from a device on the Internet to flood a victim network with traffic. The intent of a DoS attack is to create enough congestion to render a service or website unusable. A distributed denial-of-service (DDoS) attack uses a collection of devices on the Internet to flood the victim with traffic from many devices. The collection of devices used in a DDoS attack are often referred to as a botnet, and are often exploited without their owners' consent.^[6]

Mirai Malware

Mirai malware targets poorly secured IoT devices by brute-forcing into them with a list of common usernames and passwords. Mirai then infects the device with software which gives control of the its network resources to a central server. Devices will remain infected until they are rebooted. Mirai’s inventor claims that the botnet uses upwards of 380,000 devices in an attack at a rate of 620 Gbps ^[7]. Interestingly, Mirai has a list of hardcoded IP addresses in the source code to avoid attacking. The list includes Hewlett-Packard, General Electric, and the US Postal Service ^[8]. The source code of Mirai is open source on GitHub ^[9]

Implications on IoT

The Internet of Things refers to the collection of everyday objects with embedded Internet connections. Examples of IoT devices include 'smart objects' like smart tvs, smart refrigerators, etc. as well as Internet beacons and personal assistants. The IoT industry has been criticized by security professionals for having poor security practices and the immense power achieved by the Mirai botnet has exacerbated to this concern. Security professionals also speculate that the attacker who created Mirai is an amateur and not a professional hacker^[10].

Mirai for rent

Since the major attacks in 2016, a market has developed for the Mirai botnet. Hackers are currently renting botnets infected with Mirai on the black market. It is estimated that around 400,000 bots are available for rent, however, customers may choose to rent fractions of the botnet for reduced cost. $4,600 will purchase the usage of 50,000 bots while $7,500 will purchase 100,000. The seller claims it can reach a bandwidth of up to 1 tbps ^[11].

References

1. ↑ http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
2. ↑ http://www.computerworlduk.com/security/krebs-ddos-aftermath-industry-in-shock-at-size-depth-complexity-of-attack-3646809/
3. ↑ https://www.flashpoint-intel.com/action-analysis-mirai-botnet-attacks-dyn/
4. ↑ https://www.cyberscoop.com/mirai-botnet-for-sale-ddos-dark-web/
5. ↑ http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
6. ↑ https://www.us-cert.gov/ncas/tips/ST04-015
7. ↑ https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
8. ↑ https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
9. ↑ https://github.com/jgamblin/Mirai-Source-Code/tree/master/mirai
10. ↑ http://www.latimes.com/business/autos/la-fi-tn-cyberattack-hackers-20161026-story.html
11. ↑ http://www.forbes.com/sites/leemathews/2016/11/29/worlds-biggest-mirai-botnet-is-being-rented-out-for-ddos-attacks/#2cd29d903046