Mirai: what you need to know about the botnet behind recent major DDoS attacks 

Oct 27, 2016 10:36 AM

A distributed denial of service (DDoS) attack on DNS provider Dyn last week managed to disrupt an array of the internet’s biggest websites, including Spotify, Twitter, and PayPal.

What was most interesting about this attack was that it was largely carried out using an Internet of Things (IoT) botnet called Mirai (Linux.Gafgyt).

Q: When did Mirai emerge?
A: Mirai first came to public attention when it was used in a huge DDoS attack against the website of journalist Brian Krebs, which reached 620 Gbps, on September 20.

The source code for the botnet was then publicly released on the English-language hacking community Hackforums on September 30 by a user using the screen name Anna-senpai.

Q: How does Mirai work?
A: Mirai works by exploiting the weak security on many IoT devices. It operates by continuously scanning for IoT devices that are accessible over the internet and are protected by factory default or hardcoded user names and passwords.

In a Security Response blog last month, we revealed research that indicated that the default user names and passwords for IoT devices are often never changed.

Mirai infects devices with malware that forces them to report to a central control server, turning them into a bot that can be used in DDoS attacks.

Q: In which attacks has Mirai been used?
A: Following the aforementioned Krebs attack, which was record-breaking at the time, Mirai was used in an attack on French hosting company OVH that peaked at 1 Tbps.

However, it was last week’s attack on Dyn, which brought so much of the internet to a standstill, that grabbed the most attention and raised questions about how powerful these DDoS attacks could become. In a blog following the attack, Dyn said it had “observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.” Upon further analysis, Dyn lowered that estimate.

Q: What devices are at risk of exploitation/infection?
A: Routers, DVRs, CCTV cameras, and any other ‘smart’, internet-connected appliances are at risk of attack.

Webcams were the primary devices exploited in the Dyn attack, while CCTV cameras are believed to have been the IoT device primarily utilized in the attack on OVH. These devices weren’t protected by a firewall or a router using NAT, which allowed them to be easily compromised. Additionally, many IoT devices take advantage of a feature known as Universal Plug and Play (UPnP), which opens a port on the router to allow them to be accessible from the internet.

Q: How are device manufacturers responding?
A: The Chinese electronics firm behind many of the webcams used in the attack on Dyn’s services, XiongMai Technologies, issued a recall for many of its devices following the attack.

Q: What is the likelihood my device will be attacked?
A: Analysis this week by Symantec concluded the average IoT device is scanned every two minutes. This means that a vulnerable device, such as one with a default password, could be compromised within minutes of going online.

Q: Why are IoT devices being targeted?
A: Poor security on many IoT devices makes them soft targets and attackers often pre-program their malware with commonly used and default passwords. Processing power limitations and basic operating systems mean many IoT devices don’t have advanced security features. As they are often designed to be plugged in and forgotten about, owners often don’t apply security updates and it is easy for an attack on such devices to go unnoticed.

Q: Why was Mirai’s source code leaked?
A: This is unknown. However, leaks often occur when attackers become concerned about discovery and want to “muddy the waters” by putting the malware in the hands of more attackers.

Source code leaks can also lead to new varieties of the malware emerging. It is possible that other attack groups may modify Mirai to attack a wider range of IoT devices.

Q: How many passwords is Mirai configured to try?
A: Analysis by Symantec of recent Mirai samples has found the malware is configured to use a list of at least 62 user name and password combinations, most of which are commonly used default credentials for IoT devices.

Q: Can a Mirai infection be removed?
A: Devices that become infected with Mirai can be cleaned by restarting them. However, due to constant scanning for devices by the botnet, vulnerable devices can become re-infected within a matter of minutes of going back online unless the default credentials are changed.

Q: What can I do to protect my devices and prevent them from becoming infected?
A: Symantec Security Response has the following tips to protect your IoT device from becoming infected with malware.

  • Research the capabilities and security features of an IoT device before purchase
  • Perform an audit of IoT devices used on your network
  • Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks.
  • Use a strong encryption method when setting up Wi-Fi network access (WPA)
  • Disable features and services that are not required
  • Disable Telnet login and use SSH where possible
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary
  • Modify the default privacy and security settings of IoT devices according to your requirements and security policy
  • Disable or protect remote access to IoT devices when not needed
  • Use wired connections instead of wireless where possible
  • Regularly check the manufacturer’s website for firmware updates
  • Ensure that a hardware outage does not result in an insecure state of the device
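As a companion to the audit tip above and to the "scanned every two minutes" figure earlier in this Q&A, here is an added example (not Symantec's code or part of the original post) that reads iptables-style firewall log lines and reports which devices on a network are receiving inbound Telnet probes from the internet, how many distinct sources are probing them, and how often. The log lines are constructed for the example; the log format, the 2016 year assumption and the inclusion of TCP port 2323 alongside 23 are assumptions not taken from the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style log lines (sample input, not real traffic)
SAMPLE_LOG = """\
Oct 27 10:00:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=23 SYN
Oct 27 10:01:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.12 PROTO=TCP SPT=5123 DPT=80 SYN
Oct 27 10:02:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=2323 SYN
Oct 27 10:03:50 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=41300 DPT=23 SYN
Oct 27 10:04:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.11 PROTO=TCP SPT=33000 DPT=23 SYN
Oct 27 10:06:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23 SYN
Oct 27 10:08:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=60123 DPT=23 SYN
Oct 27 10:09:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5000 DPT=23
"""
TELNET_PORTS = {23, 2323}  # 2323 is an assumption (alternate Telnet port), not from the article
HEADER_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (.*)$")

def parse_events(log_text, year=2016):
    """Return (timestamp, src, dst, dport) for inbound TCP SYNs aimed at Telnet ports."""
    events = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
        if fields.get("PROTO") != "TCP" or int(fields.get("DPT", 0)) not in TELNET_PORTS:
            continue  # ignore non-TCP traffic and ports other than Telnet
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, fields["SRC"], fields["DST"], int(fields["DPT"])))
    return events

def summarize_probes(events):
    """Per probed device: probe count, distinct probing sources, mean gap between probes (s)."""
    by_dst = defaultdict(list)
    for ts, src, dst, _ in sorted(events):
        by_dst[dst].append((ts, src))
    summary = {}
    for dst, hits in by_dst.items():
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        summary[dst] = {"probes": len(hits), "sources": {s for _, s in hits},
                        "mean_gap_s": sum(gaps) / len(gaps) if gaps else None}
    return summary

def exposed_devices(summary, max_mean_gap_s=120.0):
    """Devices probed at least as often as the article's 'every two minutes' figure."""
    return sorted(d for d, s in summary.items()
                  if s["mean_gap_s"] is not None and s["mean_gap_s"] <= max_mean_gap_s)
```

Any device that appears in the summary at all is reachable from the internet on a Telnet port, which is the condition the article describes for the Dyn and OVH devices; the probe rate only shows how little time such a device would have before its default credentials are tried.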

Q: Does Symantec have protection in place against Mirai infections?
A: Yes. Symantec and Norton products detect the Mirai Trojan as Linux.Gafgyt.

For more information on this subject, read our blog: IoT devices being increasingly used in DDoS attacks
