The secret behind the success of Mirai IoT botnets
28 October 2016 | 0
There is no magic behind the success of Mirai DDoS botnets that are made up of IoT devices: the software enabling them is publicly available, which makes it easy for relatively inexperienced actors to create them and turn them loose on anyone.
Flashpoint speculates that the attacker in the case of the Dyn DDoS, which had an enormous impact on major web sites, was the work of low-skilled script kiddies – a frightening prospect that contributes to Trend Micro’s assessment that “the Internet of Things ecosystem is completely, and utterly, broken.”
“To amass an IoT botnet, Mirai bot herders scan a broad range of IP addresses, trying log in to devices using a list of 62 default usernames and passwords that are baked into Mirai code,” US-CERT
To amass an IoT botnet, Mirai bot herders scan a broad range of IP addresses, trying log in to devices using a list of 62 default usernames and passwords that are baked into Mirai code, according to US-CERT.
Connect and command
Mirai connects hijacked devices to an IRC-type service where it waits for commands. Often one of the first things a bot does is scan the internet for more vulnerable devices to infect. These devices are largely security cameras, DVRs and home routers. Brian Krebs, whose krebsonsecurit.com site was one of the first hit by a massive Mirai-based DDoS attack, lists some of the specific devices here.
When Mirai botnets are called upon to carry out DDoS attacks, they can draw on a range of tools including ACK, DNS, GRE, SYN, UDP and Simple Text Oriented Message Protocol (STOMP) floods, says Josh Shaul, vice president of web security for Akamai.
Mirai does not try to hide from forensic analysis, probably because the type of device it is on will not have an owner who is skilled enough to look for it.
Like any botnet, Mirai directs its zombie machines via command and control (C2) servers, which are mostly compromised machines in the networks of small and mid-sized businesses, says Dale Drew, CSO of Level 3. To avoid detection, these change location about three times as other IoT botnets change – roughly every day or so, he says.
These IoT botnets carry out volumetric attacks that try to throw as much traffic at their targets as possible to overwhelm them and make it impossible for legitimate traffic to reach them. Some estimate they have generated greater than 1Tbps attacks.
There are millions of IoT devices deployed, making it possible to assemble larger than usual botnets more quickly. US-CERT says the purported author of Mirai says 380,000 IoT devices are under its control.
Since so many devices are enlisted and attack directly it’s difficult for defenders to readily identify significant numbers of malicious IP addresses and block them quickly. With reflection attacks, there is another layer of attack device that can be identified and blocked, effectively nullifying many individual bots.
These hijacked IoT devices often use randomly assigned and changing IP addresses issued by service providers via DHCP. That means the IP address that identifies attack traffic coming from a single device might change over time, making it more difficult to nail it down as an attacker.
Why IoT devices?
IoT devices represent an ideal category of potential bots. There are millions of them and they have several problems:
Many of them have exposed administrative ports protected by weak passwords. They lack anti-virus and other security software, and they are turned on and connected to the internet all the time. The owners of these devices are often consumers or businesses who do not have the training to secure these devices.
Because attackers go directly to open ports used for administration – typically SSH and Telnet – they do not have to deal with things like social engineering, email poisoning or zero-day attacks to hijack devices.
Many of the devices used in the Mirai attacks were made by or included components made by a single vendor, XiongMai Technologies, which has issued recalls and sofware updates for some of its products to make them more secure.
Are you infected?
One indicator that an IoT device might be infected with Mirai is that the SSH and Telnet ports (22 and 23) are closed. Mirai does that so administrators cannot get in and nobody else can attack the machine in the same way. Since Mirai is in memory, rebooting the machine should open them again. This should be done offline and afterwards the default password should be changed to help avoid reinfection. In some cases it’s not easy or even possible to change the passwords.
If firewalls are set to block traffic to IoT devices they protect, they should be protected from infection, say researchers at Imperva.
There are steps businesses can take if they are worried about whether their Web sites will be taken down by future attacks on DNS services. The top one is to hire more than one DNS provider so if one is impaired another can pick up the slack. They should also formulate a plan for what they are going to do when they do suffer such an outage and have the names and phone number s of those who will be involved. Everyone should be aware of their responsibilities and the team should practice their responses in simulation exercises.
IDG News Service