Mirai Botnet: A Sign of DDoS to Come
Attackers are always looking for new and novel methods of attack. These initially may be difficult to defend against, as these were new to the environment. Of the recent attacks, Mirai has been a major contributor to the malware business. This has created quite a stir in the market. Mirai was coded to target embedded systems and IoT devices as tools to spread the malware and also as attack tools. This malware sample is notable in that this malware created the largest DDoS attacks recorded to this junction. This has been shown to be a rather significant issue for those affected, even with a DDoS protection app in place with third party vendors.
The Mirai attack does not have a specific set of targets in mind. This bot army focuses its energy on any particular target based on any number of reasons, from the person or entity. Each time the bots are rented, a specific target is chosen. The prior publicized targets have been Krebs on Security (620 Gps), Deutsche Telecom, KCOM, Irish telco Eir, the French internet provider OVH (1.1 Tbps), Dyn, and others.
Method of Attack
The attack has evolved over time. Initially, Mirai utilized routers manufactured by the Taiwan company ZyXEL. This particular router posed the vulnerability with port 7547, a maintenance interface, using the TR-064 and TR-069 protocols. Once exploited, the unauthorized third party may access and alter the router LAN configuration and become part of the bot army. Originally they began with 200K bots. Now, there are over 400K bots to carry out the attacks. There could be as many as 5M routers that could be vulnerable to this exploit. These bots have a minimum rental period of two weeks. For the person renting the destructive bots, the number of bots and duration drive the cost. The attack may be extended, as this has been coded to spoof the individual bot’s IP address. This works to appear to be a new node that had not been blacklisted yet.
This has been a rather significant issue and alarming trend. This attack alone has garnered a mass amount of attention and press, cost the targets large amounts of money, and at times lost their DDoS defense vendor. As this issue brings much attention to the weak link, the equipment manufacturers have started to focus on reviewing the issue. As an example, ZyXEL began to investigate this issue. The vulnerability allegedly was arising from one of the chipset providers (Econet) with chipsets RT63365 and MT7505. As of December 2016, ZyXEL was working on a patch.
Another option is to place the equipment behind a firewall or NAT with no ports exposed. This is important as with this being exposed, it is vulnerable. A rather short-term yet effective remediation for this issue is to reboot the equipment. This clears the memory, removing the issue. This, although effective is problematic as this may be reinfected with little effort. As an additional step, the default password should be changed.
Vendors & IoT
There has been a continuing issue where the vendors and IoT security meet. These devices have overlooked security for years, via using insecure protocols, not securing the device’s communication, and most of other factors. The persons devising attacks clearly have taken notice of this and are exploiting the IoT devices left and right.
There are only a few mass attacks that have been on this level and with such immediate devastation. A business could be attacked for no reason and suffer the detrimental effects.
Cimpanu, C. (2016, November 24). You can now rent a mirai botnet of 400,000 bots. Retrieved from https://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/
Heller, M. (2016, November 30). Modified mirai botnet could infect five million routers. Retrieved from http://searchsecurity.techtarget.com/news/450403881/Modified-Mirai-botnet-could-infect-five-million-routers
Krebs, B. (2016, October 16). Source code for IoT botnet ‘mirai’ released. Retrieved from https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
Leyden, J. (2016, December 2). Sh...IoT just got real: Mirai botnet attacks targeting multiple ISPs. Retrieved from http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/
US-CERT. (2016, November 30). Alert (TA16-288!): Heightened DDoS threat posed by mirai and other botnets. Retrieved from https://www.us-cert.gov/ncas/alerts/TA16-288A
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.