Inside the Mirai Malware That Powers IoT Botnets
In early October 2016, the source code for a specific Internet of Things (IoT) malware was released on a hacking community called “Hackforums.” The malicious item, now known as Mirai malware, was posted by a user named Anna-Senpai, who claimed a botnet was used to prey on hundreds of thousands of IoT devices daily.
We now know this was the distributed denial of service / DDoS attack vector used by threat actors on Oct. 21, 2016 to take down DNS provider Dyn. The DDoS attack single-handedly disrupted global Internet services, including many of Dyn’s top consumer application services customers, such as Spotify, Reddit and Github.
“It was an interesting point to see the bad guys are moving upstream for DDoS attacks on the DNS providers, instead of just against sites or applications,” A10 Networks Director of Cyber Operations Dr. Chase Cunningham told Computer Weekly.
How Mirai Works
The Mirai malware power stems from its ability to spread itself to other connected IoT devices, creating the Mirai botnet. The malware the Internet for IoT devices and systems that are protected by hard-coded usernames and passwords and other factory defaults (as is the case in many IoT systems that are already installed).
Because Mirai malware knows these default passwords, the Mirai botnet can command any number of devices, such as routers, webcams, DVRs, IP cameras, thermostats, and other Internet-connected devices. The result is a powerful global botnet that can launch large-scale DDoS attacks against any type of service, application, site or organization.
Mirai: A Forensic Analysis
To shed light on this new attack vector, the A10 Networks security team investigated Mirai and conducted forensic analysis on the Mirai malware and Mirai botnet.
At a basic level, Mirai consists of a suite of various attacks that target lower-layer Internet protocols and select Internet applications. To date, A10 has uncovered nine specific DDoS attack vectors that Mirai targets during an attack.
Alarmingly, hackers, criminal groups or threat actors just need a scanner and they can jump into the cybercrime arena of DDoS bot-herding. Because of the nature of this type of attack — and the ease with which it can be launched — we will continue to see these types of attacks in the near future. Combined with a ransom-type activity, an IoT-based botnet could easily power a dangerous money-making machine.
Investigating the Mirai Botnet
Mirai, a clever malware that takes advantage of lax security standards in connected smart devices to build massive botnets that are able to deploy DDoS payloads.
- Learn more about A10 Networks’ SSL inspection/TLS inspection solutions
- Learn more about A10 Networks’ DDoS Protection solutions
How cloud-ready and modernized are your application services?
Take this brief multi-cloud application services assessment and receive a customized report.Take the Survey