Mirai - A botnet responsible for the largest DDoS attack

Mirai is a botnet that was responsible for the largest DDoS attacks recorded at the time. On 20 September 2016 the security news site KrebsOnSecurity.com was hit by an attack of roughly 620 Gbps, and shortly afterwards the French hosting provider OVH reported being targeted by a DDoS attack of about 1.1 Tbps. Mirai set these records despite not being the biggest botnet in the world.
BusyBox is the Swiss army knife of embedded Linux: it combines tiny, stripped-down versions of UNIX utilities into a single executable, which stands in for the basic functions of more than 300 common commands. Mirai targets IoT devices that run BusyBox and uses them to conduct DDoS attacks. It scans for telnet servers and tries a list of 62 commonly used username and password pairs, such as admin:admin, to brute force its way in. After gaining access, it takes over ports 22, 23 and 80 (killing whatever is listening on them) in order to lock the owners out of their own devices and to keep other malware from infecting the same device.
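The telnet credential spraying described above is easy to spot on the defending side if login attempts are logged. The following Python is an added example, not code from the article or from the Mirai source: it parses telnet login records, flags sources that cycle through several default credential pairs, and reports any successful login that used one of those pairs. The log format and the sample lines are constructed for the example, and the credential list is a small illustrative subset of the kind of default pairs the leaked list contains (the article itself names only admin:admin), not the full 62-entry list.

```python
"""Flag Mirai-style default-credential telnet login attempts.

Added example (not from the article or from the Mirai source).
Assumed, constructed log format, one login attempt per line:
    <ISO timestamp> <source ip> <username>:<password> <OK|FAIL>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Illustrative subset standing in for the 62-entry list Mirai sprays.
# admin:admin is the pair the article names; the rest are well-known
# IoT factory defaults chosen for the example.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("root", "root"),
    ("root", "admin"),
    ("root", "xc3511"),
    ("root", "vizxv"),
    ("root", "888888"),
    ("support", "support"),
    ("admin", "password"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<user>[^:\s]*):(?P<pw>\S*)\s+(?P<result>OK|FAIL)$"
)

# Constructed sample: one sprayer, one device that fell to a default
# password, one legitimate user, and one malformed line.
SAMPLE_LOG = """\
2016-09-20T01:00:01Z 198.51.100.7 admin:admin FAIL
2016-09-20T01:00:02Z 198.51.100.7 root:xc3511 FAIL
2016-09-20T01:00:03Z 198.51.100.7 root:vizxv FAIL
2016-09-20T01:00:04Z 198.51.100.7 root:888888 FAIL
2016-09-20T01:00:09Z 203.0.113.44 admin:admin FAIL
2016-09-20T01:00:10Z 203.0.113.44 root:vizxv OK
2016-09-20T01:00:15Z 192.0.2.10 alice:Tr0ub4dor&3 FAIL
2016-09-20T01:00:16Z 192.0.2.10 alice:correcthorse OK
this line is malformed and must be skipped
"""


@dataclass
class SourceStats:
    attempts: int = 0
    default_pairs: set = field(default_factory=set)   # distinct defaults tried
    default_success: list = field(default_factory=list)  # defaults that worked


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, min_default_pairs=3):
    """Group attempts by source IP and flag spraying and default-password logins.

    A source is reported as a sprayer once it has tried at least
    min_default_pairs distinct pairs from DEFAULT_CREDENTIALS; any OK
    result with a default pair is reported regardless of attempt count.
    """
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        pair = (rec["user"], rec["pw"])
        if pair in DEFAULT_CREDENTIALS:
            s.default_pairs.add(pair)
            if rec["result"] == "OK":
                s.default_success.append(pair)
    sprayers = sorted(ip for ip, s in stats.items()
                      if len(s.default_pairs) >= min_default_pairs)
    default_logins = {ip: s.default_success
                      for ip, s in stats.items() if s.default_success}
    return {"sprayers": sprayers, "default_logins": default_logins, "stats": stats}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    print("credential sprayers:", report["sprayers"])
    print("logins with a default pair:", report["default_logins"])
```

A successful login with a default pair is the finding that matters: it means the device accepted a factory credential over telnet and should be treated as compromised, not merely scanned. Lowering `min_default_pairs` catches slower sprayers at the cost of more noise.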

How is Mirai responsible for the biggest recorded DDoS attack?

There is no simple answer to this, but we can glean some hints from the fact that Mirai is an IoT botnet. Conventional botnets consist of infected desktop computers compromised via social engineering, spam, exploits and so on. These botnets are costly to maintain and run. Also, as the anti-virus industry has progressed, the number of infected computers in a conventional botnet has shrunk considerably. Combined with the maintenance cost, this has made conventional botnets less profitable.
IoT devices, on the other hand, are cheap and easy to infect and maintain. IoT is still a niche field in which proper security practices are not widely applied. From default credentials used for authentication to badly implemented encryption, IoT devices remain very vulnerable and are an attacker's dream come true. Because many of these devices are embedded systems, patching is also difficult, even as new vulnerabilities and exploits are reported daily.
Another point in favour of IoT botnets is uptime. The online population of a conventional botnet of desktop computers peaks during the daytime and is at its lowest at night and on weekends, because people do not keep their computers running 24 hours a day, 7 days a week. In stark contrast, IoT devices such as routers, CCTV cameras, refrigerators and thermostats are online all day, every day. When it comes to having enough devices online to launch a crippling DDoS attack, IoT botnets beat conventional ones.
These factors played a major role in turning an unsophisticated telnet brute-forcing attack into the record-breaking DDoS attack that drew worldwide attention from the media and from security researchers.
After fingerprinting the infected devices, the majority were found to be CCTV cameras running Dahua firmware or a generic management interface. Their RTSP (Real Time Streaming Protocol) streams were exposed to the internet and could be viewed remotely using the same default passwords Mirai used to compromise the cameras.
And it does not end there: on 30 September 2016 a user named "Anna-senpai" released the Mirai source code on hackforums.net, a hacking community. Now anyone, from script kiddies and hackers to security researchers, can run their own IoT botnet.

Authored by Shubham Bhardwaj
TCS Enterprise Security and Risk Management