So far, the largest attacks have been caused by one particular malware family – Mirai. Although the original botnet is probably on its way out, its offspring and competitors in the malware trade are on the rise.
Record breaking DDoS attacks
The Mirai’s claim to fame included massive attacks on the Krebs On Security site (620 Gbps), French web host OVH (1 Tbps), and DNS provider Dyn (1.2 Tbps). That attack on Dyn, the largest DDoS on record (for now), prevented users in Europe and North America from connecting to a large number of popular sites.
Twitter, Amazon, CNN, PayPal, Reddit, Visa, SoundCloud, and AirBnB were just some of the many high-profile sites that were affected by that single attack.
Mirai malware source code
There seemed to be a sliver of good news when a Hackforums user, whom some believed was the creator of Mirai, expressed intention of hanging up his/her cape. Going by the nickname of “Anna-senpai”, the user posted that when he/she first entered into the DDoS industry, he/she “wasn’t planning on staying in it long.”, adding that “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO”
But as it turned out, the entire announcement was really a portent of what could potentially be an even greater threat. The user continued the post saying, “So today, I have an amazing release for you…”. That release turned out to be the source code of the Mirai malware itself. The source code can now be found on Github.
So with the Mirai source code out in the open, what else could anyone expect? Naturally, it shouldn’t take long for other miscreants to develop their own versions of IoT botnet malware.
That’s probably what happened here…
Very recently, a botnet with similar characteristics as Mirai was discovered by researchers at white hat security research group MalwareMustDie.org. Dubbed Linux/IRCTelnet, this botnet snags IoT devices by taking advantage of the default passwords hard-coded in them. These passwords are usually weak (and hence easily broken by brute force attacks) or have already been disclosed in hacking forums (some, via the Mirai botnet).
The botnet clients receive commands from malicious C&C IRC servers through the Telnet protocol. To cripple targets, the Linux/IRCTelnet can carry out Denial-of-Service mechanisms like UDP flood, TCP flood, and several other attacks through both the IPv4 or IPv6 protocols.
Another IoT botnet we should be worried about is Bashlite. While Linux/IRCTelnet is still on the rise, Bashlite is already quite well established. Apparently, this malware family has already managed to infect a million endpoint devices, the majority of which are IoT devices, and has even been used to conduct DDoS attacks-for-hire.
Like the other two IoT botnets, Bashlite also exploits default usernames and passwords. It can launch TCP and UDP floods, and can even carry out HTTP attacks.
The malicious code used by these types of malware reside in memory. So, theoretically, they can be removed by simply restarting the compromised devices. However, the volume of scans conducted by these malware are so large, that they can also as easily re-infect the restarted devices.
The use of default or non-configurable login credentials is one of the vulnerabilities we outlined in our post “IoT Vulnerabilities – What Should You Secure?”. Unless this vulnerability, which exists in a large number of IoT devices out there, is addressed, IoT botnets like Linux/IRCTelnet and Mirai will continue to exploit it.