Mirai Botnet Descendants Will Lead to Even Bigger Internet Outages


Hackers iterate constantly and at a frightening rate. Whenever a new piece of malware finds success, a million imitators and successors will pop up. The marketplace of ideas guarantees that the most successful of these variants will rapidly spawn offshoots of their own. We’ve seen this in the rise of ransomware, and now we will see it in the rise of botnets like Mirai.

When Mirai struck the internet this October, it was the largest DDoS attack ever recorded. It achieved a throughput of 1.2 Tbps by leveraging the potential of hundreds of thousands of insecure IoT devices. A troubling fact to consider is that Mirai also spawned the third-biggest DDoS attack earlier in September, bringing down Krebs on Security with traffic equivalent to 665 Gbps. In short, the more recent attack already represents an iteration of Mirai’s capabilities—what are we about to see next?

An Open-Source Menace

One of the most compelling reasons that we’re about to see a surge in Mirai-descended malware is the fact that it is now open-source. Anyone who’s motivated to create a large-scale internet outage is now free to tinker with Mirai’s design. In fact, we’re already seeing iterations that might push the capabilities of this virus even further.

A new cousin of Mirai is known to security researchers as Linux/IRC telnet. Like Mirai, it massively automates the process of finding, infecting, and controlling IoT devices. This new malware actually takes its cues from two different sources. Its source code isn’t based on Mirai itself—rather, it’s a revision of Aidra, a botnet that was found infecting routers, modems, and DVR devices as far back as 2013. From Mirai, it takes a list of login credentials representing the hard-coded admin passwords for newer and more vulnerable IoT devices such as webcams.
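The infection step described above is a burst of automated telnet logins using a short list of hard-coded credentials, which leaves a recognisable pattern in a device's or gateway's login log. The following detection script is an added example, not code from the article or from any of the malware families it names; the telnetd log format, the field names and the sample lines are all constructed for the illustration, and a real deployment would adapt the regular expression to whatever the device or syslog collector actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): a hypothetical IoT gateway
# recording telnet login attempts. One source hammers several default
# usernames within seconds and eventually gets in; another logs in once.
SAMPLE_LOG = """\
2016-11-28T03:10:01Z telnetd[412]: login attempt user=root from=203.0.113.7 result=FAIL
2016-11-28T03:10:02Z telnetd[412]: login attempt user=admin from=203.0.113.7 result=FAIL
2016-11-28T03:10:02Z telnetd[412]: login attempt user=root from=203.0.113.7 result=FAIL
2016-11-28T03:10:03Z telnetd[412]: login attempt user=root from=203.0.113.7 result=OK
2016-11-28T03:10:05Z telnetd[412]: login attempt user=support from=203.0.113.7 result=FAIL
2016-11-28T03:15:40Z telnetd[412]: login attempt user=admin from=198.51.100.20 result=OK
"""

# Hypothetical line layout; adjust to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login attempt "
    r"user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(log_text):
    """Turn log lines into (timestamp, user, source_ip, succeeded) tuples.

    Lines that do not match the expected layout are skipped rather than
    raising, so the detector keeps working on mixed syslog input.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"] == "OK"))
    return events


def find_bursts(events, window_seconds=60, threshold=3):
    """Flag sources that make `threshold` or more login attempts inside any
    `window_seconds` sliding window, the signature of credential-list
    scanning. Each finding records the usernames tried and whether any
    attempt succeeded, which is what an analyst needs to prioritise it.
    """
    by_src = defaultdict(list)
    for ts, user, src, ok in events:
        by_src[src].append((ts, user, ok))

    findings = []
    for src, items in by_src.items():
        items.sort(key=lambda e: e[0])
        times = [e[0] for e in items]
        peak, start = 0, 0
        # Two-pointer sweep: advance `start` until the window fits.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({
                "src": src,
                "attempts_in_window": peak,
                "users_tried": sorted({e[1] for e in items}),
                "succeeded": any(e[2] for e in items),
            })
    return findings


if __name__ == "__main__":
    for finding in find_bursts(parse_events(SAMPLE_LOG)):
        print(finding)
```

A single successful login from a source that was not bursting (the second address in the sample) is left alone; a source that tried several accounts in a few seconds and then got in is exactly the case worth an alert, because a successful default-credential login is the point at which the device joins the botnet.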

Internet Outages Are Now a Public Safety Issue

The thing to take away from the Aidra revision is that the 2013 edition was not particularly deadly. Per the original report, it was only designed to infect a rather small category of devices. By incorporating data from Mirai (which basically compromises the entire product range of an IoT chip manufacturer), the authors of Linux/IRC telnet have a much larger attack surface to choose from.

DDoS attacks are already common, but botnet malware that’s based on Mirai’s design philosophy has the potential to change the game. Open-source versions of Mirai give any random script kiddie the potential to whip up a massive robot army from unsecured IoT devices and then cause internet outages at will.

As our world becomes more networked, these abilities become more and more dangerous. Recently, two apartment complexes in Finland found themselves without heating when unknown hackers conducted DDoS attacks on their networked thermostats. This may seem benign, until you remember that winter in Finland produces subzero temperatures starting in mid-October. Unheated buildings in those conditions pose a hazard to their residents. The time is coming when a DDoS attack will kill.

Businesses, Manufacturers, and Governments Must Fight Botnet Proliferation

The Aidra revision isn’t the only mutant version of Mirai that’s achieved notoriety in recent weeks. A more directly descended variant knocked over 900K German users offline in mid-November. This particular version added a new category of insecure routers to its infected targets, and was so aggressive that it didn’t even need a persistence mechanism. Rather, it had the ability to re-infect a vulnerable device within ten minutes of it being reconnected to the internet.

There isn’t going to be a quick cure for IoT botnet proliferation—the toothpaste is out of the tube. To begin mitigating this epidemic, businesses, regulators, and manufacturers all need to work together. Manufacturers need to construct more resilient IoT products, businesses need to enforce proper hygiene on IoT devices, and regulators need to create a compliance regime for both users and manufacturers to follow.

The solution isn’t likely to be easy, but the alternative is worse. To keep abreast of all the news in this space and create a proper endpoint protection strategy, download this white paper: Industrial Control Systems Under Threat: Preventing the Next Stuxnet.