Competing hackers dampen the power of Mirai botnets

The malware behind last month’s massive distributed denial-of-service attack in the U.S. appears to be losing its potency. Ironically, hackers are to blame for diluting its power.  

The malware known as Mirai — which is now available on the internet — has become a bit too popular in the hacking community, according to security firm Flashpoint.

Competing hackers have all been trying to take advantage of Mirai to launch new DDoS attacks. To do so, that means infecting the poorly secured internet-connected devices, such as surveillance cameras, baby monitors, and DVRs, that the malware was designed to exploit.

The problem is the malware may have run out of new devices to infect, forcing the hackers to vie for control over a limited resource pool. That competition appears to be stiff.

On Tuesday, Flashpoint said it found that the Mirai malware is probably being used across 52 different networks of enslaved devices, often called botnets.

Many of these hackers are coming up with their own strains of Mirai to fight over the what devices they can infect, Flashpoint analyst John Costello said in an email.

However, that competition is also fracturing Mirai’s full power. Newly formed botnets created through Mirai are becoming smaller in size, ever since the source code to the malware was released back in late September.

“Due to these factors, the botnet’s fracturing has significantly lowered the impact, efficacy, and damage of subsequent attacks,” Flashpoint said in a blog post.

Hackers also face another challenge to fully exploit Mirai — the malicious coding has been designed to kick out competing malware.

It does this whenever it spreads to a new device. Mirai will also attempt to lock down the device, shutting off the ports that allowed the infection in the first place, Costello said.  

That feature may be inadvertently contributing to the diminishing power of the malware. For instance, last week, one large Mirai-powered botnet was found attacking IP addresses in Liberia, disrupting business at a local mobile service provider.

But since then, the server controlling the botnet has gone offline, according to a security researcher who goes by the name MalwareTech. Without a master, the Mirai-infected devices will no longer attack, nor can they be overtaken by another malware in most cases.

Only when the devices are rebooted does the Mirai infection clear, Costello said. Competing hackers will then try to quickly reinfect the devices, sometimes within 30 seconds of the device going back online.

“This appears to be the primary means by which vulnerable devices are reinfected and the main method by which botnet ownership has fluctuated over time,” he said.

It isn’t clear how big these individual Mirai-powered botnets are, but internet backbone provider Level 3 Communications estimated last month that more than 500,000 devices had been infected with the malware.

Security researcher Kevin Beaumont agreed that Mirai-powered botnets appear to be fracturing under the competition. Nevertheless, there are still three or four large Mirai botnets capable of taking down websites, he said. He pointed to online gambling service William Hill, which was likely hit with a DDoS attack and kicked offline by a Mirai botnet last week.