A Post-Mortem on the Mirai Botnet Part 2: Analyzing the Attack
Cracking the Code
According to several independent research sources, Mirai spread across the Internet by recruiting devices as zombies in the simplest way possible: logging into them with their default, factory-set usernames and passwords. Telnet and SSH are both cited as the way in; as the port numbers below show, Mirai’s own scanner speaks Telnet, but the same default credentials frequently open SSH on the same devices.
As described by researcher Brian Krebs, whose own site was an early target of Mirai’s opening salvo, many IoT devices let the user change the default username and password yet still expose Telnet and SSH to the network. Both are text-based remote-login services: a client (on most systems simply the telnet or ssh command) connects to the device’s listening port and is greeted with a username and password prompt, which is exactly the exchange a scanning bot automates.
A whitehat research group, MalwareMustDie!, obtained Mirai samples and found that the botnet uses open Telnet ports to target ARM, ARM7, MIPS, PPC and x86 devices running embedded Linux, mostly DVRs and IP cameras. Its detection-avoidance behaviour is what makes it so troublesome: once it has forced its way in with an entry from its list of default credentials, it sits quiet long enough to escape early detection, then contacts its command-and-control (C2) server for instructions. From there the C2 can send a bot down either of two parallel paths: generating DDoS traffic, or scanning for and brute-forcing further DVRs and IP cameras to grow the botnet. Because different groups of bots can be given different orders, the botnet can run simultaneous DDoS attacks against multiple, unrelated targets, including high-volume, far-from-trivial ones.
Next, as described in this SecurityWeek article (6), Mirai performs wide-ranging scans of the IPv4 address space to identify under-secured IoT devices and logs into them with weak credentials. The scanning targets destination ports TCP/23 and TCP/2323. The bot ships with 62 username and password combinations common to IoT devices. Researchers found that many infected devices can be “cleaned” with a restart, because the bot runs only in memory, but the botnet’s constant scanning means an unchanged device is typically re-infected within minutes of coming back online.
Finally, once in place, the malware can launch a wide variety of attacks, blunt and nuanced alike: HTTP floods; layer 3 and 4 attacks including GRE IP and GRE Ethernet floods, SYN and ACK floods and UDP floods; STOMP (Simple Text Oriented Messaging Protocol) floods; and DNS floods. Researchers also found that Mirai is territorial: it carries routines that kill competing worms and Trojans on the device, and it blocks further remote connection attempts to the hijacked device so that nobody else, the device’s owner included, can get in the same way it did.
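The scanning behaviour just described leaves a recognisable footprint in your own firewall logs: one internal host opening connections to many distinct addresses on TCP/23 and TCP/2323 within a short time. The script below is an added example, not code from this article or from any of the research it cites. It flags that pattern over connection-log lines and, separately, lists internal devices that receive Telnet-port connections from outside your address space (the devices a Mirai sweep can actually reach). The log line format, the RFC 1918 ranges used to define “internal”, the 20-hosts-per-minute threshold and the sample lines are all constructed assumptions; adapt them to your firewall’s export format and your inventory.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one SYN per line, e.g.
#   2016-10-21T10:00:00Z SRC=10.0.0.17 DST=203.0.113.1 PROTO=TCP DPT=23 SYN
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+) SYN$"
)
TELNET_PORTS = {23, 2323}
# Assumption: your own address space is RFC 1918; replace with the real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse(lines):
    """Parse log lines into (timestamp, src, dst, dport) tuples sorted by time.
    Lines that do not match the expected format are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    events.sort()
    return events


def find_scanners(events, window=timedelta(seconds=60), threshold=20):
    """Flag sources that reach >= `threshold` distinct hosts on TCP/23 or
    TCP/2323 inside any sliding `window`. Returns {src: peak distinct hosts}."""
    hits = defaultdict(list)
    for ts, src, dst, dpt in events:
        if dpt in TELNET_PORTS:
            hits[src].append((ts, dst))
    flagged = {}
    for src, seq in hits.items():
        start, peak = 0, 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in seq[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def find_wan_exposed(events):
    """Flag internal hosts that receive Telnet-port SYNs from outside your
    address space. Returns {internal dst: {external src, ...}}."""
    exposed = defaultdict(set)
    for _, src, dst, dpt in events:
        if dpt in TELNET_PORTS and is_internal(dst) and not is_internal(src):
            exposed[dst].add(src)
    return dict(exposed)


def constructed_log():
    """Constructed sample: an infected camera sweeping 30 hosts in 30 seconds,
    an admin using Telnet to one switch, and a single probe from the Internet."""
    base = datetime(2016, 10, 21, 10, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%SZ} SRC={src} DST={dst} PROTO=TCP DPT={dpt} SYN"
    lines = [fmt.format(ts=base + timedelta(seconds=i), src="10.0.0.17",
                        dst=f"203.0.113.{i + 1}", dpt=2323 if i % 10 == 0 else 23)
             for i in range(30)]
    lines += [fmt.format(ts=base + timedelta(minutes=i), src="10.0.0.5",
                         dst="10.0.0.250", dpt=23) for i in range(5)]
    lines.append(fmt.format(ts=base + timedelta(seconds=45), src="198.51.100.9",
                            dst="10.0.0.40", dpt=2323))
    lines.append("kernel: eth0 link up")  # unrelated line; must be skipped
    return lines


if __name__ == "__main__":
    ev = parse(constructed_log())
    print("Mirai-style scanners:", find_scanners(ev))
    print("WAN-exposed Telnet:", find_wan_exposed(ev))
```

On the constructed sample the first function reports only the camera (30 distinct hosts inside one minute; the administrator’s five connections to a single switch never trip it), and the second reports the DVR at 10.0.0.40 as reachable on TCP/2323 from the Internet. Tune the threshold to your environment: a legitimate network scanner or monitoring host will also trip it and belongs on an allow-list, not in the alert.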
What makes the Mirai Botnet so attractive to DDoS hackers?
As we outlined in Part 1 of our series on this outbreak, the Mirai botnet was first observed being offered for sale on the Dark Net.
As described by researchers at Arbor Networks who closely examined Mirai, those individuals renting the botnet have a plethora of capabilities at their disposal. For example:
It can be customized. Mirai can deliver UDP, SYN and ACK floods at the network and transport layers as well as application-layer attacks, including so-called DNS Water Torture attacks (floods of queries for random, non-existent subdomains that exhaust the target’s authoritative name servers).
It can be segmented. Researchers estimate the original Mirai botnet contained between 500,000 and 550,000 nodes, which could be split up to attack multiple targets simultaneously.
It’s user-configurable. Many DDoS-for-hire botnets can vary their attack traffic, but that is not a feature usually exposed to inexperienced users. Mirai, however, comes pre-loaded with multiple attack types coupled with a high degree of customizability.
It’s economical. Launching a DDoS attack costs very little, while the organizations defending against one have to spend significant money, technique and time to thwart it. As a result, a botnet like Mirai becomes, in the words of this researcher, a “great equalizer” between threat actor groups and nation states.
Are consumer as well as business IoT devices similarly at risk from infection?
One of the weaknesses Mirai exploited is Telnet: an unencrypted network service listening on a well-known port that is easy to connect to and, given default credentials, easy to log into. That is concerning because more and more consumer product manufacturers are connecting their devices to the network, and when they do they mostly look for the cheapest way to join the IoT “grid”; security becomes secondary, a “nice to have”. For consumers that means convenience. Vendors may advertise these devices as secure, but in practice security is mostly an afterthought. We’ll explore this more concretely in our next post in this series.
Businesses, for whom security must take precedence, need to assess these devices as they would anything else lighting up on their network: what OS are they running, what ports are open, what vulnerabilities might they present? Precisely because they are so easy to compromise, and often invisible to even the most scrupulous security team, IoT devices need the same scrutiny as any other device on your network.
How can I proactively prevent attacks on the IoT devices on my network?
With more of these devices entering corporate environments, IT security efforts need to start taking them into consideration. That includes, above all, changing the factory-default passwords shipped with each IoT device. There are also other steps you can take to mitigate and prevent these attacks:
- Change Your Password. This is not only good advice for those of us who shop online or have been notified that an e-commerce site we recently used has been breached; it applies equally to IoT devices. In fact, according to this report, replacing the factory-set username and password with ones that are unique to your organization and not easily guessed is a bulwark against a credential-guessing botnet like Mirai, which tries nothing beyond its built-in list.
- Turn them off. For currently deployed IoT devices, turn them off when not in use. If Mirai does infect a device, rebooting it evicts the bot, but only a changed password stops it coming straight back: change the credentials first (or with the device disconnected), then reboot.
- Disable all remote access to them. To protect devices from Mirai and other botnets, block inbound TCP/23 and TCP/2323 to those devices at the network edge, and more generally disable all remote (WAN) access to them; management should only be possible from your internal network, ideally from a dedicated management segment.
- Research Your Purchase. Before you even buy a product, research what you are buying and make sure that you know how to update any software associated with the device. Look for devices, systems, and services that make it easy to update the device and inform the end user when updates are available.
- Use It or Lose It. Once the product is in your office, turn off the functions you are not using; every enabled function is additional attack surface. Again, review this before you bring the product into the workplace. If it is already there, don’t be shy about calling customer service and walking through the steps needed to shut down any unused functions.
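Before changing passwords across an estate you need to know which devices still accept factory defaults, which is the same check the steps above ask for. The script below is an added example, not tooling from Outpost24 or from the research cited above: it drives a Telnet login with a short list of the publicly documented Mirai default pairs and reports which ones grant a shell. The credential list is a sample (the bot’s own table has 62 entries), the prompt strings it waits for are assumptions about typical BusyBox-based devices, and start_mock_device is a constructed stand-in for a DVR so the code can be run offline. Run it only against devices you own or are authorised to test.

```python
import socket
import threading

# Sample of publicly documented Mirai default pairs (assumption: a subset only;
# extend with your own vendors' documented defaults).
DEFAULT_CREDS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("support", "support"),
    ("root", "root"), ("admin", "password"), ("user", "user"),
]


def _recv_until(sock, markers, limit=4096):
    """Read from `sock` until one of `markers` appears, the peer closes, or the
    socket times out; return what was read as text."""
    buf = b""
    while len(buf) < limit:
        try:
            chunk = sock.recv(256)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
        if any(m in buf for m in markers):
            break
    return buf.decode("latin-1", "replace")


def try_login(host, port, user, password, timeout=3.0):
    """Drive one Telnet login. True if the device answers with a shell prompt.
    Prompt markers are assumptions about common embedded-Linux login banners."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _recv_until(s, [b"ogin:", b"sername:"])
        s.sendall(user.encode() + b"\r\n")
        _recv_until(s, [b"assword:"])
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, [b"# ", b"$ ", b"> ", b"incorrect", b"failed"])
    lowered = reply.lower()
    if "incorrect" in lowered or "failed" in lowered:
        return False
    return reply.rstrip().endswith(("#", "$", ">"))


def audit_device(host, port=23, creds=DEFAULT_CREDS):
    """Return every (user, password) pair in `creds` that grants a shell."""
    working = []
    for user, password in creds:
        try:
            if try_login(host, port, user, password):
                working.append((user, password))
        except OSError:
            # closed or filtered port, reset, or timeout: counts as no login
            pass
    return working


def start_mock_device(accept_user, accept_pass):
    """Constructed stand-in for a DVR's Telnet service on a loopback port so the
    audit can be exercised offline. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)
    stop = threading.Event()

    def readline(conn):
        data = b""
        while not data.endswith(b"\n"):
            chunk = conn.recv(1)
            if not chunk:
                break
            data += chunk
        return data.strip().decode("latin-1")

    def handle(conn):
        with conn:
            conn.settimeout(3.0)
            conn.sendall(b"\r\nlogin: ")
            user = readline(conn)
            conn.sendall(b"Password: ")
            pw = readline(conn)
            if (user, pw) == (accept_user, accept_pass):
                conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            try:
                handle(conn)
            except OSError:
                pass  # client went away mid-exchange; keep serving
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    port, stop = start_mock_device("admin", "admin")
    try:
        print("default credentials accepted:", audit_device("127.0.0.1", port))
    finally:
        stop()
```

If audit_device returns anything for a real device, change that credential first, then reboot the device to evict anything already running in memory, and only then put it back on a network the Internet can reach; in the reverse order it is re-infected before you finish typing. A device that times out on every attempt is not necessarily safe: it may simply be rate-limiting you, so confirm the port state with a port scan before crossing it off the list.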
In the concluding post of this series, we’ll examine which devices are being targeted by this malware; how to patch and update to prevent hacks; how manufacturers can be compelled to harden security and what solutions from Outpost24 can help you to find and detect at-risk IoT devices.