The Mirai Botnet – Threats and Mitigations

Created by Josiah White, Paras Jha, and Dalton Norman, the Mirai botnet was initially written in C for the bots and Go for the controllers, with the initial purpose to knock rival Minecraft servers offline using distributed denial of service (DDoS) attacks [1]. The Mirai botnet soon spread to infect thousands of internet of things (IoT) devices and evolved to conduct full, large-scale attacks. After noticing an increase in infections, Mirai caught the attention of the nonprofit organization MalwareMustDie in August 2016, who then started to research, analyze, and track the botnet [2].

Damaging DDoS Attacks

Mirai’s first large-scale attack was in September 2016 against a French technology company, OVH. Mirai’s attack peaked at an unprecedented 1Tbps and is estimated to have used about 145,000 devices within the assault. This attack set the scale for how massive the botnet had become, with the second largest attack peaking around 400 Gbps. After the attack on OVH, Krebs on Security, created by the journalist Brian Krebs, was flooded with over 600 GB of data in late September 2016. Krebs was most likely targeted due to his line of investigative journalism into cyber-related crimes and was seen as a potential threat to the authors [3] .

On September 30, 2017, one of the botnet authors decided to release the source code on a popular hacker forum while simultaneously announcing their supposed departure from hacking [2]. There are several possible reasons why the author decided to dump the code, the most likely being to obfuscate their identity and avoid being charged for committed crimes. Soon after the source code’s release, others began using Mirai for their own malicious purposes and their attacks could no longer be tied back to a single user or group as one could do previously. On top of attribution becoming more difficult to accomplish, the release of the code also allowed for threat actors to increase the number of DDoS attacks conducted.

Since then, other authors added new and more destructive components, such as modules that allow for an increase in infection numbers or one that increases the speed at which it infects. Additionally, novel variants of Mirai have been created to include: Okiru, Satori, Masuta, and PureMasuta [4]. These variants take Mirai and add more functionality, such as the ability to attack computers as well as IoT devices to increase data output. The success of this botnet and its variants relies on the weak security of IoT products and technology. IoT devices built for convenience over security complicate mitigation efforts for the Mirai malware family.

Mirai Technical Details

Mirai starts as a self-propagating worm (T0866 [5]) replicating itself once it infects and locates another vulnerable IoT device [3]. Propagation is accomplished through using infected IoT devices to scan the internet to find additional vulnerable targets (T0883). If a suitable device is found, the already-infected device reports their findings back to a server. Once the server has their list of vulnerable devices, the server loads a payload and infects the target. Botnets, such as Mirai, focus on infecting as many devices as possible, which is made even more possible with the lack of security within IoT devices.

Initially, Mirai compromised these devices with brute force attacks that filled in 64 sets of common usernames and passwords (T0812) like “admin” and “password”; however, current modules and variants use up-to-date vulnerabilities to maximize efficiency. This can be seen in newer variants of the botnet, such as “IoT.Linux.MIRAI.VWISI” found in July 2020 and how it uses CVE-2020-10173 to exploit Comtrend VR-3033 routers [6]. Even more recently, AT&T’s Alien Labs had identified a variant named “Moobot” sharply increasing its scans for Tenda routers that are exploitable with a known remote code execution vulnerability (T1210), CVE-2020-10987. This recent variant also allowed researchers to trace the malware back to its hosting domain named “Cyberium” and has noted that other variants of Mirai reside here, as well [7].

The global distribution of these IoT devices is peculiar, due to the disproportionate number of infected devices coming from South America and Asia. During the attack on Krebs, he was able to gather the location of attacking devices and noticed an irregularity. In the total number of devices used, 31.2% of devices came from South America and 36.8% (counting Russia at 4.7%) from all of Asia [3].

Once infected and configured, the IoT device can be controlled from command and control (C2) servers (TA0011). After amassing thousands of infected devices, these C2 servers tell the devices what to attack. The C2 servers are able to utilize numerous DDoS (T1498) techniques such as HTTP, TCP, and UDP flooding (T1498.001) [6].

Mirai Botnet Mitigations

The Center for Internet Security (CIS) and Cybersecurity and Infrastructure Security Agency (CISA) recommend organizations follow the below mitigations to limit damage caused through a potential attack:

  • Follow CIS Benchmarks – Follow CIS Benchmarks for best practices in the secure configuration of a target system. [8]
  • Learn more about the CIS Benchmarks.

     

  • Segment your network – Ensure that all IoT devices are on a separate network from systems critical for daily operations.
  • Update IoT devices – Always keep IoT devices up to date to ensure there is less of a chance for infection.
  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date. [9]
  • Have an official password policy – Your original passwords may have been compromised. during the infection, so you should change them as soon as possible. [9]
  • Keep operating systems and application software up-to-date – Install software patches so that attackers cannot take advantage of known vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it. [9]
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. [9]

Sources

[1] https://krebsonsecurity.com/tag/mirai-botnet/
[2] https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/akamai-mirai-botnet-threat-advisory.pdf
[3] https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/#toc-2
[4] https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
[5] https://attack.mitre.org/
[6] https://www.trendmicro.com/en_us/research/20/g/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173.html
[7] https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants
[8] https://www.cisecurity.org/cis-benchmarks/
[9] https://us-cert.cisa.gov/ncas/alerts/TA15-105A