Mirai

Mirai is a botnet whose targets are devices of the so-called Internet of Things (IoT for short).

Main targets of this malware have been routers, digital video recorders and surveillance IP cameras.

This botnet was behind one of the largest denial of service (DDoS) attacks known to date, which affected large companies such as Twitter, Netflix, Spotify or PayPal.

This malware infected thousands of IoT devices, remaining inactive inside them.

The creators of Mirai activated it on October 21, 2016 to attack the DNS service provider Dyn. Both his services and those of his clients were down or experienced problems for hours.

It appeared that Mirai’s attack threshold was limited to IoT devices, but this theory was discarded after recent cases where their handlers began using Mirai to open a new flank of cyber attacks on Linux-equipped devices. Now the Mirai botnet is attempting to exploit a critical RCE flaw in the F5 BIG-IP software.

How does it work?

At its core, Mirai is a self-propagating worm, it’s a malicious program that replicates itself by finding, attacking and infecting vulnerable IoT devices.

It is also considered a botnet because the infected devices are controlled via a central set of command and control (C&C) servers. These servers tell the infected devices which sites to attack next. Overall, Mirai is made of two key components: a replication module and an attack module.

Replication module

The replication module is responsible for growing the botnet size by enslaving as many vulnerable IoT devices as possible. It accomplishes this by (randomly) scanning the entire Internet for viable targets and attacking. Once it compromises a vulnerable device, the module reports it to the C&C servers so it can be infected with the latest Mirai payload, as the diagram above illustrates.

To compromise devices, the initial version of Mirai relied exclusively on a fixed set of 64 well-known default login/password combinations commonly used by IoT devices. While this attack was very low tech, it proved extremely effective and led to the compromise of over 600,000 devices.

Attack module

The attack module is responsible for carrying out DDoS attacks against the targets specified by the C&C servers. This module implements most of the code DDoS techniques such as HTTP flooding, UDP flooding, and all TCP flooding options. This wide range of methods allowed Mirai to perform volumetric attacks, application-layer attacks, and TCP state-exhaustion attacks.

Secure yourself against Mirai copycats

The prevalence of insecure IoT devices on the Internet makes it very likely that, for the foreseeable future, they will be the main source of DDoS attacks.

Mirai and subsequent IoT botnets can be averted if IoT vendors start following basic security best practices. In particular, the following should be required of all IoT device makers:

• Eliminate default credentials: This will prevent hackers from constructing a credential main list that allows them to compromise a myriad of devices as MIRAI did.
• Make auto-patching mandatory: IoT devices are meant to be “set and forget,” which makes manual patching unlikely. Having them auto-patch is the only reasonable option to ensure that no widespread vulnerability can be exploited to take down a large chunk of the Internet.
• Implement rate limiting: Enforcing login rate limiting to prevent brute-force attack is a good way to mitigate the tendency of people to use weak passwords. Another alternative would be using a captcha or a proof or work.