Mirai (malware)
Original author(s) |
"Anna-senpai" (online pseudonym) |
---|---|
Written in | C (agent), Go (controller) |
Operating system | Linux |
Type | Botnet |
Mirai (Japanese for "the future") is malware that turns computer systems running Linux into remotely controlled "bots", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers.[1] The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 [2] on computer security journalist Brian Krebs's web site, an attack on French web host OVH[3] and the October 2016 Dyn cyberattack.[4][5][6]
The source code for Mirai has been published in hacker forums as open-source.[7] Since the source code was published, the techniques have been adapted in other malware projects.[8]
Malware
Devices infected by Mirai continuously scan the internet for the IP address of Internet of things (IoT) devices. Mirai includes a table of subnet masks that it will not infect, including private networks and addresses allocated to the United States Postal Service and Department of Defense.[9]
Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware.[3][10][11] Infected devices will continue to function normally, except for occasional sluggishness,[10] and an increased use of bandwidth. A device remains infected until it is rebooted, which may involve simply turning the device off and after a short wait turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes.[10] Upon infection Mirai will identify "competing" malware and remove them from memory and block remote administration ports.[12]
There are hundreds of thousands of IoT devices which use default settings, making them vulnerable to infection. Once infected, the device will monitor a command and control server which indicates the target of an attack.[10] The reason for the use of the large number of IoT devices is to bypass some anti-DoS software which monitors the IP address of incoming requests and filters or sets up a block if it identifies an abnormal traffic pattern, for example, if too many requests come from a particular IP address. Other reasons include to be able to marshall more bandwidth than the perpetrator can assemble alone, and to avoid being traced.
Use in DDoS attacks
Mirai was used in the DDoS attack on 20 September 2016 on the Krebs on Security site which reached 620 Gbps.[13] Ars Technica also reported a 1 Tbps attack on French web host OVH.[3]
On 21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dyn occurred using Mirai malware installed on a large number of IoT devices, resulting in the inaccessibility of several high profile websites such as GitHub, Twitter, Reddit, Netflix, Airbnb and many others.[14] The attribution of the attack to the Mirai botnet was originally reported by BackConnect Inc., a security firm.[15]
Staff at Deep Learning Security observed the steady growth of Mirai botnets before and after the 21 October attack.[16]
Mirai has also been used in an attack on Liberia's Internet infrastructure in November 2016.[17][18][19] According to computer security expert Kevin Beaumont the attack appears to have originated from the actor which also attacked Dyn.[17]
At the end of November 2016 0.9 million routers, from Deutsche Telekom and produced by Arcadyan, were forced offline, which resulted in Internet connectivity problems for the users of these devices.[20]
See also
- Denial-of-service attack
- BASHLITE – another notable IoT malware
- Linux.Darlloz – another notable IoT malware
- Remaiten - another IoT DDoS bot
- Linux.Wifatch
References
- ↑ Biggs, John (Oct 10, 2016). "Hackers release source code for a powerful DDoS app called Mirai". TechCrunch. Retrieved 19 October 2016.
- ↑ Krebs, Brian (September 21, 2016). "KrebsOnSecurity Hit With Record DDoS". Brian Krebs. Retrieved 17 November 2016.
- 1 2 3 Bonderud, Douglas (October 4, 2016). "Leaked Mirai Malware Boosts IoT Insecurity Threat Level". securityintelligence.com. Retrieved 20 October 2016.
- ↑ Hackett, Robert (October 3, 2016). "Why a Hacker Dumped Code Behind Colossal Website-Trampling Botnet". Fortune.com. Retrieved 19 October 2016.
- ↑ Newman, Lily Hay. "What We Know About Friday's Massive East Coast Internet Outage". WIRED. Retrieved 2016-10-21.
- ↑ "Dyn | crunchbase". www.crunchbase.com. Retrieved 2016-10-23.
- ↑ Statt, Nick (October 21, 2016). "How an army of vulnerable gadgets took down the web today". The Verge. Retrieved October 21, 2016.
- ↑ Kan, Michael (October 18, 2016). "Hackers create more IoT botnets with Mirai source code". ITWORLD. Retrieved 20 October 2016.
- ↑ Zeifman, Igal; Bekerman, Dima; Herzberg, Ben (October 10, 2016). "Breaking Down Mirai: An IoT DDoS Botnet Analysis". Incapsula. Retrieved 20 October 2016.
- 1 2 3 4 Moffitt, Tyler (October 10, 2016). "Source Code for Mirai IoT Malware Released". Webroot. Retrieved 20 October 2016.
- ↑ Osborne, Charlie (October 17, 2016). "Mirai DDoS botnet powers up, infects Sierra Wireless gateways". ZDNet. Retrieved 20 October 2016.
- ↑ Xander (October 28, 2016). "DDoS on Dyn The Complete Story". ServerComparator. Retrieved 21 November 2016.
- ↑ The Economist, 8 October 2016, The internet of stings
- ↑ "Today the web was broken by countless hacked devices". theregister.co.uk. 21 October 2016. Retrieved 24 October 2016.
- ↑ "Blame the Internet of Things for Destroying the Internet Today". Motherboard. VICE. Retrieved 27 October 2016.
- ↑ "Think Mirai DDoS is over? It ain’t!!"
- 1 2 "Unprecedented cyber attack takes Liberia's entire internet down". The Telegraph. Retrieved 21 November 2016.
- ↑ "DDoS attack from Mirai malware 'killing business' in Liberia". PCWorld. Retrieved 21 November 2016.
- ↑ "Massive cyber-attack grinds Liberia's internet to a halt". The Guardian. Retrieved 21 November 2016.
- ↑ Kumar, Mohit (28 November 2016). "Cyber Attack Knocks Nearly a Million Routers Offline". thehackernews.com. Retrieved 29 November 2016.