Mirai, Bricker Bot and the future of IoT malware


On October 21st, 2016, the biggest DDoS attack ever was launched against the service provider Dyn. The attack disabled major websites like Reddit, Netflix, Airbnb, CNN, and Twitter. A DDoS attack on that scale could only be made with a particular form of malware, one that had only been discovered a few months prior: Mirai.

Since then, Mirai malware has been detected in over 160 countries – even in places as remote as Somalia and Montenegro. McAfee Internet Security predicts that over 2.5 million devices have already been infected with Mirai-based malware – and 42 million are estimated to be vulnerable.

Mirai is possessing devices all over the world and then leveraging them into a sort of zombie army, capable of bringing even advanced systems and networks to their knees. The threat has even begun to fracture and grow in unpredictable ways.

What is Mirai Malware

Mirai is a type of malware that invades and infects networked appliances and machines, specifically IoT (Internet of Things) products, and uses them in concert with thousands of other infected devices to launch DDoS (Distributed Denial of Service) attacks: attacks that overwhelm and crash a server.

IoT devices as diverse as cameras, DVRs, routers, networked surveillance equipment, and a whole plethora of other smart devices are all at risk of being enslaved by this malware. One investigation estimated around 49,650 different IPs were hosting infected devices.

Once Mirai invades a device, it has two missions. The first is to find new IoT devices that it can infect. This search is done by scanning IP addresses to locate other lightly secured devices whose login credentials are either easily guessed or are still factory defaults. The second mission is to wait for remote commands, delivered via its command and control (C&C) channel, to launch attacks on selected targets. The end result is a botnet capable of wreaking havoc wherever the controller chooses.
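The scanning behaviour described above is also what makes an infected device visible on its own network: a camera or DVR that suddenly contacts many different addresses on a login port stands out. The following is an added example, not code from this article or from Mirai; the flow records, IP addresses, thresholds and the choice of Telnet ports 23 and 2323 are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumption: Telnet ports, which the original Mirai scanner probed; adjust as needed.
SCAN_PORTS = {23, 2323}

def find_scanners(flows, window_s=60, min_targets=5, ports=SCAN_PORTS):
    """Return {src_ip: peak number of distinct destinations contacted on
    `ports` within any window_s-second window}, for sources reaching min_targets."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(flows):
        if dport not in ports:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:   # evict entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_targets}

def sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # A camera touching 8 different addresses on Telnet ports within 16 seconds.
    for i in range(8):
        port = 23 if i % 2 else 2323
        flows.append((1000 + 2 * i, "10.0.0.23", f"198.51.100.{i + 1}", port))
    # An admin workstation that telnets to the same switch repeatedly.
    for i in range(8):
        flows.append((1000 + 2 * i, "10.0.0.5", "10.0.0.1", 23))
    # A DVR contacting 6 hosts spread over hours: never many in one window.
    for i in range(6):
        flows.append((1000 + 3600 * i, "10.0.0.40", f"203.0.113.{i + 1}", 23))
    # Ordinary HTTPS traffic with wide fan-out is ignored (port not monitored).
    for i in range(20):
        flows.append((1000 + i, "10.0.0.7", f"192.0.2.{i + 1}", 443))
    return flows

if __name__ == "__main__":
    for src, n in find_scanners(sample_flows()).items():
        print(f"{src}: {n} distinct Telnet targets within 60s")
```

Only the camera is flagged; repeated logins to a single switch and slow, spread-out connections stay below the fan-out threshold.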

Where Did Mirai Malware Come From

Mirai malware was first discovered late in 2016, and in the following months, it launched devastating attacks against computer security journalist Brian Krebs’s website, Dyn, and French web host OVH. Each of those events significantly raised the profile of the malware as it quickly crippled its targets.

The secretive hacker who created Mirai is referred to as “Anna-senpai,” and the malware itself is named after the anime series Mirai Nikki. From the outset, this fits the profile of “Chan” style hackers who often intermingle their internet personas with anime themes.

After the attacks that left millions without functioning web services, the code for Mirai was made public. The creator knew others would duplicate the code and use it, and this was likely done to cover the originator’s tracks.

On January 17, 2017, Brian Krebs, the security journalist targeted last year, released what he believed was the true identity of Anna-senpai: Paras Jha. Paras is a student at Rutgers University and ironically owns a DDoS mitigation service. Paras denies the accusation.

According to the BBC, a 29-year-old British man with the pseudonym “Best Buy” was arrested in February on charges of duplicating the now public Mirai malware and inadvertently launching an attack on the German and British digital infrastructure.

There is still no verifiable proof of who created the original code for Mirai.

According to Incapsula.com, one of the most interesting aspects of Mirai, and the most telling of its originator’s personality and mindset, is who the malware was designed not to target.

“This list [of non-targets] … includes the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA) and IP ranges belonging to Hewlett-Packard and General Electric,” –incapsula.com

The team at Incapsula speculates that this demonstrates that the creator not only wished to avoid drawing attention to the botnet but also had only an amateurish understanding of the global cyber security apparatus.

“the content list is fairly naïve—the sort of thing you would expect from someone who learned about cyber security from the popular media (or maybe from this Wiki page), not a professional cyber criminal.” – incapsula.com

Incapsula also discovered that the Mirai code contains bits of Russian-language strings even though the C&C interface is in English. The relevance of this is as yet unknown.

What Danger Does Mirai Pose?

While the smart devices commonly infected with Mirai show no outward signs of the malware’s presence, this doesn’t mean Mirai doesn’t have its victims. The vast majority of us use the internet for entertainment, communication, and everything else, so a DDoS attack on these sites affects us all. The catastrophic attack that took down a huge portion of the internet apparently used only 10% of its infected network.

There is no telling exactly how much of a threat Mirai really is, and Mirai itself may not be the biggest issue. Since the code was released, copycat malware has been popping up everywhere. Many are “improvements” on the original design. As stated earlier, over 2 million devices are likely enslaved by Mirai-based malware. Versions have begun appearing on Windows-based devices as well. The situation has gotten so bad that these different creations seem to have started fighting over devices to control, some even going so far as to launch attacks on one another to claim device real estate.

Mirai-style malware actively removes other malware and secures the device, staking its claim on the territory. This helps that form of malware maximize its effectiveness when launching its own attacks, and prevents competing malware from removing it and doing the same.

A twist to all of this is Hajime. Hajime is a piece of malware developed by a “white hat” hacker (someone acting in good faith) that is currently using the technology to lock down and secure devices from the many strains of Mirai. This unknown vigilante white hat hacker has gone to war against the many black hats creating and perpetuating the IoT-based malware. Estimates of the number of devices claimed by Hajime range from the tens to hundreds of thousands.

Since the malware is removed from the product upon rebooting, and once again becomes contested ground, we are likely to see a constant back and forth between Mirai and Hajime struggling to either possess or secure IoT devices. A sort of weird Good Vs Evil for our modern age.

As with anything that has gone open source, we will likely see the technology continue to expand and update – and the war over our digital infrastructure will escalate.

What May the Future Hold?

It has been said that Mirai has inspired a Renaissance of IoT device hacking, and it is very unlikely this threat will be going away anytime soon. The discovery of Mirai and its subsequent attacks are still incredibly recent given the amount of ground the malware has covered and the copies it has spawned, to say nothing of the devastation and loss of revenue it has wrought. As this form of threat continues to evolve, manufacturers of smart devices will have to begin investing heavily in security countermeasures – though the millions of vulnerable devices already on the shelves and in homes mean this threat won’t be quickly stopped. The recent evolution onto Windows devices may also be the harbinger of more devastating things to come.

Bricker Bot – The next wave?

On March 20, researchers at security shop Radware spotted the malware, dubbed BrickerBot, cropping up in honeypots it sets up across the web to lure interesting samples. In the space of four days, one honeypot logged 1,895 infection attempts by BrickerBot, with the majority of attacks coming from Argentina, and a second logged 333 attempts – untraceable as they came from a Tor node.

BrickerBot malware forms a Permanent Denial-of-Service (PDoS) botnet. By exploiting security flaws or bad configurations, PDoS can destroy the firmware and/or basic system functions. It is different from its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage.

All that said, Mirai and what it has spawned may be the current big-name threat to IoT devices, but as we have already seen, it certainly won’t be the last.

Mirai, the botnet behind a wave of major DDoS attacks, was primarily composed of infected routers and security cameras, low-powered and poorly secured devices. In the wrong hands, even relatively benign devices and software can be used to devastating effect.


