[BreachExchange] Smart device malware behind record DDoS attack is now available to all hackers

Inga Goddijn inga at riskbasedsecurity.com
Wed Oct 5 19:40:48 EDT 2016


http://www.pcworld.com/article/3126362/security/iot-malware-behind-record-ddos-attack-is-now-available-to-all-hackers.html

The source code for a trojan program that infected hundreds of thousands of
internet-of-things devices and used them to launch distributed
denial-of-service attacks has been published online, paving the way for
more such botnets.

The code for the trojan, which its creator calls Mirai, was released Friday
on an English-language hackers' forum, cybersecurity blogger Brian Krebs
reported over the weekend
<https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/>.
Krebs' website was the target of a record DDoS attack two weeks ago that was
launched from the Mirai botnet.

The trojan's creator, who uses the online handle Anna-senpai, said he decided
to release the source code because IoT-powered DDoS attacks are now attracting
a lot of attention and he wants to get out of the business.

Mirai used to enslave around 380,000 IoT devices every day by brute-forcing
Telnet logins, according to Anna-senpai. However, after the DDoS attack
against krebsonsecurity.com, ISPs started to take action and block compromised
devices, so the daily rate of Mirai infections has dropped to 300,000 and is
likely to fall further, the malware writer said.

It's worth noting that, unlike malware infections on desktop computers,
infections on IoT and embedded devices are usually temporary: the implant
lives only in the device's volatile memory and disappears when the device is
rebooted. In order to maintain their size, IoT botnets need to find and
reinfect devices every single day, which also means the exposed Telnet
service and the weak credentials that let the bot in are still there after
the reboot.
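The infection vector described above (repeated Telnet login attempts against default accounts, followed by a successful login and a short-lived in-memory implant) is visible on the device or its syslog collector as a burst of failed logins from one source and then a success from the same source. The following script is an added example, not code from the article, from Krebs' report, or from the Mirai source; it runs a sliding-window brute-force detector over constructed syslog lines whose format is only modeled loosely on what login(1) emits (the exact strings, hostnames, PIDs and RFC 5737 addresses are all made up), and the `analyze` function, its thresholds and the assumed log year are this example's own choices.

```python
"""Flag Telnet brute-force sources and probable compromises in syslog lines.

Added example with constructed input; the log format is loosely modeled on
login(1) messages and is an assumption, as are the threshold and window.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs). One source hammers root/admin
# and then logs in; a second source fails once; a third logs in cleanly.
SAMPLE_LOG = """\
Oct  5 19:40:01 dvr login[811]: FAILED LOGIN (1) on 'pts/0' FROM '203.0.113.7' FOR 'root', Authentication failure
Oct  5 19:40:02 dvr login[811]: FAILED LOGIN (2) on 'pts/0' FROM '203.0.113.7' FOR 'root', Authentication failure
Oct  5 19:40:03 dvr login[811]: FAILED LOGIN (3) on 'pts/0' FROM '203.0.113.7' FOR 'root', Authentication failure
Oct  5 19:40:04 dvr login[812]: FAILED LOGIN (1) on 'pts/0' FROM '203.0.113.7' FOR 'admin', Authentication failure
Oct  5 19:40:05 dvr login[812]: FAILED LOGIN (2) on 'pts/0' FROM '203.0.113.7' FOR 'admin', Authentication failure
Oct  5 19:40:06 dvr login[813]: root login on 'pts/0' from '203.0.113.7'
Oct  5 19:41:10 dvr login[820]: FAILED LOGIN (1) on 'pts/1' FROM '198.51.100.4' FOR 'root', Authentication failure
Oct  5 19:45:00 dvr login[830]: admin login on 'pts/1' from '192.0.2.10'
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(
    TS + r" \S+ login\[\d+\]: FAILED LOGIN \(\d+\) on '\S+' FROM '(?P<ip>[\d.]+)' FOR '(?P<user>[^']+)'"
)
OK_RE = re.compile(
    TS + r" \S+ login\[\d+\]: (?P<user>\S+) login on '\S+' from '(?P<ip>[\d.]+)'"
)


def parse_ts(ts, year=2016):
    """Syslog timestamps carry no year; the year is an assumption of this
    example (a real collector should take it from the log's own metadata and
    handle the December/January wrap)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text, threshold=5, window_seconds=60):
    """Return per-source findings: total failures, whether the source crossed
    `threshold` failures inside any `window_seconds` window (brute force), and
    which users it then logged in as after recent failures (probable
    compromise). Sources that only ever log in cleanly are not reported."""
    recent_failures = defaultdict(list)  # ip -> timestamps inside the window
    findings = defaultdict(
        lambda: {"failures": 0, "brute_force": False, "compromised_users": []}
    )
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            t, ip = parse_ts(m["ts"]), m["ip"]
            findings[ip]["failures"] += 1
            # Sliding window: keep only failures within window_seconds of now.
            window = [x for x in recent_failures[ip] if (t - x).total_seconds() <= window_seconds]
            window.append(t)
            recent_failures[ip] = window
            if len(window) >= threshold:
                findings[ip]["brute_force"] = True
            continue
        m = OK_RE.match(line)
        if m:
            t, ip = parse_ts(m["ts"]), m["ip"]
            # A success right after failures from the same source is the
            # signature of a guessed credential, even below the brute-force bar.
            window = [x for x in recent_failures.get(ip, []) if (t - x).total_seconds() <= window_seconds]
            if window:
                findings[ip]["compromised_users"].append(m["user"])
    return dict(findings)


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

On a device like the DVRs in the article, an alert from this logic should trigger more than a reboot: rebooting clears the in-memory bot, but unless the Telnet service is closed or the guessed credential is changed the same source will be back the next day, which is exactly the daily reinfection cycle the article describes.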

The hijacking of home routers, DSL modems, digital video recorders,
network-attached storage systems and other such devices to launch DDoS
attacks is not new. For example, in October 2015, security firm Incapsula
mitigated a DDoS attack
<http://www.pcworld.com/article/2996137/attackers-hijack-cctv-cameras-and-network-attached-storage-devices-to-launch-ddos-attacks.html>
launched from around 900 closed-circuit television (CCTV) cameras.

However, IoT DDoS botnets have escalated sharply in scale over the past few
months. After the unprecedented 620Gbps DDoS attack against Krebs' website
two weeks ago, French server hosting firm OVH was hit with a 799Gbps DDoS
attack launched from a botnet of over 140,000 hacked digital video recorders
and IP cameras.

A botnet of that size is capable of launching crippling attacks that could
easily exceed 1Tbps, OVH's CTO warned at the time.

There are very few DDoS mitigation providers in the world who are capable
of protecting customers against 1Tbps attacks. Content delivery network
Akamai, which also offers DDoS protection services, dropped Krebs as a
customer when his website was recently attacked because the attack was too
costly to mitigate.

And things are only going to get worse, because the market for IoT devices is
rapidly expanding and many of these devices ship with basic security holes,
such as remote administrative interfaces exposed to the Internet and
protected only by weak default credentials that users never change.

The release of Mirai’s source code is very likely to lead to the creation
of more IoT botnets, and it wouldn’t be the first time. In early 2015 the
source code for LizardStresser, a DDoS bot for Linux systems written by the
infamous Lizard Squad attacker group, was released online. As of June this
year, security researchers had identified
<http://www.csoonline.com/article/3090161/security/over-100-ddos-botnets-built-using-linux-malware-for-embedded-devices.html>
over 100 botnets built using malware based on LizardStresser.