Security Experts:

Hacker Releases Source Code of IoT Malware Mirai

A hacker has released the source code of Mirai, the Internet of Things (IoT) malware used to launch massive distributed denial-of-service (DDoS) attacks against the websites of journalist Brian Krebs and hosting provider OVH.

A copy of the source code files provided to SecurityWeek includes a “readme” where the author of Mirai explains his reasons for leaking the code and provides detailed instructions on how to set up a botnet.

“When I first go in DDoS industry, I wasn't planning on staying in it long,” the hacker said. “I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.”

The hacker claimed his botnet had ensnared up to 380,000 bots via telnet attacks alone, but ISPs allegedly started cleaning up their act following the DDoS attacks aimed at Krebs’ website. He says the number of bots has dropped to roughly 300,000 and continues to decrease.

The leaked files include source code for the bot, command and control (C&C) servers, and tools. The author of Mirai says he is willing to answer specific questions about setting up the botnet, but he is determined not to waste any time teaching wannabe cybercriminals or answering vague questions.

Mirai, believed to have made rounds since May 2016, infects IoT devices protected by weak or default credentials. Once it hijacks a device, the threat abuses it to launch various types of DDoS attacks, including less common UDP floods via Generic Routing Encapsulation (GRE) traffic.

One of the first groups to analyze this threat was Malware Must Die, although the author of Mirai said the analysis was inaccurate. Researchers from Russian antivirus firm Dr. Web reported last week that they had seen newer versions of the Trojan in September. The company has published a 56-page report describing the malware, which it detects as Linux.Mirai.

The attack that hit Brian Krebs’ website peaked at over 600 Gbps, while the simultaneous attacks aimed at hosting provider OVH exceeded 1 Tbps. Octave Klaba, the founder and CTO of OVH, said the botnet was powered by more than 150,000 IoT devices, including cameras and DVRs, capable of launching attacks of over 1.5 Tbps.

The attack targeted at Krebs was launched after the journalist published a blog post exposing the alleged operators of a booter service called vDOS, which led to the arrests of two Israeli nationals. The “readme” file published by the author of Mirai is signed with “FREEAPPLEJ4CK” – AppleJ4ck is the online moniker used by one of the vDOS operators.

Now that Mirai’s source code has been made available, the malware will likely be abused by many cybercriminals, similar to the case of BASHLITE, whose source code was leaked in early 2015. In late August, Level 3 Communications and Flashpoint reported that BASHLITE DDoS botnets had ensnared roughly one million IoT devices.

Related: DDoS Attacks Are Primary Purpose of IoT Malware

Related: IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.