Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hacker Releases Source Code of IoT Malware Mirai

A hacker has released the source code of Mirai, the Internet of Things (IoT) malware used to launch massive distributed denial-of-service (DDoS) attacks against the websites of journalist Brian Krebs and hosting provider OVH.

A hacker has released the source code of Mirai, the Internet of Things (IoT) malware used to launch massive distributed denial-of-service (DDoS) attacks against the websites of journalist Brian Krebs and hosting provider OVH.

A copy of the source code files provided to SecurityWeek includes a “readme” where the author of Mirai explains his reasons for leaking the code and provides detailed instructions on how to set up a botnet.

“When I first go in DDoS industry, I wasn’t planning on staying in it long,” the hacker said. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. However, I know every skid and their mama, it’s their wet dream to have something besides qbot.”

The hacker claimed his botnet had ensnared up to 380,000 bots via telnet attacks alone, but ISPs allegedly started cleaning up their act following the DDoS attacks aimed at Krebs’ website. He says the number of bots has dropped to roughly 300,000 and continues to decrease.

The leaked files include source code for the bot, command and control (C&C) servers, and tools. The author of Mirai says he is willing to answer specific questions about setting up the botnet, but he is determined not to waste any time teaching wannabe cybercriminals or answering vague questions.

Mirai, believed to have made rounds since May 2016, infects IoT devices protected by weak or default credentials. Once it hijacks a device, the threat abuses it to launch various types of DDoS attacks, including less common UDP floods via Generic Routing Encapsulation (GRE) traffic.

One of the first groups to analyze this threat was Malware Must Die, although the author of Mirai said the analysis was inaccurate. Researchers from Russian antivirus firm Dr. Web reported last week that they had seen newer versions of the Trojan in September. The company has published a 56-page report describing the malware, which it detects as Linux.Mirai.

The attack that hit Brian Krebs’ website peaked at over 600 Gbps, while the simultaneous attacks aimed at hosting provider OVH exceeded 1 Tbps. Octave Klaba, the founder and CTO of OVH, said the botnet was powered by more than 150,000 IoT devices, including cameras and DVRs, capable of launching attacks of over 1.5 Tbps.

Advertisement. Scroll to continue reading.

The attack targeted at Krebs was launched after the journalist published a blog post exposing the alleged operators of a booter service called vDOS, which led to the arrests of two Israeli nationals. The “readme” file published by the author of Mirai is signed with “FREEAPPLEJ4CK” – AppleJ4ck is the online moniker used by one of the vDOS operators.

Now that Mirai’s source code has been made available, the malware will likely be abused by many cybercriminals, similar to the case of BASHLITE, whose source code was leaked in early 2015. In late August, Level 3 Communications and Flashpoint reported that BASHLITE DDoS botnets had ensnared roughly one million IoT devices.

Related: DDoS Attacks Are Primary Purpose of IoT Malware

Related: IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.