Mirai, the infamous botnet used in the recent massive distributed denial of service (DDoS) attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure, has ensnared Internet of Things (IoT) devices in 164 countries, researchers say.
In early October, Mirai’s developer released the malware’s source code and also revealed that there were over 300,000 devices infected with it. Soon after, as the botnet was increasingly used in DDoS attacks, Flashpoint security researchers determined that over half a million IoT devices worldwide were vulnerable to Mirai, because they were protected by weak security credentials.
According to Imperva researchers, the investigation of an attack carried out in August has revealed around 49,657 unique IPs hosting Mirai-infected devices, mostly CCTV cameras, already proven popular targets for IoT botnets.
These IP addresses, researchers say, are located in 164 countries, with Vietnam taking the top spot at 12.8%, followed by Brazil at 11.8%, the United States at 10.9%, China at 8.8%, and Mexico at 8.4%. South Korea, Taiwan, Russia, Romania and Colombia are rounding up top ten most affected countries. Remote locations such as Montenegro, Tajikistan and Somalia were also among the affected countries.
Imperva also notes that a few new Mirai-powered attacks were seen after the source code emerged online, though they were low-volume application layer HTTP floods. These used a small number of source IPs, and the security researchers suggest that they might be mere experimental first steps of new Mirai users.
The researchers also note that the botnet’s command and control (C&C) code is coded in Go, while the bots are coded in C. Code analysis also revealed that the botnet was built for two main purposes: find and compromise devices to increase the botnet’s footprint, and launch DDoS attacks based on received instructions.
As previously revealed, Mirai performs wide-ranging scans of IP addresses to locate under-secured IoT devices and access them via easily guessable login credentials. The scanning is performed against destination ports TCP/23 and TCP/2323, and Arbor Networks researchers note that prevention is possible by shielding access to these ports.
According to Symantec, the botnet has been configured to use a dictionary of at least 62 user name and password combinations, most of which are commonly used default credentials for IoT devices. The security firm also notes that, while infected devices can be cleaned with a simple restart, the constant scanning performed by the botnet means that they are re-infected in a matter of minutes after coming back online.
The malware is able to launch HTTP floods and various network (OSI layer 3-4) DDoS attacks, including GRE IP and GRE ETH floods, SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods, and UDP flood attacks.
Mirai was found to include a list of IPs that bots should avoid scanning: the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA) and IP ranges belonging to Hewlett-Packard and General Electric. While also able to bypass security solutions, the botnet contains scripts to eradicate other worms and Trojans, and to prohibit remote connection attempts to the hijacked device.
The developer of this botnet is believed to be Russian, based on some of the comments found in the code. However, Arbor researchers believe that there are multiple threat actor groups actively working to expand and improve the DDoS attack capabilities of Mirai. What’s more, the security researchers discovered alterations in the DDoS attack capabilities of at least one Mirai-derived botnet.
To protect devices from Mirai and similar botnets, users are advised not only to shield TCP/23 and TCP/2323 access to the devices, but also to disable all remote (WAN) access to them. An essential step to secure vulnerable devices, however, is to change the default username and password.
“The potential collateral impact of DDoS attacks launched by the Mirai botnet can be highly significant, depending upon the target selection and efficacy of a given attack. Outbound/crossbound DDoS attacks launched by Mirai bots can cause significant network performance issues or outages for broadband access network operators. Threat actors may significantly increase the rate of scanning for vulnerable systems, which could lead to an inadvertent DDoS attack on scanned/scanning systems and networks,” Arbor Networks researchers note.
Earlier this week, researchers at Corero Network Security warned of a new zero-day DDoS attack vector leveraging the Lightweight Directory Access Protocol (LDAP) protocol, which could result in terabit-scale DDoS events if combined with the power of IoT botnets such as Mirai. The attack has been already used in small but powerful incidents, the researchers said.
Related: Sierra Wireless Rugged Gateways Targeted by Mirai Malware
Related: DDoS Attacks Are Primary Purpose of IoT Malware
Related: IoT Worm “Hajime” Uses BitTorrent Protocols for Communications