New Variant of Infamous IoT Botnet Launches Attack Against Network of U.S. College
A newly discovered variant of the Mirai botnet was responsible for powering a 54-hour distributed denial of service (DDoS) attack, Imperva researchers reveal.
Mirai was one of the most discussed Internet of Things (IoT) botnets during the second half of last year, after it was used in two large attacks against Brian Krebs’ blog and DNS provider Dyn. In October, the Trojan’s source code leaked online and new variants emerged soon after.
One such version emerged in December when TalkTalk Telecom home routers were being infected via a vulnerability in the network router protocol. Earlier this year, researchers observed a Windows variant of Mirai, though concluded that it was mainly designed to spread the Linux Trojan to more IoT devices.
The new version, Imperva says, is one of the variants that spawned after the source code leaked. Specifically, while previous versions of the malware launched network layer DDoS attacks, the new variant focuses on application layer assaults, the researchers discovered.
On Feb. 28, the new Mirai threat was used to launch a DDoS attack against a US college, and researchers say that the assault continued for 54 hours straight. The average traffic was of over 30,000 requests per second (RPS) and peaked at around 37,000 RPS, the highest of any Mirai botnet (the attack generated a total of over 2.8 billion requests).
“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” Imperva’s Dima Bekerman explains.
The device types used in this attack were already known to be abused by Mirai: CCTV cameras, DVRs and routers. These devices might have been impacted by known vulnerabilities that the botnet exploited via open telnet (23) ports and TR-069 (7547) ports.
According to Bekerman, the DDoS bots used in the attack were hiding behind different user-agents compared to the five previously seen hardcoded in the default Mirai version. These details suggest that the new Mirai variant might have been modified to launch more elaborate application layer attacks.
30 user-agent variants were spotted during the attack, Imperva says. Furthermore, the security researchers observed attack traffic originating from 9,793 IPs worldwide, with over 70% of them located in ten countries: United States (18.4%), Israel (11.3%), Taiwan (10.8%), India (8.7%), Turkey (6%), Russia (3.8%), Italy (3.2%), Mexico (3.2%), Colombia (3.0%), and Bulgaria (2.2%).
“Less than a day after the initial assault ended, another one began that lasted for an hour and a half with an average traffic flow of 15,000 RPS. Based on our experience, we expect to see several more bursts before the offender(s) finally give up on their efforts,” Bekerman says.