Content

The Evolution of Mirai as a Cautionary Tale

It was just over a year a year ago when the flood gates opened and the packets rained down as a new player made itself known. 

The Mirai botnet had made it's debut on the world stage. This was a game changer in every sense of the meaning. A botnet had revealed itself to the world that was built on the metaphorical backs of thousands to Internet of Things (IoT) devices. This botnet was capable of distributed denial-of-service, or “DDoS” attacks, which could deliver over 600 Gbps of traffic right out of the gate. A staggering, and previously unseen volume up to that point in time.

The malicious code, dubbed Mirai, scanned the Internet looking for devices from its pre-ordained list of over sixty devices that were attached online. These devices had default credentials that Mirai would seek out in order to compromise further devices to add to the collective that topped 2.5 million IP addresses at its peak.

Devices that were infected would still operate as expected but, could at times appear sluggish. Additionally, bandwidth utilization would jump during an attack that the infected device might be participating in. The malware would reside in the memory of the affected device and would remain there until the device was rebooted, at which time it would be cleared from memory. The problem being, if the device did not have the password changed, the malicious software would simply re-infect the device in question.

The infected hosts which made up the Mirai botnet included DVRs, home routers and even video cameras. There was a time where I would joke that my coffee maker was attacking some random site. Little did I expect that this sort of thing would actually come to fruition.

On October 21, 2016, the attacks from the Mirai platform moved from a grudge match to something a little more sinister when it targeted the DNS service provider, Dyn. This attack caused some significant down time for the company, and as a result numerous Dyn customers found themselves unable to resolve their domain names.

In November of 2016, the Mirai botnet was further utilized to launch attacks against infrastructure targets in Liberia.

In January of 2017, the journalist Brian Krebs named names [https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/]. Krebs pulled a proverbial thread and unwound the story to reveal the identities of the progenitors of the Mirai botnet. He identified Paras Jha, the President of ProTraf Solutions as the author of the malware. On Wednesday December 13, 2017, the FBI announced [https://www.justice.gov/opa/pr/justice-department-announces-charges-and-guilty-pleas-three-computer-crime-cases-involving] that Paras Jha, 21, Josiah White, 20 and and Dalton Norman, 21 had all plead guilty on December 8 for their involvement in the creation and use of the Mirai botnet.

Now, one of the interesting aspects of the Mirai saga was that the source code was released at the end of September 2016. It was posted on a site called Hackforums. Later the source code was put up on the version control repository service Github by preeminent security researcher, and all around nice guy, Jerry Gamblin.

Why was this possible? Why was something like Mirai even able to come into being in the first place? Security is often the red-headed stepchild of any IT related project. If I had a dollar for every time a project manager had tried to route around me in the past – I would be able to have a really nice vacation. This speaks to the time-to-market problem. Too many companies working as hard and fast as they can to beat their competitors to the street. Unfortunately, security often gets bypassed. We see issues of deprecated libraries being used and old security vulnerabilities, that were previously addressed, being reintroduced to the playing field.

As an example, Mirai relied heavily upon default credentials in IoT related devices. Programmatically, this was a huge misstep as it would have been simple enough to force a person to change their password on first login. This would have cut down the potential pool of candidates for the botnet significantly.

Security needs to be baked into the process from the design stage. Back of napkin, noodling out ideas should have a star with security on it. Many IoT-related devices are consumer grade devices with planned obsolescence built into them but, security must still be considered. Mirai was an example of what can go wrong and unless these issues are properly addressed, it will not be the last lesson that we have to learn.

Dave Lewis

Dave has 30 years of industry experience. He has extensive experience in IT security operations and management. He is the founder of the security site Liquidmatrix Security Digest & podcast. He is currently a member of the board of directors for BSides Las Vegas. Dave has previously worked for companies such as Cisco, Akamai, AMD, and IBM. Previously he served on the board of directors for (ISC)2 as well as being a founder of BSides Toronto conference. Dave was a DEF CON speaker operations goon for over 10 years. Lewis also serves on the advisory board for the Black Hat Sector Security Conference and the CFP review board for 44CON and BSides Athens. Dave has previously written columns for Forbes, CSO Online, Huffington Post, The Daily Swig, and others. For fun, he is a curator of small mammals (his kids) plays bass guitar, grills, and is part owner of a whisky distillery and a soccer team.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.