The release of the source code for ‘Mirai,' the Internet of Things (IoT) botnet responsible for launching a historically large DDoS attack against security researcher Brian Krebs, on Hackforums Friday by a user under the nickname “Anna-senpai,” will mark the beginning of a wave of high-powered IoT botnet DDoS attacks, researchers said.
Anna-senpai claimed to have gotten into the cybercrime industry to make money with no plans of staying long, releasing the source code in response to increased scrutiny from the security industry, according to an Oct. 1 KrebsonSecurity blog post.
“With Mirai, I usually pull max 380k bots from telnet alone,” Krebs quoted Anna-senpai as saying. “However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
The malware spreads by continuously scanning the web for vulnerable devices using default or hard-coded usernames and passwords. Once infected, the devices are seeded with malicious software that converts them into the bots and forces them to report to a central control server which can be used as a staging ground for launching powerful DDoS attacks, the post said.
Experts agree that the release of the code will trigger a flood of new high powered DDoS attacks powered by insecure routers, IP cameras, DVRs and other easily hackable IoT devices and Rubicon Labs Vice President of Product Rod Schultz told SCMagazine that reusable code blocks driving technological innovation will cause problems.
“This lack of diversity in the attack surface allows an attack on one technology to be rapidly re-purposed toward another, and that is exactly what we are seeing with the Mirai IoT Botnet,” Schultz said. “Until security is made simple and scaleable we will continue to see incredibly damaging attacks where there is little to no herd immunity.”
The rise of IoT breaches can be attributed in part to the lack of guidance and regulation for IoT device security, HPE Security-Data Security Global Product Manager Reiner Kappenberger told SCMagazine.com via emailed comments.
“Companies rush product to market that have been developed by teams that are solely focusing on functionality,” Kappenberger said. “They use protocols and tools that have not been thoroughly vetted from a security standpoint as the small amount of storage in those devices poses limitations to the software elements they can use.”
He said manufacturers need to start thinking long term with these products as they often have longer life spans than other computer devices which could mean a wider vulnerability window. The onus is also on the consumer to identify what security measures are included in the products they purchase and what additional measures they need to take to secure their devices, he said.
Cesare Garlati, chief security strategist of the prpl Foundation, told SCMagazine.com that IoT vendors need to practice basic protocols to keep users safe and agreed that regulation may be necessary.
“Telnet is a non-secure protocol that should be banned from any device connecting to the internet,” Garlati said. “Many recent incidents involving cars and biomedical devices have shown that poorly designed IoT devices have the potential to result in human fatalities.”
Krebs said most infected systems can be cleaned up by simply rebooting them but noted that constant scanning equipment makes it possible for an attacker to quickly re-infect within minutes of a reboot.