From The Architect

The Mirai Botnet

Mirai is software that can takeover a large number of internet-connected machines for use in mass attacks on other systems. It spreads by using a list of common passwords against random internet connections. It’s a simple and effective way to find connected machines with weak passwords.

Weak Passwords?

One of the first things a security-conscious person does after installing an internet-connected device is to change the administrator’s password. For many years it was an accepted practice to ship devices that had an easy to remember default password with the assumption that the owner will change it. We now know this to be a bad assumption.

Here are some of the infamous administrator passwords that Mirai takes advantage of:

  • admin
  • default
  • pass
  • password
  • system
  • user
  • 12345 (also the combination to the airshield in Spaceballs)

With administrator passwords like this, what can go wrong?

How Infected Machines Operate

Once a machine is infected it then “listens” for commands from the botnet operator. The commands supported by Mirai generally deal with various methods of “flooding” another machine off the internet (also known as a Denial of Service). For a company whose business is tied to the internet, this can be financially expensive as there’s no way to prevent such an attack (if the botnet is large enough).

Details About the Botnet

The Mirai botnet has recently been estimated to be around 100,000 infected devices. What makes the Mirai botnet so destructive is that each attack can be performed against 1 target by 100,000 different machines. Because of the additive nature of so many different traffic sources, the target is easily overwhelmed.

According to Incapsula, the Mirai botnet consists of compromised machines from all over the world, but mainly:

  1. Vietnam
  2. Brazil
  3. United States
  4. China
  5. Mexico

Since the Mirai source code was made public on September 30th 2016, many other variants have been released into the wild. This means the Mirai botnet could be currently operating under different software and have additional attack scripts it can call on.

Commonly Compromised Routers

  • Huawei Routers
  • Mikro RouterOS
  • AirOS Routers

Mirai’s Attack Capabilities

Mirai can perform about 10 TCP/IP-based attacks (one appears to have been disabled in the source), and each one abuses a different aspect of the Internet Protocol stack. But they all share the same purpose; to flood the target network with more data than it can handle.

The 10 attacks are:

  1. UDP flood
  2. Valve Source Engine query flood
  3. DNS water torture
  4. SYN flood
  5. ACK flood
  6. ACK flood to bypass mitigation devices.
  7. GRE IP flood.
  8. GRE Ethernet flood.
  9. Plain UDP flood optimized for speed.
  10. HTTP layer 7 flood.

Each of these attacks generates traffic that isn’t easily distinguishable from normal traffic. Blocking all types of the traffic used in an attack would likely break something legitimate, making it quite difficult to manage.

Mirai’s Defense Capabilities

Mirai has various methods of hiding it’s existence and preventing the compromised machine from being stolen by another botnet. Among the tricks it performs on an infected machine:

  • Deletes itself from the file system after it’s loaded into memory. This means if the device is restarted the machine will boot clean. However, another compromised system simply reinfects the machine as soon as it’s online again.
  • Disables the watchdog process which prevents the system from automatically restarting.
  • Scrambles its name as it appears in the unix process list.
  • Shuts down Telnet and SSH; and prevents them from restarting.

Once Mirai compromises a machine, it’s basically dead to everything except a manual restart by the machine’s owner. Even then unless the default password is changed, restarting the device will only have it immediately reinfected.

The following sources of information were used in this article:

  1. Breaking Down Mirai: An IoT DDoS Botnet Analysis
  2. Mirai: The IoT Bot That Took Down Krebs and Launched a Tbps DDoS Attack on OVH
  3. IoT Home Router Botnet Leveraged in Large DDoS Attack

 Subscribe to RSS
Posted in Computer Security