Leaked Mirai source code already being tested in wild, analysis suggests

In August, Imperva encountered a Mirai DDoS attack that featured malicious traffic originating from nearly 50,000 unique IPs in 164 countries.

Since the source code to the Mirai Internet of Things botnet was publicly leaked on 30 September, researchers at Imperva have uncovered evidence of several low-level distributed denial of service attacks likely perpetrated by new users testing out this suddenly accessible DDoS tool.

With its unusual ability to bombard targets with traffic in the form of generic routing encapsulation (GRE) data packets, Mirai was leveraged last month to launch a massive DDoS attack against internet security researcher Brian Krebs' blog site KrebsonSecurity. Soon after, a Hackforums user with the nickname Anna-senpai publicly posted the botnet's source code – quite possibly a move by the malware's original author to impede investigators from closing in on him.

In a blog post this week, Imperva reported several low-level DDoS attacks taking place in the days following the leak. Consisting of low-volume application layer HTTP floods leveraging small numbers of source IPs, these attacks “looked like the experimental first steps of new Mirai users who were testing the water after the malware became widely available,” the blog post read.

But Imperva also found evidence of much stronger Mirai attacks on its network prior to the leak. On 17 August, Imperva mitigated numerous GRE traffic surges that peaked at 280 Gbps and 130 million packets per second. Traffic from this attack originated from nearly 50,000 unique IPs in 164 countries, many of which were linked to internet-enabled CCTV cameras, DVRs and routers – all infected by Mirai, which continuously scans the web for vulnerable devices that use default or hard-coded usernames and passwords.

An Imperva analysis of the source code revealed several unique traits, including a hardcoded blacklist of IPs that the adversary did not want to attack, perhaps in order to keep a low profile. Some of these IPs belonged to the Department of Defence, the US Postal Service and General Electric.

Ben Herzberg, security group research manager with Imperva Incapsula, told SCMagazine.com in a phone interview that Mirai's author may have truncated the complete blacklist before publishing it – possibly because such information could offer a clue as to the attacker's identity.

Imperva also found Mirai to be territorial in nature, using killer scripts to eliminate other worms, Trojans and botnet programs that may have infiltrated the same IoT devices. Moreover, the company noted traces of Russian-language strings, which could offer a clue to the malware's origin.

Herzberg said it's only a matter of time before Mirai's newest users make their own modifications. “People will start playing with the code and say, ‘Hey, let's modify this, change this,’” said Herzberg. “They have a nice base to start with.”

Web performance and security company Cloudflare also strongly suspects it has encountered multiple Mirai DDoS attacks, including one HTTP-based attack that peaked at 1.75 million requests per second. According to a company blog post, the assault leveraged a botnet composed of over 52,000 unique IP addresses, which bombarded the Cloudflare network – primarily its Hong Kong and Prague data centres – with a flurry of short HTTP requests designed to use up server resources and take down web applications.

A second HTTP-based attack launched from close to 129,000 unique IP addresses generated fewer requests per second, but consumed up to 360 Gbps of inbound HTTP traffic – an unusually high number for this brand of attack. In this instance, much of the malicious traffic was concentrated in Frankfurt.

Cloudflare concluded that the attacks were launched from compromised IoT devices, including a high concentration of connected CCTV cameras running on Vietnamese networks and multiple unidentified devices operating in Ukraine.

“Although the most recent attacks have mostly involved internet-connected cameras, there's no reason to think that they are likely the only source of future DDoS attacks,” the Imperva report warns. “As more and more devices (fridges, fitness trackers, sleep monitors...) are added to the internet they'll likely be unwilling participants in future attacks.”

Of course, compromised IoT devices can be used for more than just DDoS attacks. Today, Akamai Technologies released a white paper warning of a new in-the-wild exploit called SSHowDowN that capitalises on a 12-year-old IoT vulnerability.

According to Akamai, cyber-criminals are remotely converting millions of IoT devices into proxies that route malicious traffic to targeted websites in order to check stolen log-in credentials against them and determine where they can be used. Bad actors can also use the same exploit to check websites for SQL injection vulnerabilities, and can even launch attacks against the internal network hosting the internet-connected device.

The vulnerability, officially designated as CVE-2004-1653, affects poorly configured devices that use default passwords, including video surveillance equipment, satellite antenna equipment, networking devices and Network Attached Storage devices. It allows a remote user to create an authorised Secure Shell (SSH) tunnel and use it as a SOCKS proxy, even if the device is supposedly hardened against SSH connections.
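As an added example, not code from the article or from Akamai's paper: a small Python check for the OpenSSH forwarding settings that let an authenticated login be used as a tunnel, which is the condition behind CVE-2004-1653. The two sshd_config samples are constructed; the "weak" one disables the login shell but leaves forwarding at its defaults, which is exactly the state the article describes as "supposedly hardened".

```python
# OpenSSH defaults for the forwarding keywords; sshd applies the FIRST value
# it reads for a keyword and ignores later repeats.
FORWARDING_DEFAULTS = {
    "allowtcpforwarding": "yes",          # -L/-R/-D tunnels, i.e. SOCKS use
    "allowstreamlocalforwarding": "yes",  # Unix-socket forwarding
    "permittunnel": "no",                 # tun(4) layer-2/3 tunnels
    "gatewayports": "no",                 # remote forwards on all interfaces
}
# Values a device that should never relay traffic ought to enforce.
HARDENED = {k: "no" for k in FORWARDING_DEFAULTS}

def effective_settings(config_text: str) -> dict:
    """Global effective value of each forwarding keyword. Parsing stops at
    the first 'Match' block, whose settings apply only conditionally."""
    effective = dict(FORWARDING_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in effective and key not in seen and len(parts) == 2:
            effective[key] = parts[1].strip().strip('"').lower()
            seen.add(key)
    return effective

def forwarding_findings(config_text: str) -> list:
    """(keyword, current, recommended) for each setting that still lets an
    authenticated user tunnel traffic through the device."""
    eff = effective_settings(config_text)
    return [(k, eff[k], HARDENED[k]) for k in HARDENED if eff[k] != HARDENED[k]]

# Constructed sample: login shell disabled, forwarding left at defaults.
WEAK_CONFIG = """
ForceCommand /sbin/nologin   # stops the shell, not 'ssh -N -D' tunnels
"""
# Constructed hardened counterpart.
HARDENED_CONFIG = """
AllowTcpForwarding no
AllowStreamLocalForwarding no
ForceCommand /sbin/nologin
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, forwarding_findings(cfg))
```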

"What we're trying to do is raise awareness," especially among IoT vendors, said Ryan Barnett, principal security researcher at Akamai, in an interview with SCMagazine.com. Barnett noted that when the CVE first came out, an exploit on it was "more theoretical," but now "we want to show it is actively being used in a massive attack campaign."
