Researcher finds Mirai flaws that could allow counterattack on botnet

News by Rene Millman

IoT botnet blamed for Dyn attack - Mirai - has several code vulnerabilities but questions are raised over legality of its use in defence.

A security researcher has found vulnerabilities in the Mirai malware that could be used to mount a counterattack against the botnet that's blamed for the Dyn DDoS attack.

Scott Tenaglia, a researcher at endpoint security firm Invincea, identified a stack buffer-overflow vulnerability in the HTTP flood attack code.

In a blog post, he said, “When exploited it will cause a segmentation fault (ie, SIGSEV) to occur, crash the process, and therefore terminate the attack from that bot. The vulnerable code has to do with how Mirai processes the HTTP location header that may be part of the HTTP response sent from an HTTP flood request,” he said. The flaw exists in the attack_app_http() function of bot/attack_app.c in the malicious code.

He verified that the flaw was exploitable by setting up three virtual machines to run the Mirai command and control server, a debug instance of the Mirai bot, and a victim. The victim simply serves up a file called location_attack with the following contents (carriage-return and new-line replaced with ‘\r' and ‘\n' for readability).

“The bot forks before executing the attack code, so when observing the bot's debug console there is no visual indicator that it crashes, other than the cessation of the attack,” he said.

He added that using the backtrace command it is clear that the crash occurred in memmove, which was called by attack_app_http, but the rest of the stack seems to be corrupted. “This coincides with what one would expect after overflowing the generic_memes buffer, because it is defined on the stack,” said Tenaglia.

“This simple ‘exploit' is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to defend against a Mirai-based HTTP flood attack in real-time. While it can't be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device,” he added.

Conor Ward of legal firm Hogan Lovells told that it is it is generally considered to be unwise to "hack back" in response to a DDoS attack as you could be committing a criminal offence under English law under the Computer Misuse Act even if the systems being attacked back is outside the UK.  

“Indeed, where the system is outside the UK you could break the law in the jurisdiction in which it is located and you could face extradition!  If you exploit vulnerabilities in the Mirai botnet with the result that the IoT device in question is damaged, this might increase the possibility of being charged.  After all, the person who owns the device is most likely to be an innocent victim him/herself,” he said.

“Whether or not you might have a defence to any charge (e.g. something akin to a claim in self-defence in relation to a physical attack to the person) is an interesting question.  English law does recognise the defence of necessity but only in extreme cases.  There is little modern case law on the circumstances in which such a defence could be relied on and unsurprisingly, there are no cases that I am aware of involving hacking back a botnet or DDoS.   I would therefore generally advise against such an approach.”

Ken Munro, partner at Pen Test Partners, told SC that if an issue was found with Mirai that allowed an remote attacker to take control of bots, it would be against the Computer Misuse Act to do so.

“If someone wanted to close the vulnerable devices by changing default passwords, closing telnet, bricking them, it would also be against the Computer Misuse Act,” he said.

“The Intelligence Services Act 1994 could allow the UK government to fight back against devices outside of the UK with a warrant. But is there any legitimate way to allow the attack of devices in the UK, wholesale? I don't think so.”

Ilia Kolochenko, CEO of High-Tech Bridge, told SC that in this particular case there is no hacking in terms of intrusion into anyone's computer.

“The researchers rather demonstrate how to drop [and crash] bots that are trying to connect to their system, without getting into the attacker's infrastructure,” he said.

Pascal Geenens, Radware's EMEA security evangelist, told SC Magazine that using an exploit to stop the Mirai bot is only a temporary fix.

“The device will be reinfected within minutes thanks to the efficient bot harvesting code within Mirai,” he said.

“In order to mitigate the threat, a counter-attack could exploit Mirai and re-enable telnet (as this was disabled by the bot) and then brute itself a way in using the same 60+ credentials Mirai uses. Once inside, the username and password can be changed to anything – but the factory defaults.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews