Over the weekend, the source code of the Trojan which used huge numbers of IoT devices to form a botnet and attack the websites of security blogger Brian Krebs and European web hosting company OVH, with a DDoS attack was released online.
The author of the Mirai DDoS Trojan has published the code of his malware after receiving pressure from security researchers. The Trojan targets Linux systems and especially IoT devices.
In one of the largest attacks of its kind ever recorded, a botnet formed using the malware was used to send junk traffic at security researcher Brian Kreb's website last month.
The availability of the code makes it easier for other hackers to take advantage of devices to launch similar attacks.
Stephen Gates, chief research intelligence analyst at NSFOCUS said the problem of consumer kit and default passwords needs to be resolved sooner rather than later or else more attacks along the same lines will occur.
“The solution to this is simple. Manufacturers must do a better job of either insuring that each device has a unique default password, or they must force users to change the password once the default is entered, when the device is first installed,” Gates said.
“Soon we may see DDoS attacks that are capable of taking down major portions of the internet, as well as causing brownouts, creating intolerable latency, or making the internet unusable. This is all collateral damage caused by a failure of good judgment by using the same factory default passwords on IoT devices in the first place,” Gates continued.
Reiner Kappenberger, global product manager at HPE Security argued that security is no longer the priority as it is often bumped to the back of development.
“The IoT space has become a hot market where companies need to enter quickly with functionality to be considered leading the space. However with that approach where functionality is the leading indicator comes the risk that security measurements are pushed to the back of the development cycle and frequently then dropped in order to release a product. While some of these are easy to fix the problem can lead to new entrants into the market running out of business due to security not taking an equal position to features during development,” Kappenberger said.