A couple of weeks ago, the largest known distributed denial of service (DDoS) attack hit the KrebsOnSecurity website. Now, the malware responsible for that attack has become publicly available.
This could make it harder to home in on the perpetrator responsible for the record 620 Gb/s attack.
Brian Krebs posted on his website, “The source code that powers the Internet of Things (IoT) botnet responsible for launching the historically large DDoS attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets.”
The botnet malware, named Mirai, enlists insecure IoT devices that are connected to networks — such as IP-connected cameras — and uses them as “bots” to bombard a targeted site with requests.
The attack on KrebsOnSecurity didn’t bring the site down thanks to the efforts of Akamai, the site’s host. Akamai had been hosting the site for free because of Krebs’ helpful work in exposing hackers. But after the Mirai attack, Akamai wanted out. Google has since stepped in, and is now hosting the site.
Mirai finds its bots by “continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords,” writes Krebs.
An anonymous person released the Mirai code on Hackforums, saying it was losing its effectiveness after the KrebsOnSecurity attack. This person wrote, “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
No doubt, similar strains of malware will quickly fill any void left by Mirai. But the KrebsOnSecurity attack highlights the vulnerabilities of millions of IoT devices.
“The size of the DDoS was big; 620 Gb/s is actually ridiculous and definitely not the norm,” says Jeff Schilling, chief of operations and security for hosting provider Armor. “Just a few months ago Rio Olympics took 540 Gbps DDoS. We are seeing the bar raised to these massive DDoS levels.”
These IoT devices can be “cleaned up by simply rebooting them — thus wiping the malicious code from memory,” writes Krebs. But the problem is, there is so much constant scanning they can be re-infected within minutes. Changing the default password would slow down the botnet process, but would take time and effort on the part of many, many IoT operators.
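Since a rebooted device is re-infected within minutes, the useful defensive signal is the credential sweep itself rather than the infection. As an added example (not from Krebs’s post or from the Mirai code), this Python script parses constructed telnetd-style log lines and flags a source that fails several logins within a short window, plus any successful login on an account the operator treats as a factory default; the log format, the account names and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telnetd log lines (syslog-like); not captured from a real device.
SAMPLE_LOG = """\
Oct 03 10:00:01 cam01 telnetd[412]: login failed for 'root' from 198.51.100.7
Oct 03 10:00:02 cam01 telnetd[412]: login failed for 'admin' from 198.51.100.7
Oct 03 10:00:02 cam01 telnetd[412]: login failed for 'root' from 203.0.113.9
Oct 03 10:00:03 cam01 telnetd[412]: login failed for 'root' from 198.51.100.7
Oct 03 10:00:04 cam01 telnetd[412]: login succeeded for 'root' from 198.51.100.7
Oct 03 10:05:00 cam01 telnetd[412]: login succeeded for 'alice' from 192.0.2.20
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']+)' from (?P<src>\S+)$"
)
DEFAULT_ACCOUNTS = {"root", "admin"}  # assumption: the devices' factory default usernames
FAIL_THRESHOLD = 3   # this many failures from one source ...
WINDOW_SECONDS = 60  # ... within this window counts as a credential sweep

def parse_events(log_text, year=2016):
    # Syslog timestamps carry no year, so one is supplied; unmatched lines are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "host": m["host"], "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events

def detect_mirai_style_activity(log_text):
    # Two signals: rapid failed logins per source, and any success on a default account.
    failures, default_logins = defaultdict(list), []
    for ev in parse_events(log_text):
        if ev["result"] == "failed":
            failures[ev["src"]].append(ev["ts"])
        elif ev["user"] in DEFAULT_ACCOUNTS:
            default_logins.append((ev["src"], ev["user"]))
    sweeping = set()
    for src, times in failures.items():
        times.sort()  # sliding window over this source's failure timestamps
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if (times[i + FAIL_THRESHOLD - 1] - times[i]).total_seconds() <= WINDOW_SECONDS:
                sweeping.add(src)
                break
    return {"sweeping_sources": sweeping, "default_account_logins": default_logins}
```

A successful default-account login from a source that was just sweeping is the case worth paging on; a sweep alone from a single address is routine background noise on a telnet-exposed device.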
It’s not known why the person on Hackforums released the Mirai code. Perhaps law enforcement was getting too close.
“Publishing the code online for all to see and download ensures that the code’s original authors aren’t the only ones found possessing it if and when the authorities come knocking with search warrants,” writes Krebs.
It’s also notable that the code was made public so quickly. “Does this indicate that botnets are becoming so cheap and easy to build, that they can now be thrown away?” Schilling asks. “If the protection of the botnet is no longer a concern, we will start seeing a bolder set of threat actors experimenting.”