Mirai malware once again hijacked headlines last week after it was identified as the tool behind the week's massive DDoS attack.
Earlier in October, a hacker published the source code of the Mirai malware online for anyone to use, modify and abuse. Mirai was written to scan the internet automatically for poorly secured IoT/connected devices and enlist them as bots in a botnet used for DDoS attacks.
In late September we covered (Mother of all DDoS attacks) an unprecedented attack against security journalist Brian Krebs's site, also apparently attributed to the Mirai malware.
The DDoS attack on Krebs peaked at over 600 Gbps, and the one on hosting provider OVH at over 1 Tbps of traffic. These attacks did not rely only on PCs recruited by malware infections (the traditional tool of threat actors); they also used vulnerable IoT devices such as routers, PVRs, thermostats, refrigerators and cameras, which are now targeted by the bad guys because they are often poorly secured and easy to exploit.
What we know about Mirai malware
A link to the malware code, first spotted by Krebs, was posted on the criminal hacker site Hackforums by a user named "Anna-senpai," who dubbed the malware "Mirai." The malware is designed to infect Internet of Things (IoT) devices whose default usernames and passwords have never been changed, a common occurrence given the frighteningly poor security of IoT products such as web cams, "smart" refrigerators, and other internet-connected home appliances. Once assembled, these massive armies of zombie devices are controlled from a central server, and are typically leased out to other criminal hackers to launch DDoS attacks against target websites.
According to a post by security vendor Arbor, the original Mirai botnet currently consists of a floating population of approximately 500,000 compromised IoT devices worldwide; relatively high concentrations of Mirai nodes have been observed in China, Hong Kong, Macau, Vietnam, Taiwan, South Korea, Thailand, Indonesia, Brazil, and Spain. Additional Mirai concentrations have also been observed in multiple countries in North America, Europe, and Oceania.
Arbor's researchers found that a Mirai variant in the wild has "a remote-control backdoor" that listens for commands on port 103. That was not present in the original source code, according to three independent security researchers who have studied the Mirai malware.
Normally, once Mirai infects a device it kills the device's telnet service, the same login path it used to get in, so that neither the owner nor rival malware can log in that way and the only remaining control path is the command-and-control channel. The new backdoor lets the criminals who infected a device keep controlling it even if their command-and-control server is taken down.
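The two behaviours described above, brute-forcing factory-default telnet credentials and, in the Arbor variant, serving a backdoor on port 103, are what a defender can actually look for. The following is an added example written for this page, not code from the article, from Arbor or from the Mirai source: it runs simple detection logic over constructed honeypot/firewall log lines. The key=value log format and its field names are assumptions; the credential pairs are a handful from the credential list in the published Mirai scanner (the full list is about 60 entries), and the port 103 check follows Arbor's description.

```python
import re
from collections import defaultdict

# A handful of username/password pairs from the credential list in the
# published Mirai scanner source (the full list has about 60 entries).
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("admin", "password"),
}
TELNET_PORTS = {23, 2323}   # Mirai probes 23 and, for roughly one probe in ten, 2323
BACKDOOR_PORT = 103         # listener of the variant Arbor described
BRUTE_THRESHOLD = 3         # distinct default pairs from one source before alerting

# Hypothetical "<timestamp> <kind> key=value ..." log format (an assumption,
# not the format of any real product).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {"ts": m["ts"], "kind": m["kind"], **fields}


def analyze(lines):
    """Return sources trying Mirai default logins and hosts that accepted a port-103 connection."""
    tried = defaultdict(set)   # src -> set of (user, pass) pairs from the Mirai list
    backdoor_hosts = set()     # internal hosts with an established inbound connection on 103
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        try:
            dport = int(ev.get("dport", "0"))
        except ValueError:
            continue
        if ev["kind"] == "telnet-login" and dport in TELNET_PORTS:
            # Count distinct Mirai pairs per source, regardless of success or failure:
            # a successful login with a default credential is the worst case.
            pair = (ev.get("user", ""), ev.get("pass", ""))
            if pair in MIRAI_DEFAULTS:
                tried[ev["src"]].add(pair)
        elif ev["kind"] == "conn" and dport == BACKDOOR_PORT and ev.get("state") == "established":
            backdoor_hosts.add(ev["dst"])
    brute = {src for src, pairs in tried.items() if len(pairs) >= BRUTE_THRESHOLD}
    return {"brute_force_sources": brute, "backdoor_hosts": backdoor_hosts}


# Constructed sample log using RFC 5737 documentation addresses; not real traffic.
SAMPLE_LOG = """\
2016-10-25T10:00:01Z telnet-login src=203.0.113.7 dst=192.0.2.10 dport=23 user=root pass=xc3511 result=fail
2016-10-25T10:00:02Z telnet-login src=203.0.113.7 dst=192.0.2.10 dport=23 user=root pass=vizxv result=fail
2016-10-25T10:00:03Z telnet-login src=203.0.113.7 dst=192.0.2.10 dport=2323 user=admin pass=admin result=success
2016-10-25T10:00:04Z telnet-login src=198.51.100.4 dst=192.0.2.11 dport=23 user=alice pass=correcthorse result=fail
2016-10-25T10:00:05Z telnet-login src=198.51.100.4 dst=192.0.2.11 dport=23 user=root pass=admin result=fail
2016-10-25T10:05:00Z conn src=203.0.113.7 dst=192.0.2.10 dport=103 proto=tcp state=established
2016-10-25T10:05:01Z conn src=198.51.100.9 dst=192.0.2.12 dport=103 proto=tcp state=refused
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample log this flags 203.0.113.7 (three distinct Mirai pairs, one of them successful) and 192.0.2.10 (it accepted a connection on port 103 right after the successful login), while 198.51.100.4 stays below the threshold and the refused port-103 attempt is ignored. Two caveats: usernames and passwords only appear in honeypot or telnet-proxy logs, not in ordinary firewall logs, and an open port 103 on its own is weak evidence, so correlate it with the telnet activity before acting on it.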
More Here [Motherboard]