Rise in IoT DDoS Attacks Predicted After Release of Mirai Malware Code

The code for a Trojan capable of creating an IoT botnet for use in massive distributed denial-of-service (DDoS) attacks has been released on a hacking forum. It is feared that, now the code is publicly available, it will lead to a proliferation of IoT DDoS attacks.

The code for the Mirai malware was released on Friday last week by its creator, a hacker operating under the name Anna-senpai. While the hacker has been involved in the DDoS industry for some time, offering DDoS-as-a-service, she felt it was time to leave as DDoS attacks are now attracting a lot of attention. She recently said in an online post, “I made my money…it’s time to GTFO.”

According to the post on Hackforums, Anna-senpai said “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

The Krebs on Security DDoS to which the hacker refers was a colossal 620 Gbps attack. That attack was conducted using the Mirai botnet.

Mirai creates a botnet by scanning the Internet for IoT devices that have poor security, such as default passwords or hardcoded usernames and passwords. Those devices are then hijacked to create extremely large botnets capable of launching massive DDoS attacks. Mirai can be used for UDP, DNS and HTTP floods, in addition to GRE IP and Ethernet floods.

While PC botnets remain active for some time, the botnets created by Mirai are short-lived and do not usually survive a reboot of the infected device. This means the botnet has to be rebuilt constantly. However, there is no shortage of vulnerable devices, and given the level of scanning now taking place, a device is likely to be re-infected very quickly after a reboot.
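The two behaviours described above, mass scanning of telnet ports and rapid re-infection after a reboot, are visible to a defender in perimeter connection logs. The following is an added example (not code from the article or from Mirai itself) that parses constructed firewall log lines, flags sources probing telnet on several hosts, and measures how soon a device is probed again after it comes back online; the log format and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Ports Mirai-style scanners typically probe (telnet and its common alternate)
TELNET_PORTS = {23, 2323}

# Constructed sample log lines: "<ISO time> <src> -> <dst>:<port>" (includes one malformed line)
SAMPLE_LOG = """\
2016-10-03T10:00:01 198.51.100.7 -> 192.0.2.10:23
2016-10-03T10:00:02 198.51.100.7 -> 192.0.2.11:23
2016-10-03T10:00:02 198.51.100.7 -> 192.0.2.12:2323
2016-10-03T10:00:03 198.51.100.7 -> 192.0.2.13:23
2016-10-03T10:00:05 203.0.113.9 -> 192.0.2.10:443
malformed line that should be skipped
2016-10-03T10:00:09 203.0.113.9 -> 192.0.2.10:80
2016-10-03T10:05:15 198.51.100.44 -> 192.0.2.10:23
"""

def parse_log(text):
    """Return (timestamp, src, dst, dport) tuples, silently skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue
        dst, _, port = parts[3].rpartition(":")
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], dst, int(port)))
        except ValueError:
            continue
    return events

def find_scanners(events, min_targets=3):
    """Map each source that probed telnet ports on >= min_targets distinct hosts to its target count."""
    targets = defaultdict(set)
    for _, src, dst, dport in events:
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}

def seconds_until_reprobe(events, device_ip, online_at_iso):
    """Seconds from a device coming (back) online to its first telnet probe; None if never probed."""
    online_at = datetime.fromisoformat(online_at_iso)
    probes = [ts for ts, _, dst, dport in events
              if dst == device_ip and dport in TELNET_PORTS and ts >= online_at]
    return (min(probes) - online_at).total_seconds() if probes else None

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanning sources:", find_scanners(evs))
    print("seconds to re-probe:", seconds_until_reprobe(evs, "192.0.2.10", "2016-10-03T10:05:00"))
```

A short time-to-reprobe value is the practical argument for changing default credentials and disabling exposed telnet before a device is returned to service, rather than relying on a reboot to clean it.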

According to Krebs, there are at least two malware families being used to create large IoT botnets, the other being Bashlight. Botnets of this nature can be used to launch huge IoT DDoS attacks, with attacks exceeding 1 Tbps possible.

Defending against such attacks is difficult. While there are some organizations that offer DDoS mitigation services, they are few and far between. Furthermore, resolving large scale attacks can prove incredibly costly. The huge attack on Krebs on Security resulted in Akamai Technologies dropping Krebs as a client due to the cost of resolving the attack.

Unfortunately, now that the code has been released, many more players could become involved. That could lead to a wave of IoT DDoS attacks capable of taking down large portions of the Internet. Ordinary users would also be affected, as a proliferation of attacks would make accessing the Internet incredibly slow while hijacked devices consume an increasing share of ISP bandwidth.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news