Mirai (Japanese for “the future”) is malware that turns computer systems running Linux into remotely controlled “bots”, which can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks.
The Mirai botnet recently struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds for building powerful and sophisticated cyber-attack tools.
In addition to generating traffic volumes above 1TBps, Mirai features a selection of ten predefined attack vectors, some have proven effective taking down the infrastructure of service providers and cloud scrubbers by attacking their protections. Among the ten vectors, there are highly sophisticated attack vectors such as GRE floods, TCP STOMP and Water Torture attacks.
Mirai attacks also highlight the challenges organizations face when it comes to visibility into the legitimacy of GRE traffic or recursive DNS queries.
Why Is an IoT Botnet So Attractive?
IoT devices are attractive targets for hackers for several reasons:
- First, they usually fall short when it gets to endpoint protection implementation
- Second, there is no regulation or standards for a secure use of IoT devices as exists for PCs and servers for example. Such regulation shall ensure secured configurations and practices such as changing default passwords, access control restrictions (for instance, disable remote access to administrative ports).
- Third, they operate 24*7 and can be used at any moment.
Common malware usually takes advantage of zero-day and known exploits to gain control over their target machines. This is usually complex and time consuming. Mirai authors wisely choose to skip the wearing zero-day research and instead attack one of the most insecure areas in the cyber landscape – IoT devices.
Mirai specifically targets closed-circuit television cameras, routers and DVR’s, taking them over to create a botnet which is later used to launch sophisticated multi-vector DDoS assaults. The source code of the malware was written in C and the code for the command and control server (C&C) was written in Go. Mirai scans for potential targets – specifically devices with default manufacturer credentials. These are hard coded into the device hardware by the manufacturer. After brute-forcing the device credentials, Mirai remotely connects to the attacked targets using Telnet and SSH access points which are often left open by default. With a basic dictionary attack, Mirai gains control over its targets using the default credentials.
A portion of the dictionary content used by the malware
New Dangers Lurking Mirai Source Code
Mirai botnet hosts common attacks such as SYN and ACK floods, as well as introduces new DDoS vectors like GRE IP and Ethernet floods. Mirai also features intelligent evasion mechanisms to bypass known security controls and mitigation methods before reaching its target.
GRE Flood Attack – Generic routing encapsulation (GRE) is a tunneling type protocol developed by Cisco. GRE mainly encapsulates data packets and routes them through the tunnel to a destination network that de-encapsulates the payload packets. Sending many GRE packets with large amount of encapsulated data may lead to resource consumption once the victim will try to de-encapsulate them until exhaustion. This screen shows the bot sends GRE packets with encapsulated UDP packet containing 512 bytes of random data
The payload, structure, size and other elements correspond with the ones generated by Mirai botnet. Moreover, the malware is able to recognize DDoS protection solutions and adjust the attack accordingly
HTTP (Layer 7) flood attack: HTTP flood consists of seemingly legitimate session-based sets of HTTP GET or POST requests sent to a target web server. These requests are specifically designed to consume a significant amount of the server’s resources, and therefore can result in a denial-of-service condition.
HTTP makes it difficult for network security devices to distinguish between legitimate HTTP traffic and malicious HTTP traffic, and could cause a high number of false-positive detections. Rate-based detection engines are also not successful at detecting HTTP flood attacks, as the traffic volume of HTTP floods may be under detection thresholds. Because of this, it is necessary to use several parameters detection including rate-based and rate-invariant. Mirai uses common headers and standard user agent to emulate legitimate traffic. This type of attack could be mitigated using an automatically adapting, network behavioral solution that differentiates legitimate user traffic from botnet traffic
TCP STOMP Attack: The classic ACK flood attack with a twist. As simple botnets will be easily blocked by most network security solutions as they send large volumes of ACK packets, Mirai starts with the ACK flood only after have gaining a legitimate sequence number by completing the TCP connection process. By receiving a sequence number, Mirai raises the odds of bypassing network security solutions.
DNS Water Torture Attack: The attacker sends a pre-crafted DNS query to the service provider DNS server. The malicious DNS query contains random string concatenated previous to the victim’s domain (For example xxxyyyy.www.VictimDomain.com). The DNS server will attempt to get an answer from the authoritative name server over and over with no success and then will automatically send the malicious query to the next authoritative name server repeatedly. Sending different false strings with the victims’ domain name will eventually dramatically increase the DNS server’s CPU utilization till it crashes).
Five Keys to Defend Against Botnets
- Hybrid DDoS Protection (on-premise + cloud) – for real-time protection that also addresses high volume attacks and protects from pipe saturation.
- Behavioral-Based Detection – to quickly and accurately identify and block anomalies while allowing legitimate traffic through.
- Real-Time Signature Creation – to promptly protect from unknown threats and 0-day attacks.
- Protect your GRE Tunnels – or have your providers do so by monitoring and probing the traffic passes through them.
- A cyber-security emergency response plan that includes a dedicated emergency team of experts