The Mirai sequel: how IoT botnet trouble is only just beginning

The Mirai sequel: how IoT botnet trouble is only just beginning

As the record-setting DDoS attacks caused by the Mirai IoT botnet occurred one after the other last fall, culminating in an attack that wiped sites as big as Reddit and Twitter offline, even casual online security observers knew the worst thing about the attacks wasn’t the outages or the damage they caused, or even the immense frustration felt by internet users around the world. The worst thing about the attacks, and the botnet behind them, was what it all meant for the future of online security.

Sure enough, there’s new malware infecting IoT devices to form a monstrous botnet and it may as well be called Mirai 2: Electric Boogaloo because it sounds like the same old story, but it seems as if it’s going to be worse.

Botnet business

A botnet is a network of an increasingly huge number of internet-connected devices that have been infected by malware in order to allow them to be controlled by an attacker. Botnets were bad enough when attackers had to circumvent the serious security on a computer in order to enlist a device in a botnet, but now that the Internet of Things (IoT) is upon us it’s easier than ever to put together botnets in unprecedented sizes.

The IoT consists of billions of devices, and the majority of those devices have shockingly weak security that most often consists of default usernames and passwords that are a breeze for botnet builders to crack. As a result, massive botnets made up of CCTV cameras, webcams and other smart devices are doing attackers’ bidding all over the internet in the form of DDoS or distributed denial of service attacks, which aim the malicious traffic of a botnet at a target website or online service with the aim of overwhelming it and leaving it either so slow it can’t be used or offline altogether.

Arguably the most famous of the IoT botnets is the Mirai botnet, which was behind attacks on security blogger Brian Krebs, French hosting provider OVH and DNS provider Dyn last fall, smashing DDoS records with each assault. The Dyn attack was the largest, weighing in at 1.2 Tbps and taking over 50 major websites offline for hours. For all its destruction, however, Mirai could’ve been better designed. That’s where Hajime comes in.

Hello Hajime

Hajime is the name given to a new piece of malware enslaving internet-connected devices. It was actually discovered by internet security researchers in October of 2016, the same month Mirai lashed out at Dyn, and has been steadily gaining power ever since.

Similar to Mirai, Hajime targets IoT devices, trying different username and password combinations until it can get in and infect the device with a malicious program that enables remote control. One estimate of Hajime’s size puts its number of infected devices around 100,000. This is hundreds of thousands fewer devices than Mirai has reportedly amassed, yet security experts agree Hajime is potentially much more dangerous than Mirai.

The difference between the two botnets lies in how they’re run. Mirai has centralized command and control servers, which directs infected devices when it’s time for an attack. The key to stopping Mirai has been blocking traffic to these command servers, choking off the command servers’ abilities to make an attack happen.

Instead of using command and control servers, Hajime communicates using a peer to peer network. This means many of the average devices in the botnet can distribute instructions to the rest of the botnet. With the control of the botnet being so decentralized, it’s much harder to stop. Security experts have called Hajime much more advanced than Mirai, even going so far as to call it Mirai on steroids.

The implications

It’s hard to imagine a distributed denial of service attack crazier than the one that took down Dyn, but with massive IoT botnets getting even more advanced it stands to reason that 2017 will make 2016’s attacks look like child’s play, with one security expert even predicting a worldwide 24 hour outage at some point this year. This means professional DDoS protection is more essential than ever. Any website or business needs to proactively invest in protection that sits at the edge of the network and keeps attack traffic from ever reaching its target thanks to granular traffic inspection.

IoT device owners also need to take steps to secure their devices in order to strike at the root of the ever-growing DDoS problem. To protect against Hajime, change default usernames and passwords to ones that would be hard to guess. Other steps that can be taken include blocking TCP port 4636 used in stage 1, blocking any traffic from Telnet sessions executing the shell command the “/bin/busybox ECCHI”, and blocking UDP packets containing the key exchange message of Hajime.

Tuning out

Save for the head-scratchingly popular Fast and Furious franchise, no one likes a sequel. Especially one that could potentially wreak record-setting havoc on websites and services across the internet with no straightforward way to stop it. Until IoT device manufacturers and users start prioritizing security, these big bad botnets are going to be free to steamroll targets all over the globe – unless they happen to come up against leading DDoS protection. Wouldn’t it be nice if this sequel could have that kind of twist ending?

I'm the editorial writer for DroidHorizon. You'll find my content varies in the technology, science, & lifestyle categories.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


Time limit is exhausted. Please reload CAPTCHA.

Lost Password

Sign Up