Mirai: Now with TOR

Botnets, a collection of Internet-connected devices compromised by malware and under the control of a botnet “herder”, pose a significant threat to the cybersecurity of both the owners of the devices and the rest of the Internet at large.

photo credit: Obsydistone / Wikia

The security impact of botnets on the Internet arises because they are designed to amplify the botnet herder’s ability to perform large-scale cyberattacks. A common example of this is a Distributed Denial of Service (DDoS) attack, where many devices work together to overwhelm and take down an organization’s website. As botnets grow larger and easier to create, organizations increasingly need to deploy robust DDoS protection solutions to help protect their Internet presence.

One famous example of a botnet was the Mirai botnet. This botnet contained hundreds of thousands of compromised machines and participated in some massive DDoS attacks against legitimate websites. Mirai is also famous for its many descendants, malware derived from the Mirai source code. One of these descendants is now using the TOR network to conceal its traffic, making the botnet much more difficult to defeat.

Introduction to Mirai

The Mirai botnet demonstrated the insecurity of many Internet of Things devices and their potential value to hackers. The Internet of Things makes up a rapidly growing component of the Internet as device manufacturers continue to connect new types of appliances to the Internet in the name of convenience. While the ability to manage these devices from a smartphone or using voice commands is convenient, their power and Internet connections pose a significant security risk.

In the case of Mirai, a botnet of hundreds of thousands of IoT devices was created and used to launch DDoS attacks of record sizes. The hacker who developed the code behind Mirai and its massive botnet did not have to discover or exploit any complicated vulnerabilities to pull off this attack. The poor security of IoT devices did most of the work for them.

The Mirai botnet was enabled by the use of default passwords on many IoT devices. A list of 61 different username/password combinations was collected by the developer of Mirai and included in the source code of the malware. The malware would then scan for potentially vulnerable IoT devices and try to log into them using this list of common credentials. If successful, the device was added to the botnet and used as a resource in the hacker’s DDoS attacks against other victims.

While Mirai is an extreme case of poor design and security of IoT devices, it’s far from the only one. Many other botnets have been developed to take advantage of vulnerabilities in poorly secured IoT devices. The vulnerability exploited by Mirai, the use of weak default passwords, is still a common one and is routinely exploited by IoT malware. As a result, IoT devices remain vulnerable to compromise by this malware and can be used as a component in a DDoS attack or as a stepping stone to compromise an organization’s protected internal network.

The New Face of Mirai

While the Mirai botnet was bad enough, the damage caused by this malware wasn’t limited to the original instance. The source code of Mirai was made open source, allowing anyone to make a copy and modify it to their own specifications. Since the exploitation mechanism used in the code is relatively simple and easy to understand (scanning for open ports and trying a list of usernames and passwords), this has led to a rash of botnets descending from the original Mirai code.

One disturbing feature of a new variant of Mirai is the use of the TOR network to hide the identity of the malware’s command and control server. In general, tracking down and taking down a malware’s command and control server is an effective way to neutralize a botnet, since the infected devices can no longer receive instructions from the botnet herder.

However, this only works if the malware’s command and control server can be found. The TOR network is designed to obscure the source of a transmission, making it difficult to find the servers hosting websites that use onion addresses. Because this new Mirai variant uses a list of thirty different TOR websites for command and control, taking these sites down is difficult or impossible. As a result, the botnet cannot be easily neutralized through its command and control servers, and infected machines must instead be identified and cleaned. If IoT-focused malware continues to make use of the TOR network for anonymity, IoT botnets may be difficult or impossible to eradicate.
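The following is an added example, not code from the original article, of the "identify infected machines" step: it flags hosts in an IoT network segment whose flow records show contact with Tor relays or a fan-out to many Telnet targets. The addresses, segment, relay set, flow records and threshold are constructed assumptions; ports 23 and 2323 are the Telnet ports the original Mirai scanner probed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All values below are constructed for this example (documentation address ranges).
IOT_SEGMENT = ip_network("10.20.0.0/24")       # assumed VLAN that holds the IoT devices
TOR_RELAYS = {"203.0.113.7", "203.0.113.99"}   # stand-in for the public Tor relay list
TELNET_PORTS = {23, 2323}                      # ports probed by the original Mirai scanner
SCAN_FANOUT = 5                                # assumed threshold of distinct Telnet targets

# Constructed flow records: (source IP, destination IP, destination port)
FLOWS = (
    [("10.20.0.15", f"198.51.100.{i}", 23) for i in range(1, 7)]  # camera sweeping Telnet
    + [
        ("10.20.0.15", "203.0.113.7", 9001),   # same camera also talks to a Tor relay
        ("10.20.0.22", "192.0.2.10", 443),     # thermostat reaching its vendor cloud
        ("10.20.0.30", "203.0.113.99", 443),   # DVR talking to a Tor relay only
        ("10.20.0.40", "10.20.0.1", 23),       # single Telnet session, below threshold
        ("10.30.0.5", "203.0.113.7", 9001),    # workstation outside the IoT segment
    ]
)

def find_suspect_devices(flows, iot_net=IOT_SEGMENT, relays=TOR_RELAYS,
                         fanout=SCAN_FANOUT):
    """Return {device_ip: [reason, ...]} for IoT hosts showing bot-like traffic."""
    telnet_targets = defaultdict(set)   # device -> distinct Telnet destinations
    tor_peers = defaultdict(set)        # device -> distinct Tor relays contacted
    for src, dst, dport in flows:
        if ip_address(src) not in iot_net:
            continue                    # this check only covers the IoT segment
        if dst in relays:
            tor_peers[src].add(dst)
        if dport in TELNET_PORTS:
            telnet_targets[src].add(dst)

    findings = {}
    for src in sorted(set(telnet_targets) | set(tor_peers)):
        reasons = []
        if tor_peers.get(src):
            reasons.append("tor-relay-contact")   # IoT gear rarely has a reason to use Tor
        if len(telnet_targets.get(src, ())) >= fanout:
            reasons.append("telnet-fanout")       # many distinct targets suggests scanning
        if reasons:
            findings[src] = reasons
    return findings

if __name__ == "__main__":
    for device, reasons in find_suspect_devices(FLOWS).items():
        print(device, ", ".join(reasons))
```

Devices flagged this way are candidates for isolation, credential reset and reflashing rather than confirmed infections; the threshold should be tuned against the segment's normal traffic.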

IoT and DDoS

Internet of Things devices are a rapidly growing demographic on the Internet. These devices can provide a great deal of convenience to their owners, but their poor security is a headache for everyone else. Malware like Mirai is designed to take advantage of negligence on the part of the device manufacturers, like the use of default passwords, to compromise these machines and collect them into botnets. These botnets are then put to use by hackers to perform DDoS attacks against legitimate organizations’ websites.

The growth of the IoT and its endemic poor security make the use of robust DDoS protection solutions an integral part of any organization’s cybersecurity strategy. As the Internet of Things grows, the potential scale of a DDoS attack grows as well, meaning that organizations need access to massive scrubbing capabilities at a moment’s notice in order to protect their web presence from being disabled by hackers.
