Mirai Botnet 2021 Attack
Monday, January 11, 2021, we discovered a version of the Mirai botnet attacking some of our systems. We stopped these attacks and are fully engaged in defending our systems.
Wednesday, January 13, 2021, we are seeing more systems that appear to be infected that are attacking our systems and other systems with the Mirai botnet code.
It appears, we have the beginnings of another massive Mirai Botnet distributed denial of service (DDoS) attack.
Here is the history on these types of attacks:
On October 12, 2016, a massive, distributed denial of service (DDoS) attack left much of the internet inaccessible on the U.S. east coast. The attack, which authorities initially feared was the work of a hostile nation-state, was in fact the work of the Mirai botnet.
This attack, which initially had much fewer grand ambitions — to make a little money off Minecraft aficionados — grew more powerful than its creators ever dreamed possible. It is a story of unintended consequences and unexpected security threats, and it says a lot about our modern age. But to understand it, you need a little background.
How botnets work
A botnet is a collection of internet-connected computers — the “bots” — that are under remote control from some outside party. Usually, these computers have been compromised by some outside attacker who controls aspects of their functionality without the owners knowing.
Because there are many bots, the controllers basically have access to a sort of hacked-together supercomputer that they can use for nefarious purposes, and because the bots are distributed over various parts of the internet, that supercomputer can be hard to stop. The very first botnet was built in 2001 to send spam, and that is still a common use: because the unwanted messages are being sent from so many different computers, they’re hard for spam filters to block. Another common use — and the one the Mirai botnet served — is as foot soldiers in a DDoS attack, in which a target server is simply bombarded with web traffic until it’s overwhelmed and knocked offline.
How to make a botnet
Traditionally, botnets are created by compromising home PCs, which often had several vulnerabilities. PCs could be captured either through unprotected network ports or via trojans or other malware, often spread by spam, that would open backdoors attackers could access. Once the PC is compromised, the controller — known as a bot herder — issues commands via IRC or other tools. Sometimes commands come from a central server, though more often now botnets have a distributed architecture that makes their controllers harder to track down.
What is an IoT botnet?
Over the years, PC makers have gotten savvier about building security into their computers. But another tempting target is out there for botnet builders: Internet of things (IoT) devices, a blanket term for various gadgets that most people don’t think of as computers, but that still have processing power and an internet connection. These devices, ranging from home routers to security cameras to baby monitors, often include an embedded, stripped down Linux system. They also often have no built-in ability to be patched remotely and are in physically remote or inaccessible locations.
By 2017, there were 8.4 billion of these “things” out there on the internet, ripe for the plucking. Mirai took advantage of these insecure IoT devices in a simple but clever way. Rather than attempting to use complex wizardry to track down IoT gadgets, it scanned big blocks of the internet for open Telnet ports, then attempted to log in using 61 username/password combos that are frequently used as the default for these devices and never changed. In this way, it was able to amass an army of compromised closed-circuit TV cameras and routers, ready to do its bidding.
What was the Mirai botnet attack?
But let us back up a bit. Who built Mirai, and what was its purpose?
While much of the malware ecosystem emerges from the murky underworld of Eastern European organized crime or nation-state intelligence services, we have names and places to go with this particularly striking attack. Paras Jha, an undergraduate at Rutgers, became interested in how DDoS attacks could be used for profit. He launched a series of minor attacks against his own university’s systems, timed to match important events like registration and midterms, all the while trying to convince them to hire him to mitigate those attacks.
He also was big Minecraft player, and one of the quirks of the Minecraft economy is that there’s good money to be made in hosting Minecraft game servers — which leads to running skirmishes in which hosts launch DDoS attacks against their rivals, hoping to knock their servers offline and attract their business.
Mirai was another iteration of a series of malware botnet packages developed by Jha and his friends. Jha, who loved anime and posted online under the name “Anna-Senpai,” named it Mirai (Japanese for “the future”, 未来), after the anime series Mirai Nikki, or “future diary.” It encapsulated some clever techniques, including the list of hardcoded passwords. But, in the words of an FBI agent who investigated the attacks, “These kids are super smart, but they didn’t do anything high level—they just had a good idea.”
Mirai DDoS
Mirai’s first big wave of attacks came on September 19, 2016 and was used against the French host OVH — because, as it later turned out, OVH hosted a popular tool that Minecraft server hosts use to fight against DDoS attacks. A few days later, “Anna-Senpai” posted the code of the Mirai botnet online — a not-uncommon technique that gives malware creators plausible deniability, because they know that copycats will use the code, and the waters will be muddied as to who created it first. The big attack on October 12, 2016 was launched by somebody else against Dyn, an infrastructure company that among other things offers DNS services to a lot of big websites. The FBI believes that this attack was ultimately targeting Microsoft game servers.
In December 2016, Jha and his associates pled guilty to crimes related to the Mirai attacks. But by then the code was in the wild and being used as building blocks for further botnet controllers.
Mirai botnet source code
the Mirai botnet code was released into the wild. That means that anyone can use it to try their luck infecting IoT devices, and launching DDoS attacks against their enemies or selling that power to the highest bidder. Many cybercriminals have done just that or are tweaking and improving the code to make it even harder to fight against.
Mirai botnet analysis and detection
Here is the current analysis (more will be listed soon):
• Mirai can launch both HTTP flood and network-level attacks.
• There are certain IP address ranges that Mirai is hard-wired to avoid, including those owned by GE, Hewlett-Packard, and the U.S. Department of Defense
• Upon infecting a device, Mirai looks for other malware on that device and wipes it out, to claim the gadget as its own.
• Mirai’s code contains a few Russian-language strings—which, as we later learned, were a red herring about its ultimate origins.
Reference 1: www.csoonline.com – mirai botnet explained.
Adept Historic Analysis Reference 1: April 27, 2016 – US Confirms BlackEnergy Malware Used In Ukrainian Power Plant Hack.
Adept Historic Analysis Reference 2: November 20, 2016 – German nuclear plant suffers cyber attack designed to give hackers remote access.
Be safe!
Let us try to prevent Bad hacking history from repeating.
Contact us today toll free 1-888-392-9623 to find out more on how Adept Technologies can save you money by utilizing our services and software technology.
