As we begin our journey into 2017, many of us will take the opportunity to look back on how 2016 went. This time of year is conducive to self-reflection and introspection, learning from the past to prepare for the future. Though there were many incidents over the course of the past twelve months, none captured my attention as much as the Mirai botnet. Adaptable, difficult to detect, and enormously disruptive, I believe Mirai to be the first in a series of new threats which will impact the world on a scale that was previously unimaginable.

Cried Out In Unison – Biggest DDoS of 2016

Mirai first came into the media’s attention around September when researcher Brian Krebs was targeted by a historically large DDoS attack. In his debrief with Akamai, it was noted that rather than relying on DNS amplification to achieve such traffic, it seemed to have come from many different sources. This suggested that a enormous number of devices were compromised, and soon enough the world started to hear and read the word “Mirai”. This enterprising botnet took advantage of the insecurity of internet-connected smart devices like cameras, printers, DVRs. By using a brute force attack and trying commonly used administrative passwords, Mirai took over millions of devices all around the world. This translated into more available bandwidth for attackers to use and overwhelm servers.

Analyzing data coming from a honeypot built similarly to those designed by arm5077 and robertdavidgraham, we were able to gather 111,783 connections in a period of just 30 days. After removing the duplicates, we were left with 8,578 unique IPs to work with.

Mirai geolocated IP addresses

Based on served HTTP banners and Shodan data we identified:

  • 2,861 surveillance cameras
  • 759 DVR players
  • 1,088 routers
  • 76 firewall devices

The results help to clarify Mirai’s significant difference from classic botnets — its choice of targets. We can see that rather than attacking home computers, its victims were internet connected devices which have long been under the scrutiny of security researchers, and that choice made it incredibly successful. By striking at things that were both insecure and extremely popular, the botnet was able to gain ground quickly. With unprecedented DDoS power, attackers were able to go after huge targets: after Krebs, French host OVH was attacked, then Dyn, then the country of Liberia, and most recently Deutsche Telekom. In the span of just a few months, vital pieces of the internet’s infrastructure have been assaulted by Mirai, and there’s no reason to believe this will subside in the coming years as more IoT devices make their way into homes everywhere.

Vulnerable devices can be found almost anywhere. Geolocation of captured IP addresses indicates that majority of the infected devices are based in Taiwan (1,152), Vietnam (1,136), China (789), Brazil (650), Turkey (483), Russia (426) and India (408).

Visualization of IP addresses used by Mirai

Mirai’s Future – Predicted Paths

Based on observed combinations of default credentials used by bots, we predict that the next devices which will be targeted by Mirai include:

  • ACTi IP Cameras
  • ANKO Products DVRs
  • Axis IP Cameras
  • Dahua Cameras and DVRs
  • Dreambox TVs
  • HiSilicon Cameras
  • Mobotix Network Cameras
  • Realtek Routers
  • SMC Routers
  • Ubiquiti AirOS Routers
  • VideoIq Systems

When the source code of Mirai was released to hackers, this made it only more attractive for ambitious malicious actors looking to adapt it to their needs. Recently, it has been modified to create domains through a DGA to better avoid detection and keep a constant contact with C&C servers, and it seems likely that changes will be made to start implementing Tor and other traffic obfuscation methods. David Rodriguez recently profiled this new DGA enabled variant in a blog post, and the data he gathered combined with the analysis done by other researchers has revealed Mirai to be a thoroughly interconnected piece of malware, sharing space with ransomware distributors and other assorted awful things on the internet.

Visualization of domains generated by Mirai and cooccurences.

Into the Breach – Next Steps

So where do we go from here? What can be done about Mirai and other IoT botnets that are sure to follow? The largest share of the burden lies with manufacturers who continue to fail to address the issue of using weak security practices with their products. Devices should be sent from the factory with unique credentials instead of collectively sharing an easily guessed login and password combination such as “admin/admin” or “admin/password”. It would also be very helpful to limit access through commonly used ports and protocols like Telnet. IoT devices need to be designed with built-in protections against intrusion and compromise by using unique device passwords and preventing insecure remote logins. Individual users and administrators can help themselves by logging into the devices in their possession and changing weak passwords, as well as implementing port defenses to keep remote communications at bay. Though this might make a dent in reducing the amount of devices that are vulnerable, the most effective place to make this change is at the manufacturer’s level. Further, ISPs and DNS providers need to be aware of the problem and work closely together. The possibility of attacks at this scale must spur changes, both to the underlying architecture of the internet and the companies that deliver it as well as to the methods of response to massive DDoS attacks from the entire internet community. Given that IoT botnets will grow larger as more devices connect to the web, we must change the internet’s ability to handle it and our responses to it.

2017 will prove to be a very interesting year, and rather than simply watching it as it unfold, we must be willing to meet its challenges head on. The future is here, and we must prepare ourselves now.

Thanks to Austin McBride for contributing visualizations.

This post is categorized in: