Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

Mirai Goes Open-Source and Morphs into Persirai

How can companies prevent IoT devices from becoming unwitting members of a Persirai botnet?
By Robert Hamilton
Jul 31, 2017

The Mirai malware has become notorious for recruiting Internet of Things devices to form botnets that have launched some of the largest distributed denial-of-service (DDoS) attacks recorded to date. Mirai came onto the scene in late 2016 as the malware behind very large DDoS attacks, including a 650 Mbps attack on the Krebs on Security site. It's also purported to have been the basis of the attack in October 2016 that brought down sites including Twitter, Netflix, Airbnb and many others. Since then, Mirai has morphed into an even more aggressive and effective botnet tool.

When the research team at Imperva accessed the Incapsula logs after the Krebs attacks last fall, they found that, indeed, the Mirai botnet had been active well before the notorious September attack. Imperva discovered a botnet of nearly 50,000 Mirai-infected devices spread throughout 164 countries, with the top-infected countries identified as Vietnam, Brazil and the United States. But even before Mirai became public, the Imperva team saw vulnerable IoT devices as a problem in the making.

Back in 2014, Imperva started seeing a massive increase in the number of weekly unique DDoS bot sessions and identified closed-circuit television (CCTV) surveillance devices as a contributing factor, most of which were open to easily guessable default passwords. In 2015, Imperva discovered a botnet executing HTTP GET flood DDoS attacks peaked around 20,000 requests per second from 900 CCTV cameras throughout the globe. The Imperva research foreshadowed the targeting of IoT devices as a new and plentiful source of botnets.

It wasn't until Mirai was publically announced on Hack Forums in October that Imperva's IoT prediction gained energy. Like legitimate source code, Mirai has seen a number of improvements since its release. Mirai's focus on effectiveness at aggressively recruiting some of the most vulnerable IoT devices has made it a popular choice for hackers who want to create very large botnets.

Only weeks after the release of the original Mirai source code, Imperva documented a new variant that was found to be responsible for exploiting a newly discovered TR-069 vulnerability on wireless routers. To make the malware even more effective, the authors added the ability to close the vulnerability after the router was infected, making it more difficult to update the devices remotely until they could be rebooted.

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations