A strategy used by malicious attackers to scale up their cyber attacks is the use of botnets.
A botnet is a network of computers that have been infected by malware and are remotely controlled by a malicious actor. Such a malicious actor controlling a group of infected computers is called a bot herder. Individual infected devices are referred to as bots.
Bot herders command and control the group of infected computers, allowing them to conduct cyber attacks on a much larger scale. Botnets have been used prominently in large-scale denial of service, phishing, spamming attacks, and data theft.
An example of malware that has since gained notoriety for hijacking digital devices to create very large botnets is the Mirai Botnet malware. Mirai is a botnet malware that targets and exploits vulnerabilities in Internet of Things (IoT) devices running Linux.
Upon infection, Mirai hijacks the IoT device turning it into a remotely controlled bot that can be used as part of a botnet to launch massive cyber attacks. Mirai was written using C and GO.
The malware gained prominence in 2016 when it was used in a distributed denial of service (DDOS) attack on Dyn, a Domain Name System provider. The attack prevented internet users from accessing sites like Airbnb, Amazon, Twitter, Reddit, PayPal, and Visa, among others.
Mirai malware was also responsible for DDOS attacks on the cybersecurity site Krebs on Security and the French cloud computing company OVHCloud.
How Mirai Was Created
The Mirai malware was written by Paras Jha and Josiah White, who at the time were students in their early 20s and also the founders of ProTraf Solutions, a company that offered DDOS mitigation services.
Initially, their goal for Mirai was to take down competing Minecraft servers using DDOS attacks so that they could get more customers by doing away with the competition.
Their use for Mirai then shifted to extortion and racketeering. The duo would launch DDOS attacks on companies, then reach out to the companies they had attacked to offer DDOS mitigations.
Mirai Botnet caught the attention of authorities and the cyber security community after it was used to take down the website Krebs on Security and its attack on OVH. As Mirai Botnet started making headlines, the creators leaked the source code to Mirai Botnet on a publicly accessible hacking forum.
This was likely an attempt to cover their tracks and to avoid being held responsible for the DDOS attacks done using Mirai Botnet. The source code for Mirai Botnet was taken up by other cybercriminals, and this led to the creation of variants of Mirai Botnet such as Okiru, Masuta, Satori, and PureMasuta.
The creators of the Mirai Botnet were later captured by the FBI. However, they were not jailed and instead received lighter sentences because they cooperated with the FBI in capturing other cyber criminals and preventing cyber attacks.
How Mirai Botnet Works
An attack by Mirai Botnet involves the following steps:
- Mirai Botnet first scans IP addresses on the internet to identify IoT devices running Linux on ARC processors. It then identifies and targets devices that are not password protected or are using default credentials.
- Once it has identified vulnerable devices, Mirai tries a variety of known default credentials to try to gain network access to the device. If the device is using default configurations or is not password protected, Mirai logs into the device and infects it.
- Mirai Botnet then scans the device to find if it has been infected by other malware. In case it has, it removes all the other malware so that it is the only malware on the device, giving it more control over the device.
- A Mirai-infected device then becomes part of the Mirai Botnet, and it can be remotely controlled from a central server. Such a device simply awaits commands from the central server.
- Infected devices are then used to infect other devices or used as part of a botnet to conduct large-scale DDOS attacks on websites, servers, networks, or other resources accessible on the internet.
It is worth noting that Mirai Botnet came with IP ranges it did not target or infect. This includes private networks and IP addresses assigned to the United States Department of Defense and the United States Postal Service.
Types of devices targeted by Mirai Botnet
The primary target for Mirai Botnet is IoT devices using ARC processors. According to Paras Jha, one of the authors of the Mirai bot, most of the IoT devices infected and used by the Mirai Botnet were routers.
However, the list of potential victims for Mirai Botnet includes other IoT devices that use ARC Processors.
This could include smart home devices such as security cameras, baby monitors, thermostats, and smart TVs, wearable devices such as fitness trackers and watches, and medical IoT devices such as glucose monitors and insulin pumps. Industrial IoT devices using ARC processors can also be victims of the Mirai botnet.
How to Detect a Mirai Botnet Infection
Mirai Botnet is designed to be stealthy in its attack, and thus, detecting that your IoT device is infected with Mirai Botnet is no easy task. However, look for the following indicators, which might signal a possible Mirai Botnet infection on your IoT device:
- Slowed internet connection – Mirai botnet can cause your internet to slow down as your IoT devices are used to launch DDOS attacks.
- Unusual network traffic – In case you regularly monitor your network activity, you might notice a sudden increase in network traffic or requests being sent to unfamiliar IP addresses.
- Reduced device performance – Your IoT device performing suboptimally or exhibiting unusual behavior, such as shutting down or restarting on its own, could be an indicator of a possible Mirai Infection.
- Changes in device configurations – Mirai Botnet might make changes to your IoT devices’ settings or default configurations to make the devices easier to exploit and control in the future. In case you notice changes in the configurations of your IoT devices, and you’re not responsible for them, it could point to a possible Mirai Botnet infection.
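The "unusual network traffic" indicator above can be turned into a simple check over connection logs. The script below is an added example, not code from the original article: it parses constructed connection-summary lines (source, destination, destination port) of the kind a home router or flow collector might export, compares each device's destinations against a constructed baseline of addresses it normally talks to, and flags a device that suddenly fans out to many unfamiliar addresses on one port. That fan-out pattern is what an infected device exhibits while scanning for new victims; in the sample, the camera at 192.168.1.31 probes thirty addresses on port 23 (telnet, the service the original Mirai probed for default logins, a detail not stated in the article). All addresses, device names, thresholds and log formats are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed log line format: "<timestamp> src=<ip> dst=<ip> dport=<port>".
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed baseline: destinations each device is known to contact normally
# (e.g. its vendor cloud endpoint). Built from a quiet period of observation.
BASELINE = {
    "192.168.1.20": {"203.0.113.10", "203.0.113.11"},   # a laptop
    "192.168.1.31": {"203.0.113.50"},                   # an IP camera
}


def build_sample_log():
    """Constructed sample traffic: a normal laptop and a camera that starts scanning."""
    lines = [
        "2016-09-20T10:00:01 src=192.168.1.20 dst=203.0.113.10 dport=443",
        "2016-09-20T10:00:02 src=192.168.1.20 dst=203.0.113.11 dport=443",
        "2016-09-20T10:00:03 src=192.168.1.31 dst=203.0.113.50 dport=443",
    ]
    # The camera then contacts 30 distinct, never-before-seen hosts on port 23.
    for i in range(1, 31):
        lines.append(f"2016-09-20T10:01:{i:02d} src=192.168.1.31 dst=198.51.100.{i} dport=23")
    return "\n".join(lines)


def parse_flows(text):
    """Return a list of (src, dst, dport) tuples; lines that don't match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def find_scanners(flows, baseline, fanout_threshold=20, port_share=0.8):
    """Flag sources that contact many unfamiliar destinations, mostly on a single port.

    fanout_threshold: minimum number of unfamiliar destinations to raise an alert.
    port_share: fraction of all destinations that must share the top port,
                which distinguishes scanning from ordinary varied browsing.
    """
    dsts = defaultdict(set)
    per_port = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in flows:
        dsts[src].add(dst)
        per_port[src][dport].add(dst)

    findings = {}
    for src, dset in dsts.items():
        unfamiliar = dset - baseline.get(src, set())
        top_port, top_set = max(per_port[src].items(), key=lambda kv: len(kv[1]))
        if len(unfamiliar) >= fanout_threshold and len(top_set) / len(dset) >= port_share:
            findings[src] = {
                "unfamiliar_destinations": len(unfamiliar),
                "scan_port": top_port,
            }
    return findings


if __name__ == "__main__":
    for src, info in find_scanners(parse_flows(build_sample_log()), BASELINE).items():
        print(f"{src}: {info['unfamiliar_destinations']} unfamiliar destinations, "
              f"mostly on port {info['scan_port']}; isolate and inspect this device")
```

A device flagged this way is a candidate for the isolation step the article recommends: disconnect it, reset it, change its credentials and firmware, then rebuild its baseline before reconnecting. Tune the thresholds to the device type; a phone or laptop legitimately contacts many hosts on port 443, which is why the single-port share test matters.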
Although there are signs you can watch out for to know if your device has been infected, at times, you might not easily notice them simply because Mirai Botnet is made in such a way that makes it very hard to detect. As a result, the best way to deal with it is to prevent Mirai Botnet from infecting your IoT devices.
However, in case you suspect an IoT device has been infected, disconnect it from the network and only reconnect the device after the threat has been eliminated.
How to protect your devices from Mirai Botnet infection
Mirai Botnet’s key strategy in infecting IoT devices is testing a bunch of well-known default configurations to see if the users are still using the default configurations.
If that is the case, Mirai logs in and infects the devices. Therefore, an important step in protecting your IoT devices from Mirai Botnet is avoiding the use of default usernames and passwords.
Make sure to change your credentials and use passwords that cannot easily be guessed. You can even use a random password generator to get unique passwords that cannot be guessed.
Another step you can take is regularly updating your device’s firmware and also installing security patches whenever they are released. Companies often release security patches in case vulnerabilities are discovered in their devices.
Therefore, installing security patches whenever they are released could help you stay ahead of attackers. In case your IoT device has remote access, consider disabling it, too, in case you don’t need that functionality.
Other measures you can take include regularly monitoring your network activity and segmenting your home network such that IoT devices are not connected to critical networks at home.
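The protective measures above (no default credentials, strong passwords, current firmware, remote access off unless needed, IoT devices on their own network segment) can be checked mechanically against a device inventory. The script below is an added example written for this article, not the article's or any vendor's code: it audits constructed device records against those five points and generates a replacement password with the standard library's `secrets` module. The inventory keys, the small illustrative default-credential set, the firmware version numbers and the network-segment names are all assumptions; real vendor defaults differ per product.

```python
import secrets
import string

# Illustrative (constructed) factory-default pairs; the check is "does the device
# still use a pair from this list", which is exactly what default-credential
# scanning exploits. Extend with the defaults documented for your own devices.
COMMON_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}
MIN_PASSWORD_LEN = 12


def generate_password(length=16):
    """Random password from letters, digits and punctuation using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def version_tuple(version):
    """'1.2.10' -> (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device, latest_firmware):
    """Return a list of findings for one inventory record (assumed field names)."""
    findings = []
    if (device["username"], device["password"]) in COMMON_DEFAULTS:
        findings.append("default credentials in use")
    elif len(device["password"]) < MIN_PASSWORD_LEN:
        findings.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    latest = latest_firmware.get(device["model"])
    if latest and version_tuple(device["firmware"]) < version_tuple(latest):
        findings.append(f"firmware {device['firmware']} behind latest {latest}")
    if device["remote_access"] and not device.get("remote_access_needed", False):
        findings.append("remote access enabled but not needed")
    if device["segment"] != "iot":
        findings.append("not on the isolated IoT segment")
    return findings


# Constructed inventory and constructed "latest firmware" table.
LATEST_FIRMWARE = {"cam-x1": "1.1.0", "thermo-z": "2.4.1"}
INVENTORY = [
    {"name": "porch-camera", "model": "cam-x1", "username": "admin", "password": "admin",
     "firmware": "1.0.2", "remote_access": True, "segment": "main"},
    {"name": "thermostat", "model": "thermo-z", "username": "owner",
     "password": generate_password(), "firmware": "2.4.1",
     "remote_access": False, "segment": "iot"},
]


def audit_inventory(inventory, latest_firmware):
    """Map device name -> findings, omitting devices with nothing to report."""
    report = {}
    for device in inventory:
        findings = audit_device(device, latest_firmware)
        if findings:
            report[device["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, LATEST_FIRMWARE).items():
        print(name)
        for f in findings:
            print("  -", f)
    print("suggested replacement password:", generate_password())
```

The camera record shows every weakness the article warns about and produces four findings; the thermostat, configured as recommended, produces none. Store the inventory somewhere other than on the devices themselves, and rerun the audit after each firmware release.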
Conclusion
Although the creators of the Mirai Botnet were apprehended by authorities, the risk of Mirai Botnet infection still persists. Mirai Botnet source code was released to the public, and this led to the creation of lethal variants of Mirai Botnet, which target IoT devices and have more control over the devices.
Therefore, while purchasing IoT devices, the security features offered by the manufacturer of the device should be a key consideration. Buy IoT devices that have security features that prevent possible malware infections.
Additionally, avoid using default configurations in your devices and regularly update your device’s firmware and install all the latest security patches whenever they are released.
You may also explore the best EDR Tools to detect and respond to cyber-attacks quickly.