The Mirai Botnet, Tip of the IoT Iceberg

The Mirai botnet is malware designed to take control of the BusyBox-based systems commonly used in IoT devices. BusyBox is a lightweight executable that provides many Unix tools in a single binary and runs in resource-constrained POSIX environments, which makes it a natural fit for IoT devices. The DDoS attacks of October 21 appear to have been traced to IoT equipment made by XiongMai Technologies.

IoT devices have proliferated at a rapid pace, and anyone who can take control of them can wield significant power. That power was on full display on September 20, 2016, when the Mirai botnet launched a record DDoS attack, estimated at around 620 Gbps, that ultimately took the Krebs on Security website offline.

But this appears to be just the beginning of IoT-based attacks, as the source code for Mirai has been published online.

The IoT Security Challenge

The challenge with IoT devices is that not only are they often insecure by design, but they frequently lack any means of applying patches or upgrading. Enterprises deploying IoT devices may take the time to change default credentials, place the devices in a segregated network zone, or otherwise harden their systems – but consumers are highly unlikely to implement any such measures.

Opening Pandora's Linux Box

With the Mirai source code published, and no plan in place to patch or otherwise protect vulnerable IoT devices, it was inevitable that the code would be reused, whether for malicious purposes or simply out of curiosity.

The AlienVault labs team analysed the source code and developed signatures to detect Mirai activity.

With the data in Open Threat Exchange (OTX), the team was able to see a significant spike in Mirai activity after the source code went live, both in terms of how many times the signature was hit, and in the number of affected devices.

[Figure: detecting Mirai activity with OTX]

Outlook

IoT device security has been talked about, and even joked about, for some time. IoT manufacturers have overwhelmingly chosen convenience and neglected to heed any of the security warnings.

The Mirai botnet has given us the first real glimpse into the power of an IoT botnet and the damage that can be done.

With no patching feasible for most devices, there is no easy fix in sight. IoT device manufacturers will need to consider architecting fundamental security principles into the designs, such as avoiding the use of default credentials.

Until IoT devices ship with secure options, they will continue to feature prominently at the forefront of cyber security attacks.

You can find IoCs related to the Mirai infrastructure in Open Threat Exchange:

It's free to join OTX, and the platform offers an API to integrate Indicators of Compromise (IoCs) into other security controls. AlienVault Unified Security Management™ includes this integration and alerts you when IoCs from OTX are detected in your environment.
