Code driving IOT botnets

Code driving IOT botnets

Code driving IOT botnets

With rapidly growing Internet of Thing (IoT) devices, IOT devices have become a much more attractive target for cyber criminals. Recently a record-breaking Distributed Denial of Service (DDoS) attack was seen against the France-based hosting provider OVH that reached over one Terabit per second (1 Tbps), which was carried out via a botnet of infected IoT devices.

Now, such attacks are expected to grow more rapidly as someone has just released the source code for IoT botnet, which was ‘apparently’ used to carry out world’s largest DDoS attacks i.e. now you can build your own mega-botnet.

A hacker going by the name “Anna-senpai” released the source code that controlled an army of zombified Internet of Things devices that recently barraged KrebsOnSecurity, a website operated by Brian Krebs, an independent security researcher, and blogger. An attacker had used the code to launch a massive distributed denial of service attack against the site’s computer servers, reaching a staggering maximum of 620 gigabits per second (Gbps) in bogus Internet traffic during the pummeling.

Krebs spotted the leak on a forum called HackForums a day after Anna-senpai posted it on Friday. Krebs confirmed that the malicious software, called “Mirai” by the hacker, was responsible for the attack on his site, he wrote in a blog post, without providing additional details. (various agencies have reached out to Krebs to request more information.)

The dynamics

Mirai worked by scouring the Internet for unsecured devices, like webcams and routers, which are protected only by easily hackable default passwords. The malware corralled these machines into a sprawling network under the control of administrators who could then blast websites of their choice.

The hacker claimed to be dumping the code because it was now attracting unwanted attention. The likely logic: releasing Mirai into the wild where others can pick it up might help mask the identity of its originator as investigators start poking around.

As per Anna-senpai who’s the cyber criminal who dumped the code, he wrote, “When I first go in DDoS industry, I wasn’t planning on staying in it long,”. “I made my money, there are lots of eyes looking at IOT now, so it’s time to GTFO,” he wrote, using the slangs.

Figure 1 - The Hackforums post that includes links to the Mirai source code.

Figure 1 – The Hackforums post that includes links to the Mirai source code.

Thomas Pore, director of IT and services at Plixer, a network monitoring firm, wrote that “The code is a gift to cyber criminals looking to enter the popular market of DDoS as a Service,” where entrepreneurial botmasters rent out their networks for others’ use.

Dale Drew, chief security officer at Level 3 Communications LVLT, a telecom provider based in Broomfield, Colo., told Fortune, “By releasing this source code, this will undoubtedly enable a surge in botnet operators to use this code to start a new surge in consumer and small business IoT compromises.”

The hacker said that after striking Krebs, Internet service providers have been “slowly shutting down and cleaning up their act” and that the network had dropped to roughly 300,000 infected devices from around 380,000 at its height.

Google swooped in to save Krebs’ trampled site last week after Akamai, the cloud provider that had been protecting Krebs from denial of service attacks free of charge, dropped him.

As per Reiner Kappenberger, global product manager at HPE,“The current lack of guidance and regulations for IoT device security is one of the biggest problems in this area and why we see breaches in the IoT space, rising.” He added, “Companies entering this space need to think about the longer term impact of their devices.”

Command and Control Center

Using numerous machine learning techniques to analyze DDoS attacks traced from known susceptible devices, Level 3 Threat Research Labs was able to identify a number of command and control servers associated with this botnet. Additionally, the IP addresses identified pointed to domains containing “” (.cx is a top-level domain of Christmas Island) and were prefixed by “network” and “report” to denote their role in the botnet.  As a challenge to the security community, an IP from one of the network COMMAND AND CONTROL CENTERs was also once resolved to “” as opposed to the usual “”.  By querying DNS records, these ‘COMMAND AND CONTROL CENTER (C&C)’ IPs were easily enumerated.  A list of COMMAND AND CONTROL CENTER IP addresses and domains can be found in the table at the bottom of this post.

Structure of the Botnet

Structure of a Mirai botnet

Structure of a Mirai botnet

By analyzing the communication patterns of the Mirai COMMAND AND CONTROL CENTER IP addresses, Level 3 were able to identify and enumerate Mirai’s infrastructure. This analysis was later confirmed accurate when the Mirai source code was released. It is interesting to note the initial Mirai infrastructure was much more complex than the various variants that were analyzed by Layer3. The diagram outlines the basic functionality of Mirai and its components.


As with the gadget malware family, Mirai targets IoT devices.  The majority of these bots are DVRs (>80percent) with the rest being routers and other miscellaneous devices, such as IP cameras and Linux servers.  The devices often operate with the default passwords, which are simple for bot herders to guess.  From the source code, it has been found that Mirai’s scanning protocol utilizes a list of generic and device-specific credentials to gain access to susceptible devices.

Mirai C2s – Report C2s

  • –
  • –
  • –
  • xyz, –,
  • –

Next steps of the malware

Malware that can build botnets out of IoT products has gone on to infect twice as many devices after its source code was publicly released. The total number of IoT devices infected with the Mirai malware has reached 493,000, up from 213,000 bots before the source code was disclosed around Oct. 1, according to internet backbone provider Level 3 Communications. “The true number of actual bots may be higher,” as per Level 3.

Since Mirai’s source code was released, hackers have been developing new variants of the malware, according to Level 3. It has identified four additional command-and-control servers associated with Mirai activity coming online this month. About half of the infected bots, Level 3 has observed resided in either the U.S. or Brazil. More than 80 percent of them were DVR devices.

Many of the DDOS attacks launched by Mirai botnets are used against game servers and residential IP addresses as per Level 3. Artificial intelligence is no longer a buzzword or a coming attraction. It’s here today and composed to change the world for the better through its ability to augment human capabilities.

A few vendors that produce devices vulnerable to Mirai are encouraging their customers to take steps to mitigate the risk. Sierra Wireless, for instance, has issued a bulletin, advising users to reboot one of their products and change the default password. However, it’s unclear if other vendors are taking any steps to do the same. Security firm Flashpoint has identified Chinese company Hangzhou Xiongmai Technology as another maker of DVR products susceptible to the Mirai malware.

Potentially, half a million devices from the company are vulnerable partly due to their unchangeable default passwords, according to Flashpoint.

Security Challenges and Recommendations

With the mass adoption of smart devices across industries specifically home and industrial usage, the Internet of Things (IOT) ecosystem also introduces a large amount of data which gets embedded and synchronized across these devices. These devices are thus capable of being controlled by any exposed APIs provisioned by third party platforms and smart devices.

Since most of the Internet of Things (IOT) projects are independent projects created by beginners and less experienced people, many systems are also poorly designed and implemented using multiple technologies and products having a complex configuration. This introduces new challenges from a security perspective. Some of them includes:

  • Unauthorized access to the customized application and interfaces
  • Network attacks such as Man in the Middle attacks (MITM), spoofing etc.
  • Malicious traffic from the internet compromising privacy and security of the communications over internet originating from your device

The following security controls are recommended at minimum for Raspberry projects implementing smart home capabilities:

  1. Implement layered security protections and security gateways to defend IoT assets. The ability to inspect, audit and control the communications into and out of your network is essential as the number, variety, and complexity of connected devices increases.
  • Firewall – restricting ports and services
  • Intrusion Detection System – blocking all the malicious traffic
  • File Integrity Monitoring – identifying unauthorized changes in the file system and device
  1. Implement a strong authentication / authorization mechanism for the device
  2. Log all the key events to identify unwanted changes and access to the device
  3. Do not log sensitive information (personal information in the device).
  4. Disable non-essential services
  5. Use secure protocols: Protocols such as HTTPS and SSH are designed to support encryption, and strong authentication
  6. Ensure internet-managed and IoT management hubs and services are secure: If you choose to use a hub or service that allows management of multiple IoT devices, be aware these services can be a central access point to compromise all of your devices. Look for robust, built-in security capabilities that will easily integrate into existing systems


Leave a Reply