One of the most powerful pieces of malware began with the efforts of three American teens who were motivated by playing “Minecraft” in 2014. Called Mirai, it would go on to crash Germany’s largest internet provider, knock Dyn’s Domain Name System servers offline and disrupt all of Liberia’s internet connections.
“Minecraft” gaming server operators back then would often employ distributed denial-of-service attacks as a competitive advantage to stymie the opposing team’s progress in the game. It’s ironic that from such humble beginnings, the Mirai DDoS malware would grow to become a global business threat that’s still active today.
Indeed, Mirai is still being developed. Earlier this year it was observed by Palo Alto Networks Inc.’s Unit 42 researchers in three campaigns using a new variant. The attacks collectively have exploited 13 vulnerabilities that could lead to remote code execution.
The malware creates large global networks of compromised internet of things devices such as webcams and routers that are used to launch the DDoS attacks. The Mirai origin story, as told by IEEE Spectrum last week, shows how the then-teens Paras Jha, Josiah White and Dalton Norman got together to build their DDoS prevention racket — they used the attacks to create demand for these services — and make the malware more potent.
DDoS attacks work by sending tons of traffic to overwhelm web and application servers. The sudden crush of this traffic typically causes the servers to stop functioning, and the “distributed” part of the name describes how the attack is typically coordinated from thousands of hijacked sources, collectively called a botnet, that are under the attacker’s remote control.
There are many different kinds of DDoS attacks, such as ones that exploit protocol errors or bugs within the web software itself. Since the early days of Mirai, most countries have passed laws making them illegal, and various criminals have been caught using them and sent to prison.
The first version of Mirai was launched in August 2016 and spread to more than 65,000 devices in its first day of operation. The next month attackers made two tactical errors, first targeting security blogger Brian Krebs’ website and then uploading their code to a hacking discussion forum.
The uploaded code created one of the first malware-as-a-service businesses and brought about a bunch of copycat hackers who then launched their own attacks. Picking on Krebs’ website wasn’t a good idea either, because he was then motivated to seek out and track down the culprits. In 2018, the trio, now in their early 20s, were eventually brought to justice and cooperated with the FBI to help find many of the copycat groups using their code.
However, their efforts at building Mirai have cast a long shadow, as the Unit 42 report shows. The research uncovered flaws in numerous software products that were leveraged by these latest Mirai attacks, including Asterisk communication servers, maintained by Sangoma Technologies Corp., and Atlassian Corp. plc’s Confluence software.
New versions have cropped up over the years, including the Torii variant discovered by Avast researchers. It combined DDoS with an infostealer and expanded its reach beyond IoT devices to other types of computers. Another variant called Mukashi was discovered in 2020 that was exploiting Zyxel Communications Corp. network-attached storage devices, and others exploited Linux-based routers, Polycom enterprise conferencing systems and phony network time services.
Mirai brought about a new era of DDoS attacks that quickly became more potent and more global. DDoS became the foundational technology that was then used to create ransomware, software supply chain exploits and others.
Mirai exposed the soft underbelly of IoT security: the devices often ship with hard-coded default passwords that make them easy to compromise and subsequently control in a DDoS attack. It is a hard problem to enumerate all of these devices, update them and change their default passwords where that’s even possible.
Plus, many enterprise networks have open ports that make the IoT devices easy targets. “When organizations leave them accessible, they are directly contributing to the botnet problem,” said Stephen Gates, principal security engineer for Horizon3.ai Inc. “It is utter negligence.”
The work-from-home movement has also created yet another new opportunity for the spread of IoT botnets that can originate from home networks.
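The two weaknesses just described, default credentials and internet-reachable management services, are things a defender can audit from an asset inventory before a botnet does it for them. The following is an added example, not code from the article or from any vendor named in it; the inventory, the password list and the hostnames are constructed placeholders, and a real deployment would load its own device data and the organisation's own list of known vendor defaults.

```python
"""Audit an IoT device inventory for the two Mirai-era weaknesses:
default credentials and management ports exposed to the internet.
Added example with constructed data; not the article's or any vendor's code."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed placeholder set of well-known default passwords. A real audit
# would load the organisation's own vendor-default list.
DEFAULT_PASSWORDS = {"admin", "password", "12345", "default", ""}

# Management services that should never be reachable from the WAN side.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 80: "http-admin", 443: "https-admin"}


@dataclass
class Device:
    """One inventory record (constructed shape, not a real product schema)."""
    hostname: str
    kind: str
    password: str
    open_ports: set[int] = field(default_factory=set)
    wan_exposed: bool = False  # True if the device answers on an internet-facing interface


@dataclass
class Finding:
    hostname: str
    severity: str
    issue: str
    fix: str


def audit_device(dev: Device) -> list[Finding]:
    """Return the findings for a single device, worst cases first."""
    findings: list[Finding] = []
    has_default = dev.password in DEFAULT_PASSWORDS
    if has_default:
        findings.append(Finding(
            dev.hostname, "high", "default or empty password",
            "set a unique password, or replace the device if the credential cannot be changed"))
    if dev.wan_exposed:
        for port in sorted(p for p in dev.open_ports if p in MANAGEMENT_PORTS):
            # An exposed management port with a default credential is exactly
            # the combination a scanning botnet looks for, so it outranks either alone.
            severity = "critical" if has_default else "high"
            findings.append(Finding(
                dev.hostname, severity,
                f"{MANAGEMENT_PORTS[port]} (tcp/{port}) reachable from the internet",
                f"block tcp/{port} at the edge or move the device behind a VPN"))
    return findings


def audit_inventory(devices: list[Device]) -> list[Finding]:
    """Audit every device and return all findings in inventory order."""
    return [f for dev in devices for f in audit_device(dev)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so the worst cases can be triaged first."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample inventory used when the module is run directly.
SAMPLE_INVENTORY = [
    Device("cam-01", "webcam", "admin", {23, 80}, wan_exposed=True),
    Device("router-edge", "router", "x7Qm!vt2PzLw", {443}, wan_exposed=True),
    Device("printer-3f", "printer", "admin", {80}, wan_exposed=False),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.hostname}: {f.issue} -> {f.fix}")
    print(summarize(results))
```

The audit deliberately treats a default credential as a finding even on a device that is only reachable internally, since an attacker who has compromised one exposed device will next try the same defaults laterally.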
Limited tools to fight attacks
All this means that securing IoT is still very much an issue. There are a number of endpoint protection products that can help, but often organizations don’t even know the dimensions of the problem until a botnet takes over their equipment.
Other tools that are relevant include better password managers and better network visibility utilities, such as ones that show how Domain Name System resolution is consumed across the enterprise: Many botnets leverage DNS and substitute the attackers’ own services as a starting point. These DDoS attacks have spawned an entire defensive industry to provide protection and mitigation, and now a business is wise to employ these tools, such as from Cloudflare Inc. and Akamai Technologies Inc.
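One concrete form of the DNS visibility mentioned above is checking which resolvers internal hosts actually talk to: a device that bypasses the enterprise resolver and sends its queries to an outside address is worth a look, because that is one way a compromised device can be pointed at infrastructure the attacker controls. The following is an added example, not code from the article; the flow-log format, the addresses and the approved-resolver list are all constructed, and a real deployment would read its own flow or firewall records.

```python
"""Find internal hosts that send DNS to resolvers outside the approved set.
Added example with a constructed flow-log format; not the article's code."""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow | None:
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <proto>'.
    Returns None for blank, comment or malformed lines so one bad record
    does not abort the whole run."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Flow(ts, src, dst, int(dport), proto.lower())
    except ValueError:
        return None


def find_rogue_dns(lines: list[str], approved_resolvers: set[str]) -> dict[str, dict[str, int]]:
    """Return {internal_host: {unapproved_resolver: query_count}} for every
    private-range source that sent DNS traffic to a resolver not in the
    approved set. Non-DNS flows and external sources are ignored."""
    rogue: dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.dport != DNS_PORT:
            continue
        if not ipaddress.ip_address(flow.src).is_private:
            continue  # only audit our own hosts
        if flow.dst not in approved_resolvers:
            rogue[flow.src][flow.dst] += 1
    return {host: dict(counts) for host, counts in rogue.items()}


# Constructed sample flow log. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges (RFC 5737) standing in for unknown external resolvers.
SAMPLE_FLOWS = [
    "# ts src dst dport proto",
    "2024-05-01T10:00:01Z 10.0.5.21 10.0.0.53 53 udp",
    "2024-05-01T10:00:02Z 10.0.5.21 10.0.0.53 53 udp",
    "2024-05-01T10:00:03Z 10.0.7.14 198.51.100.9 53 udp",
    "2024-05-01T10:00:04Z 10.0.7.14 198.51.100.9 53 tcp",
    "2024-05-01T10:00:05Z 10.0.7.14 203.0.113.77 53 udp",
    "2024-05-01T10:00:06Z 10.0.9.3 10.0.0.53 53 udp",
    "2024-05-01T10:00:07Z 10.0.9.3 10.0.0.2 443 tcp",
    "this line is malformed and must be skipped",
]

APPROVED_RESOLVERS = {"10.0.0.53"}  # constructed: the enterprise resolver

if __name__ == "__main__":
    for host, resolvers in find_rogue_dns(SAMPLE_FLOWS, APPROVED_RESOLVERS).items():
        print(f"{host} bypasses the approved resolver:")
        for resolver, n in sorted(resolvers.items()):
            print(f"  {resolver}: {n} queries")
```

The check keys on destination port 53 only, so it will not see DNS carried over HTTPS; blocking outbound port 53 from anything but the approved resolver at the edge is the usual complement to this kind of report.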
No doubt this isn’t the last time we’ll hear about Mirai. And it’s a stark lesson to organizations and cybersecurity providers alike that malware born from such humble beginnings continues to serve as a major malware platform.