Mirai and the Botnet – Is There Really Anything to Fear?

The recent media reports on how the ‘Mirai botnet’ had leveraged IoT devices to mount an attack on the very foundation of the internet only served to compound an already substantial body of #IoT-related Fear, Uncertainty and Doubt. Indeed, they may have added the word ‘botnet’ to your #IoT vocabulary.

But did you know that botnets are nothing new? They have simply evolved from their simple beginnings as a Windows worm to exploiting ever smaller and smarter Linux devices to, more recently, the Linux Edge devices that are commonplace across the IoT.

In this article we explore what botnets are, how they arose, and what they mean to the #IoT ecosystem as a whole.

Right… What’s a botnet?

Quite simply, if you Google ‘what is a botnet’ you will find:

There are two typical types of botnet:

• Command & Control: One or more computers within the network act as the centralized controllers direct the rest of the botnet in a well-timed, coordinated attack on a specific website or resource.
• Peer to Peer: A decentralized, viral attack where infected devices search for other devices to infect in an uncoordinated and unpredictable attack that ‘craws’ through the network.

Where did botnets originate?

Windows PCs provided the ideal platform for the first botnets, which appeared around 2004: PC numbers were increasing; more and more were connected to the Internet numbers; levels of protection varied; and users with email accounts readily downloaded the infection (known as the worm).  

The Beagle worm is widely believed to be the first example. It infected Windows PCs, turning them into ‘bots’ able to respond to external commands while running silently in the background, unbeknownst to users. This collective ‘network’ of ‘bots’ became the first ‘botnet’.

While Beagle was relatively harmless, sending out spam emails, it planted the seed for more destructive future botnets.

The bots turn on Linux

In the following years Linux began to overtake Windows as the preferred server operating system, with corporate IT organizations worldwide were setting up new Linux servers and running them without any significant issues. There were exploits, but IT policies and commercial penetration tests, coupled with the momentum of Open Source progress, allowed Linux to remain a safe bet for server infrastructure.

In parallel, small devices (such as mobile devices, routers and gateways) were becoming smarter. Enhance capabilities demanded lightweight operating systems and that same Linux core provided the ideal solution. And so Linux began to appear in the lightly controlled environment of Edge devices often referred to as ‘Small Office/Home Office’ or ‘SOHO’.

This is where the story takes an ugly turn. These smaller Linux environments were an ideal platform for the botnets: anti-virus protection was scarce and devices could be infected without needing users to click on emails.   

The Lizard Squad compromises Christmas

The first significant SOHO botnet attack came during the 2014 Christmas holidays. A Distributed Denial of Service (DDoS) attack by a group calling themselves the Lizard Squad rendered Microsoft’ Xbox Live and Sony’s Playstation services unavailable to millions of gamers looking forward to playing their new PS4 and Xbox games.

This attack compromised thousands upon thousands of, primarily, small Wi-Fi routers found in a typical home or business setting, directing them to make seemingly legitimate Web requests to the Microsoft and Sony services.

This happened because the flavor of Linux operating system used in these devices contained all the exploits and attack vectors that had been discovered within Linux over time.

Why? If you compare them with well-established corporate Linux hosts:

1. The home and small business owners were not aware they were running a Linux server
2. They were not able to apply patches to their Linux server
3. They did not change the default password for their router
4. They didn’t know that their router had been compromised since they didn’t run intrusion detection and impacts on the router were unnoticeable.

IoB = ‘Internet of Bots’?

When reviewing this attack in January 2015, security guru Brian Krebs foresaw the use of IP cameras as bots:

“…there is no reason the malware couldn’t spread to a wide range of devices powered by the Linux operating system, including desktop servers and Internet-connected cameras.”

Fast forward to September 21, 2016. A major global hosting provider, OVH, is experiencing a DDoS attack with a relatively small cumulative volume of 1.1 TB/sec. This comparatively low-level attack is coming from upwards of 140,000 discrete devices and begins to compromise the availability of some of OVH’s services. OVH reacted marvelously, preventing any outage.

Attributed to a new botnet attack named ‘Mirai’ (Japanese for ‘Future’), this attack used vulnerable devices running a Linux variant found in the home and small office setting. Sound familiar? CCTV cameras, CCTV camera controllers, digital video recorders and several other device types were all compromised with the Mirai botnet code.

Despite being exposed to the open internet, these devices still had their default passwords. De ja vu! Services such as Shodan (http://www.shodan.io) that allow you to search for devices connected to the internet made it easy for attackers to find them.

Attacking the foundation

Just last week the Mirai botnet was used in a successful and unique attack that served as a ‘wake up call’ for IoT Security experts.

This attack was directed at DynDNS, a DNS (think of Internet address book) lookup provider for major internet sites. Amazon, Reddit, PayPal, GitHub and others were intermittently unavailable for several hours.

The same exploits (Linux systems, default passwords, Denial of Service) involved in many previous botnet attacks leveraged IoT devices to attack one of the internet’s foundational services.

We all have a part to play

Given the latent fear around IoT devices before these attacks, Mirai came at a particularly sensitive time. However, the story is far from the IoT doom and gloom painted by the media:

1. Botnets existed before IoT and do not require IoT devices to operate.
2. Poorly secured systems, no matter how small or big, are a huge target for exploitation.
3. Lax security policies (allowing default passwords to persist) expose all of us to potential danger.

While the vast majority of traffic came from Asia (Taiwan, South Korea, Vietnam, China), meaning no change in US policy would likely have had any impact on this particular set of devices, there is one thing we can all do to reduce the risk of future attacks:

CHANGE YOUR DEVICE PASSWORDS as soon as you install your Device

There is nothing in Mirai – or indeed the Lizard Stresser Botnet that is also appearing in the media – that should hamper your plans around IoT. Just as you have a Corporate IT plan for securing your devices inside your firewall, you should also have a plan for securing your devices at the Edge, whether partner, customer or your own locations. It’s as simple as that.

Learn more...

If you’re interested to know more about IoT Security, see our prior blog post:

• IoT Security in the Real World: Part 1 - Securing the Edge
• IoT Security in the Real World: Part 2 - Enter the Cloud
• IoT Security in the Real World: Part 3 - The Cloud and the Human Machine

If you are interested in learning more about Momenta Partners' security advisory, contact us.