Mirai, The Internet of Things Bot, Goes Open Source

Gameover Botnet Visualization
Gameover, a family of malware used to carry out denial of service attacks was spun out of the Zeus malware after its source code was published online. (Image courtesy of Dell Secureworks.)

In-brief: The code for malicious software that is behind a worldwide network of compromised cameras and home routers has been released on the Internet, a move that may lead to a rapid increase in use of the software.

The code for malicious software that is behind a worldwide network of compromised cameras and home routers has been released on the Internet, a move that may lead to a rapid increase in use of the software.

The website KrebsonSecurity reported on Saturday that the code for Mirai was released on Hackforums, an English language hacking community. The site does not offer proof that the leaked code is for the Mirai botnet. However, there are reports of Mirai infections hitting connected devices including surveillance cameras and home routers in recent weeks.

Reporting on KrebsonSecurity, Brian Krebs wrote on Saturday that the alleged source code dump was the work of Hackforums member with the handle Anna-senpai. A message accompanying the post said that the code was being released because “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO.”

Hundreds of thousands of devices infected with the Mirai software are believed to be responsible for launching the largest distributed denial of service (DDoS) attack against Krebs’ website and other targets, such as the French hosting firm OVH. Those attacks weighed in at more than 600 Gigabits per second (Gbps), far larger than the previous high water mark for DDoS. Security experts believe that the devices are often connected to the Internet and protected only by a default administrator account and password. That makes it easy for the malware to spread between devices. A post by Johannes Ulrich at The SANS Institute on Sunday said that a vulnerable DVR connected to the Internet with default credentials is attacked within a minute or so of coming online.

In the wake of the high profile attacks on Krebs’ website and other targets, the Mirai author said that life had become harder. “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

Mirai isn’t the first malware family to have its source code released to the public. The Limbo Trojan was first released as an open source project in 2009. And, in 2011, the source code for the Zeus (or Zbot) malware was posted online, as well. That led to a massive expansion of the use of Zeus and, eventually, to the creation of whole new branches of the Zeus family, such as Dyre and Gameover, which are also open source.

In some instances, security researchers have also released proof of concept malware as open source. For example, in 2014, researchers Adam Caudill and Brandon Wilson published the source code to their own version of Karsten Nohl and Jakob Lell’s BadUSB malware and published it to Github. And, in February, the Turkish security group Oktu Sen published the source code for a piece of proof-of-concept ransomware dubbed “Hidden Tear.” Though intended to be used for educational purposes, Hidden Tear was quickly adopted by cyber criminal groups, researchers the the firm Trend Micro reported.

Spread the word!

Comments are closed.