Tag Archives: Mirai

It’s Back – The Mirai Botnet

A little over a year ago, the Mirai botnet launched a sustained attack on the servers of the Internet  provider Dyn, taking it offline and thereby knocking its customers, including Twitter, the Guardian, Netflix, Reddit, CNN and others, offline.  The Mirai botnet was simple – find Internet of Things devices (IoT) that still had their default passwords and take them over.  Use those IoT devices to launch an attack at your target.  At its peak, Mirai controlled about 600,000 devices.  The attack generated between 500 Gigabits and 1,000 Gigabits of traffic per second, the largest attack ever seen.

Well it’s back and it has a new plan.

Rather than taking over webcams and DVRs, this time it plans to take over light bulbs and other low end devices and there are way more light bulbs than cameras.  Since the attack itself is very simple, it does not require a powerful device to run the attack.  Just a lot of them.

And just to dispel any myths, Mirai was not a nation state attack.  It was the brainchild of a couple of college age kinds who wanted to knock their competitor’s Minecraft servers offline.  The FBI caught them and they pleaded guilty.

In this case, the target is the ARC processor, which sells over 1 billion units a year.  Very simple processor.  Used everywhere.

Do the math.  If 600,000 devices or less could take down Twitter, Netflix and a host of other sites, what damage could a billion devices do.

Of course we can’t assume all of those devices could be compromised, but 1% of those devices is a million and that is almost double the size of the original Mirai at its peak.

How many people change the password for their light bulb?

This variant is called Mirai OKIRU and a number of anti virus products detect it.   Only problem is that people don’t run A-V on their light bulbs.

Many people have been saying for a long time that the security of the IoT is a joke; as useful as a screen door on a submarine.  IF this botnet takes hold, we may see how useful that screen door is. IF it takes hold.  Maybe we caught this in time,but I am not holding my breath.

Information for this post came from The Inquirer.

Mirai Botnet Creators Plead Guilty

The creators of the Mirai botnet pleaded guilty earlier this month in an Anchorage courtroom.

The Mirai botnet unleashed a distributed denial of service attack on the French cellular carrier OVH and another DDoS attack against DYN, the DNS provider for Amazon, Netflix and many other heavy duty web sites.

The DDoS attacks took those and other sites down, confusing and inconveniencing users.  For a while, the feds those this was going to turn into an attack on critical infrastructure.

But the interesting part is what Paul Harvey used to call “the rest of the story”.

Mirai was created by a Princeton University student and two others.  But the why is the interesting part.  They were running a Minecraft server and in order to make more money, they had to get more kids to sign up for their server rather than their competitors.  The easy way to do this – take out their competitor’s Minecraft servers.  And take them out, they did.  Along with a LOT more.

In the first 20 hours, Mirai took over 65,000 Internet of Things devices.  It then DOUBLED in size every 76 minutes, eventually stabilizing at around 200,000 to 300,000 devices.  At it’s highest level, it was controlling 600,000 devices.

The scary thing is that the attack was not very sophisticated.  The Reaper attack that I wrote about the other day is way more sophisticated and way more dangerous if it is weaponized.

When Mirai went after OVH, the attack peaked at 1.1 terabits per second of garbage traffic.  Before then, a large DDoS attack was in the 10 to 50 gigabits per second range, so this attack was probably 20 to 100 times the size of what was considered a large attack.

For some sites like Brian Krebs, who was also attacked, the attack was so large that their DDoS prevention services – in Brian’s case, Akamai – shut down his web site.  Brian was off the air until Google stepped in to host him.  For Google’s engineers, this was likely considered a challenge.  After all, I am sure that Google faces lots of attacks themselves and if they could stop this attack (almost 700 gigabits per second), then they would be able to stop a similar attack against them.

We do not know what kind of sentences these three will face, but I am completely OK if it is a very long one.  They did some serious damage.

Information for this post came from Wired.


The Day The Internet Died

Well, not exactly, but close.  And it was not due to pictures of Kim Kardashian.

Here is what happened.

When you type in the name of a website to visit, say Facebook.com, the Internet needs to translate that name into an address.  That address might look like .

The software that translates those names to numbers is called DNS or Domain Name System.  DNS services are provided by many different companies, but, typically, any given web site uses one of these providers.  The big providers work hard to provide a robust and speedy service because to load a single web page may require many DNS lookups.

One provider that a lot of big websites use is called Dyn (pronounced dine).  Today Dyn was attacked by hackers.  The attack technique is called a Distributed Denial of Service Attack or DDoS.  DDoS is a fancy term for drowning a web site in far more traffic than it can handle until it cannot perform the tasks that customers expect it to do.

In this case, customers included sites like Amazon, Paypal, Twitter, Spotify and many others.  These sites were not down, it was just that customers could not get to them.

The attacks started on the east coast, but added the west coast later.  Here is a map that pictures where the worst of the attack was.  In this picture from Downdector.com, red is bad.


There were multiple attacks, both yesterday and today.  The attackers would attack the site for a few hours, the attack would let up and then start over again.  For the moment, the attack seems to be over, but that doesn’t mean that it won’t start back up again tomorrow, Monday or in two weeks.

You may remember I wrote about the DDoS attack against Brian Krebs web site and the hosting site OVH.  Those two attacks were massive – 600 gigabits per second in the Krebs attack and over 1 tb per second in the OVH attack.  The attackers used zombie security cameras and DVRs and the Marai attack software to launch these two attacks.

After these attacks, the attacker posted the Mirai software online for free and other attackers have downloaded it and modified it, but it still uses cameras and other Internet of Things devices that have the default factory passwords in place.

As of now, we don’t know how big this attack was, but we do know that at least part of it was based on the Mirai software.  And that it was large.  No, HUGE.

It is estimated that the network of compromised Internet of Things, just in the Mirai network,  includes at least a half million devices.  Earlier reports said that the number of devices participating in this attack was only a fraction of the total 500,000 – which means that the attack could get much bigger and badder.

The problem with “fixing” this problem is that it means one of two things: Fixing the likely millions of compromised Internet of Things devices that are part of some compromised attack network or shutting there devices down – disconnecting them from the Internet.

The first option is almost impossible.  It would require a massive effort to find the owners of all these devices, contact them, remove the malware and install patches if required.  ISPs don’t want to do this because it would be very expensive and they don’t have the margin to do that.

The second option has potential legal problems – can the ISP disconnect those users?  Some people would say that the actions of the infected devices, intentional or not, likely violates the ISP’s terms of service, so they could shut them down.  However, remember, that for most users, if the camera is at their home or business, shutting down the camera would likely meaning kicking everyone at the home or business off the Internet.  ISPs don’t want to do that because it will tick off customers, who might leave.

Since there is no requirement for users to change the default password in order to get their cameras to work, many users don’t change them.  Vendors COULD force the users to create a unique strong password when they install their IoT devices, but users forget them and that causes tech support calls, the cost of which comes out of profit.

As a result of all these unpalatable choices, the problem is likely to continue into the future for quite a while.

Next time, instead of Twitter going down, maybe they will attack the banking infrastructure or the power grid.  The good news is that most election systems are stuck way back in the stone age and they are more likely to suffer from hanging chads than hackers.

Until IoT manufacturers and owners decide to take security seriously – and I am not counting on that happening any time soon – these attacks will only get worse.

So, get ready for more attacks.

One thing to consider.  If your firm is attacked, how does that impact your business and do you have a plan to deal with it?

The thousands of web sites that were down yesterday and today were, for the most part, irrelevant collateral damage to the attacks.  Next time your site could be part of the collateral damage.  Are you ready?

Information for this post came from Motherboard and Wired.