Mirai “not going anywhere”, expert warns as source code continues to spawn botnet offspring

“Weaponised” IoT botnet code gives malware authors a robust foundation to refine their attacks on the Internet of Things

More than 18 months after it broke new ground as a large-scale attack on poorly-secured Internet of Things (IoT) devices, an IoT security researcher is warning that the widespread availability of the Mirai source code is continuing to spawn new variants, and is likely to do so for years to come.

As “proven attack code”, the public release of the Mirai source code in October 2016 gave malware authors a leg up in finding new ways of bypassing network defences and compromising home and business networks, NETSCOUT Arbor manager of threat intelligence Richard Hummel told CSO Australia.

Early efforts saw the number of infected devices climb steadily, with 493,000 devices reported just weeks after the release. But as knowledge of individual devices’ vulnerabilities spread through hacker circles and new variants of Mirai were adapted ever faster to new targets, Hummel warned, those numbers were set to keep growing dramatically.

“In previous months there was a kind of lull around Mirai activity, but I would definitely say it’s not dead,” he explained. “Development cycles become a lot shorter when something like this is leaked – and with the addition of capabilities such as proxy abilities, domain generation algorithm abilities and targeting of flaws in routers, the activity is definitely still ongoing.”

Despite slow improvements in security amongst manufacturers, the high penetration of such devices has created a lingering exposure that has continued to grow as IoT adoption continues to soar, both in the home and in the enterprise.

Last month, the VPNFilter malware took the game up a notch after infecting half a million routers across 54 countries.

That malware – which affected Linksys, MikroTik, NETGEAR, TP-Link and QNAP network devices and borrowed from the previously-observed BlackEnergy malware attributed to Russian hackers – had been under scrutiny by Cisco for some time, but a surge in infections led to its public unmasking and to the US FBI seizing a command-and-control domain to disrupt it.

That sort of attack comes as no surprise to Hummel, who warns that IoT security continues to lag conventional security – and that hackers have redoubled their efforts on the back of the success of Mirai and, now, VPNFilter.

“A lot of these big devices are dumb and have very simplistic code,” he says. “Most of the code is unchangeable, and there’s no way for the average consumer to go into the device and interface with them at an admin level. This leaves that average consumer pretty defenceless against this stuff.”

Vendors have been slowly assuming the burden of better IoT security. However, given the disparate nature of the IoT market, hoping for a sudden revelation in security thinking is too optimistic.

Rather, Hummel advises, companies should be thinking about upstream protection, such as monitors that watch for behaviours typical of Mirai and other increasingly well-understood IoT malware.

“As we get more advanced, there is more attack surface available to attackers,” he explains. “But we know what the attacks look like, and what that’s going to represent across the network. We can create a policy that looks for that activity, and when it sees that it can drop the connection.”
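The kind of upstream, behaviour-based policy described above can be illustrated with a small detector. The following is an added example, not code from NETSCOUT Arbor or from the article: it runs over a constructed connection log and flags any source that opens TCP connections to many distinct hosts on ports 23 and 2323 (the ports Mirai’s scanner probes, with roughly one in ten attempts going to 2323) inside a short window, then “drops” every later connection from that source. The log format, the threshold of 20 distinct targets and the 60-second window are assumptions chosen for the example; a real deployment would tune them and allowlist legitimate management scanners.

```python
"""Behavioural detection of Mirai-style telnet scanning in a connection log.

Added example; the log format, thresholds and sample traffic are constructed
for illustration and are not NETSCOUT Arbor's detection logic.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple

TELNET_PORTS = {23, 2323}   # ports probed by Mirai's scanner
FANOUT_THRESHOLD = 20       # assumed: distinct targets per source before blocking
WINDOW_SECONDS = 60.0       # assumed: sliding window length


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Conn:
    """Parse the constructed format '<epoch> <src_ip> <dst_ip> <dst_port> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Conn(float(ts), src, dst, int(dport), proto)


class TelnetScanDetector:
    """Flags a source once it has touched too many distinct telnet targets."""

    def __init__(self, threshold: int = FANOUT_THRESHOLD, window: float = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        # per source: (timestamp, destination) of each telnet-port attempt, oldest first
        self._events: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def observe(self, conn: Conn) -> bool:
        """Return True if the policy says this connection should be dropped."""
        if conn.src in self.blocked:
            return True                      # already classified as a scanner
        if conn.proto != "tcp" or conn.dport not in TELNET_PORTS:
            return False                     # only telnet-port attempts count
        events = self._events[conn.src]
        events.append((conn.ts, conn.dst))
        while events and conn.ts - events[0][0] > self.window:
            events.popleft()                 # expire attempts outside the window
        distinct_targets = {dst for _, dst in events}
        if len(distinct_targets) >= self.threshold:
            self.blocked.add(conn.src)
            return True
        return False


def run(lines: Iterable[str], **kwargs) -> Tuple[List[str], List[str]]:
    """Apply the policy to a log; return (blocked sources, dropped log lines)."""
    detector = TelnetScanDetector(**kwargs)
    dropped = [line for line in lines if detector.observe(parse_line(line))]
    return sorted(detector.blocked), dropped


def sample_log() -> List[str]:
    """Constructed sample traffic, not a capture: one scanner, one admin, one web client."""
    base = 1_700_000_000.0
    lines = []
    # Scanner: 25 distinct targets on 23/2323 within 25 seconds, ~1 in 10 on 2323.
    for i in range(25):
        port = 2323 if i % 10 == 0 else 23
        lines.append(f"{base + i:.1f} 192.0.2.10 198.51.100.{i + 1} {port} tcp")
    # Admin: three devices over telnet, spread across ten minutes.
    for i in range(3):
        lines.append(f"{base + i * 200:.1f} 192.0.2.20 198.51.100.{50 + i} 23 tcp")
    # Unrelated HTTPS traffic that the policy must ignore.
    lines.append(f"{base + 5:.1f} 192.0.2.30 203.0.113.5 443 tcp")
    return sorted(lines, key=lambda line: float(line.split()[0]))


if __name__ == "__main__":
    blocked, dropped = run(sample_log())
    print("blocked sources:", blocked)
    print("dropped connections:", len(dropped))
```

The scanner host crosses the threshold on its 20th distinct target, so that attempt and the five after it are dropped while the administrator’s slow, low-fan-out telnet sessions and the HTTPS client pass untouched. Raising the threshold above the scanner’s fan-out (for instance to 30) produces no blocks at all, which is the trade-off any inline policy of this kind has to be tuned around.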

Policy-based observation had occasionally helped the NETSCOUT Arbor security team pick out telltale signs that malware authors were testing new Mirai-based botnets. A similar approach had helped security researchers track the Zeus Trojan since it was first identified in 2007 – and, like Mirai, Zeus had been used to spawn myriad offspring that leveraged its malicious base code.

“Even though it’s not as prevalent, we still see Zeus,” Hummel said, “and I honestly don’t see Mirai going anywhere any time soon. It is proven attack code, and as long as they’re using that base code they can add and remove functionality. That’s fairly easy for an attacker to do – and they are going to evolve with the changing code too.”