New Mirai Botnet Threat Hides in the Tor Network

Distributed denial of service (DDoS) attacks are continually becoming more sophisticated. Proof of this emerged last week, when researchers from Trend Micro discovered a new variant of the infamous Mirai botnet using Command and Control (C&C) servers hidden in the Tor network. You may recall that the Mirai botnet crashed the website of cybersecurity expert Brian Krebs in October 2016 with a massive DDoS attack by harnessing vulnerable Internet of Things (IoT) devices. Ever since the original Mirai code was released into the wild shortly after that attack, cybercriminals have been evolving the malware.

The latest Mirai variant has added at least three exploits to its arsenal, and it is noteworthy for two reasons:

1. The hackers have hidden the C&C servers in the anonymous Tor network to evade the ability to track its IP address, thereby avoiding being shut down entirely once found. in; by doing so, hackers have made it much more difficult for cybersecurity professionals to take down or seize a Command & Control server. (It is much easier to take down a C&C server that is located on the surface Web.)

2. According to Trend Micro, the code they found had 30 hard-coded IP addresses (providing indirect paths to C&C servers hidden in the Tor network) in the sample, whereas prior Mirai variants typically had direct access to between one and four C&C servers.

Tor Network Can Mask Illicit Activity

The Tor Network is a bit of a “double-edged sword.” It is funded by a non-profit, the Tor Project, because it enables legitimate users to surf the Internet, chat, and send instant messages anonymously. This helps users who are under authoritarian regimes that restrict Internet usage and expression. Unfortunately, the downside of the Tor network is that it also allows users to conduct nefarious activities and communications anonymously, as is the case with this Mirai variant code.

Enterprises Should Improve Their DDoS Defense

DDoS cybercriminals are always on the offense, which means that organizations must constantly be in a defensive mode. DDoS attacks can still disable or degrade your network even if all your IoT devices are properly managed. The risk persists regardless of whether the local network physical assets are secure because there are billions of other IoT-connected devices around the world that are not secured, and therefore can, and will, be recruited by cybercriminals into botnets that hurl damaging DDoS attacks at their targets.

Even with legacy DDoS systems in place, it’s hard for organizations to effectively protect themselves against either the large, volumetric or short, sub-saturating, DDoS attacks. The majority of DDoS attacks are short, sub-saturating attacks that often fly under the radar of human security analysts. However, such attacks can degrade network performance and distract security staff from other malicious intrusions. And, by the time a volumetric attack has reached a network, the volume of traffic far outweighs an enterprise’s capacity and almost immediately impacts network availability.

DDoS Mitigation Options to Protect Your Organization

However, relief from all types of DDoS attacks can be obtained with proper DDoS mitigation technology. Organizations can purchase an on-premises solution, deploy a hybrid combination of an on-premises appliance and a cloud scrubbing center, or get protection from a hosting provider or Internet service provider (ISP). Because many more Service providers now offer DDoS protection as a service, we often recommend that enterprises discuss DDoS protection options with their hosting provider or ISP.

The use of the Tor network for hiding IoT botnet code is a new and troubling aspect of DDoS attacks that does not bode well for organizations who are caught unprepared. Unfortunately, we expect hackers will increasingly leverage the Tor network for their benefit in the months and years ahead.

For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.