Mirai Botnet DDoS Attack Type

What is Mirai Botnet

Mirai is a self-propagating botnet virus.   The source code for Mirai was made publicly available by the author after a successful and well publicized attack on the Krebbs Web site.  Since then the source code has been built and used by many others to launch attacks on internet infrastructure (ref Dyn).

The Mirai botnet code infects poorly protected internet devices by using telnet to find those that are still using their factory default username and password.   The effectiveness of Mirai is due to its ability to infect tens of thousands of these insecure devices and co-ordinate them to mount a DDOS attack against a chosen victim.

How Mirai Works

There are two main components to Mirai, the virus itself and the command and control center (CnC).  The virus contains the attack vectors, Mirai has ten vectors that it can launch, and a scanner process that actively seeks other devices to compromise.  The CnC is a separate image that controls the compromised devices (BOT) sending them instructions to launch one of the attacks against one or more victims.

The scanner process runs continuously on each BOT using the telnet protocol (on TCP port 23 or 2323) to try and login to IP addresses at random.  The login tries up to 60 different factory default username and password pairs when login succeeds the identity of the new BOT and its credentials are sent back to the CnC.

The CnC supports a simple command line interface that allows the attacker to specify an attack vector, a victim(s) IP address and an attack duration.  The CnC also waits for its existing BOTs to return newly discovered device addresses and credentials which it uses to copy over the virus code and in turn create new BOTs.

The Mirai Code

The virus is built for multiple different CPU architectures (x86, ARM, Sparc, PowerPC, Motorola) to cover the various CPUs deployed in IoT devices.  The image itself is small and employs several techniques to remain undiscovered and to obscure its internal mechanisms from reverse engineering attempts.

Once the virus is loaded into memory on the BOT it deletes itself from the BOT’s disk.  The virus will remain active until the BOT is rebooted.  Immediately after a reboot the device is free of the virus however it only takes a few minutes before its once again discovered and re-infected.

The attack vectors are highly configurable from the CnC but by default Mirai tends to randomize the various fields (port numbers, sequence numbers, ident etc) in the attack packets so they change with every packet sent.

How to Defend Against Mirai Botnets DDoS Attacks

Mirai will continue to be a threat until the poorly protected devices are secured, however the shoring up these devices is not something victims of Mirai attacks have any control over.

The Corero SmartWall® Threat Defense System (TDS) has various protections against Mirai type attacks. The Corero Security Operations Team (SOC) also has in-depth experience in dealing with Mirai attacks and can enable additional mitigation functions for customers not already taking advantage of the SecureWatch® Managed Service offering.

Additional & Related Information