IoT machines at risk as hackers release zombie code into the wild

4 Oct 2016

Hackers are using poorly secured IoT devices to take websites offline. Image: Tithi Luadthong/Shutterstock

The massive DDoS attacks that hit OVH and Brian Krebs are likely to escalate after hackers publicly released the Mirai source code, which can turn poorly secured web devices into a zombie army on the attack.

In recent weeks, prominent infosec journalist Brian Krebs succumbed to what was then the biggest distributed denial of service (DDoS) in history, with a 620Gbps DDoS attack. Within a week, this record was broken by an even bigger attack on French hosting player OVH that ran at 1.5Tbps, as 145,000 poorly secured webcams and CCTV cameras were enlisted to join the onslaught.

Now the fear is that any home or business with internet of things (IoT) devices ranging from robot vacuums to child monitors could be enlisted to join attacks, after a hacker by the name ‘Anna-senpai’ released the code to the public.

The malware, known simply as ‘Mirai’, can effectively raise a zombie army of poorly secured IoT devices and direct a major DDoS attack against any business or individual.

A DDoS attack can take a business offline by using thousands of IP addresses to crowd the entrance of an online store, for example.

Mirai and Bashlight are only the start of a challenge that threatens future of IoT devices

Krebs said that the release of the Mirai code virtually guarantees that the internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

Mirai effectively spreads to vulnerable IoT devices by continually scanning the internet for IoT systems protected by factory default or hard-coded usernames and passwords.

Krebs warned that once seeded with the malware, the devices can be turned into bots that assemble at a central control server, which can then be used as a staging ground to mount powerful DDoS attacks.

In this way, hackers can simply knock websites offline at a whim.

The source code was leaked on Friday to the hacking community Hackforums.

Anna-senpai said: “When I first got in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IoT now, so it’s time to GTFO. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone.

“However, after the Krebs DDoS, ISPs [have] been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

It is understood that as well as Mirai, another zombie-building DDoS attack coordinating malware is on the loose. It is known as ‘Bashlight’ and is believed to be responsible for enslaving almost 1m IoT devices.

Both sets of code are understood to be competing for notoriety.

While infected devices can be cleaned up by rebooting them, Krebs reported that because of the constant scanning by the malware, cleaned systems are likely to be reinfected within minutes.

The development is worrying in light of the fast growth of the IoT and sets out a challenge for device makers to make their products more secure.

Zombie attack. Image: Tithi Luadthong/Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years