CyberCrimeSecuritySecurity Management

Mirai Botnet Hits US College With Massive 54 Hour Attack

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Mirai returns (or at least a variant of it) warns researchers at Imperva Incapsula who witnessed the attack

Security researchers at Imperva Incapsula have uncovered a new variant of the Mirai malware.

The Mirai botnet is notorious as it was used in an high profile attack that brought down Twitter, Reddit, Netflix and other high-profile sites last year.

In January, security journalist Brian Krebs, whose website was one of the targets, identified the IoT malware as being written by a young developer who started off in the business of protecting servers from denial-of-service attacks.Botnet

New Variant

Last year the Mirai botnet had spread like wildfire and infected 2,398 home routers across the UK, with 99 percent of them being TalkTalk routers.

But now researchers at Imperva Incapsula warned in a blog post that they have discovered a new variant of the malware.

“Given the success of those attacks, along with the public availability of the Mirai source code, it was clearly only a matter of time before botnet herders began experimenting with new versions of the malware,” warned the researchers.

They said that a few weeks ago what could possibly be yet another version of Mirai (capable of launching application layer attacks) hit one of its customers, a US college, with a 54 hour long attack that generated the highest traffic flow Imperva Incapsula has ever seen out of a Mirai botnet.

“The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS – the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests,” they wrote.

“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” they said. “Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers.”

“Looking at the bigger picture, this variant of Mirai might be a symptom of the increased application layer DDoS attack activity we saw in the second half of 2016,” the researchers concluded.

“That said, with over 90 percent of all application layer assaults lasting under six hours, an  attack of this duration stands in a league of its own.”

IoT Malware

The Mirai botnet is not the only piece of malware to utilise poorly protected Internet of Things (IoT) devices.

Earlier this month for example, researchers discovered malware targeting a security bug in a popular line of Internet-connected cameras.

Prior to that researchers have detected powerful denial-of-service attacks launched from a botnet made up of 900 hacked CCTV cameras.

Users are advised to always protect IoT devices with security products that check Internet traffic passing between the router and the devices connected to it.

Quiz: Do you know all about security in 2016?