Hacker Releases IoT Botnet Source Code

ENISA botnet report, Mirai

The ‘Mirai’ family of botnets hijacks Internet-connected devices and uses them to launch large-scale attacks

A hacker has released the source code of “Mirai”, which controls botnets that hijack Internet-connected devices, meaning a surge in attacks using such networks is likely to be on the way.

The code was released on discussion board Hackforums by a user with the pseudonym anna-senpai, security journalist Brian Krebs said in a report on Saturday.


‘Eyes on IoT’

The user, who claimed to have used Mirai to launch a major denial-of-service attack on Krebs’ website last week, said they were releasing the code in response to increased scrutiny of hacked Internet of Things (IoT) devices by Internet service providers.

“I made my money, there’s lots of eyes looking at IoT now, so it’s time to GTFO,” the hacker wrote.

Anna-senpai added that Mirai had previously been able to take control of about 380,000 devices using only one specific telnet exploit, but that following the attack on Krebs’ site ISPs were tightening security.

As a result, the software was now able to hack 300,000 devices or fewer, the hacker wrote.

Covering tracks

Hackers often publicly release the source code for their tools when they are looking to cover their tracks, Krebs said.

“Publishing the code online for all to see and download ensures that the code’s original authors aren’t the only ones found possessing it if and when the authorities come knocking with search warrants,” he wrote.

He and other computer security experts said the release is likely to mean wider use of the botnet software is on the way.

“My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth,” he wrote.

According to researchers, Mirai is one of the main botnets that launch attacks using malicious traffic originating from hacked Internet-connected devices such as security cameras, home routers and television set-top boxes, the other being “Bashlight”.

Botnet families

The two botnet families control about 1.2 million hacked devices, according to Internet backbone provider Level 3 Communications.

Both scan for devices using default access passwords that are publicly known, including Internet-connected cameras manufactured by Dahua and a line of digital video recorders, Level 3 has said.

All those devices include the same code, a form of embedded Linux called BusyBox, making the units easy to hack, researchers said.

In addition, newer versions of Mirai encrypt the traffic passing between infected devices and control servers, making infections more difficult for ISPs to spot..

Hackers use the botnets to effectively shut down access to websites, and then demand a ransom to stop the attack.

“For the attacker, using a botnet means they pay nothing to succeed,” said IT security firm Sucuri in an recent advisory. “The victim has to pay for additional servers and bandwidth, while attackers get it for free using their malicious botnets.”

So far hackers have been able to assemble large IoT botnets with minimal effort, but it is only a matter of time before they begin casting a wider net, which would be likely to affect many more Internet-connected consumer devices, according to Level 3 chief security officer Dale Drew.

Analysts Gartner forecast late last year that 6.4 billion IoT devices would be in use around the world in 2016, up 30 percent from 2015, with 5.5 new devices being conneted each day. Gartner said it expected that figure to rise to 20.8 billion by 2020.

Are you a security pro? Try our quiz!