The Mirai malware gained its infamy in October 2016 following its record-breaking attack on systems operated by domain name system provider Dyn, using unsecured Internet of Things (“IoT”) enabled “smart” devices (such as CCTV recorders, webcams and routers). It resulted in the widely reported outage of Twitter, Netflix, Spotify and Airbnb, amongst others.
Mirai is highly effective as it targets devices which often run unattended, do not have anti-virus installed, and have no external visual indication that they have been compromised. Mirai works by systematically trying the 62 most common default username/password combinations against the Telnet/SSH port of internet connected devices in an attempt to gain administrative access to the device. Whilst the technique is simple, the sheer number of vulnerable devices on the internet means that “botmasters” (the creators and controllers of collections of compromised computers and IoT devices, each a bot and together a botnet) have been able to create and sustain botnets containing up to 100,000 devices. Botmasters are then able to sell the use of their botnets online to the highest bidder for use in, for example, Distributed Denial of Service attacks against specific targets (e.g. Dyn).
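From the device owner's side, the credential guessing described above leaves a distinctive trace: one source address producing a burst of failed logins spread across several different usernames within seconds. The following is an added example, not code from the original article or from any Mirai analysis, showing how that pattern can be picked out of an SSH/Telnet daemon's log. The log lines are constructed samples written in the style of the dropbear SSH daemon's messages, and the thresholds (five failures across at least three usernames within sixty seconds) are illustrative assumptions.

```python
"""Flag credential-guessing bursts in SSH/Telnet login logs.

Added example (not from the original article). A source that racks up
many failed logins across several distinct usernames inside a short
window is behaving like a default-credential worm probing the device.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (syslog-style, dropbear-like wording).
# Addresses are documentation ranges; nothing here is a real capture.
SAMPLE_LOG = """\
Apr 20 10:00:01 cam01 dropbear[412]: Bad password attempt for 'root' from 203.0.113.7:51002
Apr 20 10:00:02 cam01 dropbear[413]: Bad password attempt for 'admin' from 203.0.113.7:51004
Apr 20 10:00:02 cam01 dropbear[414]: Login attempt for nonexistent user from 203.0.113.7:51006
Apr 20 10:00:03 cam01 dropbear[415]: Bad password attempt for 'support' from 203.0.113.7:51008
Apr 20 10:00:04 cam01 dropbear[416]: Bad password attempt for 'user' from 203.0.113.7:51010
Apr 20 10:00:05 cam01 dropbear[417]: Bad password attempt for 'guest' from 203.0.113.7:51012
Apr 20 10:00:09 cam01 dropbear[418]: Password auth succeeded for 'operator' from 198.51.100.4:40010
Apr 20 10:05:00 cam01 dropbear[419]: Bad password attempt for 'operator' from 198.51.100.4:40012
Apr 20 10:12:00 cam01 dropbear[420]: Bad password attempt for 'operator' from 198.51.100.4:40014
"""

# Matches only the two failure messages; successes and other daemons fall through.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"(?:Bad password attempt for '(?P<user>[^']*)'"
    r"|Login attempt for nonexistent user)"
    r" from (?P<src>[\d.]+):\d+$"
)


def parse_failures(text, year=2017):
    """Return [(timestamp, source_ip, username)] for each failed login line.

    Syslog timestamps carry no year, so one is supplied. Attempts against
    a nonexistent account keep the placeholder '<unknown>' so they still
    count as a distinct guess.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"] or "<unknown>"))
    return events


def find_guessing_sources(events, window_s=60, min_failures=5, min_users=3):
    """Return {source_ip: (failures, distinct_users)} for every source that,
    within some sliding window of window_s seconds, reaches both thresholds.
    The reported pair is taken from the largest qualifying window.
    """
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))

    flagged = {}
    for src, items in by_src.items():
        items.sort()
        best = None
        lo = 0
        for hi in range(len(items)):
            # Advance the window start until it spans at most window_s seconds.
            while (items[hi][0] - items[lo][0]).total_seconds() > window_s:
                lo += 1
            window = items[lo:hi + 1]
            users = {u for _, u in window}
            if len(window) >= min_failures and len(users) >= min_users:
                if best is None or len(window) > best[0]:
                    best = (len(window), len(users))
        if best:
            flagged[src] = best
    return flagged


def analyse(text):
    return find_guessing_sources(parse_failures(text))


if __name__ == "__main__":
    for src, (n, u) in analyse(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins across {u} usernames within 60s")
```

Run against the sample, only 203.0.113.7 is reported: six failures across six usernames in four seconds. The second source fails twice against a single account minutes apart, which is what a legitimate operator mistyping a password looks like, so it stays below both thresholds. The distinct-username condition is what separates a credential list being replayed from an ordinary brute force against one account.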
Following the public release of the source code for Mirai in September of last year, several new and notable versions of Mirai have emerged. Some of these new variants are novel and may shed light on the direction of travel for IoT malware. These new Mirai variants include:
- Bitcoin mining malware: In April 2017 a Mirai variant was discovered which used compromised devices to “mine” for Bitcoin (essentially solving computationally complicated mathematical problems relating to the Bitcoin blockchain in exchange for the virtual currency Bitcoin). By leveraging the distributed computing power of its IoT botnet (essentially other people’s computers), the botmaster is able to generate Bitcoins for him/herself far quicker than could be achieved using a single machine.
- The BrickerBot malware: BrickerBot, facetiously named after its effect of transforming each of its targets into something as technologically useful as a brick (also called a Permanent Denial of Service attack), has so far been detected in four variations. Instead of growing and propagating itself as all previous Mirai based worms have, BrickerBot instead borrows just the exploit vector of Mirai and upon gaining access to its target it, amongst other things, corrupts the file system of the target to such an extent that the device is essentially destroyed. Recently, an anonymous internet user claiming to be BrickerBot’s author has come forward and stated that his/her motivation for creating the malware was to remove devices that are able to be compromised from the internet and to force device manufacturers to address device security themselves, rather than leaving it to potentially unskilled end consumers. Whilst the identity of the malware’s author has not been confirmed, and whilst the function of the malware is undoubtedly illegal, BrickerBot’s form of internet vigilantism has apparently been effective, with estimates suggesting that approximately 2 million devices will have been “bricked” by BrickerBot by the end of April 2017.
In addition to the above more drastic evolutions of the Mirai source code, other less modified variants have also been detected. These range from versions targeting Microsoft Windows systems (the original Mirai botnet specifically targets Linux devices) to versions targeting specific weaknesses on certain ports of internet routers (the original malware conducts Telnet/SSH focused attacks).
These latest Mirai based malware variants illustrate the threat posed by the growing trend of hackers and cyber criminals posting malware source code on the internet. After this source code has been made available, future hackers and cyber criminals are able to build on what others have done before them in order to create increasingly sophisticated malware variants.
Whilst IoT malware can pose a significant risk, the steps to prevent it spreading are generally straightforward for manufacturers and simply require that devices do not use the same default credentials to authenticate access. To date, many manufacturers have left it to consumers to secure their own devices. However, at least some of the compromised devices have hard-coded passwords which cannot be changed by the end-user. With the likes of BrickerBot permanently disabling vulnerable devices, manufacturers may start to feel commercial pressure (e.g. in the form of consumers returning “bricked” devices under warranty) to ensure that the devices they produce are secure by design.
Indeed, since the emergence of BrickerBot, a number of routers provided to customers of a Canadian ISP have reportedly been “bricked” by the malware. The ISP reacted by initially replacing the affected routers but quickly ran out of spares and had to resort to the time-consuming process of manually fixing each router, leaving some customers without internet access for extended periods of time. If a trend of such activity were to emerge, it is not difficult to imagine intermediary companies (such as ISPs) seeking legal recourse against their suppliers with the aim of recovering losses that they will contend are a direct result of being supplied with unsecured products.