By: Gabriel Schram
June 24, 2021
Mirai Claims IoT Devices With Weak Passwords
The internet of things (IoT) is any device that can connect and share data with other devices through a connected network or internet connection. At the end of 2020, there were more than 20 billion connected devices (Sujay Vailshery, 2021). The IoT has been integrated into devices of all types and is widely applied to daily life and infrastructure. Increasing reliance on the IoT raises the issue of securing the integrity of these devices. IoT devices create a new attack surface for threat actors and cybercriminals. The digital footprint of the average user grows with the number of connected devices they use. Many IoT devices reveal traceable information about their human users, such as their location, activity, and communications. This is often done passively or without the knowledge of the user. The security of these devices is often overlooked, to the point that the default password is never changed. In addition to weak passwords, IoT devices continue to present new vulnerabilities that advancing threat actors are capitalizing on.
Mirai is a malware variant that takes advantage of this vulnerable attack surface. It exploits susceptible IoT devices and uses them as part of a botnet. A botnet is a network of connected devices infected by malware under the control of a central authority. Botnet malware typically has low visibility until infected machines are directed toward a malicious purpose such as a Distributed Denial of Service (DDoS). A DDoS is a directed flood of internet traffic intended to disrupt a targeted server or network. Botnets are a core element of DDoS attacks because they provide the means to generate that flood of traffic. When bots are not being used, the malware stays dormant as a background process.
Paras Jha was the developer of the Mirai malware. As an undergraduate student, he launched DDoS attacks on his school’s network against his opponents in Minecraft (an online game). The first significant cyberattack he conducted was a DDoS against a web hosting service in France on September 19, 2016. The next day, Krebs on Security was taken down by a DDoS from a Mirai botnet. The attack on Krebs pushed between 600 and 700 billion bits per second. About ten days later, the source code was released. Mirai and its variants have continued to make a significant impact, through DDoS among other things.
Mirai as a Threat
Mirai conducts frequent internet scans for potentially vulnerable devices using TCP SYN probes against the Telnet TCP ports 23 and 2323 (Antonakakis et al., 2017). Once a device is discovered, Mirai carries out a dictionary attack, a form of brute-force login that tries a list of supplied credentials in an attempt to bypass authentication. Successful logins are reported back to the controller. This process repeats continuously to grow the total number of machines in the botnet. However, Mirai also contains a list of addresses that it does not engage with. This blacklist includes the Department of Defense, the US Postal Service, General Electric, and a select few other IP addresses.
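The scanning behaviour described above gives defenders a concrete signal to look for: one source address sending SYNs to many distinct destinations on TCP 23 and 2323 in a short time. The following detector is an added editorial example, not code from the original post or from any Mirai analysis; the log line format, the five-minute window, and the threshold of ten distinct targets are assumptions, and the sample log lines are constructed.

```python
"""Flag sources that probe many distinct addresses on Telnet ports 23/2323
within a short window, the scanning pattern described for Mirai.
Added editorial example; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

TELNET_PORTS = {23, 2323}
WINDOW = timedelta(minutes=5)       # assumed sliding window
MIN_DISTINCT_TARGETS = 10           # assumed threshold; tune for your network

# Hypothetical firewall log format: "<ISO timestamp> SYN src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) SYN src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)


def find_telnet_scanners(lines, window=WINDOW, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src: max distinct Telnet targets seen in any `window`} for every
    source that reaches at least `min_targets` distinct destinations on 23/2323."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash the pipeline
        ts, src, dst, dport = parsed
        if dport in TELNET_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # time order so the window can slide
        start = 0
        for end in range(len(hits)):
            # drop hits that fall outside the window ending at hits[end]
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def constructed_sample_log():
    """Constructed sample: one host sweeping 12 addresses on 23/2323, one admin
    host touching 3 devices, one unrelated port-80 SYN, and one malformed line."""
    lines = [
        f"2021-06-24T10:00:{i:02d}Z SYN src=203.0.113.5 dst=192.0.2.{i + 1} "
        f"dport={23 if i % 2 == 0 else 2323}"
        for i in range(12)
    ]
    lines += [
        f"2021-06-24T10:01:{i:02d}Z SYN src=198.51.100.7 dst=192.0.2.{i + 1} dport=23"
        for i in range(3)
    ]
    lines.append("2021-06-24T10:02:00Z SYN src=203.0.113.5 dst=192.0.2.50 dport=80")
    lines.append("this line is not a SYN record")
    return lines


if __name__ == "__main__":
    for src, count in find_telnet_scanners(constructed_sample_log()).items():
        print(f"possible Telnet scanner {src}: {count} distinct targets")
```

The threshold is the important design choice: a legitimate administrator host will open Telnet to a handful of devices, so counting distinct destinations rather than raw SYNs keeps such hosts below the bar while a sweep across a subnet crosses it quickly.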
Once a device is infected, Mirai runs mostly as a background process but consumes some bandwidth, which slows down the infected machine. Exploited machines take direction from a Command and Control (C2) server; this is how the botnet controllers sustain their DDoS capabilities. Mirai aggressively kills other processes that use SSH, Telnet, and HTTP (Bekermen, Zeifman, & Herzberg, 2016). Moreover, it eradicates other malware, including its own variants. Since Paras Jha released the source code for Mirai, several variants have been reported, each with its own unique adjustments. In 2017, the author and his associates pleaded guilty to their crimes relating to Mirai.
Nevertheless, major DDoS attacks continue to take place using Mirai variants, and some operators even offer DDoS as a service. The malware made a significant impact by pointing out how many vulnerable IoT devices are connected to the internet. These devices are increasingly integrated into daily life, and their added convenience needs to be balanced holistically against a secure environment.
Mirai is not a particularly advanced piece of malware. It simply took advantage of poor cybersecurity practices in a growing environment of connected IoT devices. Therefore, users must be aware of the number of connected devices they actively use. Default passwords should be changed immediately to stronger passwords on ALL IoT devices. Because the malware stores itself in memory, restarting an infected device eradicates the infection; nonetheless, preventing reinfection requires a stronger password. Lastly, Telnet is an insecure protocol that runs on port 23 (some IoT devices use port 2323 as a secondary Telnet port). Restricting access to Telnet ports 23 and 2323 is therefore necessary and is a primary cybersecurity practice that hardens the surface against Mirai. Mirai was highly successful because of how poorly IoT devices were secured, and this pattern can be expected to continue as IoT threats and connected devices grow in sophistication.
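The two mitigations recommended above, replacing default credentials and restricting Telnet on 23/2323, can be turned into an inventory audit. The script below is an added editorial example, not code from the original post or from any vendor; the inventory layout, the placeholder default-credential list, the management network 10.10.0.0/24, the 12-character minimum and the use of iptables syntax for the generated rules are all assumptions.

```python
"""Audit an IoT inventory against the post's two mitigations: no factory
default credentials, and Telnet (TCP 23/2323) reachable only from a
management network. Added editorial example; layout and policy values are
assumptions."""
import ipaddress

TELNET_PORTS = (23, 2323)
MIN_PASSWORD_LEN = 12  # assumed local policy

# Constructed placeholder list; a real audit uses the vendor's documented
# defaults for each device model.
PLACEHOLDER_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}


def credential_is_weak(user, password):
    """True when the pair is a known factory default or shorter than policy."""
    return (user, password) in PLACEHOLDER_DEFAULTS or len(password) < MIN_PASSWORD_LEN


def telnet_exposed(device, mgmt_net):
    """True when Telnet is enabled and reachable from outside the management network.
    A device with no allow-list at all is treated as reachable from anywhere."""
    if not device["telnet_enabled"]:
        return False
    allowed = [ipaddress.ip_network(n) for n in device.get("telnet_allow_from", [])]
    return not allowed or any(not n.subnet_of(mgmt_net) for n in allowed)


def audit_inventory(devices, mgmt_net="10.10.0.0/24"):
    """Return findings ordered as in the inventory. A device that is both
    Telnet-exposed and using weak credentials is exactly what Mirai's scanner
    and dictionary attack look for, so it is rated high."""
    mgmt = ipaddress.ip_network(mgmt_net)
    findings = []
    for d in devices:
        weak = credential_is_weak(d["user"], d["password"])
        exposed = telnet_exposed(d, mgmt)
        if weak and exposed:
            severity = "high"
        elif weak or exposed:
            severity = "medium"
        else:
            continue  # nothing to report
        findings.append({"ip": d["ip"], "severity": severity,
                         "weak_credentials": weak, "telnet_exposed": exposed})
    return findings


def telnet_restriction_rules(mgmt_net="10.10.0.0/24"):
    """iptables rules (assumed syntax) that accept Telnet only from mgmt_net and
    drop every other source. Order matters: the ACCEPT must precede the DROP."""
    rules = []
    for port in TELNET_PORTS:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {mgmt_net} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


# Constructed inventory covering each combination of the two weaknesses.
CONSTRUCTED_INVENTORY = [
    {"ip": "192.0.2.10", "user": "admin", "password": "admin",
     "telnet_enabled": True, "telnet_allow_from": []},                 # default creds, open Telnet
    {"ip": "192.0.2.11", "user": "admin", "password": "Tr0ub4dor&3-Correct",
     "telnet_enabled": True, "telnet_allow_from": ["0.0.0.0/0"]},      # strong creds, open Telnet
    {"ip": "192.0.2.12", "user": "root", "password": "root",
     "telnet_enabled": True, "telnet_allow_from": ["10.10.0.0/24"]},   # default creds, Telnet restricted
    {"ip": "192.0.2.13", "user": "admin", "password": "Tr0ub4dor&3-Correct",
     "telnet_enabled": False},                                          # Telnet off, strong creds
]

if __name__ == "__main__":
    for f in audit_inventory(CONSTRUCTED_INVENTORY):
        print(f"{f['ip']}: {f['severity']} "
              f"(weak_credentials={f['weak_credentials']}, telnet_exposed={f['telnet_exposed']})")
    print("\n".join(telnet_restriction_rules()))
```

The audit deliberately rates a device medium even when only one weakness is present: a reboot clears an in-memory Mirai infection, but a device that is still reachable on Telnet with a default password is reinfected on the next scan, so both conditions have to be fixed before the device is considered closed.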
Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., . . . Zhou, Y. (2017). Understanding the Mirai botnet. Paper presented at the USENIX Security Symposium, 1093-1110. Retrieved from https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis
Bekermen, D., Zeifman, I., & Herzberg, B. (2016). Breaking down Mirai: An IoT DDoS botnet analysis. Retrieved from https://www.imperva.com/blog/malware-analysis-mirai-ddos-botnet/
Sujay Vailshery, L. (2021). Number of internet of things (IoT) connected devices worldwide in 2018, 2025 and 2030 (in billions). Statista. Retrieved from https://www.statista.com/statistics/802690/worldwide-connected-devices-by-access-technology/