He says Akamai has observed this effect. “With less traffic but more packets, you can break the network gear in the middle,” he says. “We saw both sides of that equation in those attacks last week.”
Who’s behind it?
“One of the most interesting things revealed by the code was a hardcoded list of IPs Mirai bots are programmed to avoid when performing their IP scans,” Imperva says. Those include the U.S. Department of Defense, the U.S. Post Office, HP, GE and the Internet Assigned Numbers Authority.
That leads the Imperva researchers to speculate that the creators of the malware are naïvely trying to avoid attention by eliminating those IP ranges, then following up by using it to launch one of the most scrutinized attacks ever. “Together these paint a picture of a skilled, yet not particularly experienced, coder who might be a bit over his head,” they write, but not a veteran cyber criminal.
The code uses English for its command and control interface but also contains strings in Russian. “This opens the door for speculation about the code’s origin, serving as a clue that Mirai was developed by Russian hackers or—at least—a group of hackers, some of whom were of Russian origin,” they write.
Whoever is behind Mirai might have launched the big attacks as a demonstration of its capabilities, so that the threat of a similar attack could be used to extort cash from potential victims who want to avoid being hit, Shaul says.
Those who download the software might include someone who has assembled a general-purpose botnet and wants to weaponize it as a DDoS army that could be used, say, in a DDoS-for-hire business. “I’d be surprised if we don’t see that happen,” he says. “The person who’s got the skills to do botfarming may not have the skills to do DDoS.”
Individuals probably won’t download Mirai to carry out a spiteful DDoS attack because it’s much more efficient to hire a service, he says.
Recruiting IoT botnets has a lot of advantages over trying to compromise PCs and servers, experts say:
- Many IoT devices have publicly exposed administrative ports protected only by default passwords.
- The devices lack security software such as anti-virus.
- Residential customers and small businesses that lack security sophistication are in charge of protecting the devices.
- Typically IoT gear is connected to the internet all the time.
- Attackers don’t have to deal with social engineering, email poisoning or expensive zero day attacks.
Akamai came across what came to be known as Mirai via a honeypot it set up last summer that drew attempts to log into the box. Most of the attempts came from China, he says, and most were trying to log in as root. Many of the passwords tried against the honeypot were default passwords specific to IoT devices – closed-circuit cameras and DVRs.
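The kind of summary described above (where attempts come from, which account they target, and whether the passwords match known IoT factory defaults) is easy to produce from a honeypot's own authentication log. The following is an added example, not Akamai's tooling or data: the log format, the sample lines, the IP-to-country mapping and the watchlist of default passwords are all constructed placeholders, and a real deployment would swap in a GeoIP lookup and a vendor-default list of its own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a hypothetical honeypot auth-log format (not real data).
# Source addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-08-01T10:00:01Z src=203.0.113.5 user=root pass=cam-default-A result=fail
2016-08-01T10:00:03Z src=203.0.113.5 user=root pass=dvr-default-B result=fail
2016-08-01T10:00:07Z src=203.0.113.9 user=admin pass=cam-default-A result=fail
2016-08-01T10:00:12Z src=198.51.100.7 user=root pass=hunter2 result=fail
2016-08-01T10:00:20Z src=192.0.2.44 user=root pass=dvr-default-B result=fail
2016-08-01T10:00:25Z src=203.0.113.5 user=guest pass=guest result=fail
"""

# Assumption: a hand-built stand-in for a GeoIP lookup, keyed by source address.
GEO = {"203.0.113.5": "CN", "203.0.113.9": "CN", "198.51.100.7": "US", "192.0.2.44": "DE"}

# Placeholder watchlist of factory-default IoT credentials; the values are made up.
IOT_DEFAULT_PASSWORDS = {"cam-default-A", "dvr-default-B"}

# One log line: timestamp, source IP, username, password tried, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of dicts; lines that do not match the format are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def summarize(attempts, geo=GEO, watchlist=IOT_DEFAULT_PASSWORDS):
    """Aggregate login attempts by account, origin country and default-password use.

    'sprayers' lists sources that tried two or more distinct credential pairs,
    the pattern a credential-spraying bot leaves behind.
    """
    total = len(attempts)
    by_user = Counter(a["user"] for a in attempts)
    by_country = Counter(geo.get(a["src"], "??") for a in attempts)

    creds_per_src = defaultdict(set)
    for a in attempts:
        creds_per_src[a["src"]].add((a["user"], a["pw"]))
    sprayers = {src for src, creds in creds_per_src.items() if len(creds) >= 2}

    return {
        "total": total,
        "by_user": by_user,
        "by_country": by_country,
        "root_share": by_user["root"] / total if total else 0.0,
        "iot_default_hits": sum(1 for a in attempts if a["pw"] in watchlist),
        "sprayers": sprayers,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(f"{report['total']} attempts, root share {report['root_share']:.0%}")
    print("by country:", report["by_country"].most_common())
    print("IoT default-password hits:", report["iot_default_hits"])
    print("spraying sources:", sorted(report["sprayers"]))
```

On the constructed sample this reports six attempts, four of them against root, most from the "CN"-mapped sources, four using watchlisted default passwords, and a single source spraying several credentials. Feeding it a real honeypot log only requires adjusting `LINE_RE` to that log's format and replacing the two placeholder tables.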