BusyBox Botnet Mirai – the warning we’ve all been waiting for?

On Tuesday, September 20th around 8:00PM, KrebsOnSecurity.com was the target of a record-breaking 620Gbps volumetric DDoS attack designed to take the site offline. A few days later, the same type of botnet was used in a 1Tbps attack targeting the French webhoster OVH. What’s interesting about these attacks was that compared to previous record-holding attacks, which were less than half the traffic volume, they were not using amplification or reflection. In the case of KrebsOnSecurity, the biggest chunk of the attack traffic came in the form of GRE, which is very unusual. In the OVH attack, more than 140,000 unique IPs were reported in what seemed to be a SYN and ACK flood attack.

Soon after the attacks, a user called anna-senpai posted the source code and instructions for building the bot and CnC involved in the attacks on hackforums.net and named it Mirai. It would seem that the author of Mirai was also the author of botnet malware Qbot.

Concept of computer data encryption. Data protection. Security enhancement

The Mirai bots are self-replicating and use a central service to control the loading and prevent multiple bots being loaded on already harvested devices. Every infected device scans for open telnet ports and performs a brute-force login using 60+ factory default credentials of BusyBox -based Internet of Things (IoT) devices. Once the bot finds a new victim, the victim’s IP and credentials are sent to a centralized ScanListen service, which passes this information to the bot-load service that subsequently loads and starts the bot on the new victim. From that point forward, the new victim will help in harvesting new bots. This self-replicating pattern results in an exponentially growing number of bots in the botnet, reportedly up to 500 brute results per second at peak.

[You might also like: 5 Ways Hackers Market Their Products and Services]

Through research we found that the Mirai code appears professional. The loader and bot are coded in C, while the scanListen and CnC service are written in Go, leveraging go-routines and channels in an efficient CSP (Communicating Sequential Processes) design pattern. This distributed micro-service architecture allows for scalable control of bots and executing attacks in very large botnets. It should not be surprising that malware and bots are designed and coded by professionals. The economics of cyber-attacks are well established and covered in a recent blog by Ron Winward.

The most concerning fact, and the genius of Mirai, resides in its simplicity for victimizing IoT devices. Simple use of telnet and a limited list of factory default usernames and passwords result in botnets with sizes that thwart our imagination. This makes Mirai one severe warning for IoT vendors and device makers. It also shows that for security, one should not rely on the average user to protect and harden his devices, especially for IoT and smart devices that are starting to invade everyone’s homes.

This warning might be the most severe in its kind, but it was certainly not the first about the security risks from the IoT. The FBI and Department of Homeland Security have issued public service announcements about the associated security risks as early as September 2015.

These incidents once again demonstrate the need for IoT platforms designed with security in mind from the ground up, not adding security as an afterthought. To date, the number of connected devices is estimated at 6 billion, compared to an estimated internet user count of 3.5 billion. By some sources, the number of connected things will reach 20 billion by the year 2020, of which 13 billion will be in the consumer space.

Learn more about cyber-attack detection and trends in the 2016 Global Application and Network Security Report.

Download Now

Pascal Geenens

As the Director, Threat Intelligence for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal got skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and lead security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center