Mirai botnet ‘fracturing,’ weakening say researchers

The once-mighty Mirai botnet has fragmented since its source code was publicly posted on the internet, researchers say, and remediation efforts by internet companies appear to be shrinking the numbers of infected devices in the U.S.

The botnet has been used in attacks on cybersecurity journo Brian Krebs’ website in September and took major e-commerce entities offline for several hours last month. But an attempt this week to use it against the websites of the two candidates in the U.S. presidential election turned out to be a flop, wrote security researchers from dark web intelligence outfit Flashpoint in a Monday evening blog post.

Mirai is malicious software designed to use factory-default passwords on web-connected devices like DVRs and webcams. The infected devices become part of the botnet — using their internet connectivity to bombard a target website with fake requests, known as a Distributed Denial of Service or DDoS attack.

“The IoT botnet landscape appears to be saturated with too many would-be controllers and not enough new vulnerable devices,” the Flashpoint researchers state.

Although the original Mirai botnet had over 300,000 infected devices, Flashpoint’s data “suggests that currently, the largest active Mirai botnet appears to be composed of between 92-96,000 devices,” according to John Costello, the company’s senior cyber analyst for the Asia-Pacific.

Security company Rapid7 has used a different a different methodology to track the overall numbers of devices infected across the globe since early October, said Chief Security Data Scientist Bob Rudis. He said that, over the past few days, the numbers of infected machines overall had been climbing — although “There are competing botnets out there right now” and none of them approached the size of the original.

The release of the Mirai source-code on the internet at the beginning of October, “has caused many hackers to compete with one another for control of IoT devices that remain susceptible to Mirai malware,” Costello added.

After infecting a device, Mirai “disables the communication methods that initially facilitated the infection,” effectively blocking further infection, Costello told CyberScoop by email.

With hackers competing to infect IoT devices “the botnet’s fracturing has significantly lowered the impact, efficacy, and damage of subsequent attacks,” the Flashpoint researchers conclude.

More intriguingly, Rudis noted, starting on Nov. 2, networks operated by Verizon Business and Comcast showed a marked reduction in traffic from Mirai-infected devices — suggesting they’d been doing some kind of remediation.

By Nov. 6, the reduction in traffic had knocked the U.S. out of the top 10 countries for infected devices, he told CyberScoop.

The Mirai source code includes a simple way to define the command and control server that infected devices get their DDoS targeting orders from.

This means the botnet can scale easily, because when a command and control (C&C) server is in danger of becoming overwhelmed by the number of infected victims it is directing, the author can just re-write that part of the code, using a different server address to send commands to future recruits.

But it also means it’s easy to spot the C&C servers and block their traffic or take them offline.

“It’s fairly easy to identify the traffic associated with infected devices,” Rudis said, “If an [internet service provider or] ISP wanted to stop [that] traffic, they could do that” — and that’s what it appears that Verizon Business and Comcast may be doing.

“Both those companies have great security teams and they are highly technically capable,” he said.

If a C&C server is taken down, the infected devices it was running will be effectively liberated from the botnet, but unless they are patched or their password is reset — or unless some other remediation is done — they will remain open to rediscovery and attack, by either the same botnet or a competing one, according to Filip Chytrý, a threat intelligence researcher at Avast Software.

“Are they still vulnerable?” he asked, “In most cases, they are and can be used again to … perform another attack.”