Mirai and IoT: Understanding DDoS Impact Means Accurately Analyzing the Past

Mirai has been making headlines over the past couple of months, but this family of malware is a very new part in the larger history of the abuse of vulnerable Internet of Things (IoT) devices. When the record-breaking DDoS attacks happened against Brian Krebs and OVH in September 2016, this was seen as a major moment, but the factors that made this possible had been quietly building up for years before this.

Given our in-depth research on Mirai, and since we, with Akamai, helped Dyn identify this malware in its October 2016 distributed denial of service (DDoS) attack, we want to ensure that our customers and the broader security community have the most accurate information possible. IoT malware is no longer controlled by amateurs and attention seekers; Mirai is in the hands of professionals now.

The Hacking Scene

Before Mirai was public, IoT devices such as routers, IP cameras, and digital video recorders (DVRs) were typically abused by a variety of similar malware, which went by a number of different names. Some variants were superior and more private, but most were copied off public source code dumps.

Some of the names given to the malware by researchers and threat actors were gafgyt, bashlite, torlus, ballpit, Darkrai, Palkia, Lizkebab, and more private variants existed such as Remaiten. This malware will be referred to generically as gafgyt, since they are so similar.

Many spread as Telnet worms initially, but some branched out to new exploits. We also saw attempts at botkilling, custom packing, new exploits, echo loaders, device patching, and other tactics. It was (and continues to be) a petri dish of experimentation and evolution, and the fittest specimens grew largest.

And even before this, much of this Telnet worm activity came to the forefront after the Lizard Squad DDoS attacks against gaming companies throughout 2014. In January of 2015, the nature of their botnet was exposed to the public as a Telnet worm that used low end IoT devices for a DDoS botnet. Soon afterwards, the source code was dumped (under the name Lizkebab), and once the source code could be modified by many people, the variety of malware abusing Telnet default passwords exploded.

Natural Selection in the IoT World

Every iteration and new development in the IoT malware space involved some change that made one species fitter than the older, dominant species. The malware behind the Lizard Squad DDoS attacks was itself not new at the time, but a couple of innovations allowed it to become dominant and spread far beyond its predecessors; specifically, it had a worm function and a function that killed duplicate instances of itself. But it was not going to remain dominant for long — it was soon replaced by successors with vital modifications that killed rivals and spread to new devices that were immune to infection from old variants. The use of the “echo loader” was not unique to Mirai nor was it the first family of malware to use it. Pnscan.2 and Remaiten and others made use of the echo loader because it allowed for infection of machines that didn’t have “wget” installed.

Mirai is different because it was truly designed from the ground up by someone who most likely had a formal education or coding experience. It was likely written by people who had prior experience with the gafgyt malware family because it contained design solutions that addressed the major problems that gafgyt operators had to face. It incorporated many of the design features that the fittest malware species in the IoT space were already using. It also incorporated anti-analysis tricks against the techniques used by defenders at the time, which showed an awareness of how IoT botnets were being fought against.

When the owner of this botnet wrote a July 2016 Hackforums thread named “Killing all Telnets”, he was right. Our intelligence around that time reflected a massive shift away from the traditional gafgyt infection patterns and towards a different pattern that refused to properly execute on analysts’ machines. This new species choked out all the others.

In September, when the massive DDoS attacks hit Krebs and OVH, the primary suspect was this mystery monster which had so completely dominated this space for months. In collaboration with trusted research partners and victims, we realized that these suspicions were right.

Shortly afterwards, the individual(s) behind this action released the source code. The download link they provided was the same domain they had used for command & control of their botnet.

The aftermath of this Mirai source code release mostly mirrored the aftermath of the gafgyt source code release. A large number of copycats sprung up, turf wars ensued, and more sophisticated actors have built upon the source code to improve the fitness and functionality of their malware.

From Amateur to Professional

We have observed the evolution of these botnets for some time and have noticed a clear trend. Based on the infection techniques, malware complexity, and choice of DDoS targets, we have historically seen IoT malware as a space controlled mostly by amateurs, gamers, young people, and attention seekers. Some of these groups attempt to profit from their botnets, but this area of cybercrime generally doesn’t have stable profitability as do more established areas such as fraud. That is, it’s good for pocket change, but it won’t support a family. Even the original Mirai operators were most likely amateurs; despite their claims of profits and a couple of advertisements, there was little evidence to support the claim of a large customer base for Mirai. On top of that, the original botnet only ran for a few months before the operator(s) destroyed it through their own actions. Professional cybercriminals tend to keep a low profile and do not self destruct.

Since the source code release, different operators have upgraded their malware of choice to Mirai. Some of these are former gafgyt users, and some of them are more professional DDoSers. One particular variant of Mirai, nicknamed “Annie” by its creators, appears to be linked to a large botnet. This operation employs a number of anti-defender countermeasures which are more advanced than what has been seen before this. This group appears to be the most professional group so far to become involved in infecting IoT devices.

As this space continues to march forward to increasing heights of sophistication, we will see larger attacks — issued by botnets that are harder to take down — with faster turnaround time between IoT exploit release and IoT exploit abuse. While this space has traditionally been associated with petty takedowns of rival gamers, we need to start taking this problem more seriously. The people taking over this space are not young amateurs, and they’re not going to choose small-time targets.

As we begin 2017, we must look at this problem with fresh eyes and a sober mind, and ask ourselves what the Internet is going to look like when the professionals muscle out the amateurs and take control of extremely large attack power that already threatens our largest networks.