New botnet variant strikes using 10,000 connected devices.
Since the Mirai malware was discovered last August, it’s been used to front several high-profile DDoS attacks, including last September’s assault on cybersecurity expert Brian Krebs. Now a new variant of the Mirai botnet malware has been found to be behind the massive DDoS (Distributed Denial of Service) attack that targeted an as yet unnamed US college in February, an online assault that lasted a straight 54 hours.
While the Mirai-based attack happened some time ago, it was only this week that cyber-security firm Incapsula made the news public. Incapsula was responsible for trying to mitigate and blunt the full force of the attack when it was launched.
“Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers. While we don’t know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities,” said a spokesperson for Incapsula. “… The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS – the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests.”
Mirai is considered dangerous because it attacks connected peripherals such as insecure routers, IP webcams, and other smart devices that users leave with either no security or easily crackable passwords. The U.S. topped the list with almost 20% of the botnet IPs, followed by Israel with 11.3% and Taiwan with just under 11%.
Mirai works by spreading itself across the internet, searching for “vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.”
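As an added defender-side example (not code from the article or from Incapsula), the following Python flags internal hosts that fan out to many destinations on the telnet (23) and TR-069 (7547) ports named in the quote, which is the propagation pattern of a freshly infected device rather than normal client traffic. The log format, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Ports named in the Incapsula quote: telnet (23) and TR-069 (7547).
MIRAI_SCAN_PORTS = {23, 7547}

# Constructed firewall log lines (not real data):
# "<epoch> <src_ip> -> <dst_ip>:<dport> <action>"
SAMPLE_LOG = """\
1487000000 192.168.1.20 -> 198.51.100.1:23 DROP
1487000001 192.168.1.20 -> 198.51.100.2:23 DROP
1487000001 192.168.1.20 -> 198.51.100.3:7547 DROP
1487000002 192.168.1.20 -> 198.51.100.4:23 DROP
1487000002 192.168.1.20 -> 198.51.100.5:23 DROP
1487000003 192.168.1.20 -> 198.51.100.6:7547 ACCEPT
1487000003 192.168.1.50 -> 203.0.113.10:443 ACCEPT
1487000004 192.168.1.50 -> 203.0.113.11:23 ACCEPT
1487000005 192.168.1.50 -> 203.0.113.12:443 ACCEPT
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_lines(text):
    """Yield (ts, src, dst, dport); lines not matching the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, _action = m.groups()
            yield int(ts), src, dst, int(dport)


def find_scanners(text, min_targets=5, window=60):
    """Return {src: distinct_targets} for sources that reached at least
    `min_targets` distinct destinations on telnet/TR-069 within `window`
    seconds. One device touching many hosts on these ports is the
    credential-scanning behaviour the article describes."""
    events = defaultdict(list)  # src -> [(ts, dst)] for scan-port attempts only
    for ts, src, dst, dport in parse_lines(text):
        if dport in MIRAI_SCAN_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()  # sliding window over time-ordered attempts
        for i, (t0, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

Run against the constructed log, only 192.168.1.20 is flagged (six distinct targets in three seconds); the single telnet connection from 192.168.1.50 stays below the threshold.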
During the sustained DDoS attack on the college, researchers studying the data observed a pool of attacking devices normally associated with Mirai, such as CCTV cameras, DVRs and routers. Attack traffic came from just under 10,000 devices, with 70% of the infected-device traffic coming from just 10 countries.
No motive for the attack has so far been forthcoming, but less than a day after the first attack, a second one began. This time, however, the intensity and severity of the attack were much lower, and the attackers stopped 90 minutes after they had begun.