Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The secret behind the success of Mirai IoT botnets

Tim Greene | Oct. 28, 2016
Public posting of the source code makes it script-kiddie simple

These hijacked IoT devices often use randomly assigned and changing IP addresses issued by service providers via DHCP. That means the IP address that identifies attack traffic coming from a single device might change over time, making it more difficult to nail it down as an attacker.

Why IoT devices?

IoT devices represent an ideal category of potential bots. There are millions of them and they have several problems:

Many of them have exposed administrative ports protected by weak passwords. They lack anti-virus and other security software, and they are turned on and connected to the internet all the time. The owners of these devices are often consumers or businesses who don’t have the training to secure these devices.

Because attackers go directly to open ports used for administration – typically SSH and Telnet – they don’t have to deal with things like social engineering, email poisoning or zero-day attacks to hijack devices.

Many of the devices used in the Mirai attacks were made by or included components made by a single vendor, XiongMai Technologies, which has issued recalls and sofware updates for some of its products to make them more secure.

Are you infected?

One indicator that an IoT device might be infected with Mirai is that the SSH and Telnet ports (22 and 23) are closed. Mirai does that so administrators can’t get in and nobody else can attack the machine in the same way. Since Mirai is in memory, rebooting the machine should open them again. This should be done offline and afterwards the default password should be changed to help avoid reinfection. In some cases it’s not easy or even possible to change the passwords.

If firewalls are set to block traffic to IoT devices they protect, they should be protected from infection, say researchers at Imperva.

There are steps businesses can take if they are worried about whether their Web sites will be taken down by future attacks on DNS services. The top one is to hire more than one DNS provider so if one is impaired another can pick up the slack. They should also formulate a plan for what they are going to do when they do suffer such an outage and have the names and phone number s of those who will be involved. Everyone should be aware of their responsibilities and the team should practice their responses in simulation exercises.


Previous Page  1  2 

Sign up for Computerworld eNewsletters.