The source code used to build a robust computer virus that finds, infects and spreads to vulnerable internet-connected devices — and which was recently employed to help launch a massive distributed denial of service attack, against independent journalist Brian Krebs’ blog — is already being adopted by random hackers and used against new targets, experts say.
That’s got onlooking internet companies worried.
The code to create the malware, dubbed “Mirai,” was posted to an online hacking community forum called Hackforums last week. The code, now openly visible to anyone surfing the public internet, can be used to hack into and take control of newer, non-traditional internet-connected devices like security cameras, DVRs and routers — many of which are shipped with default usernames and passwords that can be easily cracked.
Publication of the Mirai source code is noteworthy, experts tell CyberScoop, because it will lower the technical barriers once required for hackers to build immense botnets.
The ability to combine infected computers with other internet-connected devices gives hackers a streamlined avenue to increase the strength, scope and size of future DDoS and other bot-centric cyberattacks.
“We think the release of the source code is a significant event that could have some major consequences,” said Dale Drew, senior vice president and chief security officer of internet service provider Level 3 Communications. “This could be the start of a surge of attacks against IoT devices in the consumer space.”
In broad strokes, DDoS attacks are used to interrupt or temporarily suspend the services of a specific host by flooding its online address with artificially generated internet traffic. The volume and rate of traffic used to launch a denial-of-service-style attack matter because they determine how powerful the DDoS is — and, equally, they affect the ability of providers to keep hosting content while mitigating the traffic. The bigger the DDoS, the more costly and difficult it is to deal with and recover from.
“We see this [development] as a potential game changer in DDoS attack scale. As bad guys begin to focus their attention on the hundreds of millions of IoT devices deployed, this could have significant impacts on DDoS attacks in the future,” said Drew, who along with other experts mentioned that tech vendors developing IoT devices must be more cognizant of cybersecurity.
He added, “Usually, large DDoS attacks have to come from amplification attacks, where the bad guy does not have control over the type of traffic hitting their victim. Whereas in very large DDoS networks such as with IoT devices, the bad guy now has ‘FULL’ control over the types of DDoS attacks they get to launch as they can control the protocols, the payloads, etc.”
For Akamai — the content delivery network provider that originally protected Krebs’ website pro bono and then discontinued the service because of the excessive data-usage costs caused by the DDoS attack — the spread of the Mirai malware marks a shift in hackers’ capabilities.
“These recent, large attacks are most likely a harbinger for what the industry will likely now face on a more regular basis,” said Martin McKeay, Akamai’s senior security advocate. “This happens every couple of years. A new attack — think of Operation Ababil from a couple of years ago — creates a new high water mark. Those providing mitigation create new defenses against the attacks, only to have the attackers evolve further. It’s a vicious cycle and one that will continue for as long as people want to DDoS websites.”
Ultimately, there is a limited pool of vulnerable devices to compromise at any point in time. But it’s growing on a daily basis.
The more insecure devices that make up the Internet of Things, the more power this type of botnet will have. Fundamentally, it’s less about the malware and more about the insecure nature of the newer devices we’re increasingly connecting to the Internet, explained McKeay.
From the perspective of a company that defends businesses from DDoS, the rise of more powerful attacks raises the question of whether the economics and capability of an existing solution still make sense. “Businesses that are in DDoS as a secondary or tertiary product line might start looking at it as an expensive and untenable product in the not too distant future,” McKeay said.