
What is Mirai? The malware explained

Andrew Tierney 03 Nov 2016

Mirai is a piece of software that is used to form a malicious botnet: a large number of connected devices (bots) that can be controlled to attack others on the Internet. This is done without the owner’s consent.

Generally, these attacks take the form of Distributed Denial of Service (DDoS) attacks. This involves hundreds or even thousands of bots sending traffic to a server, consuming resources and stopping the server responding.

What makes Mirai different?

Botnets have been around for several years. Mirai is different in a couple of important respects.

First, the scale of Mirai is larger than anything that has been seen before. Mirai botnets of 50k devices have been seen. This allows huge attacks, generating obscene amounts of traffic, to be launched. These can take down even the biggest – and best defended – services like Twitter, GitHub, and Facebook.

Second, the type of device Mirai infects is different. Most previous botnets have been made up of users’ PCs, infected via malware. Mirai infects IoT equipment – largely security DVRs and IP cameras.

How is Mirai infecting devices?

The mechanism that Mirai uses to infect devices isn’t even a hack or exploit as such – it’s just logging into the device with a known set of credentials.

The devices are all running a telnet server. Telnet is an outdated protocol used to remotely administer servers. Mirai connects via telnet and attempts to log in using a list of 60 known credentials.

If the login is successful, the bot software is installed. It’s that simple.

What does the bot then do?

The bot will then carry out the following actions:

  1. It attempts to kill processes that would prevent it from running and persisting on the device. The telnet server, and often web server, is killed at this stage.
  2. It connects to a command and control server, waiting for commands to attack other machines.
  3. It continuously scans for other devices that may be vulnerable, attempting to log in with the list of known credentials.

How can I tell if I am infected?

If you have exposed port 23 of a DVR or IP camera to the Internet, then it is likely you have been infected.
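The scanning described in step 3 above is also visible from inside your own network: an infected device opens telnet connections to many different external addresses in a short time. The following is an added example, not part of the original post, that flags that pattern in flow records; the log format, LAN range, sample records and threshold values are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records, one per line: "timestamp src_ip dst_ip dst_port".
SAMPLE_FLOWS = "\n".join(
    # An IP camera contacting a new external host on port 23 every second.
    [f"2016-11-03T10:00:{i:02d} 192.168.1.50 198.51.100.{i} 23" for i in range(1, 8)]
    # A laptop: ordinary HTTPS plus one deliberate telnet session.
    + ["2016-11-03T10:00:05 192.168.1.20 203.0.113.9 443",
       "2016-11-03T10:01:00 192.168.1.20 203.0.113.10 23"]
    # A host making occasional telnet connections, five minutes apart.
    + [f"2016-11-03T10:{i * 5:02d}:00 192.168.1.60 198.51.100.{i} 23" for i in range(1, 8)]
)

LAN = ip_network("192.168.1.0/24")  # assumption: the monitored network
WINDOW = timedelta(seconds=60)      # assumption: illustrative threshold values
THRESHOLD = 5


def find_telnet_scanners(log_text, threshold=THRESHOLD, window=WINDOW):
    """Map each internal IP that reached `threshold` distinct external
    hosts on TCP/23 within `window` to the count that tripped the rule."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        src, dst = ip_address(src), ip_address(dst)
        if int(port) == 23 and src in LAN and dst not in LAN:
            hits[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                flagged[str(src)] = len(targets)
                break
    return flagged


if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_FLOWS))
```

Only the camera is flagged in the sample data; the single telnet session and the slow, spaced-out connections stay under the threshold.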

How do I remove Mirai?

The original version of Mirai does not have any mechanism to survive a reboot of the device. Restarting the device will therefore remove Mirai.

It only takes a few minutes for the device to be found and re-infected, so it is also vital that you close the hole that allowed you to become infected in the first place.

However, we can’t rule out variations on Mirai persisting through reboots.

How can I protect myself from being infected again?

In the very near term, close off all access to port 23 on the affected device. This will stop Mirai infecting the device again.
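One way to confirm that port 23 really is closed after making the change, as an added example that is not part of the original post. The device names and addresses are placeholders for equipment you administer, and the check recognises a telnet server by the option negotiation bytes defined in RFC 854.

```python
import socket

IAC = 0xFF                              # telnet "Interpret As Command" byte
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT

# Placeholder inventory: replace with the devices you are responsible for.
DEVICES = {"dvr-hallway": "192.0.2.10", "camera-door": "192.0.2.11"}


def probe_telnet(host, port=23, timeout=3.0):
    """Return 'closed', 'open' or 'telnet' for one device.

    'telnet' means the service opened with telnet option negotiation;
    'open' means something accepted the connection without doing so.
    Either result on port 23 means the port is still reachable."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:                     # refused, filtered or unreachable
        return "closed"
    with conn:
        conn.settimeout(timeout)
        try:
            banner = conn.recv(64)
        except OSError:                 # silent or reset after connecting
            banner = b""
    if len(banner) >= 2 and banner[0] == IAC and banner[1] in NEGOTIATION:
        return "telnet"
    return "open"


def audit(devices, port=23, timeout=3.0):
    """Probe every device in the inventory and return {name: result}."""
    return {name: probe_telnet(addr, port, timeout)
            for name, addr in devices.items()}


if __name__ == "__main__":
    for name, result in audit(DEVICES).items():
        print(f"{name}: {result}")
```

Run it from outside your own network as well as inside, because the result only describes reachability from wherever the script runs.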

If possible, attempt to change the default password. Unfortunately, this isn’t possible on most devices.

But Mirai is not the only risk.

In general, embedded or IoT systems are not secure or robust enough to be exposed to the Internet. Web interfaces are often riddled with serious bugs, and custom binary protocols often allow access without proper authentication.

Ask yourself if you really need remote access to the device. When it comes down to it, the risk of burglary or other crime is very low in comparison to the risk of being hacked.

If you require remote access to a DVR, then it should be done over a VPN connection, preventing anyone else connecting to the DVR in the first place.

What could the manufacturers have done?

Most users of these devices are totally unaware that telnet is running. Telnet isn’t mentioned in documentation. It serves little to no purpose. Many of the devices will have never been logged into via telnet by a genuine user.

A very simple step – that would stop Mirai and variants from infecting devices – would be to not run telnet in the first place.

However, defense-in-depth suggests it would be wise to take additional steps to prevent devices being compromised.

The logins used by Mirai are default logins – common across every device. It’s clear that this is a bad idea. Each device should have its own password, whether that is randomly generated in the factory or by an enforced password change at first boot.
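A sketch of what that could look like on the manufacturer's side, as an added example that is not from the original post or from any vendor's firmware. It combines both options mentioned above (a random factory password and a forced change at first login); the function names, record layout, password alphabet and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: label-friendly alphabet without look-alike characters (0/o, 1/l/i).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _kdf(password, salt):
    """Derive the stored verifier; the device never keeps the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def provision(serial, length=12):
    """Factory step: return (password for the printed label, device record)."""
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    record = {"serial": serial, "salt": salt,
              "hash": _kdf(password, salt), "must_change": True}
    return password, record


def login(record, password):
    """Return 'denied', 'change_required' or 'ok'."""
    candidate = _kdf(password, record["salt"])
    if not hmac.compare_digest(record["hash"], candidate):
        return "denied"
    return "change_required" if record["must_change"] else "ok"


def change_password(record, old, new):
    """First-boot step: replace the factory password with the owner's own."""
    if login(record, old) == "denied" or new == old or len(new) < 10:
        return False
    record["salt"] = secrets.token_bytes(16)
    record["hash"] = _kdf(new, record["salt"])
    record["must_change"] = False
    return True


if __name__ == "__main__":
    label, device = provision("SN-0001")   # constructed serial number
    print(login(device, label))            # change_required
```

Because every unit gets its own random password, a credential list that works on one device tells an attacker nothing about the next.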

There are many issues beyond this, but these are the two big ones.

What kind of attacks is Mirai carrying out?

First, it’s worth noting that there is not a single Mirai botnet. Many people have started running their own botnets, limiting the maximum size and power of any one of them.

The first attack carried out by Mirai was against a popular security site – krebsonsecurity.com. This generated the largest DDoS attack ever seen.

After that, an attack against the DNS provider, Dyn, caused outages of big services like Twitter, GitHub and Facebook. This attack against Dyn itself was far smaller than the attack against krebsonsecurity.com; the knock-on impact was larger.

Since then there have been hundreds of DDoS attacks, but none with significant impact. The devices are spread out over a wider number of smaller botnets, so have less power. There’s also significant evidence that those operating the botnets have no idea what they are doing, launching ineffective attacks time and time again.

What about this vulnerability in the code?

The code quality of Mirai is average. It’s not written defensively to stave off attacks against it; it’s just written to function. There are a number of theoretical vulnerabilities in the code, with one of these being exploitable to an extent.

When an individual bot carries out an HTTP (web) attack, it is possible to send a response that will crash the process carrying out the attack. The bot itself remains running, ready to perform further attacks.

At most this can be used to mitigate HTTP attacks. There is no chance it can be used to take control of the botnet.

The bot itself is written in C. The command and control server is written in a language called Go, which is far less likely to suffer from serious vulnerabilities. As such, it’s not likely to be possible to take down the command and control network using a vulnerability.

How could Mirai evolve?

Mirai itself is likely at a dead-end.

We are already seeing other bots using the same credentials. Hajime uses the same infection vector – telnet with fixed credentials – but the command and control network is far more advanced, using a peer-to-peer protocol that has been used by other botnets in the past. That removes the single point of failure found in Mirai, as well as making it harder to track down the perpetrator.