
With the rapid expansion of Internet of Things (IoT) devices and their stark lack of security, cyber criminals have a plethora of devices to recruit for their botnets. Botnets are networks of connected devices infected with malware.
Botnets are often collectively used to launch Distributed Denial of Service (DDoS) attacks. With the mass quantities of IoT devices connected to the Internet, the new trend for cyber criminals is to infect these devices and use them in coordinated attacks.
DDoS Attack
Recently, a security blogger, Brian Krebs, was the target of a massive DDoS attack. In a DDoS attack, a network is flooded with requests in order to overload the system and make it unable to respond to legitimate requests, essentially taking a website offline.
The Krebs attack was one of the largest DDoS attacks on record at over 620 Gbps. The attack drew attention because it was launched by a botnet of IoT devices powered by Mirai malware.
Mirai malware infects a device and starts the process by removing all other competing malware on the device. Then it scans the Internet for other vulnerable devices to add to its botnet. Once a new device is found, it uses a brute force dictionary attack with a short list of common default usernames and passwords to gain access. Apparently, 380,000 IoT devices infected with Mirai were used in the Krebs attack.
The Mirai malware’s source code has since been released on the Internet, so there’s a good chance we’ll see this problem expanding with more IoT botnets forming. After attacking Krebs’ blog, a Mirai botnet is credited with the massive attack on the Internet service provider Dyn, which took down several major websites in the process.
Vulnerable IoT Devices
The security industry has identified this as a major problem for quite some time. Most IoT devices have huge security concerns and can easily be leveraged in these coordinated attacks. For now, the IoT botnets primarily consist of routers, network-enabled cameras, or printers.
The main reason malware like Mirai is so effective is that most IoT devices never have their default credentials changed. Default usernames and passwords for many devices can be found on the Internet, making it easy for them to be compromised.
Mitigation
To remove Mirai malware from an infected IoT device:
- Disconnect the device from the network.
- Perform a reboot. Mirai malware exists in dynamic memory, so rebooting clears the malware.
- Change the password for the device. Make sure the default password is replaced with a strong one.
- Reconnect to the network.
Prevention
To prevent Mirai malware from infecting your IoT devices:
- Ensure all default passwords are changed to strong passwords.
- Update IoT devices with patches as soon as possible. This isn’t always applicable, as many IoT devices don’t push security patches.
- Disable Universal Plug and Play on routers unless it’s absolutely necessary.
- Monitor TCP ports 2323 and 23 for attempts to gain unauthorized control using the network terminal (Telnet) protocol.
- Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware using port 48101.
[Mitigation and prevention measures referenced from the US-CERT alert here.]
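The two monitoring items above (Telnet attempts on TCP 23/2323, and any traffic on port 48101) can be turned into a simple detector over connection logs. The following is an added example, not code from the original post or from the US-CERT alert; the log line format, the sample lines, and the brute-force threshold and window are constructed for illustration and should be adjusted to your own firewall or flow-export format.

```python
"""
Added example: flag Telnet brute-force candidates (many TCP connection
attempts to port 23 or 2323 from one source in a short window) and any
TCP flow touching port 48101, the port the post says infected devices use
when spreading. Log format and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the prevention list.
TELNET_PORTS = {23, 2323}
SPREAD_PORT = 48101

# Constructed log format (assumption, not a real product's format):
#   "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].upper(),
    }


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(lines, window=timedelta(minutes=5), threshold=10):
    """Return Telnet brute-force candidates and port-48101 flows seen in `lines`."""
    telnet_attempts = defaultdict(list)  # src -> timestamps of Telnet connection attempts
    spread_traffic = []                  # (src, dst) pairs touching port 48101
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue  # skip unparsable lines and non-TCP traffic
        if rec["dport"] in TELNET_PORTS:
            telnet_attempts[rec["src"]].append(rec["ts"])
        if rec["dport"] == SPREAD_PORT:
            spread_traffic.append((rec["src"], rec["dst"]))
    bruteforce = {}
    for src, times in telnet_attempts.items():
        count = max_in_window(times, window)
        if count >= threshold:
            bruteforce[src] = count
    return {"telnet_bruteforce": bruteforce, "spread_port_traffic": spread_traffic}


# Constructed sample log: 10.0.0.5 sweeps twelve hosts on port 23 within
# eleven seconds and later talks to port 48101; 10.0.0.9 makes two Telnet
# connections, which is below the threshold; a UDP line and a malformed line
# are ignored.
SAMPLE_LOG = [
    f"2016-10-21T12:00:{i:02d} 10.0.0.5:4{i:04d} -> 192.0.2.{i + 1}:23 tcp"
    for i in range(12)
] + [
    "2016-10-21T12:01:00 10.0.0.9:51000 -> 192.0.2.50:2323 tcp",
    "2016-10-21T12:03:00 10.0.0.9:51001 -> 192.0.2.51:23 tcp",
    "2016-10-21T12:05:00 10.0.0.5:52000 -> 198.51.100.7:48101 tcp",
    "2016-10-21T12:05:01 10.0.0.7:53000 -> 192.0.2.60:23 udp",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    findings = detect(SAMPLE_LOG)
    for src, count in findings["telnet_bruteforce"].items():
        print(f"Telnet brute-force candidate: {src} ({count} attempts in window)")
    for src, dst in findings["spread_port_traffic"]:
        print(f"Port 48101 traffic: {src} -> {dst}")
```

A source that sweeps many hosts on Telnet in a short window is what the spreading phase described earlier looks like from the network side, so the per-source sliding window is the check that matters; the port-48101 rule is deliberately unconditional, since the post treats any traffic on that port as suspicious.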