The Mirai malware continues to recruit vulnerable IoT devices into botnets at a record pace, one that’s only gone up since the source code for Mirai was made public two weeks ago.
Level 3 Communications, a telecommunications company and Internet service provider in Colorado, has identified the Mirai C2 infrastructure compromising and communicating with owned IoT devices. It also estimates that the number of compromised CCTV cameras, DVRs, home networking equipment overrun by Mirai has more than doubled from 213,000 to 493,000.
“The true number of actual bots may be higher based on an incomplete view of the infrastructure,” said a report from Level 3 Research Labs published Monday.
Most of the compromised devices are in the United States, but Brazil and Colombia are also high on the list.
Perhaps more disturbing is the growing number of attackers taking advantage of the opportunity presented by these available connected devices. For example, Level 3 said that 24 percent of the hosts in the Mirai botnet overlap with bots used in the gafgy, orBashlite, attacks.
“Such a high overlap indicates that multiple malware families are targeting the same pool of vulnerable IoT devices,” Level 3 said.
The Mirai source code is a major culprit. It’s public availability starting at the beginning of the month gave researchers an equal opportunity to study its behaviors. The malware’s main job is to continuously scan the Internet looking for connected devices and exploit them with brute-force attacks trying to access the devices with known default or weak credentials. The bots then join a large botnet used inDDoS attacks.
Level 3 chief security officer Dale Drew said criminals are benefiting from the source code leak.
“While it does help the security research community, proving a better understanding of the semantics of how the botnet operates and works, it greatly assists the criminal network as they now have access to and can easily modify, a fully functional botnet code base to be able to quickly start a botnet campaign which we have directly seen,” Drew said.
Level 3 also identified some of the command and control infrastructure associated with the botnet, including a number of snarky domains with the .cx domain, the top-level domain of Christmas Island, such as santasbigcandycane[.]cx. The domains are prefixed with “network” or “report” based on their roles in the botnet. Level 3 published a list of the domains it enumerated in its report.“We are working to notify and assist botnet victims,” Drew said as to the current status of those domains. “We also are issuing takedown requests to the owners of the command control infrastructure and will null route across our network if they do not act.”
Level 3 said that one a few command and control IP addresses are active at a time with new network C2 IPs coming online every two days or so. Drew said the constant switching up of domains is done to frustrate detection.
“They switch between C2s so people tracking won’t be able to easily correlate the communication between the botnet and the C2,” Drew said.
Level 3 also noticed that the attackers behind gafgyt and Bashlite attacked the Mirai command infrastructure on a number of occasions with gigabit-per-second DDoS attacks around Sept. 18.
“We don’t know if this is concern over competition, attempting to shutdown the Mirai operations, ortake control of the Mirai compromised nodes,” Drew said.
The phenomenon of using IoT devices in large-scale DDoS attacks peaked with the takedown of Krebs on Security in September. Ultimately, it was learned that Mirai was behind the Krebs attack. Mirai was the second such malware family herding these IoT cats into botnets behind Bashlite, which Level 3 disclosed in August.
Bashlite is responsible for compromising more than one million web-connected cameras and DVRs . It accelerated its activity quickly in July, communicating at first with a handful of bots and before long hundreds of thousands. Level 3 said 95 percent of bots were cameras and DVR, four percent home routers and the remaining devices linux machines. Hundreds of command and control servers were used to communicate with these compromised endpoints.