Scott Tenaglia, Research Director at Invincea Labs, says that a bug in the Mirai IoT malware source code can be used to stop certain types of DDoS attacks launched by the botnet.
Last weekend, Tenaglia discovered a memory corruption issue that lets a DDoSed target fight back and stop the malicious traffic coming from Mirai-infected bots.
Unfortunately, the issue can be leveraged only when the target is bombarded with an HTTP-based DDoS attack, not a DNS-based flood, the type of attack that brought down managed DNS provider Dyn on October 21 and 22.
Buffer overflow in Mirai leads to SIGSEGV error
As Tenaglia explains in a technical blog post, the issue is a buffer overflow that occurs when the Mirai bot (on an infected device) processes a reply from the DDoSed target.
The overflow causes a segmentation fault (SIGSEGV), which crashes the bot's DDoS attack process and shuts down that particular packet flood.
While the bug is extremely technical and low-level, DDoS mitigation firms could weaponize it into an offensive protection measure that can stop Mirai DDoS attacks before they do any major damage.
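The following C program is an added illustration of the bug class described above, not code from Mirai or from Tenaglia's post. It assumes, for the sake of the example, that the bot copies the value of an HTTP redirect header into a fixed-size path field (the field name `conn->path`, its size, and the `Location:` header are assumptions chosen for illustration; the real Mirai sizes and parsing code are not reproduced here). It shows the unbounded copy beside a bounded version that rejects an oversized reply, and a helper that builds the kind of "oversized reply" a defender would send back to a flooding bot.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Deliberately small so the overflow case is easy to reason about (assumed size). */
#define PATH_MAX_LEN 64

struct bot_conn {
    char host[32];
    char path[PATH_MAX_LEN];   /* fixed-size destination for the redirect target */
    int  redirects;
};

/* Case-insensitive search for "\r\nLocation: " inside a response of len bytes.
 * Returns a pointer to the first byte of the header value, or NULL. */
static const char *find_location(const char *resp, size_t len) {
    static const char needle[] = "\r\nlocation: ";
    size_t nlen = sizeof(needle) - 1;
    for (size_t i = 0; i + nlen <= len; i++) {
        size_t k = 0;
        while (k < nlen && tolower((unsigned char)resp[i + k]) == needle[k]) k++;
        if (k == nlen) return resp + i + nlen;
    }
    return NULL;
}

/* VULNERABLE PATTERN (illustrative): copies the header value up to end-of-line with
 * no check against sizeof(conn->path). A value of PATH_MAX_LEN bytes or more
 * overwrites whatever sits after path[], which is how a crafted reply from the
 * target crashes the attacking process. Never call this with untrusted input. */
static int follow_redirect_unbounded(struct bot_conn *conn, const char *resp, size_t len) {
    const char *loc = find_location(resp, len);
    if (!loc) return 0;
    size_t i = 0;
    while (loc + i < resp + len && loc[i] != '\r' && loc[i] != '\n') {
        conn->path[i] = loc[i];
        i++;
    }
    conn->path[i] = '\0';
    return 1;
}

/* HARDENED: measure the value first, reject anything that would not fit. */
static int follow_redirect_bounded(struct bot_conn *conn, const char *resp, size_t len) {
    const char *loc = find_location(resp, len);
    if (!loc) return 0;
    size_t avail = (size_t)(resp + len - loc);
    size_t n = 0;
    while (n < avail && loc[n] != '\r' && loc[n] != '\n') n++;
    if (n >= sizeof(conn->path)) return -1;   /* would overflow: drop the reply */
    memcpy(conn->path, loc, n);
    conn->path[n] = '\0';
    conn->redirects++;
    return 1;
}

/* Defender side: build a 302 reply whose Location value is loc_len bytes long
 * (constructed sample, "/AAAA..."). Returns the reply length, or 0 if out is too small. */
static size_t build_defensive_redirect(char *out, size_t outsz, size_t loc_len) {
    static const char head[] = "HTTP/1.1 302 Found\r\nLocation: ";
    static const char tail[] = "\r\nContent-Length: 0\r\n\r\n";
    if (loc_len == 0) return 0;
    size_t need = (sizeof head - 1) + loc_len + (sizeof tail - 1);
    if (need + 1 > outsz) return 0;
    size_t pos = 0;
    memcpy(out + pos, head, sizeof head - 1); pos += sizeof head - 1;
    out[pos++] = '/';
    memset(out + pos, 'A', loc_len - 1);      pos += loc_len - 1;
    memcpy(out + pos, tail, sizeof tail - 1); pos += sizeof tail - 1;
    out[pos] = '\0';
    return pos;
}

/* A normal-sized redirect is followed by both parsers. Returns 1 on success. */
int demo_normal_redirect(void) {
    struct bot_conn c = {0};
    static const char ok[] = "HTTP/1.1 302 Found\r\nLocation: /index.html\r\n\r\n";
    if (follow_redirect_unbounded(&c, ok, sizeof ok - 1) != 1) return 0;
    if (strcmp(c.path, "/index.html") != 0) return 0;
    return follow_redirect_bounded(&c, ok, sizeof ok - 1) == 1 && c.redirects == 1;
}

/* An oversized Location value (200 bytes > PATH_MAX_LEN) is rejected by the
 * bounded parser; the unbounded one would corrupt memory here. Returns 1 if rejected. */
int demo_oversized_redirect(void) {
    struct bot_conn c = {0};
    char big[512];
    size_t n = build_defensive_redirect(big, sizeof big, 200);
    if (n == 0) return 0;
    return follow_redirect_bounded(&c, big, n) == -1;
}

int main(void) {
    printf("normal redirect handled: %d\n", demo_normal_redirect());
    printf("oversized redirect rejected: %d\n", demo_oversized_redirect());
    return 0;
}
```

The bounded parser is the fix a malware author would need to ship; the defender only needs the unbounded one to stay in the field, which is why a mitigation service can answer a flood with an oversized reply and let the bot's own code do the rest.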
Mirai botnet reaches 775,000 bots
Tenaglia says that this bug can't be used to remove Mirai from infected hosts, but merely to stop their attacks.
The only way to remove Mirai from a host is to reboot the device, but researchers say that if the Telnet port remains open to the Internet and the user continues to use factory default passwords, the device is likely to be compromised again within two to five minutes.
Mirai, which appeared at the start of September, is one of today's most dangerous malware families, with around 775,000 bots, according to data from Qihoo 360, and is responsible for the world's largest DDoS attacks, on sites such as Dyn, KrebsOnSecurity, and French ISP OVH.
Evolution of Mirai botnet