The availability of the Mirai malware source code online isn’t a guarantee that just anyone can quickly convert it into a money-making IoT-based DDoS botnet.
Researchers at Digital Shadows have been combing dark web sites such as the Hackforums where black hat Anna-Senpai dropped the Mirai code in September. While numerous frequenters of the underground forum have grabbed the source code, a good percentage need help in making practical use of the malware.
“Although the source code is freely available, it is by no mean free to set up for hackers,” said Michael Marriott, a research analyst at Digital Shadows. “It requires at least four servers to set it up. You need a certain measure of expertise so that rules out many low-level actors. And as it begins to mutate and people develop on top of the existing source code, you need further expertise to ensure you’re getting the full breadth of devices into your botnet.
Digital Shadows said Mirai has given rise to a service industry of hackers charging decent money to help others set up the malware. The research firm shared screenshots with Threatpost of a number of requests for help posted to Hackforums. Most of the requests are taken offline, away from the forum, but the message is clear: There’s help available and it’s available for a fee. One posted a price list that totaled more than $700 for six hours worth of work that includes setting up servers, quality checks and labor costs.
Others shared bare minimum requirements for setup, which apparently includes at least four servers (separate servers for command and control, a MySQL database, a scan receiver and loading).
“Previously, when source code has become available online we’ve seen a similar type of evolutionary approach,” Marriott said. “The initial source code is released, then breaks off into variants, then it’s very much survival of fittest. We are still quite early in the evolutionary stage with Mirai.”
With DDoS service providers emerging online around Mirai, Digital Shadows is also monitoring how attackers with different motivations, such as hacktivists, criminals and nation-state actors, are looking at Mirai. The emerging services market around IoT botnets could further support the protest efforts of hacktivists, extortion scams of criminals, and geopolitical campaigns run by APT groups.
Mirai, nonetheless, has been a game-changer. Starting with the Krebs on Security, OVH and Dyn attacks of the second half of this year, the malware has been responsible for recruiting unsecure connected devices into giant botnets. The high-profile takedowns, Dyn in particular, has put pressure on manufacturers to secure devices by design, and has encouraged influential experts to call on lawmakers to consider regulation to address the problem.
While connected devices such as IP-enabled closed-circuit cameras were the primary targets of Mirai, experts are concerned about the overall security of IoT devices, including critical infrastructure and medical devices.
Not only are lawmakers watching, but international law enforcement as well. Europol last week conducted an operation against DDoS-for-hire services operating in a dozen countries. More than 30 individuals were arrested, including a California graduate student who bought a DDoS tool he used against a San Francisco-based technology provider.