Brace yourselves—source code powering potent IoT DDoSes just went public

A hacker has released computer source code that allows relatively unsophisticated people to wage the kinds of extraordinarily large assaults that recently knocked security news site KrebsOnSecurity offline and set new records for so-called distributed denial-of-service attacks.

KrebsOnSecurity's Brian Krebs reported on Saturday that the source code for "Mirai," a network of Internet-connected cameras and other "Internet of things" devices, was published on Friday. Dale Drew, the chief security officer at Internet backbone provider Level 3 Communications, told Ars that Mirai is one of two competing IoT botnet families that have recently menaced the Internet with record-breaking distributed denial-of-service (DDoS) attacks—including the one that targeted Krebs with 620 gigabits per second of network traffic, and another that hit French webhost OVH and reportedly peaked at more than 1 terabit per second

Until now, the botnets created with the newer and technically more sophisticated Mirai have been greatly outnumbered by those based on its rival Bashlight, with about 233,000 infected devices versus 963,000 respectively. Friday's release could allow the smaller and more disciplined Mirai, which Russian antivirus provider Dr. Web briefly profiled last week, to go mainstream. That, in turn, could turn the mass compromise of cameras and other Internet-connected devices into a full-blown epidemic that could push record DDoSes to ever-higher volumes. In an e-mail to Ars, Drew wrote:

There is already a surge in botnet operators attempting to find and exploit IoT devices in order to gain access to uniform and sizable botnet networks. These botnets are largely being used in [DDoS-for ransom] campaigns, which is netting the operators significant revenue and the ability to spend more time to improve their capabilities and add additional layers of sophistication.

By releasing this source code, this will undoubtedly enable a surge in botnet operators to use this code to start a new surge in consumer and small business IoT compromises. And while most of the current IoT compromises have been around a very specific telnet exploit, I predict that botnet operators–eager to command multi hundred thousand botnet nodes–will be searching for a larger inventory of IoT exploits to take advantage of. This could be the start of a surge of attacks against IoT devices in the consumer space.

Both Mirai and Bashlight exploit the same IoT vulnerabilities, mostly or almost exclusively involving weakness involving the telnet remote connection protocol in devices running a form of embedded Linux known as BusyBox. But unlike Bashlight, the newer Mirai botnet software encrypts traffic passing between the infected devices and the command and control servers that feed them instructions. That makes it much harder for researchers to monitor the malicious network. There's also evidence that Mirai is able to seize control of Bashlight-infected devices and possibly even patch them so they can never be infected again by a rival botnet. About 80,000 of the 963,000 Bashlight devices now belong to Mirai operators, Drew said.

So far, Level 3 has identified IP cameras manufactured by Dahua as one of the most commonly compromised devices making up the botnets. The company also said a line of digital video recorders using the H.264 format is also common, but the vendor is not yet known.

"By all accounts it looks like the camera is still operational while it's being used by both [Bashlight and Mirai] bad guys for DDoS purposes," Drew told Ars. "It might be slower, but by all accounts it looks like it's still running."

Based on more than a month of monitoring by Level 3, Drew said that Bashlight is controlled by about 200 command servers, which in turn are controlled by a dozen or so separate operators. He said Bashlight botnets are likely responsible for all or most of the junk traffic hitting KrebsOnSecurity and OVH. Most of the recent coverage from Ars and other news outlets has significantly underreported the number of infected devices because only small portions of the them—in the case of OVH, reportedly somewhere from 140,000 to 165,000—were actually deployed.

He said other researchers who have doubted his estimates of 1.2 million devices making up the combined Bashlight and Mirai botnets lack the network visibility of Level 3, which as one of the world's biggest backbones, sees a more complete picture. DDoS mitigation services, by contrast, often see only the traffic and IP addresses that are attacking their client, he said.

According to Krebs, the Mirai source code was posted to the hacking community HackForums by a user with the handle Anna-senpai. Krebs said the leaker provided the following explanation:

When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.

While it's encouraging that Internet service providers are starting to contain the botnet, but the extraordinary firepower isn't likely to die overnight. With the source code now in the public domain, the technically superior Mirai botnets could easily surpass 1 million devices in the coming weeks. That, in turn, could stoke a battle of botnets that inflicts massive collateral damage.