Here, in short, is all that you need to understand about Mirai.
IoT (Internet of things):
It all started in the 1990s. IoT describes an evolution of mobile, home, and embedded applications that are connected to the internet, integrate greater computing capability, and use data analytics to extract meaningful information. Billions of devices are connected to the internet, and together these connected devices form an integrated system of systems. When these devices and systems of systems share data over the cloud and analyze it, they transform our businesses, our lives, and our world in countless ways.
For more information on IoT, refer to the link below: http://niiconsulting.com/checkmate/2015/07/the-internet-of-things-and-smart-cities-security-and-privacy-aspects/
Mirai is the Japanese word for “future”; the malware was first discovered in August 2016. The name comes from discovered binaries named “Mirai. ()”. Mirai is a new piece of malware targeting Linux; it is tough to detect and already exists in the wild. It is a new variant of the Gafgyt (aka BASHLITE, aka Torlus) malware and is used by distributed denial of service (DDoS) service providers. It focuses mainly on:
- Remote cameras
- CCTV cameras
- Routers
- Web IP cameras
- Linux servers
- Other devices running BusyBox
Why do IoT devices get infected?
Many IoT devices have poor security, which makes them soft targets, and attackers often pre-program their malware with commonly used and default passwords. Processing power limitations and basic operating systems mean that many IoT devices do not have advanced security features. IoT devices are frequently designed to be plugged in and forgotten about, and when security updates are not applied, attacking such devices becomes easier.
How does Mirai Malware Infect?
Mirai continuously scans for vulnerable IoT devices: those that are easily reachable over the internet and still use default passwords.
For telnet or SSH accounts, Mirai uses default passwords to gain shell access. Once it gains access to an account, the malware is installed. The installed malware creates delayed processes and then deletes the files that might alert antivirus software to its presence.
Due to all this, it is difficult to identify an infected system without doing a memory analysis.
Mirai opens ports, creates a connection to the botmasters, and starts looking for other devices it can infect. The malware forces infected systems to report to a central control server, turning them into bots that can be used in various DDoS attacks.
After this it waits for further instructions. While waiting it conducts no activity and leaves no files on the system, which makes it difficult to detect.
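As an added example (not code from the original post), the following Python snippet shows one way a defender could flag the login behaviour described above in device logs: a burst of failed telnet/SSH logins against factory-default account names from one source, and any successful telnet login. The log format, the sample lines and the default-account list are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real device logs) in a simplified
# syslog-like format assumed for a hypothetical telnet/SSH daemon.
SAMPLE_LOG = """\
2016-10-21T12:00:01 telnetd: login user=root src=198.51.100.7 result=FAIL
2016-10-21T12:00:02 telnetd: login user=admin src=198.51.100.7 result=FAIL
2016-10-21T12:00:03 telnetd: login user=root src=198.51.100.7 result=FAIL
2016-10-21T12:00:04 telnetd: login user=support src=198.51.100.7 result=FAIL
2016-10-21T12:00:05 telnetd: login user=root src=198.51.100.7 result=OK
2016-10-21T12:03:10 sshd: login user=alice src=192.0.2.10 result=OK
2016-10-21T12:05:00 telnetd: login user=admin src=203.0.113.9 result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>telnetd|sshd): login "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")

# Factory-default account names common on IoT devices (assumed list);
# these are the accounts a default-password scanner tries first.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest"}

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected format are skipped
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def detect(log, window_s=60, threshold=3):
    """Return (src, reason) alerts for Mirai-style login behaviour."""
    alerts, per_src = [], defaultdict(list)
    for e in parse(log):
        per_src[e["src"]].append(e)
    for src, evs in per_src.items():
        # Rule 1: `threshold` failed default-account logins from one source within `window_s` seconds.
        fails = sorted(e["ts"] for e in evs
                       if e["result"] == "FAIL" and e["user"] in DEFAULT_USERS)
        if any((fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s
               for i in range(len(fails) - threshold + 1)):
            alerts.append((src, "default-credential brute force"))
        # Rule 2: any successful telnet login; telnet should be disabled, so a success means a default credential worked.
        if any(e["svc"] == "telnetd" and e["result"] == "OK" for e in evs):
            alerts.append((src, "successful telnet login"))
    return alerts
```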
Where has Mirai been used?
Mirai was used in an attack on the French hosting company OVH that peaked at 1 Tbps, and in the attack on Dyn that brought the internet to a standstill. The attack grabbed a lot of attention and raised questions about how powerful these DDoS attacks could become. It was observed that tens of millions of discrete IP addresses associated with the Mirai botnet were part of the attack.
Steps to protect devices and prevent them from getting infected:
- Before you purchase an IoT device, research its capabilities and security features.
- Perform an audit of the IoT devices used on your network.
- For Wi-Fi networks and device accounts, use unique and strong passwords.
- When setting up Wi-Fi network access, use a strong encryption method.
- Features and services which are not required should be disabled.
- Telnet login must be disabled and SSH must be used wherever possible.
- In IoT devices, modify the default privacy and security settings as per your requirements and security policy.
- Wherever possible use wired connections instead of wireless.
- For firmware updates, regularly check the manufacturer’s website.
It is said that Mirai’s source code was leaked on the internet. Attackers can modify the source code to create variants of this malware targeting IoT devices, and such a variant could be more powerful. Security researchers have uncovered a whole host of compromised home routers that have been hijacked and enslaved as part of a new Mirai variant botnet. For more information, read here:
Mirai malware global – http://betanews.com/2016/12/01/mirai-malware-global/