New scanner allows users to check IoT devices for Mirai malware infection

Imperva has launched a new scanner that allows consumers and businesses to scan their devices for Mirai malware infection or for the vulnerabilities Mirai exploits.

Mirai has been implicated in DDoS attacks on KrebsOnSecurity and Dyn, about a month apart from each other.

The attack on DNS infrastructure managed by Dyn caused issues among popular sites such as Twitter, the New York Times and Spotify.

Imperva was also subject to Mirai attacks, in mid-August. In a blog post presenting the new scanner, Imperva said: "We've had a chance to dig into the leaked source code to understand it better. We've discovered that Mirai malware infects IoT devices and then uses them as a launch platform to perform DDoS attacks.

"Mirai scans IP addresses across the internet to find unsecured devices and is programmed to guess their login credentials. It's also predatory--it can even remove and replace malware previously installed on a device. Mirai is particularly fond of IP cameras, routers and DVRs."

The user starts the scanner by clicking "Scan My Network Now", which lets it discover the user's public IP address (i.e. the address the user's ISP has assigned to their device or cable modem).

That device usually acts as the router and Wi-Fi access point that connects the other devices on the user's network to the Internet. By checking the user's gateway from outside their network, the Mirai Scanner can see whether any remote-access ports are exposed in a way that leaves them vulnerable to Mirai attacks.

The Mirai scanner is only able to scan public IP addresses. The beta download can be found here.
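A self-check in the spirit of the scanner described above, added here as an illustrative example and not Imperva's code: it probes a host you specify (your own public IP, run from outside your network) for the remote-access ports that Mirai's leaked scanner targets and reports which ones accept a connection. The port list is an assumption, not Imperva's actual list.

```python
import socket
import threading

# Constructed set of remote-access ports for a home gateway (assumption: a
# sensible default, not Imperva's list). 23 and 2323 are the telnet ports the
# leaked Mirai scanner brute-forces; the others are common router admin services.
REMOTE_ACCESS_PORTS = {
    22: "ssh",
    23: "telnet",
    80: "http admin",
    443: "https admin",
    2323: "telnet (alt)",
    8080: "http admin (alt)",
}

def port_reachable(host, port, timeout=2.0):
    """True if the port completes a TCP handshake from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def scan_gateway(host, ports=REMOTE_ACCESS_PORTS, timeout=2.0):
    """Probe each port concurrently; returns {port: reachable}."""
    results, lock = {}, threading.Lock()

    def probe(port):
        reachable = port_reachable(host, port, timeout)
        with lock:
            results[port] = reachable

    threads = [threading.Thread(target=probe, args=(p,)) for p in ports]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

def exposed_services(results, ports=REMOTE_ACCESS_PORTS):
    """Names of services that accepted a connection, i.e. the ones a Mirai
    scanner could reach and try default credentials against."""
    return sorted(ports[p] for p, reachable in results.items() if reachable)

if __name__ == "__main__":
    import sys
    # Run this from OUTSIDE your network against your own public IP address.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, reachable in sorted(scan_gateway(target).items()):
        print(f"{port:5d}  {REMOTE_ACCESS_PORTS[port]:17s} "
              f"{'REACHABLE' if reachable else 'closed/filtered'}")
```

A service listed by exposed_services is not necessarily compromised; it is a management interface reachable from the Internet that should be disabled on the WAN side or put behind a non-default password.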

03/10/2016: Hackers release source code for Mirai botnet

A week after carrying out a record-breaking DDoS attack on security researcher Brian Krebs' website, one of the creators of the Mirai botnet malware has released the source code for the IoT-powered behemoth.

The source code was released on Hackforums by a user going by the name of Anna-senpai accompanied by the following message: "When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there're lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.

"So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after Kreb (sic) DDoS, ISPs been slowly shutting downs and cleaning up their act. Today, max pull is about 300k bots, and dropping."

In a blog post on this latest twist in the tale, Brian Krebs wrote: "It's an open question why anna-senpai released the source code for Mirai, but it's unlikely to have been an altruistic gesture: miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home. Publishing the code online for all to see and download ensures that the code's original authors aren't the only ones found possessing it if and when the authorities come knocking with search warrants.

"My guess is that ... there will soon be many internet users complaining to their ISPs about slow internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth."

Thomas Pore, director of IT and services at Plixer, shared Krebs' sentiment, saying: "This is an interesting twist and likely proliferated as a means to draw law enforcement attention elsewhere. The code is a gift to cyber criminals looking to enter [the] popular market of DDoS as a Service, and it will be interesting to see who takes control over vulnerable IoT devices, because it's clear the author of this code is trying to get out."

23/09/2016: Security blog Krebs stays online despite massive DDoS attack

Security blog KrebsOnSecurity has been subject to a massive DDoS attack, which Akamai has revealed is the biggest it has seen.

Although KrebsOnSecurity is frequently attacked using such methods, this particular assault measured between 620Gbps and 635Gbps. The second largest measured by Akamai was 336Gbps.

Another reason this recent DDoS strike caught Akamai's eye is that it was launched almost exclusively by a very large botnet of hacked devices. Remarkably, the website managed to stay online despite being bombarded by bots.

"The largest DDoS attacks on record tend to be the result of a tried-and-true method known as a DNS reflection attack. In such assaults, the perpetrators are able to leverage unmanaged DNS servers on the Web to create huge traffic floods," site founder and investigative journalist Brian Krebs explained.

"But according to Akamai, none of the attack methods employed in Tuesday night's assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods," he continued.

This is with the exception of traffic that appeared to originate from generic routing encapsulation (GRE) data packets, which are commonly used to build a direct, point-to-point connection between network nodes.

"Someone has a botnet with capabilities we haven't seen before," Akamai's senior security advocate, Martin McKeay, said. "We looked at the traffic coming from the attacking systems, and they weren't just from one region of the world or from a small subset of networks; they were everywhere."

"Seeing that much attack coming from GRE is really unusual. We've only started seeing that recently, but seeing it at this volume is very new."

Krebs concluded that the attack was probably launched in response to posts he had written regarding the takedown of the DDoS-for-hire service vDOS.