The Metamorphosis of an Open Source Bot - Mirai to Persirai

By Robert Hamilton

The Mirai malware has become particularly notorious for recruiting IoT devices to form botnets that have launched some of the largest distributed denial of service (DDoS) attacks ever recorded. Mirai came onto the scene in late 2016 as the malware supporting very large DDoS attacks, including a 650 Mbps attack on the Krebs on Security site. It’s also purported to have been the basis of the attack in October 2016 that brought down sites including Twitter, Netflix, Airbnb and many others. Since then, Mirai has morphed into the most aggressive and effective botnet tool we’ve seen to date.

When the research team at Imperva went into the Incapsula logs after the Krebs attacks last fall, they found that indeed the Mirai botnet had been active well before the notorious September attack. Imperva discovered a botnet of 49,657 Mirai-infected devices spread over 164 countries with the top infected countries Vietnam, Brazil and the United States. They also found that Mirai was fond of IoT devices, particularly webcams. But even before Mirai became public, the Imperva team identified vulnerable IoT devices as an increasing source of DDoS botnets and saw a problem in the making.

Back in 2014, Imperva started seeing a massive increase in the number of weekly unique DDoS bot sessions and identified CCTV surveillance devices as a contributing factor, most of which were open to abuse through easily guessable default passwords. In 2015, Imperva discovered a botnet executing HTTP GET flood DDoS attacks that peaked around 20,000 requests per second from 900 CCTV cameras throughout the globe. The cameras were all running BusyBox—a package of stripped-down Unix utilities for systems with limited resources. The research foreshadowed the targeting of IoT devices as the next-generation source of botnets.

But it wasn’t until Mirai was publicly announced on Hack Forums in October that this IoT prediction gained energy. Aside from broad availability, one of the benefits of open source code is that it becomes more effective over time. Like legitimate source code, we’ve seen consistent improvements in the effectiveness of the Mirai malware since it was released eight months ago. Mirai’s focus on effectiveness at aggressively recruiting some of the most vulnerable IoT devices has made it a popular choice for hackers that want to create very large botnets.

Only weeks after the release of the original Mirai source code, Imperva documented a new variant that was found to be responsible for exploiting a newly discovered TR-069 vulnerability on wireless routers. With the exploit code added, the new variant was able to knock more than 900,000 Deutsche Telekom customers offline. To make the malware even more effective, the authors added an ability to close the vulnerability after the router was infected, making it more difficult to update the devices remotely until they could be rebooted. This ability to shut the door behind itself was an early “improvement” and is now a trademark of Mirai.

Mirai continued to evolve by adding a new bot recruitment capability less than three months after it went open source. Trend Micro discovered in February that Mirai was enhanced with a new Windows Trojan that continuously scans more ports to find additional IoT recruits. The Mirai C&C server instructs the Trojan to scan designated IPs. When the Trojan finds a Linux device, it installs the Mirai malware. If the machine is running Windows, the Trojan replicates itself to add the Windows PC to its recruitment force.

In March, Imperva Incapsula mitigated a Mirai-based attack that indicated the malware had mutated yet again. Before this attack, it appeared as though the Mirai botnet DDoS attacks focused on launching network layer DDoS attacks—attacks that try to flood the network pipes forcing traffic to slow to a crawl. This new attack saw a Mirai botnet launch an application layer attack on a U.S. college website that lasted over 54 hours. The average traffic flow came in at over 30,000 requests per second (RPS) and peaked at around 37,000 RPS—the most Imperva has seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests. What’s interesting about Mirai’s ability to launch application layer attacks is that it takes far fewer bots to bring a website down through an application attack. In this case, it took fewer than 10,000 infected IP cameras, DVRs and routers to launch a sizable attack.

This brings us to Persirai, the newest version of Mirai that was also discovered last month by researchers at Trend Micro and comes equipped with even more advanced “features.” Previous versions of Mirai used to rely on guessing default passwords, so any IoT devices that had default passwords changed were considered protected. Researchers discovered that Persirai became even more aggressive by exploiting a zero-day vulnerability to steal the password file from an IP camera regardless of password strength. Persirai’s ability to leverage the previous features, plus its password-stealing capability, has led to a massive increase in the number of infected devices. By tracking thousands of infected IoT devices, Trend Micro discovered over half of those in the U.S. are infected, with almost two-thirds of the cameras in Japan infected.

Persirai is on an aggressive recruitment push. Within a month after being released, Persirai has come to dominate the Mirai-variant infected devices with over 64 percent of all infections. Particularly alarming is the password-stealing feature of the new Persirai variant, which renders previous recommendations about simply updating passwords outdated. While a Persirai-infected device is not likely to malfunction, no organization wants to host a battalion of DDoS foot-soldiers. Additional measures to ensure IoT devices do not become unwitting members of a Persirai botnet include blocking internet access to admin ports and disabling universal plug and play (UPnP) on the router or firewall. Also consider isolating IoT devices on your network using segmentation or firewall policies, and only let IoT devices communicate with IP addresses that are approved. To avoid being the victim of a DDoS attack regardless of the botnet, consider subscribing to a DDoS mitigation service.
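As an added example (not from the original article), the following Python sketch audits flow records from an IoT segment against the three measures above: admin ports reachable from the internet, UPnP traffic, and connections to destinations that are not approved. The network ranges, approved address, admin port list and flow records are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed site layout and policy (hypothetical values, not from the article)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # everything inside the org
IOT_NET = ipaddress.ip_network("10.20.0.0/24")        # segmented IoT VLAN
APPROVED = {ipaddress.ip_address("203.0.113.10")}     # e.g. vendor update server
ADMIN_PORTS = {22, 23, 80, 443, 8080, 7547}           # 7547 is the usual TR-069 port
SSDP_PORT = 1900                                      # UPnP discovery (UDP)

# Constructed sample flows: (src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("198.51.100.7", "10.20.0.15", "tcp", 23),        # internet -> camera admin port
    ("10.20.0.15", "203.0.113.10", "tcp", 443),       # camera -> approved address
    ("10.20.0.15", "192.0.2.99", "tcp", 8443),        # camera -> unapproved address
    ("10.20.0.16", "239.255.255.250", "udp", 1900),   # camera sending UPnP discovery
    ("10.10.0.5", "10.20.0.15", "tcp", 80),           # internal admin host -> camera
]

def audit_flow(src, dst, proto, port):
    """Return the list of policy findings for one flow record."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    # Admin interface of an IoT device reachable from outside the organization
    if d in IOT_NET and s not in INTERNAL_NET and port in ADMIN_PORTS:
        findings.append("admin-port-exposed")
    # UPnP should be disabled, so any SSDP traffic touching the segment is flagged
    if proto == "udp" and port == SSDP_PORT and (s in IOT_NET or d in IOT_NET):
        findings.append("upnp-traffic")
    # IoT devices may only talk to approved addresses outside their own segment
    elif s in IOT_NET and d not in IOT_NET and d not in APPROVED:
        findings.append("unapproved-destination")
    return findings

def audit_all(flows):
    """Return (flow, findings) pairs for every flow that violates the policy."""
    results = []
    for flow in flows:
        findings = audit_flow(*flow)
        if findings:
            results.append((flow, findings))
    return results

if __name__ == "__main__":
    for flow, findings in audit_all(SAMPLE_FLOWS):
        print(flow, "->", ", ".join(findings))
```

Run against real flow or firewall logs, the same checks show whether the segmentation and allow-list policy is actually being enforced rather than only configured.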


About Robert Hamilton

Robert Hamilton is the Director of Product Marketing for the Incapsula service at Imperva. Incapsula is a cloud-based application delivery service that protects websites and increases their performance, improving end user experiences and safeguarding web applications and their data from attack.
