Typically when we see open source software we envision a community of programmers working together to develop useful software. However, hackers have been utilizing the same concept in developing and distributing viruses and malware with great success. Mirai, the software behind the world's largest Distributed Denial of Service (DDoS) attack, reportedly went open source Saturday on the popular English-language hacking community site Hackforums.
Open source malware dates back as far as 1999 and started with the hacking group Cult of the Dead Cow and their Trojan, Back Orifice. Since then numerous viruses and malware families have been released as open source, allowing others to either use or modify the code to create new versions. In 2009, the Zeus malware was widely distributed among hackers and at its peak had infected 3.6 million PCs, allowing an estimated $70 million to be stolen from its victims.
Krebs noted on his site that Mirai going open source is “virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
In an unwelcome development, the source code for the ‘Mirai’ IoT botnet family has been released https://t.co/TZvgPIb00A
— briankrebs (@briankrebs) October 1, 2016
If there is a silver lining, we can find it in what could be a sign that future attacks with Mirai may not be as successful. Posted along with the source code was this statement: “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
While the threat from Mirai might be shrinking, we are not out of the woods yet, as a predicted 6.2 billion IoT devices will be connected to the internet by year's end. Among these 6.2 billion devices are home routers, IP cameras, DVRs, and televisions, many of which are likely connected to the internet with default or easy-to-guess usernames and passwords.
Most devices can be rid of the malware by simply rebooting, but according to Krebs “vulnerable IoT devices can be re-infected within minutes of a reboot,” and the only surefire way to prevent automated infection in the first place is to change the default passwords.