Jul 26 2019

Life After Mirai: How Understanding Botnets Can Help Protect Businesses

The Mirai botnet attack devastated computers and confounded security experts. Three years later, here’s what was learned.

In September 2016, the Mirai botnet attack turned Internet of Things devices running on the ARC processor and the Linux OS into bots that could be used as part of large-scale network attacks. The malware lurked on fringe social media channels and blogs, eluding the FBI until it became one of the largest and most disruptive distributed denial of service (DDoS) attacks. 

The Mirai botnet hack took advantage of insecure IoT devices. The attack scanned big blocks of the internet for open telnet ports, then attempted to log in with default passwords. When successful, it was able to take control of a device and add it to a growing botnet army.

While the Mirai botnet continues to lurk, understanding why the attack was so harmful has helped safeguard businesses even as IoT expansion makes them more vulnerable than ever. 

Why the Mirai Botnet Attack Was So Harmful

The Mirai malware attack not only hit quickly and violently, but seemingly came from nowhere and stayed on internet channels the FBI was least likely to monitor. Despite the FBI's quick actions to attribute and neutralize the threat, companies lost hundreds of thousands in revenue when the DDoS attack downed networks. 

The FBI found a portion of the losses came from devices that companies were unaware had been compromised. "It was surprising the number of companies we talked to that had no idea they had devices participating in these attacks because they weren't completely clear what devices were in their networks," FBI agent Elliott Peterson tells BizTech.

Mirai targeted IoT devices to spread across the globe. Once one device was infected, it began to scan the internet in search of other exposed IoT devices to compromise. Devices infected by Mirai continue to function normally, if a bit sluggishly. Some companies saw infected devices using more bandwidth as they sought out other devices to infect, but many companies weren't monitoring network usage and remained blind to what was happening.

Several companies attempted to reboot infected devices, which did oust the malware. However, rebooted devices were quickly and easily reinfected if passwords weren’t changed before reboot. Without a way to stop the spread of the attack, the countless IoT devices in existence were sitting ducks. 
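The scanning behaviour described above is visible in ordinary network telemetry: an infected device suddenly opens many short connections to TCP/23 on many different hosts. The following detector is an added example, not code from the article or from any vendor it names; it reads constructed flow records (timestamp, source, destination, destination port, bytes) and flags any source that contacts more than a threshold of distinct destinations on the telnet port within a sliding time window. The record format, the hosts and the thresholds are assumptions chosen for illustration, and this is the kind of behavioural rule an IDS or network-monitoring tool would encode.

```python
"""Flag hosts that show Mirai-style telnet scanning in flow records.

Added example (not from the article). A source that reaches many distinct
destinations on TCP/23 in a short window is reported, together with the
number of destinations it touched. Flow lines are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORT = 23
WINDOW = timedelta(minutes=5)          # assumption: sliding window length
DISTINCT_DST_THRESHOLD = 20            # assumption: tune to the environment


def build_sample_flows():
    """Constructed flow lines: 'timestamp src dst dport bytes'."""
    lines = []
    # A benign workstation: a handful of HTTPS sessions to a few hosts.
    for i in range(5):
        lines.append(f"2019-07-26T10:00:{i:02d} 10.0.0.12 93.184.216.{i} 443 5120")
    # An infected camera: rapid, tiny connections to port 23 on 30 different hosts.
    for i in range(30):
        lines.append(f"2019-07-26T10:00:{i:02d} 10.0.0.55 203.0.113.{i} 23 60")
    return lines


def parse_flow(line):
    """Split one flow line into (timestamp, src, dst, dport, bytes)."""
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def detect_telnet_scanners(lines, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW):
    """Return {src: max distinct telnet destinations seen within one window}
    for every source whose count reaches the threshold."""
    per_src = defaultdict(list)        # src -> [(timestamp, dst), ...]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_flow(line)
        if dport == TELNET_PORT:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                  # chronological order for the sliding window
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for host, count in detect_telnet_scanners(build_sample_flows()).items():
        print(f"ALERT {host}: {count} distinct telnet destinations in {WINDOW}")
```

The workstation never appears in the alert because it touches only five hosts and none on port 23; the camera trips the rule even though each of its flows is only 60 bytes, which is why byte-volume monitoring alone, as the article notes, left many companies blind. In production the same logic would run on NetFlow/IPFIX or firewall logs and the threshold would be set from a baseline of normal telnet use, which on most business networks should be near zero.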

What Businesses Can Do to Protect Against the Next Mirai

Mirai was not an isolated incident. Today, the Hajime botnet is nearly 300,000 strong, making it a latent threat nearly as powerful as Mirai. The number of devices that might be infected with the Hajime worm is at least 1.5 million. 

PC World recommends these six steps to protect against botnet attacks. 

  1. Hire a web-filtering service: Since attacks such as Mirai exploit DNS, web filtering services scan sites for unusual behavior or known malicious activity and block them from users. Popular services include McAfee’s web filtering module and the Barracuda Web Security Gateway 310.
  2. Switch browsers: Malware is most often written to target Internet Explorer or Mozilla Firefox, two of the most popular browsers. Switching to Google Chrome, Safari or Avant Browser could help protect systems. 
  3. Disable scripts: Disabling browsers from running scripts can slow down botnet attacks. 
  4. Deploy intrusion detection and intrusion prevention systems: IDS and IPS systems look for botnet-like behavior and alert users before machines are completely destroyed. 
  5. Protect user-generated content: Company websites should let members swap files but limit those files to what’s relatively safe — .jpeg or .mp3 extensions, for instance. A lax environment can open up a site to worms. 
  6. Use a remediation tool: Products from companies such as Symantec can detect and clean even the deepest infections. In Symantec's case, it uses Veritas technology to allow an anti-virus scanner to bypass Windows file system APIs, which are controlled by the operating system and therefore vulnerable to manipulation by a botnet.
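Step 5 above suggests limiting user uploads to a few relatively safe types. The check below is an added example, not code from the article or from any product it names: it allows only .jpg/.jpeg and .mp3 names and, because an extension is trivially renamed, also requires the first bytes of the file to match that type's signature (the JPEG SOI marker, or an ID3 tag or MPEG frame sync for MP3). It also reduces a client-supplied name to a safe storage name. File names and byte strings are constructed for the demo.

```python
"""Allow only .jpeg/.mp3 uploads, checking content as well as the name.

Added example (not from the article). The extension allowlist implements the
article's suggestion; the content signature check and the safe storage name
are the extra steps a practitioner would add.
"""
import os
import re

JPEG_SOI = b"\xff\xd8\xff"            # Start Of Image marker every JPEG begins with
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".mp3"}
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def _looks_like_mp3(data):
    """True for an ID3v2 tag header or a raw MPEG audio frame sync (11 set bits)."""
    if data.startswith(b"ID3"):
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def is_allowed_upload(filename, data):
    """Accept only when the extension is allowlisted AND the bytes match it."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False
    if ext in (".jpg", ".jpeg"):
        return data.startswith(JPEG_SOI)
    return _looks_like_mp3(data)       # ext == ".mp3"


def safe_storage_name(filename):
    """Drop directory components and any character outside a conservative set,
    so a client-supplied name cannot steer the file outside the upload directory."""
    base = os.path.basename(filename.replace("\\", "/"))
    cleaned = SAFE_NAME.sub("_", base).lstrip(".")
    return cleaned or "upload"


if __name__ == "__main__":
    # Constructed samples: a real JPEG header, an MP3 with an ID3 tag,
    # and a PHP script renamed to look like an image.
    samples = [
        ("photo.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("song.mp3", b"ID3\x04\x00" + b"\x00" * 16),
        ("script.php.jpg", b"<?php echo 1; ?>"),
    ]
    for name, blob in samples:
        print(name, "->", "accepted" if is_allowed_upload(name, blob) else "rejected",
              "as", safe_storage_name(name))
```

Rejecting `script.php.jpg` shows why the content check matters: the name passes the allowlist but the bytes do not. Accepting a file is still not the same as rendering it safely; serve uploads from a separate origin or with a download disposition so a browser never executes what a member uploaded.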