We have written a lot about the Mirai botnet since the high-profile attacks against the Dyn DNS service and the OVH hosting provider. It is a dangerous threat designed to target IoT devices, which can then be used to power massive DDoS attacks.
The Mirai botnet is becoming very popular in the criminal underground, so it is natural that crooks have started offering it as a DDoS-for-hire service to other cyber criminals.
We recognize BestBuy as the author of the GovRAT malware, who offered the source code of his threat, including a code-signing digital certificate, for nearly 4.5 Bitcoin on the TheRealDeal black market.
Experts from threat intelligence firm InfoArmor linked Popopret to BestBuy; the researchers pointed out that BestBuy also started using the moniker “Popopret.”
The RAT was delivered through spear-phishing and drive-by download attacks. The victims included government and military organizations. Data stolen from military organizations was also offered for sale on the black market.
Catalin Cimpanu from Bleeping Computer published an interesting post confirming that the two monikers Popopret and BestBuy (it is not clear if they are the same person) are renting access to a Mirai botnet composed of more than 400,000 infected bots, the largest one offered for rent to date.
“Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone’s behest,” wrote Cimpanu.
The botnet offered by Popopret and BestBuy represents an evolution of the original Mirai botnet because it includes new features like SSH supported brute-force attacks to exploit zero-day vulnerabilities.
The experts at Bleeping Computer highlighted the fact that this Mirai botnet isn’t cheap, because Popopret asks its customers to rent it for a minimum period of two weeks.
“Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount),” Popopret told Bleeping Computer.
Customers can get a discount if they rent the Mirai botnet with a long DDoS cooldown time, which is the time between two consecutive DDoS attacks.
“DDoS botnets use cooldown times to avoid maxing out connections, filling and wasting bandwidth, but also preventing devices from pinging out and disconnecting during prolonged attack waves,” reported Bleeping Computer.
Popopret provided an example price for this Mirai botnet: 50,000 bots with an attack duration of 3600 secs (1 hour) and a 5-10 minute cooldown time go for roughly 3-4k per 2 weeks. The experts highlighted that the service is very expensive.
The botnet is controlled through a console hidden on the Tor network that can be accessed via Telnet.
The hackers Popopret and BestBuy declined to run a test to show the real capabilities of their botnet.
You can monitor the Mirai botnet with the following tracker.
(Security Affairs – Mirai botnet, IoT)