Imperva observed a new variant of the Mirai botnet unleashes 54-Hour DDoS attack

Pierluigi Paganini March 30, 2017

According to security experts at Imperva, a newly discovered variant of the Mirai botnet was used to power a 54-hour DDoS attack.

According to security experts at Imperva, a newly discovered variant of the dreaded Mirai botnet was used to power a 54-hour distributed denial of service (DDoS) attack.

The new variant of the Mirai botnet was observed targeting a customer of the company, a US college. The DDoS attack peaked at around 37,000 RPS, the experts highlighted that this is the highest of any Mirai botnet previously detected.

“The attack, which started on February 28 and ran for 54 hours straight, targeted one of our customers, a US college.” reads the blog post published by Incapsula.

“The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS—the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests.”

Mirai botnet traffic

The Mirai malware was spotted by the researcher MalwareMustDie in August 2016, it was specifically designed to target IoT devices.

It infected thousands of routers and IoT devices, including DVRs and CCTV system). When the Mirai bot infects a device, it chooses random IPs and attempts to log via the Telnet and SSH port using a list of admin credentials.

The Mirai botnet was used last year in two large attacks against the website of the popular investigator Brian Krebs and the Dyn DNS service. In October, the source of the Mirai bot was leaked online and new variants were spotted in the wild.

A reference to the malicious code was spotted by Brian Krebs on the popular criminal hacker forum Hackforum. The Hackforum user with moniker “Anna-senpai” shared the link to the source code of the malware “Mirai.”

On January 2017, experts spotted a new Windows variant of Mirai allegedly used to spread the Linux Trojan to more IoT devices.

The experts at Imperva speculate the attack was powered by a variant developed from the source code leaked. Previous versions of the Mirai botnet powered network layer DDoS attacks, the new variant launched an application layer assaults instead.

The experts determined that the botnet used to launch the attack was mostly composed of CCTV cameras, DVRs and routers. The researchers speculate the IoT devices might have been compromised by exploiting known vulnerabilities that the botnet exploited via open telnet (23) ports and TR-069 (7547) ports.

“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” continues the blog post published by Imperva.

The DDoS bots used in the attack used different user-agents instead the five previously seen hardcoded in the default Mirai version. The technical detail suggests the new variant of the Mirai botnet might have been improved to power more sophisticated application layer attacks.

“Overall, in the course of the attack, we spotted the following 30 user-agent variants” continued the post.

The analysis of the traffic originating from 9,793 IPs worldwide, revealed that more than 70% of the devices were located in the following countries: United States (18.4%), Israel (11.3%), Taiwan (10.8%), India (8.7%), Turkey (6%), Russia (3.8%), Italy (3.2%), Mexico (3.2%), Colombia (3.0%), and Bulgaria (2.2%).

“Less than a day after the initial assault ended, another one began that lasted for an hour and a half with an average traffic flow of 15,000 RPS. Based on our experience, we expect to see several more bursts before the offender(s) finally give up on their efforts,” concluded the post.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Mirai botnet, DDoS)

you might also like

leave a comment