For our readers unfamiliar with Mirai, this is a malware family that targets embedded systems and Internet of Things (IoT) devices and has been used in the past two months to launch the largest DDoS attacks known to date.
Previous high-profile victims included French Internet service provider OVH (1.1 Tbps), managed DNS service provider Dyn (size unknown), and the personal blog of investigative journalist Brian Krebs (620 Gbps), who, at the time, had just uncovered an Israeli DDoS-for-hire service called vDos.
400K botnet spawned from original Mirai source code
After the OVH and Krebs DDoS attacks, the creator of this malware open-sourced Mirai, so other crooks could deploy their own botnets and cover some of the malware creator’s tracks.
According to a Flashpoint report, this is exactly what happened, with multiple Mirai botnets popping up all over the web, as small-time crooks tried to set up their personal DDoS cannons.
Two security researchers that go online only by their nicknames, 2sec4u and MalwareTech, have been tracking some of these Mirai-based botnets via the @MiraiAttacks Twitter account and the MalwareTech Botnet Tracker.
The two say that most of the Mirai botnets they follow are relatively small in size, but there is one that is much bigger than the rest.
“You can see when they [massive botnet operators] launch DDoS attacks because the graph on my tracker drops by more than half,” MalwareTech told Bleeping Computer. “They have more bots than all the other Mirai botnets put together.”
400K Mirai botnet available for renting
In a spam campaign carried out via XMPP/Jabber started yesterday, two hackers have begun advertising their own DDoS-for-hire service, built on the Mirai malware.
The two claim to be in control of a Mirai botnet of 400,000 devices, although we couldn’t verify with certainty that it’s the same botnet observed by 2sec4u and MalwareTech (more on this later).
A redacted version of the spam message is available below, along with the ad’s text.
Botnet developed by reputable hackers
The two hackers behind this botnet are BestBuy and Popopret, the same two people behind the GovRAT malware that was used to breach and steal data from countless US companies. More details about their previous endeavors are available in an InfoArmor report released this autumn.
The two are also part of a core group of hackers that were active on the infamous Hell hacking forum, considered at one point the main meeting place for many elite hackers, so it’s safe to say these are not your regular script kiddies.
Bleeping Computer reached out to both hackers via Jabber. Both Popopret and BestBuy had time for a conversation but declined to answer some of our questions, so as not to expose sensitive information about their operation and their identities.
Botnet isn’t cheap
According to the botnet’s ad and what Popopret told us, customers can rent their desired quantity of Mirai bots, but for a minimum period of two weeks.
“Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount),” Popopret told Bleeping Computer.
Customers don’t get discounts if they buy larger quantities of bots, but they do get a discount if they use longer DDoS cooldown periods.
“DDoS cooldown” is a term that refers to the time between consecutive DDoS attacks. DDoS botnets use cooldown times to avoid maxing out connections and filling and wasting bandwidth, and also to prevent devices from pinging out and disconnecting during prolonged attack waves.
Popopret provided an example: “price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks.” As you can see, this is no cheap service.
Once the botnet owners reach an agreement with the buyer, the customer gets the Onion URL of the botnet’s backend, where he can connect via Telnet and launch his attacks.
400K botnet has evolved, added new features
Compared to the original Mirai source code that was leaked online at the start of October, the botnet Popopret and BestBuy are advertising has undergone a serious facelift.
The original Mirai botnet was limited to only 200,000 bots. As security researcher 2sec4u told Bleeping Computer, this was because the Mirai malware only came with support for launching brute-force attacks via Telnet, and with a hardcoded list of 60 username & password combinations.
The 200K limit exists because there are only about 200,000 Internet-connected devices that have open Telnet ports and use one of the 60 username & password combinations.
Popopret and BestBuy expanded the Mirai source by adding the option to carry out brute-force attacks via SSH, and also added support for the malware to exploit a zero-day vulnerability in an unnamed device.
2sec4u says he suspected new Mirai malware variants might use exploits and zero-days, but this is currently unconfirmed, since nobody has reverse-engineered recent versions of the Mirai malware binary to confirm Popopret’s statements.
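As an added, defender-side example (not code from the article, nor from the researchers or operators named in it): a small Python checker that runs over constructed log lines from a hypothetical IoT gateway and flags sources cycling through several username/password pairs against its Telnet or SSH service, the spreading behaviour the article attributes to Mirai and to the SSH-capable variant. The log format, IP addresses and credentials are all assumed and constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): login attempts recorded by a
# hypothetical IoT gateway on its Telnet (23) and SSH (22) services. The credentials
# are placeholders, not Mirai's real list.
SAMPLE_LOG = """\
2016-11-24T10:00:01 svc=telnet dport=23 src=198.51.100.7 user=root pass=pw1 result=fail
2016-11-24T10:00:02 svc=telnet dport=23 src=198.51.100.7 user=root pass=pw2 result=fail
2016-11-24T10:00:02 svc=telnet dport=23 src=198.51.100.7 user=admin pass=pw1 result=fail
2016-11-24T10:00:03 svc=telnet dport=23 src=198.51.100.7 user=admin pass=pw3 result=fail
2016-11-24T10:00:03 svc=telnet dport=23 src=198.51.100.7 user=admin pass=pw1 result=fail
2016-11-24T10:00:05 svc=telnet dport=23 src=192.0.2.44 user=admin pass=typo result=fail
2016-11-24T10:00:06 svc=telnet dport=23 src=192.0.2.44 user=admin pass=ok result=success
2016-11-24T10:00:09 svc=ssh dport=22 src=203.0.113.9 user=root pass=pw1 result=fail
2016-11-24T10:00:09 svc=ssh dport=22 src=203.0.113.9 user=root pass=pw4 result=fail
2016-11-24T10:00:10 svc=ssh dport=22 src=203.0.113.9 user=support pass=pw5 result=fail
"""

# Assumed line layout of the constructed log; adapt the pattern to a real device's format.
LINE_RE = re.compile(
    r"svc=(?P<svc>\w+) dport=\d+ src=(?P<src>[\d.]+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<res>\w+)"
)

def parse_log(text):
    """Turn each well-formed line into a dict of fields; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]

def flag_credential_sweeps(events, min_distinct=3):
    """Return {src: {service: number of distinct failed (user, pass) pairs}} for every
    source that tried at least min_distinct distinct pairs on one service.
    Retrying the same pair counts once, so a user mistyping a password is not flagged;
    a scanner walking a fixed credential list is."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["res"] == "fail":
            seen[e["src"]][e["svc"]].add((e["user"], e["pw"]))
    flagged = {}
    for src, per_svc in seen.items():
        hits = {svc: len(p) for svc, p in per_svc.items() if len(p) >= min_distinct}
        if hits:
            flagged[src] = hits
    return flagged

if __name__ == "__main__":
    for src, hits in flag_credential_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: credential sweep against {hits}")
```

On the constructed input, 198.51.100.7 is flagged for four distinct pairs on Telnet and 203.0.113.9 for three on SSH, while the single mistyped password from 192.0.2.44 is ignored.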