Mirai is the hydra of IoT security: too many heads to cut off

Efforts to stop Mirai, malware found infecting thousands of IoT devices, have become a game of whack-a-mole, with differing opinions over whether hackers or the security community are making any headway.

The malicious code became publicly available in late September. Since then, it’s been blamed for enslaving IoT devices such as DVRs and internet cameras to launch massive distributed denial-of-service attacks, one of which disrupted internet access across the US in October.

The good news: Last month, police arrested one suspected hacker who may have been behind several Mirai-related DDoS attacks.

In addition, internet backbone provider Level 3 Communications has said it's made a dent in stopping the Mirai malware.

The malicious code has been found on 500,000 to 600,000 IoT devices at one time or another. But the vast majority of those now are “stranded” and no longer under the control of hackers, said Level 3 Chief Security Officer Dale Drew.

That’s because ISPs, including Level 3, are blocking internet access to the servers that hackers are using to control the Mirai-infected devices.

“We had previously been taking down Mirai C2s (command and control servers) monthly, then weekly,” Drew said in an email. “Now, we’re taking them down every four hours.”

This has left only about 97,000 Mirai-infected devices out on the internet that can be controlled by malicious parties. That doesn’t mean the malware isn’t still a threat, Level 3 said.

The bad news: Hackers are still modifying the Mirai source code to infect new devices.

On Monday, security research group Malware Must Die said it found evidence that Chinese hackers were repurposing Mirai to infect a batch of IoT products, in this case from a Taiwanese vendor.