adv

Mirai is the hydra of IoT security: too many heads to cut off

“This could have a huge impact,” the research group said in a direct message over Twitter. “Chinese hackers who used to make DDoS Linux malware are starting to adapt the Mirai source code.”

A screenshot of the DDoS client from the Chinese hackers.

The Chinese hackers appear to have modified the malicious coding to exploit a known vulnerability in products from Avtech, a maker of DVRs and internet cameras.

The new strain of Mirai takes advantage of a web scripting bug in the products, triggering them to visit a URL that downloads the hackers’ malware.

There are about 160,000 devices on the internet that could be vulnerable to the attack, Malware Must Die said. A security researcher has contacted the Avtech about the problem, but it’s unclear if the vendor has issued a patch.

Lingering dangers: Things could get worse.

Authorities may have arrested one suspected hacker connected with Mirai, but others have been making video tutorials on how to use the source code and uploading them to YouTube.

“It really is chopping the head off a hydra,” said Bryant Townsend, CEO of Backconnect, in a reference to the mythical many-headed serpent.

Backconnect, a DDoS protection provider, estimates there are about 250,000 to 300,000 IoT devices still infected with Mirai.

The company gave a higher estimate than Level 3 because it’s detected newer strains of Mirai infecting IoT devices using other known exploits, said Marshal Webb, Backconnect’s CTO.

“That (number) can easily rise into the millions,” he said. For example, it wouldn’t be hard for a hacker to Google known vulnerabilities in IoT devices and then incorporate that information into the Mirai source code, Webb said.

Some existing Mirai strains are also still scanning the internet, looking to infect vulnerable devices.

Johannes Ullrich, a security researcher with the SANS Technology Institute, said on Monday he recently connected his DVR to the internet to see if Mirai would try to infect it.

“Within 5 minutes, it was compromised,” he said.

Although ISPs like Level 3 are reporting progress against Mirai, Ullrich said the tech industry still hasn’t resolved the root problem that’s been fueling the malware’s growth: insecure IoT products that can be easily hacked. That needs to change.

“You still have all these vulnerable devices out there,” he said. “The number of patched devices is still fairly minuscule.”

IDG News Service