When the source code for the malware behind the Mirai botnet was released nearly three weeks ago, security researchers immediately began poring over it to see how the malware worked. Of course, attackers took notice too, and in that time, the number of devices infected by Mirai and associated with the botnet has more than doubled, to nearly half a million.
The size of the Mirai botnet isn’t really what’s remarkable about it; there are many other botnets operating now that are several times its size. It’s the fact that Mirai has mainly infected embedded devices such as DVRs and CCTV cameras that has drawn notice, along with the fact that the botnet has been part of two of the larger DDoS attacks ever seen. The malware scans the Internet for devices with telnet running on an open port and using default credentials, and then connects and installs itself on the device. Each new infected device then starts the scanning process again.
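The scanning behaviour described above has a simple defender-side signature: an infected device opens telnet connections to many distinct hosts, one attempt each, rather than repeating a single session. The following added example (not code from the article or from Level 3) flags such fan-out in connection records; the key=value log format and the 2323 alternate telnet port are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Telnet ports to watch. 23 is standard telnet; 2323 is an alternate telnet port
# included here as an assumption, not something the article states.
TELNET_PORTS = {23, 2323}

# Constructed connection records in an assumed key=value format (not a real product's log).
# 192.0.2.10 behaves like an infected device fanning out to many telnet destinations;
# 192.0.2.20 is ordinary admin traffic (two SSH sessions and one telnet session).
SAMPLE_LOG = [
    f"2016-10-17T12:00:{i:02d}Z proto=tcp src=192.0.2.10 dst=198.51.100.{i} dport={23 if i % 2 else 2323}"
    for i in range(1, 13)
] + [
    "2016-10-17T12:01:00Z proto=tcp src=192.0.2.20 dst=198.51.100.50 dport=22",
    "2016-10-17T12:01:05Z proto=tcp src=192.0.2.20 dst=198.51.100.51 dport=22",
    "2016-10-17T12:01:09Z proto=tcp src=192.0.2.20 dst=198.51.100.52 dport=23",
    "2016-10-17T12:01:20Z proto=udp src=192.0.2.30 dst=198.51.100.53 dport=53",
]

LINE_RE = re.compile(r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

def parse_flow(line):
    """Return (proto, src, dst, dport) or None for lines that do not match the format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["proto"], m["src"], m["dst"], int(m["dport"])

def find_telnet_scanners(lines, threshold=10, ports=TELNET_PORTS):
    """Map each source that reached telnet ports on >= threshold distinct hosts to that count.
    Distinct-destination fan-out, not raw connection count, is the signal: a scanner touches
    many hosts once each, while a legitimate admin session repeats one host."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole pass
        proto, src, dst, dport = parsed
        if proto == "tcp" and dport in ports:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    for src, count in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: telnet probes to {count} distinct hosts (Mirai-style scan fan-out)")
```

A hit is a prompt to check the device for telnet exposed with default credentials, which is the condition Mirai exploits in the first place.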
The source code for Mirai became public on Oct. 1, and many attackers took it and ran, creating their own smaller botnets. In that time, researchers at Level 3 said, the total number of Mirai bots has increased dramatically.
“We have been able to identify bots via communications with the C2. Once new bots are identified, their common communications lead to new C2s, which then lead to more bots. Prior to the Mirai source code release, we identified approximately 213,000 bots using this method. Since the code release, multiple new Mirai botnets have accumulated an additional 280,000 bots, bringing the count of Mirai bots to 493,000. The true number of actual bots may be higher based on an incomplete view of the infrastructure,” the researchers said in a new report.
That bot total is from several discrete Mirai botnets, not one overarching network, and the botnets have a number of different C2 servers in play, too. The attackers assembling these botnets are continuing to use them in huge DDoS attacks against a variety of targets, L3 Threat Research Labs said.
“The magnitude of attacks observed can be quite significant. We have observed several attacks using more than 100 Gbps. Large armies of bots participated in attacks, with several using over 100,000 bots against the same victim. We have seen Mirai botnets employ a variety of different attacks, the majority of which are L7 HTTP attacks and UDP and TCP floods, while a smaller fraction utilized GRE. Additionally, we have seen a number of attacks against authoritative DNS infrastructure, sometimes as a part of attacks using multiple of these methods,” the report says.
Most of the infected devices used in Mirai botnets are in the United States, and about a quarter of them are also infected with Gafgyt, a different malware family that also targets IoT devices. L3 researchers said that the public availability of the Mirai source code will likely lead to more botnets popping up in the near future.
“With the public release of the Mirai source code around October 1, it is expected additional actors will continue to utilize the malware to initiate DDoS attacks,” they said.