The source code for the botnet which disrupted Krebs On Security has been published online, leading to fears that the botnet will soon be used by practically anyone to flood the internet with powerful — and expensive — attacks.
At 620 Gbps, Akamai engineers were able to repel the attack, but the company — which gave Krebs a home pro-bono — was forced to let him go as a “business decision” since keeping the blog and weathering more DDoS attacks could have ended up costing the business a fortune.
The botnet responsible is based on malware called Mirai. The malicious code utilizes vulnerable and compromised Internet of Things (IoT) devices to send a flood of traffic against a target.
In this case, the DDoS attack included SYN Floods, GET Floods, ACK Floods, POST Floods, and GRE Protocol Floods.
According to the security expert, the source code of the Mirai malware was released through hacking community Hackforums on Friday.
The malware spreads to vulnerable devices by scanning the web for IoT devices which have either default or hard-coded passwords and usernames, of which, the device is then accessed through publicly-available credentials and is set under Mirai’s control — potentially leading to vast networks of slave devices with relatively little effort.
As noted by Krebs, the release of the source code could lead to the internet being “flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
The individual who released the code, nicknamed “Anna-senpai,” said they have “made their money” and now it is time to get out of the DDoS game with so many security researchers — and potentially law enforcement — now looking at IoT and the malware.
“So today, I have an amazing release for you,” Anna-senpai wrote. “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
By making Mirai open-source, threat actors have been given another tool for their arsenal. With the code now freely available online, it may also be more difficult for law enforcement to keep control of the problem and track down operators.
“My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth.
On the bright side, if that happens it may help to lessen the number of vulnerable systems.”
The sheer magnitude of the DDoS leveraged at the security expert’s domain through Mirai forced Akamai to boot Krebs On Security off the firm’s network and the blog’s address was temporarily redirected to 127.0.0.1 to prevent the cloud hosting provider from straining under the weight of more attacks.
Happily for Krebs and his readers, the Krebs On Security blog is now back in business after Google parent company Alphabet’s Project Shield, offered the researcher a home and the clout needed to repel any future DDoS attacks of such magnitude.