The infamous botnet that was used in the recent massive distributed denial of service (DDoS) attacks against the popular DNS provider Dyn, causing vast internet outage last Friday, itself is flawed.
Yes, Mirai malware, which has already enslaved millions of Internet of Things (IoT) devices across 164 countries, contains several vulnerabilities that might be used against it in order to destroy botnet’s DDoS capabilities and mitigate future attacks.
Early October, the developer of the malware publically released the source code of Mirai, which is designed to scan for IoT devices – mostly routers, cameras, and DVRs – that are still using their default passwords and then enslaves them into a botnet, which is then used to launch DDoS attacks.
However, after a close look at the source code, a researcher discovered three vulnerabilities, one of which could be used to shut down Mirai’s ability to flood targets with HTTP requests.
A stack buffer overflow vulnerability was found by Scott Tenaglia, a researcher at endpoint security firm Invincea, in the segment of the Mirai’s code that carries out HTTP flood attacks.
However, if exploited, the vulnerability could crash the attack process, thereby terminating the attack from that bot (infected IoT device), but leaving that compromised device intact and running.
Tenaglia has publically released the exploit, saying his exploit would not have helped in the recent DNS-based DDoS attack against Dyn that rendered major websites inaccessible, but would also shut down Layer 7 attack capabilities present in Mirai.
That’s because Mirai is capable of launching HTTP floods as well as various network DDoS attacks, including DNS floods, UDP floods, SYN and ACK floods, GRE IP and GRE ETH floods, STOMP (Simple Text Oriented Message Protocol) flood attacks.
“This simple ‘exploit’ is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to guard against a Mirai-based HTTP flood attack in real time,” Tenaglia writes in a blog post. “Although it cannot be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device.”
Legal Concerns of Hacking Back:
However, exploiting this vulnerability is to hack back tens of hundreds of IoT devices, which is a controversial and illegit approach and could put defenders in a gray area.
Hacking back involves making changes to systems across various countries without permission from a device’s owner, an ISP or its carrier, and Invincea adds a disclaimer on its research, saying it is not advocating a counterattack.
But since the flaw has the capability of thwarting the threat, white-hat vigilante hackers can silently use this vulnerability against the malware and take Mirai-infected devices away from the criminals.
As we have seen numerous court-ordered botnet takedowns in the past, the authorities can get a court order and hack back Mirai-compromised devices in order to shut down the infamous botnets.
The DDoS attack that hit French Internet service and hosting provider OVH with 1.1 Tbps of junk traffic, which is the largest DDoS attack known to date, also came from Mirai bots.