Three Whitehat Countermeasures to the Botnet Threat

Just in time for Mirai 2.0.

A connected home installation at the Panasonic booth of the IFA consumer electronics trade fair in Berlin, September 4, 2014. With all these devices, your home can be a cybercriminal’s botnet smorgasbord. TOBIAS SCHWARZ/AFP/Getty Images

In late October, about half the internet got shut down when thousands of compromised devices were recruited to attack one of the web’s most widely used “phonebooks,” the domain name service provider Dyn. The villain in this story is now known as the Mirai botnet, a swarm of internet-of-things (IoT) devices that had been compromised by malicious code that wandered the world’s ethernet cables, searching for new devices to take over.


Now, some of the internet’s best bad guys are offering a new and improved Mirai botnet swarm on the Dark Web, as Bleeping Computer has reported. This botnet is about twice the size of the one that took down Dyn. It appears to have grown in part by reaching connected devices in more ways and also by exploiting a zero-day vulnerability in some undisclosed connected device.

Just to be clear, a botnet works by taking advantage of other people’s devices (routers, wireless cameras, etc.). At its core, the Mirai breach was simple: it tried the factory-installed default passwords on every device it could find. If one worked, the device got infected. If the owner of the device had bothered to change the administrative credentials, it just moved on.

That’s really it. It wasn’t hacker black magic. They just took advantage of consumer and manufacturer laziness at scale. This new botnet is a bit more clever.
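What that pattern looks like from the defender’s side, as an added example that is not code from the article or from any project it mentions: a small Go program that reads telnet login attempts in the shape a honeypot or a device might log them and flags sources that try several distinct credential pairs across several devices. A single user mistyping a password on one device does not trip it. The log format, the addresses and the credential pairs are all constructed for the illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed telnet login log in the shape a honeypot or a device might keep;
// not real data. Each line: <timestamp> <source-ip> <target-id> <user> <password> <result>
const sampleLog = `2016-11-28T10:00:01Z 203.0.113.7 cam-01 admin admin fail
2016-11-28T10:00:02Z 203.0.113.7 cam-01 root 12345 fail
2016-11-28T10:00:03Z 203.0.113.7 cam-02 admin admin success
2016-11-28T10:00:04Z 203.0.113.7 dvr-01 root root fail
2016-11-28T10:00:05Z 203.0.113.7 dvr-01 admin password fail
2016-11-28T10:00:09Z 198.51.100.4 cam-01 operator s3cretPass fail
2016-11-28T10:00:15Z 198.51.100.4 cam-01 operator s3cretPas5 success`

type attempt struct {
	ts, src, target, user, pass, result string
}

// parseAttempt splits one log line into its six fields; malformed lines are rejected.
func parseAttempt(line string) (attempt, bool) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return attempt{}, false
	}
	return attempt{f[0], f[1], f[2], f[3], f[4], f[5]}, true
}

// SourceStats summarises what one source address did across the whole log.
type SourceStats struct {
	Credentials int // distinct user:password pairs tried
	Targets     int // distinct devices contacted
	Successes   int // logins that were accepted
}

// scanStats aggregates per-source statistics from the log text.
func scanStats(log string) map[string]SourceStats {
	creds := map[string]map[string]bool{}
	targets := map[string]map[string]bool{}
	successes := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		a, ok := parseAttempt(sc.Text())
		if !ok {
			continue
		}
		if creds[a.src] == nil {
			creds[a.src] = map[string]bool{}
			targets[a.src] = map[string]bool{}
		}
		creds[a.src][a.user+":"+a.pass] = true
		targets[a.src][a.target] = true
		if a.result == "success" {
			successes[a.src]++
		}
	}
	out := map[string]SourceStats{}
	for src := range creds {
		out[src] = SourceStats{len(creds[src]), len(targets[src]), successes[src]}
	}
	return out
}

// suspiciousSources returns, sorted, the sources that behave like a
// credential-spraying worm: several distinct default-style credential pairs
// tried across several devices.
func suspiciousSources(log string, minCreds, minTargets int) []string {
	var hits []string
	for src, s := range scanStats(log) {
		if s.Credentials >= minCreds && s.Targets >= minTargets {
			hits = append(hits, src)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	stats := scanStats(sampleLog)
	for _, src := range suspiciousSources(sampleLog, 3, 2) {
		s := stats[src]
		fmt.Printf("%s: %d credential pairs across %d devices, %d successful logins\n",
			src, s.Credentials, s.Targets, s.Successes)
	}
}
```

The thresholds (three credential pairs, two devices) are the knobs worth tuning against your own logs: a worm of this kind is noisy precisely because it has to try the whole default list on every device it finds, and a successful login after a run of failures from the same source is the line worth alerting on.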

We reported on some of the classic internet-of-things failures last year. For a deeper dive, cloud security firm Imperva went through the Mirai source code line by line on its blog.

Hacker black magic might not have caused the outage, but it might be able to stop it going forward. Here are three measures that could make it harder for others to create their own version of the Mirai botnet and shut down segments of the internet for lulz and profit:

  • An open-source honeypot. A honeypot is a system left open to intentionally let an attacker penetrate and infect it. This makes it possible for security researchers to study its behavior. Cymmetria, a security firm that specializes in the technique, published an open-source honeypot designed for the Mirai botnet on GitHub. We spoke with Cymmetria after it flagged a doxxing service on the dark web. The Internet Storm Center told the Observer in an email that it will be using the honeypot to look out for Mirai, including future iterations.
  • Make them pay. It costs money to run a botnet, so a group of security researchers has proposed a means of discouraging attacks by making them more expensive. Researchers at Carnegie Mellon University call the strategy SPIFFY in a paper from this year. We came across it at NYU’s recent Cybersecurity Awareness Week. In a phone call with the Observer, Min Suk Kang, one of the authors, explained that some of the most vicious recent attacks have been link flooding attacks, which specifically target internet exchange points, the places where different internet service providers’ networks meet (not hyperlinks, but physical network links). Because the attacking traffic cannot be distinguished from legitimate traffic, the researchers suggest—counter-intuitively—increasing the bandwidth for all traffic at the choke point the hackers created. Legitimate traffic will increase its flow in response. The attacking IP addresses probably won’t, however, because an attacker is likely to run an attack at its maximum from the start. This makes it simple to identify the malicious traffic. “We claim that our defense system causes a trade-off between the cost and undetectability,” Kang said. “That’s an untenable trade-off for the adversary, especially the rational adversary.” Most cybercriminals behave rationally these days, like the unethical businessmen that they are.
  • Encrypt the command and control center. We’ve written about Virgil Security before. It provides end-to-end encryption as a service. In an email to the Observer, Michael W. Wellman, a co-founder, pointed out that botnets are nothing compared to a much more serious fear from weak IoT security: pervasive man-in-the-middle attacks. If routers get compromised, they can watch everything users do online. The solution: build devices that won’t obey commands unless they are digitally signed. This one, sadly, only works if manufacturers buy in, however, and security clearly hasn’t been a priority or recruiting bots wouldn’t be so easy.
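The rate-change test behind the “make them pay” idea, as an added example (a simplified model written for this page, not the researchers’ code): each sender is described by what it currently gets through the congested link and the most it can send; when the link’s capacity is temporarily raised k-fold, a throttled sender grows toward its demand while a sender already at its maximum cannot, and the growth ratio separates the two. The flows, rates and thresholds are constructed.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Flow is one sender's traffic across the congested link, in Mbit/s.
// Demand is the most the sender can or will push; Rate is what it currently
// gets through the saturated link. All values here are constructed.
type Flow struct {
	Src    string
	Demand float64
	Rate   float64
}

// expand models a temporary k-fold bandwidth increase on the congested link:
// a sender that was being throttled ramps toward its demand, while one that
// was already sending at its maximum stays where it is.
func expand(flows []Flow, k float64) map[string]float64 {
	after := make(map[string]float64, len(flows))
	for _, f := range flows {
		after[f.Src] = math.Min(f.Demand, f.Rate*k)
	}
	return after
}

// classify separates senders by how much their rate grew when capacity grew
// by k: those below minGrowth are the candidates for rate-limiting, since a
// source that cannot grow was already sending flat out.
func classify(flows []Flow, k, minGrowth float64) (legit, suspect []string) {
	after := expand(flows, k)
	for _, f := range flows {
		if f.Rate > 0 && after[f.Src]/f.Rate >= minGrowth {
			legit = append(legit, f.Src)
		} else {
			suspect = append(suspect, f.Src)
		}
	}
	sort.Strings(legit)
	sort.Strings(suspect)
	return legit, suspect
}

func main() {
	flows := []Flow{
		{"198.51.100.10", 50, 5}, // a household throttled by the flood
		{"198.51.100.11", 20, 5},
		{"203.0.113.20", 5, 5}, // a bot already sending as fast as it can
		{"203.0.113.21", 5.5, 5},
	}
	legit, suspect := classify(flows, 4, 2)
	fmt.Println("grew with the link (legitimate):", legit)
	fmt.Println("stayed flat (suspect):", suspect)
}
```

The cost side of the trade-off falls out of the same model: to keep the link saturated after a k-fold expansion the attacker has to send k times as much, and every bot that does so is exactly the one whose rate stays pinned at its maximum, which is what the ratio test picks out.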
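The signed-command rule described in the last item, as an added example that is not Virgil Security’s code or any vendor’s: a device that carries only the vendor’s Ed25519 public key and refuses any command that is not signed with the matching private key, is addressed to another device, or repeats an old sequence number. A compromised router on the path can read or alter the message but cannot produce a valid signature. The command format, device names and sequence scheme are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Command is what a vendor's control server sends to a device. The signature
// covers all of these fields; Seq must increase so an old command captured on
// the path cannot be replayed. (Format is assumed for this example.)
type Command struct {
	DeviceID string `json:"device_id"`
	Seq      uint64 `json:"seq"`
	Action   string `json:"action"`
}

// SignedCommand carries the command and the vendor's Ed25519 signature over it.
type SignedCommand struct {
	Command
	Sig []byte
}

// encode gives the canonical bytes that are signed and verified. json.Marshal
// emits struct fields in declaration order, so both sides produce the same bytes.
func (c Command) encode() []byte {
	b, _ := json.Marshal(c)
	return b
}

// NewVendorKey generates the vendor's signing key pair; the public half is
// what would be burned into the device at manufacture.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the control-server side: only the holder of the private key can do this.
func Sign(priv ed25519.PrivateKey, c Command) SignedCommand {
	return SignedCommand{Command: c, Sig: ed25519.Sign(priv, c.encode())}
}

var (
	ErrWrongDevice  = errors.New("command addressed to another device")
	ErrBadSignature = errors.New("signature does not verify under vendor key")
	ErrReplay       = errors.New("sequence number not newer than last executed")
)

// Device is the firmware side: it knows only the vendor's public key and the
// last sequence number it acted on.
type Device struct {
	ID        string
	VendorKey ed25519.PublicKey
	lastSeq   uint64
}

// Execute refuses anything not addressed to this device, not signed by the
// vendor key, or not newer than what it has already executed.
func (d *Device) Execute(sc SignedCommand) error {
	if sc.DeviceID != d.ID {
		return ErrWrongDevice
	}
	if !ed25519.Verify(d.VendorKey, sc.Command.encode(), sc.Sig) {
		return ErrBadSignature
	}
	if sc.Seq <= d.lastSeq {
		return ErrReplay
	}
	d.lastSeq = sc.Seq
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	cam := &Device{ID: "cam-01", VendorKey: pub}

	genuine := Sign(priv, Command{DeviceID: "cam-01", Seq: 1, Action: "set-firmware-url https://updates.example/fw.bin"})
	fmt.Println("genuine command:", cam.Execute(genuine))

	tampered := genuine
	tampered.Action = "set-firmware-url http://bogus.example/fw.bin" // altered in transit
	fmt.Println("tampered command:", cam.Execute(tampered))

	fmt.Println("replayed command:", cam.Execute(genuine))

	_, otherPriv := NewVendorKey()
	forged := Sign(otherPriv, Command{DeviceID: "cam-01", Seq: 2, Action: "reboot"})
	fmt.Println("forged command:", cam.Execute(forged))
}
```

Two design points matter in practice: the device ID is inside the signed payload, so a valid command for one unit cannot be redirected to another, and the sequence check runs only after the signature verifies, so an unauthenticated message can never advance the device’s replay counter.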

There is a fourth option that Motherboard reported on: vigilante hackers out to protect the internet could write code that worked the same as Mirai, but it would just brick devices with shoddy security. In other words, stifle a few CCTV cameras so that the free flow of kitten videos might continue. It would be like using the dark side of the Force in service of the light, and it would be very, very illegal.

It would not be surprising, however, as our lives become more and more interwoven with the internet, if one day state level actors did just that on everyone’s behalf. Our economy already depends on the internet working right. Before long, it will be our lives too. Governments might not have much of a choice.
