Users can now check whether their network is exposed to Mirai, one of the most prolific botnets to have targeted Internet of Things (IoT) devices this year.

The botnet was initially detailed in early September, but it became more popular in early October, when its author released the source code online. The malware, designed to harness the power of insecure IoT devices to launch distributed denial of service (DDoS) attacks, had been previously used in massive incidents targeting Brian Krebs' blog and hosting provider OVH.

With the primary purpose of IoT botnets being DDoS attacks, it’s no wonder that Akamai said that Mirai wasn’t alone in the 665 gigabit per second (Gbps) attempt to take down Krebs. However, security researchers reported that Mirai was increasingly used in DDoS incidents following the source code leak.

One such Mirai attack targeted DNS provider Dyn and disrupted popular websites such as Twitter, Etsy, GitHub, Soundcloud, PagerDuty, Spotify, Shopify, Airbnb, Intercom and Heroku. With infected devices in 164 countries and the use of Internet protocols that aren’t usually associated with DDoS attacks, such as STOMP floods, Mirai continues to wreak havoc. 

Because Mirai’s success is fueled by the existence of IoT devices that aren’t properly secured, it could be easily countered by simply changing the default credentials on vulnerable devices and by closing the Telnet port the botnet uses for infection. That, however, is an operation that users and network admins need to perform, but they might not always be aware of such an issue impacting them.

To help users determine whether their network is exposed to Mirai or not, IoT Defense Inc., a startup company based in the Washington DC Metro area, launched a web scanner that does exactly that: it searches for opened TCP ports and informs users whether they are safe or not. 

The IoT Defense scanner was written using a combination of Python, Node JS and Jade frameworks and scans for nearly a dozen ports that botnets can exploit. Accessing and using the scanner is free and little instructions are needed, as it does all with a simple click of a button.

The tool was designed to scan for ports such as File Transfer Protocol (FTP), Secure Shell (SSH), Telnet (both 23 and the alternative 2323), HTTP, HTTPS, Microsoft-SQL-Server, EtherNet/IP, Telnet (alternative), Microsoft Remote Desktop Protocol (RDP), Web Proxy, and Apache Tomcat SSL (HTTPS).

While not all of these ports are targeted by Mirai, a couple are, with the 2323 Telnet port being specifically attacked. The IoT botnet scans the Internet for exposed IoT devices such as routers, IP cameras, and DVRs, and, when it finds vulnerable devices, it attempts to login to them using a list of default login credentials.

This, however, is a behavior employed by other botnets as well. What’s more, while disinfecting a device compromised by Mirai is very easy, because a simple reboot would suffice, keeping the malware away from that device is more complicated. Because of constant scans, vulnerable IoT products are re-infected within minutes.

Device vendors are those who need to take action, because users rarely do so T. Roy, CEO, IoT Defense, told SecurityWeek via email. They should add in-field auto-updates to their devices, should use per device unique passwords (something that router manufacturers have already started implementing), and should not open up unnecessary ports.

Because their incentives are not aligned with device vendors, it’s clear that users might not be the ones to fix this issue. Users might not care – provided that they are aware of an issue – that their routers, IP cameras, or DVRs are used to DDoS websites and DNS providers. As long as the bandwidth usage doesn’t affect them, they are not disadvantaged, and T. Roy believes that one solution would be for ISPs to impose bandwidth caps.

A set of rules to impose stricter security of IoT devices would also be of help, and steps in this direction are already being taken, with the Department of Homeland Security (DHS) publishing its Strategic Principles for Securing the Internet of Things. The document includes six non-binding principles designed to provide security across the design, manufacturing and deployment of connected devices.

IoT Defense’s CEO also notes that IoT vendors need to have a servicing model in place, to resolve vulnerabilities in their devices when they are discovered. Just as it happens with many other products, vendors would be given a window to resolve the found issues or face consequences. However, he isn’t very optimistic about vendors actually taking stance.

“As of today, IoT device manufacturers have very little to show for security which always gets trumped by new features and time or market concerns. It is wishful thinking to expect device vendors to step up their game and make security and privacy key differentiators for their products,” T. Roy said.

Last year, Gartner said that the number of connected devices will grow above the 20 billion mark by 2020. Now, Juniper Research estimates that there will be 38.5 billion connected IoT devices by that year, and that 70% of these units are expected to be non-consumer devices. Should the level of insecurity within these devices remain the same, the consequences will be dire for consumers, enterprises, and vendors alike.

The good news, however, is that even today enterprises block inbound open external access over protocols such as Telnet and SSH, meaning that IoT devices within corporate environments aren’t exposed. However, as Zscaler points out, these devices remain vulnerable nonetheless, and steps should be taken to defuse the situation, including automating the security and firmware updates and enforcing default password change at initial setup.

The issue at hand remains the existence of not only hundreds of thousands of IoT devices infected with Mirai, but also of hundreds of thousands more vulnerable to the botnet. More importantly, while the main purpose of IoT malware is the launch of DDoS attacks, cybercriminals have focused mainly on infecting complex devices, but could switch to simpler products such as smart toys, home appliances, wearables, and more, which would result in a flood of IoT malware all around us.

T. Roy agrees with that as well: “The day is not too far when Ransomware is going to straddle the boundary between the PC and the smart devices in the consumer's home. Unlike PC based ransomware where your pictures and videos are at stake, with everything being controlled by your smart devices your life and property are at stake.”

“Regulation will likely be the fix for IoT security,” F5 Networks evangelist David Holmes notes in a SecurityWeek column, citing Mikko Hypponen, Chief Risk Officer of F-Secure. However, he also explains that Internet security cannot be regulated like other manufacturing processes. Increasing awareness among users could also help resolve this issue, with the IoT Defense scanner being a small step in this direction.

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:


SecurityWeek RSS Feed

Internet of Things (IoT)—an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data

Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.

On September 20, 2016, Brian Krebs’ security blog (krebsonsecurity.com) was targeted by a massive DDoS attack, one of the largest on record, exceeding 620 gigabits per second (Gbps).[1] An IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.[2] The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website.[3]

In late September, a separate Mirai attack on French webhost OVH broke the record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits per second (Tbps), and may have been as large as 1.5 Tbps.[4]

The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.[5] Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks.[6] This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million enslaved IoT devices.[7]

With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization’s communications or cause significant financial harm.

Software that is not designed to be secure contains vulnerabilities that can be exploited. Software-connected devices collect data and credentials that could then be sent to an adversary’s collection point in a back-end application.

Cybersecurity professionals should harden networks against the possibility of a DDoS attack. For more information on DDoS attacks, please refer to US-CERT Security Publication DDoS Quick Guide and the US-CERT Alert on UDP-Based Amplification Attacks.


In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware [8].
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. See US-CERT Tip Choosing and Protecting Passwords for more information.
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.

Preventive Steps

In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.[9]
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.[10]
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.

US-CERT Alerts

AirLink cellular gateway devices by Sierra Wireless are being infected by the infamous Mirai malware.

Sierra Wireless

Sierra Airlink models LS300, GX400, GX/ES440, GX/ES450, and RV50 are listed as vulnerable.

“The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself,” the company noted in a security advisory.

“Based on currently available information, once the malware is running on the gateway it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a Distributed Denial of Service (DDoS) attack on specified targets.”

ICS-CERT pointed out that the malware does not exploit a software or hardware vulnerability in the gateway devices.

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices,” they explained, and added that with the recent release of the Mirai source code on the Internet, more IoT botnets are likely to be created.

Sierra Wireless has advised administrators of these devices to reboot the gateway to eliminate the malware (it resides in memory, so it will be automatically deleted), then immediately change the ACEmanager password to a unique, strong (complex and long) one.

Other attack mitigation options, such as disabling remote access on the devices and IP whitelisting, have been noted.

Help Net Security