The IoT Zombie Apocalypse

Published By:
Published ON:
November 25, 2016

This blog post will look at the security issues surrounding so-called “smart devices”, and the distributed denial of service (DDoS) attacks that have occurred in recent months. It will attempt to address some of the burning questions that have been asked since, such as how on earth can a zombie army of video recorders and cameras deny access to a large chunk of the internet?

Who would do such a thing and why? And, how vulnerable is the Internet’s infrastructure to these monster botnets?

Big, Bad Botnets

Discussions have been raging since the attack on DynDNS that occurred on the 21st October as to the apparent feeble nature of the domain name system (DNS), and the horrendous security of Internet of Things devices. What is particularly concerning is the sudden proliferation in potency of distributed denial of service (DDoS) attacks, which rely on an army of compromised devices to perform.

On 20th September, the website of security researcher Brian Krebs sustained a DDoS attack that was measured to be around 620 Gbps in size. Two days later a major French web hosting company, OVH, was hit with an attack measured to be 1Tbt in size. The size of the attack on DynDNS has yet to be made public.

Among other things, what connects these attacks is the malicious infrastructure that was used consisted - at least in part – of zombie machines infected by the Mirai malware. Put in simple terms, this malware scans for specific types of smart device such as digital video recorders, CCTV cameras, and printers, and uses the remote login protocols of Telnet and SSH to gain access once they have been discovered. What allows for ease of access is the manufacturers’ less than sensible decision to hardcode credentials (i.e. usernames and passwords) into the devices and to leave the Telnet and SSH ports open by default.

The Mirai botnet is not the first botnet of this kind, nor will it be the last. The now largely defunct Lizard Squad hacking group created a DDoS tool called LizardStresser in 2014 that drew its power from compromised home Wi-Fi routers. More recently, following the leak of the Mirai botnet source code on the Hackforums hacking community website by a member calling themselves Anna-senpai, researchers are discovering several new botnets that have the ability to be even more powerful than the Mirai botnet. As is often the case in underground marketplaces and forums, malware code, tools and techniques are traded, stolen and given away for free.

Now, a security researcher has identified a botnet malware that has the somewhat literal name of Linux/IRCTelnet. As the name suggests, it performs DDoS attacks after infecting Linux devices via the Telnet protocol, using Internet Relay Chat (IRC) for Command & Control purposes. What is interesting about this botnet is how it has drawn its capabilities from those of other botnets. It has been built on the source code of an older form of malware called Aidra, it uses Telnet scanning logic from another (Torlus/Gayfgt), and it uses the hardcoded login credentials discovered by Mirai’s operators to brute force access. As a result, the Linux/IRCTelnet botnet was able to gather 3,500 devices in 5 days.

Who’s behind it all?

Although there have been claims of responsibility for the attack on DynDNS, there is certainly no consensus on who the real culprit is. New World Hackers claimed in a farewell message that they were the ones “who took down the east coast”, a reference to DynDNS being unable to resolve to the East Coast of America during the attack.

It is possible that they had access to a portion of the bots in the Mirai botnet following it going public, however the credibility of this group has been questioned by many in the past. They also claim to have a “supercomputer botnet consisting of over 100,000 IoT devices”, which is significantly fewer than is meant to constitute the Mirai botnet.

As has become routine in recent months, some observers, including an American hacker going by the name of The Jester, believe it to be the work of Russian government affiliated groups seeking to destabilise the American DNS infrastructure. Although there are minor pieces of evidence, such as Russian language in the Mirai source code, the nature of the targets - and the fact that most of the chatter regarding its use has been on hacker forums - does not sit well with the theory that this was state sponsored.

As for the theory that organised crime groups are behind the attack, this has been assessed to be unlikely after DynDNS said publicly that no ransom demands were made. Brian Krebs has also given no indication that a demand for money was made after his website was targeted.

An assessment by Flashpoint rests on the fact that the malicious infrastructure also targeted a video game company, an activity not indicative of nation state or criminal activity but of “script kiddies”. They also pin down the hacking community hackforums[.]net as the most likely breeding ground for this attack. This site is where the previously mentioned hacker known as Anna-senpai released the Mirai source code, and where many DDoS-related activities have been attributed to in the past.

It is also interesting that the attacks on the Krebs website and DynDNS occurred very shortly after they made announcements or speeches on how to combat DDoS attacks. Krebs says that it is possible that the attack was “in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.” The attack on DynDNS came shortly after one of their researchers presented a talk in Texas about DDoS mitigation and the work of Brian Krebs. This is indicative of a hacker mentality, proving a point to those who believe they can defend themselves.

Is the internet over as we know it?

These attacks have brazenly highlighted the negligent culture of security relating to smart devices. It has shown that the desire to roll out new devices without seriously considering the security implications is a serious issue that needs to be addressed.

The Chinese company that produced much of the fodder for the Mirai botnet has begun to recall their products and attempted to issue firmware patches. But for the most part, the problem will get worse before it gets better. Unless changes in regulation and security practices happen, the potency of these botnets will become greater.

Having said this, the attacks on the Krebs website and OVH were both well mitigated, meaning that services were not down for a long time. And while the attack on DynDNS did cause problems for clients trying to access certain sites on the east coast of America, the attack did not create a nationwide outage. The dispersed nature of DNS means that websites can change their nameservers if the one they were using comes under attack. Therefore, it is important for websites to have two or more nameservers for each domain record.

Ultimately, the attack on DynDNS doesn’t signal the imminent death of the internet as we know it, it calls for a more balanced, pragmatic use of the internet routing system, meaning greater resilience against these types of attack.

Find out more about our cyber intelligence services: