In a previous article, we looked at how large numbers of IoT devices were used as bots (or ‘zombies’) to carry out high-profile distributed denial of service (DDoS) attacks. Shortly after we wrote that piece, the source code for the malware behind the attack was made available by someone purporting to be its creator.
Mirai, the virus in question, carries a Trojan horse that makes IoT kit attempt DDoS attacks on various well-known websites. If estimates are correct, it’s had quite an impact: according to MalwareTech, the infection spread to 120,000 devices. Others have suggested the figure is as high as 1.5 million.
Viruses like this are here to stay – so how do we deal with them?
Let’s look at how Mirai spread in the context of medical virology. The spread of a medical infection can be modeled using a susceptible-infected-recovered (SIR) curve. This model can also be applied to the Mirai situation, as the graph below shows.
Once Mirai infects a particular device, it sets about looking for more targets to infect. It does this by randomly spraying the web in search of devices whose Telnet ports are open and login credentials are still set to the defaults. Whenever it finds a suitable target, the virus infects it, meaning it joins the army of zombies and starts looking for targets of its own. This process is shown by the initial steep curve on the chart.
While some of the kit will get cleaned or protected, a significant proportion will remain permanently infected. What’s more, of the devices that do get cleaned, any that aren’t immunized will likely get infected again in the future.
This means that at least in the short and medium term, the virus will continue to renew itself.
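As an added illustration (not part of the original article), here is a small discrete-time SIR simulation with the relapse path the text describes: cleaned devices that are not immunized return to the susceptible pool and can be infected again. The population size, infection rate, cleaning rate and immunization fraction are constructed assumptions, not measurements of Mirai.

```python
"""Discrete-time SIR model of Mirai-style spread with reinfection (added example).

Compartments:
  S - susceptible: Telnet exposed, default credentials still set
  I - infected: part of the botnet, scanning for new victims
  R - recovered: cleaned AND immunized (credentials changed / Telnet closed)
Devices that are cleaned but not immunized go back to S and can be reinfected.
All parameter values below are constructed assumptions, not measured data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Params:
    population: int = 200_000   # vulnerable devices reachable by scanning (assumed)
    beta: float = 0.5           # infections per infected device per step at S == N (assumed)
    gamma: float = 0.05         # fraction of infected devices cleaned each step (assumed)
    immunize: float = 0.3       # fraction of cleaned devices that are also immunized (assumed)
    initial_infected: int = 10
    steps: int = 400


def simulate(p: Params) -> List[Tuple[float, float, float]]:
    """Return the (S, I, R) counts for every step, starting with the initial state."""
    n = float(p.population)
    s, i, r = n - p.initial_infected, float(p.initial_infected), 0.0
    history = [(s, i, r)]
    for _ in range(p.steps):
        # Random scanning: an infected device reaches a susceptible one with probability S/N.
        new_infections = min(s, p.beta * i * s / n)
        cleaned = p.gamma * i
        immunized = cleaned * p.immunize
        relapsed = cleaned - immunized           # cleaned, but still default-credentialed
        s = s - new_infections + relapsed
        i = i + new_infections - cleaned
        r = r + immunized
        history.append((s, i, r))
    return history


def peak_infected(history) -> Tuple[int, float]:
    """Step index and height of the infection peak (the steep initial climb on the SIR chart)."""
    idx = max(range(len(history)), key=lambda k: history[k][1])
    return idx, history[idx][1]


def final_infected(history) -> float:
    """Infected devices left at the end of the run."""
    return history[-1][1]


if __name__ == "__main__":
    print("peak (step, infected):", peak_infected(simulate(Params())))
    print("no immunization, still infected:", round(final_infected(simulate(Params(immunize=0.0)))))
    print("full immunization, still infected:", round(final_infected(simulate(Params(immunize=1.0)))))
```

With no immunization the model settles at a persistent endemic level, which is the self-renewing behaviour the article describes; only when every cleaned device is also immunized does the infected count decay towards zero.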
Can the virus be killed?
There might be ways to kill Mirai off – or at the very least, contain the impact it has.
Clean every device
This sounds great in theory, but realistically, isn’t going to happen. Most device owners won’t realize their kit is infected. Even if they do, many won’t know how to clean it, or be inclined to spend the time doing so, seeing as the infection doesn’t directly affect them.
Take out the command-and-control servers
When Mirai infects a device, it then needs to get instructions from a command-and-control server. Most likely, these themselves aren’t infected devices – instead, they’re compromised servers. If they can be removed from the equation, it will slow Mirai’s spread.
Defend the targets
DDoS attacks have been around for many years and there are ways to protect potential targets, such as moving the website in question to a different hosting company.
But despite these measures, it’s unlikely we’ll be able to wipe out the infection entirely.
A growing IoT security problem
Mirai is just one example of self-propagating malware that targets the IoT. There will invariably be others, boosted by the widespread availability of the Mirai source code. Miscreants are likely to tweak the way the virus works to make it even more difficult to eradicate,