Mirai Goes Open-Source and Morphs into Persirai

How can companies prevent IoT devices from becoming unwitting members of a Persirai botnet?
By Robert Hamilton

In March, Imperva Incapsula mitigated a Mirai-based attack that indicated the malware had mutated yet again. Before this attack, it appeared as though the Mirai botnet DDoS attacks focused on launching network-layer DDoS attacks—attacks that try to flood the network pipes, forcing Web traffic to slow to a crawl. These new attacks saw a Mirai botnet launch an application layer attack on a U.S. college website that lasted for more than 54 hours. In total, the attack generated more than 2.8 billion requests. What's interesting about Mirai's ability to launch application-layer attacks is that it takes far fewer bots to bring a website down through an application attack. In this case, it took fewer than 10,000 infected IP cameras, DVRs and routers to launch a sizeable attack.

This brings us to Persirai, the newest version of Mirai that was discovered last month by researchers at Trend Micro and comes equipped with even more advanced features. Previous versions of Mirai used to rely on guessing default passwords, so any IoT devices that had default passwords changed were considered protected. Researchers discovered that Persirai became even more aggressive by exploiting a zero-day vulnerability to steal the password file from an IP camera, regardless of password strength. Persirai's ability to leverage the previous features, plus its password-stealing capability, has led to a substantial increase in the number of infected devices.

Persirai is on an aggressive recruitment push. Within a month of its release, Persirai came to dominate the population of Mirai-variant infected devices, accounting for more than 64 percent of all infections. Particularly alarming is the password-stealing feature of the new Persirai variant, which renders the previous recommendation of simply changing default passwords outdated. While a Persirai-infected device is not likely to malfunction, no organization wants to host a battalion of DDoS foot-soldiers.

Additional measures to ensure that IoT devices do not become unwitting members of a Persirai botnet include blocking Internet access to admin ports and disabling universal plug-and-play (UPnP) on the router or firewall. Also consider isolating IoT devices on your network using segmentation or firewall policies, and allow IoT devices to communicate only with approved IP addresses. To avoid becoming the victim of a DDoS attack regardless of the botnet, consider subscribing to a DDoS mitigation service.
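The segmentation and allow-list policy above can be checked against firewall or flow logs. The following is an added example, not code from the article or from Imperva; the IoT subnet, approved destinations, management ports and flow records are all assumed placeholders, and the flow format is a constructed "src dst dst_port" line.

```python
import ipaddress
from typing import Optional

# Assumed network layout and allow-list (placeholders, not taken from the article).
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")       # isolated IoT VLAN
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in       # RFC 1918 space = "inside"
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_DESTINATIONS = {                                   # the only external hosts cameras may reach
    ipaddress.ip_address("192.0.2.50"),                     # placeholder: vendor cloud service
    ipaddress.ip_address("192.0.2.123"),                    # placeholder: NTP server
}
ADMIN_PORTS = {22, 23, 80, 443, 8080, 8443}                 # typical device management ports

# Constructed flow records "<src_ip> <dst_ip> <dst_port>" (sample data, not real traffic).
SAMPLE_FLOWS = [
    "192.168.50.12 192.0.2.50 443",       # camera -> vendor cloud: approved
    "192.168.50.12 203.0.113.77 48101",   # camera -> unknown host: egress violation
    "198.51.100.9 192.168.50.12 80",      # Internet -> camera web UI: exposed admin port
    "192.168.50.13 192.168.10.5 445",     # camera -> office LAN: segmentation violation
    "192.168.10.5 192.168.50.13 443",     # office LAN -> camera admin: allowed
]

def parse_flow(line: str):
    src, dst, port = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)

def classify(line: str) -> Optional[str]:
    """Return a violation label for one flow, or None if it complies with the policy."""
    src, dst, port = parse_flow(line)
    if src in IOT_SEGMENT:
        # Egress rule: an IoT device may talk only to its own segment or the allow-list.
        if dst not in IOT_SEGMENT and dst not in APPROVED_DESTINATIONS:
            return "unapproved egress"
        return None
    if dst in IOT_SEGMENT and port in ADMIN_PORTS and not is_internal(src):
        # Ingress rule: management ports must not be reachable from the Internet.
        return "admin port exposed"
    return None

def audit(lines):
    """Return [(flow, label)] for every flow that violates the policy."""
    return [(line, classify(line)) for line in lines if classify(line)]

if __name__ == "__main__":
    for flow, label in audit(SAMPLE_FLOWS):
        print(f"{label:20s} {flow}")
```

Run against real exports, the same two rules flag devices that have started reaching out to unknown hosts (command-and-control or attack traffic) and devices whose admin interfaces are still exposed despite the router changes.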

Robert Hamilton is the director of product marketing for the Incapsula service at Imperva. Incapsula is a cloud-based application delivery service that protects websites and increases their performance, improving end-user experiences and safeguarding Web applications and their data from attack.
