In the past there have been many hacker attacks that the whole world came to know about, such as the Mirai botnet attack. It was also the wake-up call for all engineers and technologists to put more effort into, and pay more attention to, the security measures for their applications.

This means that there are millions of devices that are vulnerable to intrusion, or that have even already been compromised. The Mirai botnet proved that smart devices can give cybercriminals what they need, given the number of devices they can now target.

What is a SYN flood attack? If the attacker is using a botnet such as the Mirai botnet, they will generally succeed in hiding the IP addresses of the infected devices. Using a SYN flood attack, a malicious actor attempts to mount a DDoS attack against a device

The new botnet was named Ttint and, like all the other descendants of Mirai, it can launch denial-of-service attacks. What is new is that this botnet can carry out 12 different remote-access methods, including a Socks5 proxy, DNS modification and the

The Mirai botnet became notorious when it was used in the large-scale distributed denial-of-service (DDoS) attack against the well-known DNS provider Dyn. That attack caused a widespread Internet outage this past October 21.
Mirai is malware that infects smart devices running on ARC processors, turning them into a network of remotely controlled bots, or "zombies". This network of bots, called a botnet, is often used to launch DDoS attacks. Malware, short for malicious software, is a term that covers computer worms, viruses, Trojan horses, rootkits and spy

September 2016, the authors of the Mirai malware launched a DDoS attack on the website of a well-known security expert. A week later, they released the source code to the world, possibly in an effort to hide the origin of that attack. The code was quickly copied by other cybercriminals and is believed to be behind the major attack that took down the domain registration service provider Dyn in October of

work? Who created the Mirai botnet? Why is the Mirai malware still dangerous?

How does Mirai work?
Mirai scans the Internet for IoT devices running on ARC processors. This processor runs a stripped-down version of the Linux operating system. If the default username and password combination has not been changed, Mirai can log in to the device and infect

short for Internet of Things, is just a fancy term for smart devices that can connect to the Internet. These devices can be baby monitors, vehicles, network routers, agricultural equipment, medical devices, environmental monitoring devices, home appliances, DVRs, CC cameras, headphones or detectors

Mirai botnet used hundreds of thousands of compromised IoT devices to take down

created the Mirai botnet?
Twenty-one-year-old Paras Jha and twenty-year-old Josiah White co-founded Protraf Solutions, a company that provides mitigation services for DDoS attacks. Theirs was a classic case of racketeering: their business provided DDoS mitigation services to the very organizations that their malware attack

is the Mirai malware still dangerous?
Mirai is mutating. Although its original creators have been arrested, their source code lives on. It has spawned variants such as Okiru, Satori, Masuta and PureMasuta. For example, PureMasuta can weaponize the HNAP bug in D-Link devices. The OMG strain, on the other hand, turned IoT devices into proxies that let cybercriminals hide

also a recently discovered, and powerful, botnet nicknamed IoTrooper and Reaper, capable of compromising IoT devices much faster than Mirai. Reaper can target a larger number of device manufacturers and has much greater control over its bots
More than three years after its first appearance, the Mirai botnet is still one of the biggest threats to IoT. Learn about its variants and how to protect against them.

The Mirai botnet has been a constant IoT security threat since it emerged in fall 2016. The subsequent release of its source code only extended Mirai's reach and is one of the many reasons NetScout labeled it the "king of IoT malware." While Mirai's distributed denial-of-service capabilities aren't anything researchers haven't seen before, "when wielded by a capable attacker, it can launch high-volume, nontrivial DDoS attacks," said Richard Hummel, ASERT threat research manager at NetScout. Its segmented command and control is instrumental to launching simultaneous attacks against multiple unrelated targets, he added. Mirai DDoS attack capabilities include SYN flooding, User Datagram Protocol flooding, ACK flooding and HTTP GET, POST and HEAD attacks.

Mirai continues to be successful for a well-known reason: its targets are IoT devices with hardcoded credentials found in a simple web search. Such devices, Hummel said, listen for inbound telnet access on certain ports and have backdoors through which Mirai can enter. Once a device is subsumed in the botnet, he added, it immediately scans for other victims. "The mean time to compromise a vulnerable IoT device is 10 minutes or less," Hummel said. "This means compromised devices that are switched off or rebooted will almost certainly be recompromised unless proactive steps are taken to shield TCP/23, TCP/2323 and TCP/103 access."

NetScout research found more than 20,000 unique Mirai samples and variants in the first half of 2019, a number Hummel said dipped slightly in the latter half of the year. Here, Hummel discusses why Mirai is still so prevalent more than three years after its initial attacks and offers advice on how enterprises can defend against it.

Editor's note: This interview has been edited for length and clarity.

Why is the Mirai IoT botnet still such a threat to connected devices?

Richard Hummel: The release of the Mirai source code made it trivial for a threat actor with little to no skill to build his own IoT botnets. Many IoT devices, such as home routers, are installed and rarely patched. Updating the original Mirai source code to include newly discovered exploits and hardcoded credentials translates into why we see a rising number of Mirai-based botnets.

What are some of the top Mirai variants you're seeing?

Hummel: The variants we are seeing work like the original Mirai botnet. Threat actors modify the original Mirai source code to include newly released hardcoded credentials and vulnerabilities to exploit vulnerable IoT devices. We also see a mixture of the original DDoS attacks included from the Mirai source code. The top five variants seen by NetScout's honeypot network for 2019 were IZ1H9, Ex0, Ares, LZRD and Miori.

Do you expect to see the same number of Mirai variants in 2020 and beyond?

Hummel: Because of the sheer number of IoT devices coming online - Verizon predicted billion devices to connect by 2020 - they will continue to be targeted by threat actors. Mirai and its variants will continue to dominate the IoT malware landscape in 2020, and we will also see a handful of unique, non-Mirai-based IoT malware as well.

Is Mirai solely an IoT threat? What other devices or systems does it target?

Hummel: Mirai-based variants are continually evolving. In the past three years, we have witnessed Mirai variants target Ethereum mining clients and Linux servers running vulnerable versions of Hadoop YARN.

What steps can enterprises take to prevent Mirai and other IoT malware from being successful?

Hummel: Consumers need to change default credentials and patch and update their IoT devices. When possible, apply proper access controls. From an organizational perspective, the same applies: change default credentials, implement proper patching and updating, apply access controls and deploy DDoS mitigation strategies.

This was last published in February 2020.
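The interview above describes the infection side of Mirai: a bot sweeps many addresses on the telnet ports, and a rebooted device is recompromised within minutes unless those ports are shielded. The following is an added example, not code from the interview or from NetScout, showing how a defender can spot such a sweep in firewall logs and what the shielding rules look like. The iptables-style log format, the sample lines, the 60-second window and the threshold of five distinct destinations are all constructed assumptions; the watched ports (TCP/23, TCP/2323, TCP/103) are the ones the interview names.

```python
"""Flag Mirai-style telnet sweeps in firewall logs and emit shielding rules.

Added example, not code from the interview above. A Mirai bot hunts for
new victims by opening TCP/23 and TCP/2323 on many addresses in quick
succession. This parses iptables-style LOG lines (format and sample lines
constructed here) and reports any source that reaches an unusual number
of distinct destinations on the watched ports inside a sliding window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

WATCHED_PORTS = {23, 2323, 103}     # the ports the interview says to shield
WINDOW = timedelta(seconds=60)      # assumed detection window
THRESHOLD = 5                       # assumed: distinct targets that count as a sweep

# Constructed line shape: "<iso-ts> <host> kernel: IN=... OUT= SRC=... DST=... PROTO=TCP SPT=... DPT=... SYN"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: IN=\S* OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) .*\bSYN\b"
)

# Constructed sample: one sweeping source, one ordinary telnet login,
# some web traffic that must be ignored, and one line that does not parse.
SAMPLE_LOG = [
    "2022-04-21T10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=41210 DPT=23 WINDOW=14600 SYN URGP=0",
    "2022-04-21T10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP SPT=41211 DPT=23 WINDOW=14600 SYN URGP=0",
    "2022-04-21T10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP SPT=41212 DPT=2323 WINDOW=14600 SYN URGP=0",
    "2022-04-21T10:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.14 PROTO=TCP SPT=41213 DPT=23 WINDOW=14600 SYN URGP=0",
    "2022-04-21T10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.15 PROTO=TCP SPT=41214 DPT=23 WINDOW=14600 SYN URGP=0",
    "2022-04-21T10:00:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.16 PROTO=TCP SPT=41215 DPT=2323 WINDOW=14600 SYN URGP=0",
    "2022-04-21T10:00:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.11 PROTO=TCP SPT=50001 DPT=23 WINDOW=29200 SYN URGP=0",
    "2022-04-21T10:00:08 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.12 PROTO=TCP SPT=50002 DPT=80 WINDOW=29200 SYN URGP=0",
    "2022-04-21T10:00:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.13 PROTO=TCP SPT=50003 DPT=443 WINDOW=29200 SYN URGP=0",
    "2022-04-21T10:00:10 gw kernel: unrelated message that does not match the pattern",
]


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a SYN log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def find_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each sweeping source to the peak number of distinct destinations
    it touched on a watched port within any single window."""
    probes = defaultdict(list)                       # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in WATCHED_PORTS:
            continue
        ts, src, dst, _ = rec
        probes[src].append((ts, dst))

    scanners = {}
    for src, events in probes.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            scanners[src] = peak
    return scanners


def shield_rules(ports=WATCHED_PORTS):
    """iptables rules that drop inbound connection attempts to the watched
    ports, i.e. the 'proactive steps' the interview recommends."""
    return [f"iptables -A INPUT -p tcp --dport {p} --syn -j DROP" for p in sorted(ports)]


if __name__ == "__main__":
    print("sweeping sources:", find_scanners(SAMPLE_LOG))
    print("\n".join(shield_rules()))
```

The single telnet connection from 192.0.2.10 is not reported, only the source that reached six different hosts on 23/2323 within seconds; the web traffic never enters the count because its ports are not watched. The window/threshold pair is what you would tune against your own baseline before alerting on it.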
Updated 04/21/2022

Mirai malware transforms connected devices, like baby monitors and doorbells, into an army that hackers can control remotely. The so-called Mirai botnet can take down websites, servers, and other key assets for days at a time. A major cyber attack in October 2016 is related to Mirai malware. But the threat isn't over. Mutations to the Mirai virus continue even now.

What is the Mirai botnet?

The Mirai botnet is made of devices capable of connecting to an internet address. Each device reaches out to a central server that directs the attack. Let's break down the pieces of this threat:

Devices: Connected internet of things (IoT) devices have stripped-down operating systems, and they can connect to the internet. They're often shipped from the factory with preset usernames and passwords owners rarely change.
Infection: IoT devices have open Telnet ports. Mirai malware developers search for those open ports, and they attempt to log in with 61 username/password combinations often used as defaults.
Malware: With login complete, the device downloads and implements malware.
Botnet: All IoT devices with the malware are part of a network, or botnet, that works collectively on a goal set by hackers.

The Mirai botnet's first iteration was a money-making worm created by two owners of a DDoS mitigation company. In essence, they infected targets and then asked owners to pay them for "protection" from the same attack. The idea was sparked by Minecraft. Players log onto a hosted server, and while they're engaged in the virtual world, they make real-world purchases to lengthen their game time. Knocking a hosting server offline could mean losing thousands of dollars. Victims were willing to pay to stay online. But the Mirai botnet developers started widening their attack surface. What started as an idea used to dominate the Minecraft reality became a tool capable of hurting almost everyone.

How does Mirai malware work?

When an IoT device is infected with Mirai malware, it can launch tiny attacks against a selected victim. But if thousands of IoT devices are infected, the impact is impossible to ignore. An infected IoT device can:

Access. The device reaches out to a central server for instructions. Then, it begins to ask for access to a specified server over and over again.
Reinfect. Turning off the device can mean stopping an attack and the malware. But if the port stays open, the problem returns with new source code.
Dominate. Any other malware on the device is removed, so the Mirai malware is the only one running.
Hide. IoT owners may notice slight sluggishness and nothing more.

Mirai malware was implicated in a cyber attack in October of 2016. The botnet turned to a website for Dyn, which offers domain name system services. The company hosted big-name websites, including Wired. When it went down due to overwhelming traffic from IoT devices, much of the East Coast went down as well. Entire companies shut down for the weekend due to a lack of connectivity. Authorities got involved, and the Mirai botnet developers panicked. In a rush to protect themselves, they released the Mirai source code. The developers hoped that widespread access to the code could shield them. In essence, they could claim that everyone knew the code, and they got it from elsewhere. Unfortunately, releasing the code ensured that these attacks would persist, in some form, forever.

Mirai Bot Changes With Time

As soon as the source code was released, hackers started tweaking, adjusting and experimenting. The attacks they launched were devastating. In 2017, for example, a new variant allowed developers to infect home routers secured with strong passwords. When experts discovered it, the botnet included an estimated 100,000 devices, all ready to go when the developer offered instructions. This is just one example of many. As long as IoT devices remain even slightly insecure, more variants are likely to appear.

Why Can't We Stop the Mirai Botnet?

We know how the Mirai malware works, and we understand how the devices can harm us. Eradication seems a reasonable next step, but unfortunately, it's hard to accomplish. The Mirai worm persists due to:

Low consumer interest. An infected device still works reasonably well, and it doesn't pose a risk to the person who owns it. People don't feel compelled to change anything about items that seem to work.
Poor manufacturer compliance. Cost concerns keep most manufacturing companies from investing in security. The more stripped down the device, the lower the price point.
No overarching government insight. Some states have laws about IoT security. In California, for example, IoT devices must be shipped with unique passwords, or manufacturers must require users to set a password before they get started. But there are no federal laws or global laws that ensure widespread compliance.
Inadequate skills. Some companies offer security patches for their devices. But some people aren't sure how to apply them to their connected devices, and others have no idea that these patches exist.

As long as we live in a world filled with connected devices and poor security practices, the Mirai threat is likely to persist.

What Can You Do to Stop the Mirai Worm?

Mirai malware is stored in device memory. Rebooting your device, by unplugging it and leaving it that way for a few moments, is usually enough to stop an attack in progress and clean your device. But unless you change your device username and password, reinfection is likely. As soon as you reboot, change those settings. Repeat often for the best chance at protection. If you're not sure how to tackle these steps, contact the device manufacturer for help. Don't expect the manufacturer to install firmware updates. Automatic security setting changes can leave your device vulnerable to man-in-the-middle attacks.
References

Who Is Anna-Senpai, the Mirai Worm Author? January 2017. Krebs on Security.
Source Code for IoT Botnet 'Mirai' Released. October 2016. Krebs on Security.
What We Know About Friday's Massive East Coast Internet Outage. October 2016. Wired.
100,000-Strong Botnet Built on Router 0-Day Could Strike at Any Time. December 2017. Ars Technica.
IoT Manufacturers: What You Need to Know About California's IoT Law. January 2020. The National Law Review.
Leaked Mirai Malware Boosts IoT Insecurity Threat Level. October 2016. Security Intelligence.
Created by Josiah White, Paras Jha, and Dalton Norman, the Mirai botnet was initially written in C for the bots and Go for the controllers, with the initial purpose of knocking rival Minecraft servers offline using distributed denial-of-service (DDoS) attacks [1]. The Mirai botnet soon spread to infect thousands of internet of things (IoT) devices and evolved to conduct full, large-scale attacks. After noticing an increase in infections, the nonprofit organization MalwareMustDie took note of Mirai in August 2016 and started to research, analyze, and track the botnet [2].

Damaging DDoS Attacks

Mirai's first large-scale attack was in September 2016 against a French technology company, OVH. Mirai's attack peaked at an unprecedented 1 Tbps and is estimated to have used about 145,000 devices within the assault. This attack set the scale for how massive the botnet had become, with the second largest attack peaking around 400 Gbps. After the attack on OVH, Krebs on Security, created by the journalist Brian Krebs, was flooded with over 600 GB of data in late September 2016. Krebs was most likely targeted due to his line of investigative journalism into cyber-related crimes and was seen as a potential threat to the authors [3]. On September 30, 2017, one of the botnet authors decided to release the source code on a popular hacker forum while simultaneously announcing their supposed departure from hacking [2]. There are several possible reasons why the author decided to dump the code, the most likely being to obfuscate their identity and avoid being charged for committed crimes. Soon after the source code's release, others began using Mirai for their own malicious purposes, and their attacks could no longer be tied back to a single user or group as one could do previously. On top of attribution becoming more difficult to accomplish, the release of the code also allowed threat actors to increase the number of DDoS attacks conducted.

Since then, other authors have added new and more destructive components, such as modules that increase infection numbers or the speed at which it infects. Additionally, novel variants of Mirai have been created, including Okiru, Satori, Masuta, and PureMasuta [4]. These variants take Mirai and add more functionality, such as the ability to attack computers as well as IoT devices to increase data output. The success of this botnet and its variants relies on the weak security of IoT products and technology. IoT devices built for convenience over security complicate mitigation efforts for the Mirai malware family.

Mirai Technical Details

Mirai starts as a self-propagating worm (T0866) [5], replicating itself once it infects and locates another vulnerable IoT device [3]. Propagation is accomplished by using infected IoT devices to scan the internet for additional vulnerable targets (T0883). If a suitable device is found, the already-infected device reports its findings back to a server. Once the server has its list of vulnerable devices, the server loads a payload and infects the target. Botnets such as Mirai focus on infecting as many devices as possible, which is made even easier by the lack of security within IoT devices. Initially, Mirai compromised these devices with brute-force attacks that tried 64 sets of common usernames and passwords (T0812) like "admin" and "password"; however, current modules and variants use up-to-date vulnerabilities to maximize efficiency. This can be seen in newer variants of the botnet, such as " found in July 2020 and how it uses CVE-2020-10173 to exploit Comtrend VR-3033 routers [6]. Even more recently, AT&T's Alien Labs identified a variant named "Moobot" sharply increasing its scans for Tenda routers that are exploitable with a known remote code execution vulnerability (T1210), CVE-2020-10987. This recent variant also allowed researchers to trace the malware back to its hosting domain, named "Cyberium", and they noted that other variants of Mirai reside there as well [7].

The global distribution of these IoT devices is peculiar, due to the disproportionate number of infected devices coming from South America and Asia. During the attack on Krebs, he was able to gather the location of attacking devices and noticed an irregularity. In the total number of devices used, of devices came from South America and counting Russia at from all of Asia [3]. Once infected and configured, the IoT device can be controlled from command and control (C2) servers (TA0011). After amassing thousands of infected devices, these C2 servers tell the devices what to attack. The C2 servers are able to utilize numerous DDoS (T1498) techniques such as HTTP, TCP, and UDP flooding [6].

Mirai Botnet Mitigations

The Center for Internet Security (CIS) and the Cybersecurity and Infrastructure Security Agency (CISA) recommend organizations follow the below mitigations to limit damage caused through a potential attack:

Follow CIS Benchmarks – Follow CIS Benchmarks for best practices in the secure configuration of a target system. [8]
Segment your network – Ensure that all IoT devices are on a separate network from systems critical for daily operations.
Update IoT devices – Always keep IoT devices up to date to ensure there is less of a chance for infection.
Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date. [9]
Have an official password policy – Your original passwords may have been compromised during the infection, so you should change them as soon as possible. [9]
Keep operating systems and application software up-to-date – Install software patches so that attackers cannot take advantage of known vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it. [9]
Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. [9]

Sources: [1] [2] [3] [4] [5] [6] [7] [8] [9]
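The article above says the C2 servers order HTTP, TCP and UDP floods, and the NetScout interview earlier on this page lists SYN flooding first among Mirai's attack types. The following is an added example, not the article's or any project's code, of the indicator a defender looks for on the receiving end of a SYN flood: many connection attempts to one service whose handshakes never complete, spread over an unusually large number of (often spoofed) source addresses. The flow-record shape, the sample traffic and the thresholds are constructed assumptions; the flags field follows the NetFlow convention of accumulating the TCP flags seen on the client-to-server side of a flow.

```python
"""SYN-flood indicators computed from flow records.

Added example, not the article's code. A SYN flood leaves the target with
many half-open connections: SYNs whose handshake never completes, usually
from a large number of spoofed sources. Per destination ip:port this
counts SYNs, the share of flows that never carried an ACK, and distinct
sources, and flags targets that exceed assumed thresholds. The flow-record
shape and the sample data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str      # cumulative TCP flags seen client->server, NetFlow style: S, A, P, F, R


def syn_flood_indicators(flows, min_syns=50, min_half_open_ratio=0.8, min_sources=20):
    """Return {"dst:port": {...}} for every target whose connection attempts
    are mostly half-open and come from many distinct sources."""
    per_target = defaultdict(lambda: {"syns": 0, "half_open": 0, "sources": set()})
    for f in flows:
        if "S" not in f.flags:
            continue                                 # not a connection attempt
        t = per_target[(f.dst, f.dport)]
        t["syns"] += 1
        t["sources"].add(f.src)
        if "A" not in f.flags:
            t["half_open"] += 1                      # client never acknowledged: half-open

    alerts = {}
    for (dst, dport), t in per_target.items():
        ratio = t["half_open"] / t["syns"]
        if (t["syns"] >= min_syns
                and ratio >= min_half_open_ratio
                and len(t["sources"]) >= min_sources):
            alerts[f"{dst}:{dport}"] = {
                "syns": t["syns"],
                "half_open_ratio": round(ratio, 2),
                "sources": len(t["sources"]),
            }
    return alerts


def build_sample_flows():
    """Constructed traffic: 200 spoofed half-open SYNs at a web server, mixed
    with ordinary completed connections to that server and to a second one."""
    flows = []
    # flood: 200 distinct constructed sources in 198.18.0.0/16, SYN only
    for i in range(200):
        flows.append(Flow(f"198.18.{i // 256}.{i % 256}", "203.0.113.5", 80, "S"))
    # legitimate clients of the same server: handshake, data, orderly close
    for i in range(30):
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.5", 80, "SPAF"))
    # a second service that sees only normal traffic
    for i in range(40):
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.6", 443, "SPAF"))
    return flows


if __name__ == "__main__":
    for target, stats in syn_flood_indicators(build_sample_flows()).items():
        print(target, stats)
```

Only 203.0.113.5:80 is reported: 230 attempts, 87% of them half-open, from 230 distinct sources. The 443 service sees the same legitimate clients but no half-open flows, so its ratio is zero. The three thresholds are independent on purpose: a busy server legitimately sees many SYNs, and a single misbehaving client sees a high half-open ratio, but a high ratio across many sources at once is the flood signature worth paging on.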
What is Mirai?

Mirai is a type of malware that targets consumer devices like smart cameras and home routers, turning them into a zombie network of remote controlled bots. Mirai botnets are used by cybercriminals to target computer systems in massive distributed denial-of-service (DDoS) attacks.

Unlike other cyberthreats, Mirai malware mostly impacts networked smart home devices such as routers, thermostats, baby monitors, refrigerators, etc. By targeting the Linux OS that many Internet of Things (IoT) devices run on, Mirai malware is designed to exploit vulnerabilities in smart gadgets and link them together into a network of infected devices known as a botnet. Once part of the botnet, hijacked hardware is then co-opted to commit further attacks as part of a herd of zombie machines. Traditionally, botnets have been used to conduct phishing campaigns and large-scale spam attacks, but the nature of IoT devices makes Mirai botnets ideally suited to bringing down websites or servers through DDoS attacks. After infecting a computer, botnet malware like Mirai spreads to other devices before launching a networked attack.

How was Mirai created?

The origins of Mirai can be traced back to a college student named Paras Jha and his friend Josiah White. Having written the Mirai botnet source code in 2016, they then used their creation to try and extort Jha's own university by launching DDoS attacks on the institution. Jha and White then took their hacking to another level, targeting servers hosting the immensely popular Minecraft video game, as well as the companies contracted to protect the lucrative gaming servers from precisely this kind of DDoS disruption.

Who created the Mirai botnet?

The initial development and use of the Mirai botnet against Minecraft gaming servers was the work of Paras Jha and Josiah White. But in September 2016, the pair seem to have leaked their own code online in an effort to obscure the origins of their botnet attacks. Out in the wild, Mirai snowballed out of control, as it was replicated and modified by other cybercriminals. It has continued to wreak havoc in various forms ever since, most notably in a wide-scale DDoS attack that took down large portions of the internet across the US.

How does Mirai work?

To understand how the Mirai botnet works, you need to start with the vast network of internet-enabled household devices known collectively as the Internet of Things. These gadgets are an increasingly common fixture in modern smart homes, but they open up another potential attack surface for cybercriminals to exploit. First, Mirai malware scans IP addresses to identify smart devices running a version of Linux known as ARC. Then, Mirai exploits security vulnerabilities in the IoT device to gain network access via default username and password combinations. If these settings haven't been changed or updated, Mirai can log in to the device and infect it with malware. As the number of devices caught in the infected network mounts, the cybercriminals in control then use the Mirai botnets to crash targeted websites or servers by bombarding them with more traffic than they can handle. The site or service will remain inaccessible to normal users until the DDoS attack is resolved, which increasingly involves the payment of a ransom. Infected devices in a botnet can be used in devastating DDoS attacks.

Mirai and smart devices

Once Mirai has infected a smart device, it turns it into another zombie in an army of remotely controlled bots. Mirai will even purge any pre-existing malware to ensure the device is securely locked into the botnet, all without the consent or knowledge of the owner. Under the control of the botnet creator, IoT hardware can then be forced to scan networks for other vulnerable devices to exploit, ensnaring yet more victims in the Mirai botnet. And since most smart homes are not equipped with comprehensive network security, smart devices remain vulnerable to Mirai and other IoT botnets.

What kind of devices are under threat?

Most devices that the Mirai botnet attacks are home routers and cameras, but almost any smart device is susceptible to IoT botnets. The same network connection that gives robot vacuums, IP intercoms, kitchen appliances, and smart vehicles their functionality in a smart home is also a potential backdoor for malware. There are some parts of the IoT which are impervious to Mirai, but this is because the malware's creators programmed their code not to attack certain IP addresses, such as those owned by the US Department of Defense.

What makes Mirai so dangerous?

Mirai botnets are particularly dangerous because they're used in DDoS attacks, which can be commercially devastating and extremely difficult to stop. DDoS attacks have forced businesses to cough up large ransoms in several high-profile cases. In addition to DDoS attacks, IoT botnets can hold devices hostage with ransomware, spread spam emails, and perpetrate click-fraud to harvest personal data and sensitive financial information.

Mirai in the real world

Mirai emerged in September 2016, with major DDoS attacks on Minecraft gaming infrastructure, including the hosting service OVH. After the botnet was used to crash the website of the prominent cybersecurity journalist Brian Krebs, people began to take notice. Then, after the Mirai source code was mysteriously shared online by a profile with the username "Anna Senpai," a series of high-profile Mirai DDoS attacks rocked the internet. A particularly infamous example was the enormous IoT botnet barrage that brought down Dyn, a major DNS provider.

Is Mirai still a threat?

Although Mirai's creators were swiftly scooped up by the FBI, the malware they authored remains out there. This means that Mirai, its malware derivatives, and other similar botnets still pose a significant threat to unprotected devices and networks. That's why it's so important to protect your device with strong anti-malware software.

The Mirai source code lives on

Having been shared on the dark web, the Mirai botnet source code continues to evolve as malware creators adapt it to create more advanced variants of Mirai. Recent IoT botnet threats such as Okiru, Satori, and Reaper are all based on the Mirai malware source code. More variants will inevitably emerge due to Mirai's open source code.

Defense against the Mirai botnet

Mirai exploits default usernames and passwords, trying to find the right combination to break in. Rather than brute-force attacking a single device, Mirai will simply move on to an easier target. So, your top priority should be changing the factory-setting log-in keys and creating a strong password for your IoT devices as soon as possible. Using a random password generator to create long, complex passwords that can't be guessed or cracked helps to secure your otherwise vulnerable IoT devices. But even as cyber threats targeting smart devices grow in scale and sophistication, built-in IoT security protocols are often relatively weak. All it takes is one compromised device to expose an entire system, so it's important to take additional steps to secure your smart home.

The best protection for your devices

Once a botnet or other malware has accessed one of your networked devices, the damage has already been done. That's why it's so important to approach the security of your digital life and home network proactively, to prevent infections in the first place. Avast One combines six layers of advanced security, leaving nothing to chance when it comes to stopping hackers and shielding you against malicious software. And with heuristic threat detection based on cutting-edge artificial intelligence, you'll be fully protected against even the very latest emerging threats.

Published on March 11, 2022. Updated on February 21, 2023.