When a new strain of malware or a new attack technique succeeds, you can bet that it will be reused. The ongoing investigation into a massive outage at Deutsche Telekom bears that out once more: after an attack that left roughly 900,000 customers' routers offline, researchers attributed the incident to the infamous Mirai botnet.
As reported by Infosecurity-Magazine, researchers at Tripwire who studied the attack noticed characteristics that pointed to Mirai. Craig Young of Tripwire noted in an email to the publication that "Mirai deletes the original malicious binary and relocates itself to blend in with normal system items." A second indicator in the DT attack was the malware's self-defence: "Mirai also attempts to block access to the vulnerable remote management protocol, thereby preventing subsequent attack/infection and also making it that much harder for ISPs to forcibly reset devices."
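Both indicators Tripwire describes can be checked on a Linux-based device without any malware signature. The script below is an added example, not code from the article or from Tripwire: it flags processes whose on-disk binary has been unlinked (what readlink on /proc/<pid>/exe shows as "(deleted)") and parses an iptables-save dump for an INPUT rule that drops the remote-management port. The process snapshot and the iptables dump are constructed sample data, and the port 7547 (TR-064/CWMP) and the exact form of the blocking rule are assumptions about this variant rather than facts stated on the page.

```python
"""Host-side hunt for the two Mirai indicators Tripwire describes: a process that
is still running after its on-disk binary was unlinked, and a firewall rule the
malware adds to shut the remote-management port it came in through.

Added example, not code from the article or from Tripwire. The process snapshot
and iptables-save dump below are constructed sample data; MGMT_PORT and the
exact shape of the blocking rule are assumptions about the variant.
"""
import os
import re
from dataclasses import dataclass

MGMT_PORT = 7547  # assumption: TR-064/CWMP port the DT variant scanned and then blocked


@dataclass
class Proc:
    pid: int
    exe: str   # target of the /proc/<pid>/exe symlink
    comm: str  # contents of /proc/<pid>/comm


def deleted_binary_procs(procs):
    """Mirai unlinks its own binary after launch, so the exe link ends in ' (deleted)'."""
    return [p for p in procs if p.exe.endswith(" (deleted)")]


_DROP_RULE = re.compile(
    r"^-A INPUT\b.*?(?:--dport|--destination-port) (\d+)\b.*?-j (?:DROP|REJECT)\b"
)


def dropped_input_ports(iptables_save_text):
    """Destination ports that INPUT rules drop or reject, parsed from iptables-save output."""
    ports = set()
    for line in iptables_save_text.splitlines():
        m = _DROP_RULE.match(line.strip())
        if m:
            ports.add(int(m.group(1)))
    return ports


def mirai_findings(procs, iptables_save_text, mgmt_port=MGMT_PORT):
    """Combine both indicators into a list of human-readable findings."""
    findings = []
    for p in deleted_binary_procs(procs):
        findings.append(f"pid {p.pid} ({p.comm}) runs from unlinked binary {p.exe}")
    if mgmt_port in dropped_input_ports(iptables_save_text):
        findings.append(f"INPUT rule drops management port {mgmt_port}")
    return findings


def snapshot_procs():
    """Live collector for a Linux host (root is needed to read other users' exe links)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:  # kernel threads, exited processes, or permission denied
            continue
        procs.append(Proc(pid, exe, comm))
    return procs


# Constructed sample data: two clean processes and one Mirai-like process
SAMPLE_PROCS = [
    Proc(1, "/sbin/init", "init"),
    Proc(412, "/usr/sbin/dropbear", "dropbear"),
    Proc(917, "/tmp/.x/tdjqqdpb (deleted)", "dvrHelper"),
]

SAMPLE_IPTABLES = """\
# constructed iptables-save dump
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 7547 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    # Swap SAMPLE_PROCS for snapshot_procs() and SAMPLE_IPTABLES for the
    # output of `iptables-save` to run this against a real device.
    for line in mirai_findings(SAMPLE_PROCS, SAMPLE_IPTABLES):
        print(line)
```

Neither check is proof on its own: package upgrades also leave processes running from deleted binaries, and an operator may legitimately firewall a management port. Together, on a consumer router that should have neither, they are a strong signal worth a reboot and firmware check.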
Mirai's source code was released publicly in the autumn of 2016, and new variants have been appearing with alarming frequency ever since. The question remains what the attackers' end goal was in this particular instance. The outage itself appears to have been a side effect: the attackers were trying to take over Deutsche Telekom's customer routers in order to enlist them in the botnet, presumably to bolster it for a large-scale attack like the one against Dyn in October 2016.
All of this ties into the larger problem IoT devices pose for DDoS defence. The security world needs to work as diligently as possible on countermeasures that keep IoT devices from being conscripted as botnet zombies, starting with not exposing remote-management ports to the internet and not shipping devices with default credentials. There will likely never be a total fix, but as this most recent attack shows, malware like Mirai isn't going away anytime soon.
Photo credit: Tony Werman