New scanner allows users to check IoT devices for Mirai malware infection

Imperva launches new scanner to detect presence of the Mirai malware for free

Imperva has launched a new scanner that allows consumers and businesses to scan devices for Mirai malware infection or vulnerabilities.

Mirai has been implicated in DDoS attacks on KrebsOnSecurity and Dyn, about a month apart from each other.

The attack on DNS infrastructure managed by Dyn caused issues among popular sites such as Twitter, the New York Times and Spotify.

Imperva was also subject to Mirai attacks, in mid-August. In a blog post presenting the new scanner, Imperva said: "We've had a chance to dig into the leaked source code to understand it better. We've discovered that Mirai malware infects IoT devices and then uses them as a launch platform to perform DDoS attacks. 

"Mirai scans IP addresses across the internet to find unsecured devices and is programmed to guess their login credentials. It's also predatory--it can even remove and replace malware previously installed on a device. Mirai is particularly fond of IP cameras, routers and DVRs."

To run the scanner, the user clicks "Scan My Network Now", which lets it discover the user's public IP address (i.e. the address assigned to the device or cable modem by the user's ISP).

That device often also works as a router and Wi-Fi access point, connecting the other devices on the network to the internet. By checking the user's gateway from outside the network, the Mirai Scanner can see whether any remote access ports are vulnerable to Mirai attacks.

The Mirai scanner is only able to scan public IP addresses. The beta download can be found here.
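
An added example, not from Imperva or the original article: the scanner checks the gateway from outside, while the scanning behaviour Imperva describes can also be spotted from inside the network, as one device opening telnet connections to many unrelated internet addresses in a short time. The flow-record format, the LAN range, the thresholds and the sample lines below are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

TELNET_PORTS = {23}  # telnet, the service named in the article; extend as needed
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range

# Constructed sample flow records: "<epoch> <src> <dst> <dst_port> <tcp_flags>"
SAMPLE_FLOWS = """\
1476000000 192.168.1.50 198.51.100.7 23 S
1476000001 192.168.1.50 198.51.100.8 23 S
1476000002 192.168.1.50 203.0.113.14 23 S
1476000003 192.168.1.50 192.0.2.33 23 S
1476000010 192.168.1.20 198.51.100.7 23 S
1476000011 192.168.1.20 203.0.113.80 443 S
1476000020 192.168.1.60 198.51.100.1 23 S
1476003620 192.168.1.60 198.51.100.2 23 S
1476007220 192.168.1.60 198.51.100.3 23 S
1476010820 192.168.1.60 198.51.100.4 23 S
garbled line
""".splitlines()

def parse_flow(line):
    """Return (ts, src, dst, port, flags), or None for a malformed record."""
    try:
        ts, src, dst, port, flags = line.split()
        return (int(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(port), flags)
    except ValueError:  # wrong field count, bad address or bad number
        return None

def find_telnet_scanners(lines, window=60, min_targets=4):
    """Map each local host to its peak count of distinct external telnet
    destinations contacted within `window` seconds, if >= min_targets."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, port, flags = rec
        # Outbound connection attempts only: LAN source, internet destination.
        if (src in LOCAL_NET and dst not in LOCAL_NET
                and port in TELNET_PORTS and flags == "S"):
            attempts[str(src)].append((ts, str(dst)))
    flagged = {}
    for src, events in attempts.items():
        # Slide a window from each event and count distinct destinations in it.
        best = max(len({d for t, d in events if 0 <= t - start <= window})
                   for start, _ in events)
        if best >= min_targets:
            flagged[src] = best
    return flagged
```

On the sample data only 192.168.1.50 is flagged: the host that makes a single telnet connection and the one whose connections are spread over hours stay below the threshold.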

03/10/2016: Hackers release source code for Mirai botnet

A week after carrying out a record-breaking DDoS attack on security researcher Brian Krebs' website, one of the creators of the Mirai botnet malware has released the source code for the IoT-powered behemoth.

The source code was released on Hackforums by a user going by the name of Anna-senpai accompanied by the following message: "When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there're lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.

"So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after Kreb (sic) DDoS, ISPs been slowly shutting downs and cleaning up their act. Today, max pull is about 300k bots, and dropping."

In a blog post on this latest twist in the tale, Brian Krebs wrote: "It's an open question why anna-senpai released the source code for Mirai, but it's unlikely to have been an altruistic gesture: miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home. Publishing the code online for all to see and download ensures that the code's original authors aren't the only ones found possessing it if and when the authorities come knocking with search warrants.

"My guess is that ... there will soon be many internet users complaining to their ISPs about slow internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth."

Thomas Pore, director of IT and services at Plixer, shared Krebs' sentiment, saying: "This is an interesting twist and likely proliferated as a means to draw law enforcement attention elsewhere. The code is a gift to cyber criminals looking to enter [the] popular market of DDoS as a Service, and it will be interesting to see who takes control over vulnerable IoT devices, because it's clear the author of this code is trying to get out."

23/09/2016: Security blog Krebs stays online despite massive DDoS attack

Security blog KrebsOnSecurity has been subject to a massive DDoS attack, which Akamai has revealed is the biggest it has seen.

Although KrebsOnSecurity is frequently attacked using such methods, this particular assault measured between 620Gbps and 635Gbps. The second largest measured by Akamai was 336Gbps.

Another reason this recent DDoS strike caught Akamai's eye is that it was launched almost exclusively by a very large botnet of hacked devices. Amazingly, the website managed to stay online, despite being bombarded by bots.

"The largest DDoS attacks on record tend to be the result of a tried-and-true method known as a DNS reflection attack. In such assaults, the perpetrators are able to leverage unmanaged DNS servers on the Web to create huge traffic floods," site founder and investigative journalist Brian Krebs explained.

"But according to Akamai, none of the attack methods employed in Tuesday night's assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods," he continued.

This is with the exception of traffic that appeared to originate from generic routing encapsulation (GRE) data packets, which are commonly used to build a direct, point-to-point connection between network nodes.

"Someone has a botnet with capabilities we haven't seen before," Akamai's senior security advocate, Martin McKeay, said. "We looked at the traffic coming from the attacking systems, and they weren't just from one region of the world or from a small subset of networks; they were everywhere."

"Seeing that much attack coming from GRE is really unusual. We've only started seeing that recently, but seeing it at this volume is very new."

Krebs concluded that the attack was probably launched in response to posts he had written regarding the takedown of the DDoS-for-hire service vDOS.
