New scanner allows users to check IoT devices for Mirai malware infection

Imperva launches new scanner to detect presence of the Mirai malware for free

Imperva has launched a new scanner that allows consumers and businesses to check their devices for Mirai malware infection or for the weaknesses Mirai exploits.

Mirai has been implicated in DDoS attacks on KrebsOnSecurity and Dyn, about a month apart from each other.

The attack on DNS infrastructure managed by Dyn caused issues among popular sites such as Twitter, the New York Times and Spotify.

Imperva was also subject to Mirai attacks, in mid-August. In a blog post presenting the new scanner, Imperva said: "We've had a chance to dig into the leaked source code to understand it better. We've discovered that Mirai malware infects IoT devices and then uses them as a launch platform to perform DDoS attacks. 


"Mirai scans IP addresses across the internet to find unsecured devices and is programmed to guess their login credentials. It's also predatory: it can even remove and replace malware previously installed on a device. Mirai is particularly fond of IP cameras, routers and DVRs."

The user starts the scan by clicking "Scan My Network Now", which lets the scanner discover the user's public IP address (i.e. the address assigned to the device or cable modem by the user's ISP).

That device is usually the router and Wi-Fi access point that connects the other devices on the user's network to the Internet. By checking the user's gateway from outside the network, the Mirai Scanner can see whether any remote access ports are exposed in a way Mirai could exploit.

The Mirai scanner is only able to scan public IP addresses. The beta download can be found here.
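The article describes two things a defender can look for: whether the gateway exposes remote-access ports to the Internet (what Imperva's external check tests) and the scan-and-guess traffic Mirai generates against those ports. The following added example, which is not Imperva's scanner or any code from the article, reviews constructed iptables-style gateway log lines for both signals; the `FW_ACCEPT`/`FW_DROP` prefixes, the interface name `eth0`, the port list and the threshold are assumptions for this example.

```python
import re
from collections import defaultdict

REMOTE_ACCESS_PORTS = {22, 23, 2323}   # telnet and SSH; an assumed watch-list for this example
WAN_IF = "eth0"                        # assumed name of the gateway's Internet-facing interface
GUESS_THRESHOLD = 3                    # attempts from one source before we call it credential guessing

# iptables-style lines; FW_ACCEPT / FW_DROP are assumed --log-prefix values.
LINE_RE = re.compile(
    r"(?P<verdict>FW_ACCEPT|FW_DROP) IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

# Constructed sample: 198.51.100.7 hammers telnet on the gateway (203.0.113.5), and the
# gateway accepts on port 23; a LAN-side telnet session on eth1 must not count.
SAMPLE_LOG = """\
kernel: FW_ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN
kernel: FW_ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=23 SYN
kernel: FW_ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
kernel: FW_DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40004 DPT=2323 SYN
kernel: FW_DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
kernel: FW_ACCEPT IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=52000 DPT=443 SYN
kernel: FW_ACCEPT IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=53000 DPT=23 SYN
kernel: FW_DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

def parse(line):
    """Extract the fields we need from one log line; None if it is not a firewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None   # absent for ICMP lines
    return ev

def review(lines):
    """Return (exposed_ports, guessers): remote-access ports the gateway ACCEPTed from the
    WAN side (what an external check would find reachable), and {src: attempts} for WAN
    sources hitting those ports at least GUESS_THRESHOLD times (scan-and-guess behaviour)."""
    exposed, attempts = set(), defaultdict(int)
    for line in lines:
        ev = parse(line)
        if not ev or ev["iface"] != WAN_IF or ev["proto"] != "TCP":
            continue
        if ev["dpt"] in REMOTE_ACCESS_PORTS:
            attempts[ev["src"]] += 1
            if ev["verdict"] == "FW_ACCEPT":
                exposed.add(ev["dpt"])
    guessers = {src: n for src, n in attempts.items() if n >= GUESS_THRESHOLD}
    return exposed, guessers

if __name__ == "__main__":
    print(review(SAMPLE_LOG.splitlines()))  # ({23}, {'198.51.100.7': 4})
```

An accepted connection on port 23 from the WAN side is the finding to act on first: close or firewall the port and change the device's default credentials.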

03/10/2016: Hackers release source code for Mirai botnet

A week after carrying out a record-breaking DDoS attack on security researcher Brian Krebs' website, one of the creators of the Mirai botnet malware has released the source code for the IoT-powered behemoth.

The source code was released on Hackforums by a user going by the name of Anna-senpai accompanied by the following message: "When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there're lots of eyes looking at IOT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.


"So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after Kreb (sic) DDoS, ISPs been slowly shutting downs and cleaning up their act. Today, max pull is about 300k bots, and dropping."

In a blog post on this latest twist in the tale, Brian Krebs wrote: "It's an open question why anna-senpai released the source code for Mirai, but it's unlikely to have been an altruistic gesture: miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home. Publishing the code online for all to see and download ensures that the code's original authors aren't the only ones found possessing it if and when the authorities come knocking with search warrants.

"My guess is that ... there will soon be many internet users complaining to their ISPs about slow internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth."

Thomas Pore, director of IT and services at Plixer, shared Krebs' sentiment, saying: "This is an interesting twist and likely proliferated as a means to draw law enforcement attention elsewhere. The code is a gift to cyber criminals looking to enter [the] popular market of DDoS as a Service, and it will be interesting to see who takes control over vulnerable IoT devices, because it's clear the author of this code is trying to get out."

23/09/2016: Security blog Krebs stays online despite massive DDoS attack


Security blog KrebsOnSecurity has been subject to a massive DDoS attack, which Akamai has revealed is the biggest it has seen.


Although KrebsOnSecurity is frequently attacked using such methods, this particular assault measured between 620Gbps and 635Gbps. The second largest measured by Akamai was 336Gbps.

Another reason this recent DDoS strike caught Akamai's eye is because it was launched almost exclusively by a very large botnet of hacked devices. Amazingly, the website managed to stay online, despite being bombarded by bots.

"The largest DDoS attacks on record tend to be the result of a tried-and-true method known as a DNS reflection attack. In such assaults, the perpetrators are able to leverage unmanaged DNS servers on the Web to create huge traffic floods," site founder and investigative journalist Brian Krebs explained.

"But according to Akamai, none of the attack methods employed in Tuesday night's assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods," he continued.

The exception was traffic that appeared to consist of generic routing encapsulation (GRE) packets, a tunnelling protocol normally used to build a direct, point-to-point connection between network nodes.

"Someone has a botnet with capabilities we haven't seen before," Akamai's senior security advocate, Martin McKeay said. "We looked at the traffic coming from the attacking systems, and they weren't just from one region of the world or from a small subset of networks; they were everywhere."


"Seeing that much attack coming from GRE is really unusual. We've only started seeing that recently, but seeing it at this volume is very new."

Krebs concluded that the attack was probably launched in response to posts he had written regarding the takedown of the DDoS-for-hire service vDOS.
