author photo
By Scott Schober
Mon | Oct 31, 2016 | 12:00 AM PDT

When Greeks left a giant horse bestowed upon the Trojans but secretly filled with Greek soldiers, they couldn’t have imagined their plan being re-enacted some 3,000+ years later. On October 21, 2016, something along the same lines occurred, this time effecting hundreds of thousands of unsecured IoT devices used to facilitate massive DDoS (Distributed Denial of Service) attacks all over the internet. So how does a widespread internet outage harken back to a 3,000-year-old mythology?

What’s Behind This Attack?

Mirai is the name given to malicious code that infected thousands of IoT (Internet of Things) devices around the world. IoT devices are generally “dumb” devices that collect and relay data across the internet to other devices. So while they are not nearly as powerful as our smartphones or computers, they do wield tremendous power when all aligned for one specific task. But it doesn’t stop there. These infected devices were (and many still are) secretly under Mirai’s control and awaiting orders to strike in the form of a DDoS attack. CCTV cameras, DVRs, routers, and various sensors comprise this army of zombie devices. So while they’re not particularly powerful on their own, they are still connected to the largest network known to humankind, the internet.

Just like those hidden soldiers in the Trojan horse, when those orders are given, they break their secrecy and attack. Mirai attacks by ordering all devices under its control to make multiple IP access requests to targeted servers. Overwhelmed by all these simultaneous requests, these servers are forced to ignore legitimate traffic and eventually shut down altogether. This time, the domain name service Dyn confirmed they were hit by an overwhelming amount of IP requests in what they describe as a “sophisticated attack.” This attack took down Twitter, Netflix, and The New York Times, to name a few.

In the original Trojan horse telling, only a few trusted soldiers were hiding inside the giant horse. But when the time came, they opened the gates of Troy to let in the entire Greek army. Hundreds of millions of IoT devices served in Mirai’s botnet army. But who was giving the orders?

Who’s Behind This Attack?

You may recall that this wasn’t the first attack of this kind. Back on September 20th, cybersecurity expert and reporter Brian Krebs was specifically targeted by the same attack. His site went down and his host, Akamai, forced him to leave their domain for fear the rest of their networks might be taken down too. The motives behind this latest attack are still unknown, and the puppet master behind millions of DDoS bots is still a mystery, but some clues have surfaced regarding the Brian Krebs DDoS attack.

After source code from this first Mirai attack was leaked, the Imperva Incapsula security team discovered some interesting details, including a high degree of territoriality. Namely, this attack included malware holding several scripts designed to eradicate other worms and Trojans, as well as prohibiting remote connection attempts of the hijacked device. This malware wanted these IoT devices all for itself.

In addition, Russian phrases—such as “я люблю куриные наггетсы,” which translates to “I love chicken nuggets”—were found embedded in the code. While these might seem nonsensical, they do add further insight into its origins. Further details included in the Imperva Incapsula report paint a picture of a skilled yet inexperienced hacker behind the malware code and probably the attacks too. Both Mirai attacks bear more than passing similarities. So what now?

Repairs and Prevention

Not to mix metaphors, but isn’t this Trojan horse already out of the barn? What can we really do to stop these attacks and prevent future ones? For the most part, the botnet of infected IoT devices are still out there. They were ignored by most of their owners before this attack and will continue to be ignored, not updated, and not secured by most after the dust has settled. One ray of hope that has surfaced is XiongMai Technologies, the Chinese company responsible for many of these insecure IoT devices, issuing a statement saying it would be recalling millions of devices. But millions of more devices in the wild still contain vulnerabilities to malware like Mirai and others yet to be released. So here are a few simple steps to make sure you are not part of the problem and stay safe as well.

  1. Unplug/disable all IoT devices you are not using. Round ‘em up and shut ‘em down.
  2. If you need to keep the device powered, make sure it has a long and unique password and does not use any default passwords. And while you’re at it, create a unique password for every device in question.
  3. Avoid purchasing future IoT devices from shady companies that do not have a track record of updating their firmware with security patches. If you’ve never heard of the company, that $20 you’re saving isn’t worth it.

The Mirai code has been leaked, making it essentially open source to any ambitious hacker. This, coupled with the fact that IoT devices still do not adhere to a single security standard, makes for a perfect storm of consumer vulnerability and confusion. IoT offerings will only continue to grow, so it is up to all of us to ensure that our devices are not participating in massive hacks upon the internet or ourselves. Without vigilance, future DDoS attacks in the form of Trojans will make this past week’s outage feel like a pony ride.