« zombies » connected objects

September was marked by distributed denial of service (DDoS) attacks of an unequalled scale. A record was reached on September 20th with a 1Tbps DDoS attack against the French host OVH, followed on September 21th of a 620 Gb/s attack against the website of the journalist and IT security expert Brian Krebs, krebsonsecurity.com.

The common point between both attacks, the use of connected objects network to Internet (IoT: Internet of Things) such as web IP cameras or digital video recorders (DVR). Although DDoS attacks are common against most hosts, the use of connected objects to Internet to conduct these attacks mark a step in the botnets evolution.

To perform these attacks, hackers have been used a malware dubbed Mirai to infect connected Linux-based system objects that are often weakly secured (default password use, low or no password). The ICS-CERT has sent an alarm signal regarding the Sierra Wireless products affected by Mirai.

In order to achieve its objective, the malware constantly scans Internet looking for poorly protected IoT systems. Once those objects infected, the hacker can then create a connected objects botnet network and use them to coordinate attacks via its command and control servers (C&C). Even if Mirai has often been highlighted by Medias in these attacks, the Bashlite malware whose functions are similar to Mirai also participated to these attacks. The latter has already infected nearly a million of devices in particular to Brazil, Colombia and Taiwan.

According to the MalwareMustDie! blog, Mirai would probably be an evolution of Gafgyt, Lizkebab, Bashlite, Bash0day, Bashdoor and Torlus malwares. Indeed, according to the telecommunications and Internet service provider Level 3 company, the Bashlite source code was leaked in 2015 and a dozen variants have emerged in 2016. The Mirai source code was issued early on October 2016.

More recently, Friday, October 21, several waves of DDOS attack via a « DNS flood » (attack of a DNS server by sending lots of requests), against the US name resolution service provider Dyn have disrupted access to several major websites during several hours such as AWS (Amazon Web Services), Twitter, Spotify, Airbnb, PayPal, eBay, CNN, the New York times... by attacking Dyn, hackers have succeed to disrupt a wider range of targets.

We note through this attack that the management and centralization of DNS cause real security problems and highlights some Internet weakness. It is easy to imagine that hackers could target majors Internet DNS servers to shutting down thousands of websites at once.

The DNS service is particularly targeted by hackers due to the simplicity to forge powerful attacks. This new « attack mode » using connected objects is clearly bring to grow due to the increased of connected devices and their low security level. Cybercrime also benefits from the development of these new technologies, with the sale of an IoT botnet network by hackers on underground forums (100,000 bots for 7.500$).