Mapping Mirai Botnet

mirai A malicious botnet made out of Mirai malware has disrupted internet traffic to popular websites like twitter, github, paypal, etc in the United States. According to popular network security companies the botnet was specially crafted to attack internet-connected cameras and DVRs. The Chinese company “Hangzhou Xiongmai Technology” (network camera manufacturers) has admitted that their devices were behind Fridays DDoS attack and they are recalling 3.8 million affected devices for fixing them. DNS service provider company Dyn has also confirmed that they observed millions of discrete IP addresses associated with the Mirai botnet. Most of the service providers affected by the botnet were able to easily recover from the attack but botnets like these can attack again in coming future. Last month the same botnet took Brian Kerb’s website down through delivering 665 Gbps of traffic.

How botnet works: The botnet is designed to brute force telnet service on internet-connected cameras installed with Dahua firmware or a generic management interface called “NETSurveillance” with 62 different combinations of usernames and passwords (admin:admin, admin:12345, etc.). Once botnet is able to successfully login into the camera login portals the services like telnet, ssh and HTTP are blocked and then device is seeded with malicious program that turns it into an enslaved bot. These bots will now report to the command and control centre from where DDoS attacks can be launched to make websites unresponsive. This attacks would have be avoided if the camera login panels or the real time streaming protocol service is restricted for remote access.

Source code released online : The author behind the Mirai malware has released the code online for research and development purpose stating “I have earn my share of money and now I want to get out of this business” Follow the link to download source code :
What to do : The Chinese company has advised its customers to change default passwords and update the firmware of the device and keep the devices disconnected until patched. Few researchers are also augmenting on the subject why a devices like network camera needs remote access from internet and up to a certain level I am also in favor of this response. The companies making IoT devices should enforce the user during its initial configuration to change the default password and remote access to such sensitive and weak IoT devices should not be enabled.

How you can access unprotected network cameras :
1. Try searching on Google for “inurl:index.shtml” and follow the link with IP address in the url. If lucky enough you will be able to see live view of an internet connected camera live streaming from some other continent.


2. Multiple websites are available on the internet that can be used to look for devices connected to the internet with a specific configuration. Below is the screenshot for your reference where I tried searching for specific network camera on the internet.
And clicking to any of the above listed options will take you to the login panel straight away. I think now you can also realized how easy it can be to attack a specific set of devices connected to the internet.
cam1Conclusion: It’s very probable to see such DDoS attacks in near future targeting vulnerable IoT device. The manufacturers of these devices should consider few basic security practices before shipping the products.