Mirai Code Still Runs on Many IoT Devices

Mirai will go down in history as the first botnet of internet-of-things devices powerful enough to shake the web. A year later, thousands of gadgets are still infected with code that is likely from the original versions of the malware program and tens of thousands more appear to be infected by other malware of the same kind. These devices may remain compromised for years.

A common weakness exploited in IoT systems is the presence of a telnet connection that allows access to the device using default credentials, and this is how Mirai recruited its army of bots. Mirai’s demonstration of power and leaking of its code last year boosted botnet malware activity, with multiple variants and new strains emerging.

Johannes Ullrich, dean of research at the SANS Technology Institute, says that current telemetry on telnet scanning shows at least 100,000 sources daily. Many of them account for new malware families or newer versions of Mirai controlled by different groups in the distributed denial-of-service business. Ullrich estimates that systems still infected with the original code include up to 10,000 active hosts.

“Port 2323 only sees around 5-10,000 sources per day. These are likely remnants of the original Mirai versions. Later versions did not use port 2323 as much as earlier versions,” explains the researcher in a blog post.

While monitoring telnet scanning activity on the web does not offer an indication of the malicious code in command of the device, each malware program comes with some particularities that researchers use to make an estimate. The port used for scanning could be the mark of a certain version of malware or an explicit period of time.

Based on his observations, Ullrich says the Mirai-infected IoT is likely to persist a few more years. An argument for this prognosis is that the malware code has too little impact on the network to create the pressure of patching. In many cases, there is no patch for the affected device or the user cannot change the default password.

One solution that protects all IoT gadgets in a home is a security product able to filter all traffic in and out of the home network and blocks malicious connections. Bitdefender BOX works this way and relies on a large net of sensors spread across the world to collect and inventory bad online locations that should be avoided.

The alternatives would be to choose products from security-conscious vendors, but these are hard to spot and come at a higher price. As a rule of thumb, though, if a device comes with an update mechanism, it is less likely that it harbours easy-to-exploit vulnerabilities.

Image credit: creative commons