The malware that powered the “Botnet of Things” behind one of the largest cyberattacks ever isn’t even that great, and that’s exactly why we should be worried.
Over the last few weeks, unknown hackers have launched some of the largest cyberattacks the internet has ever seen. These attacks weren't notable just by their unprecedented size and power, but also because they were powered by a large zombie army of hacked cameras and other devices that fit into the category of Internet of Things, or IoT.
On Friday, the hacker who claims to have created the malware that was powering this massive "Botnet Of Things" published its source code, which appears to be legitimate.
"It looks like this release is the real deal," according to Marshal Webb, the chief technology officer of BackConnect, an anti-DDoS firm, who has been collecting samples of the malware in the last few weeks.
However legitimate, the malicious code isn't actually that sophisticated, according to security researchers who have been studying it.
"Whoever originally wrote it clearly put some thought into it. Like, it's better than most of the shit out there hitting IoT," Darren Martyn, a security researcher who has been analyzing the malware told Motherboard in an online chat. "[But] it's still fairly amateurish."
The malware, known as Mirai, was dumped on Hackforums by its alleged author and later published by others on GitHub. Mirai is designed to scan the internet for vulnerable internet-connected devices that use the telnet protocol and have weak default logins and passwords such as "admin" and "123456", "root" and "password", and even "mother" and "fucker," which are credentials used by another botnet made of hacked routers.
Once the malware finds one of these devices, which are usually surveillance cameras, DVRs or routers, it infects them and self-propagates. This gives the malware operators full control over the hacked devices and allows them to launch DDoS attacks, such as the ones that hit the website of noted journalist Brian Krebs and hosting provider OVH, using various sources of traffic like UDP, DNS, HTTP floods, as well as GRE IP and GRE Ethernet floods.
The malware is clearly designed to be used as a DDoS-for-hire service, as indicated by the code strings that say "Sharing access IS prohibited! [...] Do NOT share your credentials!"
The code is full of inside jokes and funny tidbits, such as several mentions of the world "memes," and even a YouTube link that turns out to point to Rick Astley video "Never Gonna Give You Up"—the once-ubiquitous internet meme known as "Rickrolling." All these are likely a way for the author or authors to poke fun at whoever is looking at the code, including security researchers and law enforcement authorities.
"It's better than most of the shit out there hitting IoT, [but] it's still fairly amateurish."
Some researchers noted that the code as it is needs some tweaking before being launched. As the security researcher MalwareTech put it in a chat, the DDoS command "will just print a bunch of hacker sounding bullshit to the console and not actually do anything"—perhaps another inside joke.
Martyn said that whoever wants to use the malware needs to change some configurations and do some setting up, but "anyone with a sense of clue could set it up in around 30 minutes."
Interestingly, some comments in parts of the malware code are in are in cyrillic script, hinting that one of the authors or developers is from Eastern Europe.
Despite being anything but Stuxnet or any other sophisticated malware, it still works, and now that is available for all to use, it is actively spreading.
If mediocre malware can power some of the largest DDoS attacks ever, and considering the sad state of security of the Internet of Things in general, we should probably brace for more cyberattacks powered by our easy-to-hack "smart" Internet of Things, as many, including ourselves, had predicted months ago.
"I am just surprised at how such a trivial attack code could be responsible for such a large DDoS. It really says a lot more about the state of IoT security than the specifics of the malware," a security researcher that goes by the name Hacker Fantastic told Motherboard. "If people still aren't changing default passwords and disabling telnet on Internet connected equipment in 2016 then we are heading to a future with more incidents like this happening."
Correction: a previous version of this story stated that the username-password combination "mother" and "fucker" was likely a joke by the malware authors. In reality, those credentials are used by a worm that infects routers and sets those credentials as passwords and usernames with the goal of creating a botnet.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.