After weeks of turf war, two cybercriminals seem to have found a new way to take control and expand the the infamous Mirai botnet.
The massive cyberattacks that in the last few weeks have crippled several popular services like Twitter and Spotify, the website of a noted security journalist, and many more, may be about to get worse.
Two hackers appear to have created a new powerful zombie army of hacked Internet of Things devices with a modified version of the infamous malware Mirai. The cybercriminals are offering the powerful botnet to anyone who's willing to pay to launch crippling distributed denial of service (DDoS) cyberattacks.
Last month, unknown attackers intermittently knocked offline several popular websites like Twitter, Spotify and many others using Mirai, a now-widespread type of malware created to automatically scan the internet for easy-to-hack devices and turn them into bots that can launch DDoS attacks. Now, two cybercriminals claim to have improved Mirai to infect new devices—mostly routers. This new variant gives them the ability to potentially harvest hundreds of thousands, perhaps millions, of new bots, according to security researchers.
One of the two hackers behind this new Mirai variant said they have control over one million hacked devices.
"The original Mirai was easy to take, like candy from this kids," the hacker, who calls himself BestBuy, told Motherboard in an online chat, referring to other competing hackers, who've been fighting in an online turf war to control vulnerable devices in the last few weeks.
The security firm Flashpoint, who's been tracking Mirai since last summer, wrote in a blog post on Tuesday that "the new Mirai variant is likely an attempt by one of the existing Mirai botmasters to expand the number of infected devices in their botnet."
"The original Mirai was easy to take, like candy from this kids."
An independent security researcher known as MalwareTech, who's also been monitoring Mirai attacks for weeks, said that the two hackers are now in control of 75 percent (roughly 400,000) of all Mirai devices on the internet. Dale Drew, the chief security officer at Level 3 Communications, a large internet infrastructure provider, said in an email that the Mirai bot count (the number of infected devices that can be used to launch attacks) is as high as 500,000 as of this week, and added that "it's possible" that someone could rent the "full power of the bot."
BestBuy also claimed responsibility for an outage that affected almost one million customers of the German internet service provider Deutsche Telekom over the weekend. The telecommunications company blamed the outage on a failed attempt to hijack routers and enlist them in the Mirai botnet.
"I would like to say sorry to [Deutsche Telekom] customers - it was not our intention," BestBuy said.
BestBuy and their partner, who goes by the name Popopret, started advertising access to their new Mirai botnet last week, sending spam messages via the online chat protocol XMPP/Jabber, as first reported by the security blog BleepingComputer. In the ad, the hackers offered to rent the "biggest Mirai botnet," made
BestBuy said that they are offering customers different prices depending on their needs. For as little as $2,000, the hacker said, a customer can rent 20,000 to 25,000 nodes to launch intermittent one-hour long attacks over the span of two weeks, with 15 minutes of "cooldown" time between attacks. For $15,000 or $20,000, customers can get 600,000 bots to launch 2-hour-long attacks with 30 or 15 minutes of "cooldown" time. This costlier package gives customers 700 gbps of traffic or more, according to the hacker.
It's unclear how many nodes BestBuy and Popopret really control, as of now, we have no way of knowing exactly how many devices these hackers have commanded, let alone how many are the ones that were originally infected by Mirai. And it's obviously in their best interest to inflate those numbers. The hackers also declined to provide specifics about how they're infecting new targets, only saying that they're using their own "bigger" botnet they to get to vulnerable devices before other competing hackers.
"Having bigger [botnet] means when device is restarted - we will get it first and lock it," BestBuy said. "Why not make Mirai hunt Mirai?" [...] "Make it kill the original."
"Business is business but there is limit to everything. Some things in the internet you should not hit."
It's possible that the two have found a way to reach an almost-monopoly over other Mirai botnets by scanning for new targets using a recently disclosed flaw, and by being faster at infecting and re-infecting targets, according to security researchers. (Usually devices infected by Mirai can remove the malware simply by rebooting, but they can then be reinfected by Mirai or other malware again).
"Basically that would mean they have more resources than the smaller players, more scan servers, better [command and control] setup," Darren Martyn, a security researcher who's also analyzed Mirai told Motherboard. "The simplest way is just being faster than everyone else [...] when a device becomes uninfected, it's a 'race.'"
The two hackers for now seems to be winning this race, which might be bad news for the internet. BestBuy, however, claim the two have ethical limits, blacklisting certain IPs to prevent their customers from hitting "critical infrastructure of specific companies."
"Business is business but there is limit to everything," BestBuy said. "Some things in the internet you should not hit."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.