Tuesday, November 12, 2024
HomeDDOSYou, Too, Can Rent the Mirai Botnet

You, Too, Can Rent the Mirai Botnet

Published on

Malware protection

Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone’s behest.

For our readers unfamiliar with Mirai, this is a malware family that targets embedded systems and Internet of Things (IoT) devices and has been used in the past two months to launch the largest DDoS attacks known to date.

Previous high-profile victims included French Internet service provider OVH (1.1 Tbps), managed DNS service provider Dyn (size unknown), and the personal blog of investigative journalist Brian Krebs (620 Gbps), who at the time, had just recently uncovered an Israeli DDoS-for-Hire service called vDos.

- Advertisement - SIEM as a Service

400K botnet spawned from original Mirai source code

After the OVH and Krebs DDoS attacks, the creator of this malware open-sourced Mirai, so other crooks could deploy their own botnets and cover some of the malware creator’s tracks.

According to a Flashpoint report, this is exactly what happened, with multiple Mirai botnets popping up all over the web, as small-time crooks tried to set up their personal DDoS cannons.

Two security researchers that go online only by their nicknames, 2sec4u and MalwareTech, have been tracking some of these Mirai-based botnets via the @MiraiAttacks Twitter account and the MalwareTech Botnet Tracker.

The two say that most of the Mirai botnets they follow are relatively small in size, but there is one much much bigger than most.

“You can see when they [massive botnet operators] launch DDoS attacks because the graph on my tracker drops by more than half,” MalwareTech told Bleeping Computer. “They have more bots than all the other Mirai botnets put together.”

400K Mirai botnet available for renting

In a spam campaign carried out via XMPP/Jabber started yesterday, two hackers have begun advertising their own DDoS-for-hire service, built on the Mirai malware.

The two claim to be in the control of a Mirai botnet of 400,000 devices, albeit we couldn’t 100% verify it’s the same botnet observed by 2sec4u and MalwareTech (more on this later).

A redacted version of the spam message is available below, along with the ad’s text.

murai

Botnet developed by reputable hackers

The two hackers behind this botnet are BestBuy and Popopret, the same two guys behind the GovRAT malware that was used to breach and steal data from countless of US companies. More details about their previous endeavors are available in an InfoArmor report relesed this autumn.

The two are also part of a core group of hackers that were active on the infamous Hell hacking forum, considered at one point the main meeting place for many elite hackers, so it’s safe to say these are not your regular script kiddies.

Bleeping Computer reached out to both hackers via Jabber. Both Popopret and BestBuy had the time for a conversation but declined to answer some of our questions, not to expose sensitive information about their operation and their identities.

Botnet isn’t cheap

According to the botnet’s ad and what Popopret told us, customers can rent their desired quantity of Mirai bots, but for a minimum period of two weeks.

“Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount),” Popopret told Bleeping Computer.

Customers don’t get discounts if they buy larger quantities of bots, but they do get a discount if they use longer DDoS cooldown periods.

“DDoS cooldown” is a term that refers to the time between consecutive DDoS attacks. DDoS botnets use cooldown times to avoid maxing out connections, filling and wasting bandwidth, but also preventing devices from pinging out and disconnecting during prolonged attack waves.

Popopret provided an example: “price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks.” As you can see, this is no cheap service.

Once the botnet owners reach an agreement with the buyer, the customer gets the Onion URL of the botnet’s backend, where he can connect via Telnet and launch his attacks.

400K botnet has evolved, added new features

Compared to the original Mirai source code that was leaked online at the start of October, the botnet Popopret and BestBuy are advertising has undergone a serious facelift.

The original Mirai botnet was limited to only 200,000 bots. As security researcher 2sec4u told Bleeping Computer, this was because the Mirai malware only came with support for launching brute-force attacks via Telnet, and with a hardcoded list of 60 username & password combinations.

The 200K limit is because there are about only 200,000 Internet-connected devices that have open Telnet ports and use one of the 60 username & password combinations.

Popopret and BestBuy expanded the Mirai source by adding the option to carry out brute-force attacks via SSH, but also added support for the malware to exploit a zero-day vulnerability in an unnamed device.

2sec4u says he suspected new Mirai malware variants might use exploits and zero-days, but this is currently unconfirmed since nobody reverse-engineered recent versions of the Mirai malware binary to confirm Popopret’s statements.

Also Read :

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

The United States Department of Justice has unsealed an indictment against Anonymous Sudan, a...

Russia-Linked Hackers Attacking Governmental And Political Organizations

Two pro-Russian threat actors launched a distributed denial-of-service (DDoS) attack campaign against Japanese organizations...

GorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

The newly emerged Gorilla Botnet has exhibited unprecedented activity, launching over 300,000 DDoS attacks...