Level 3 Communications has reported that since the release of the Mirai source code, the total number of IoT devices infected with the Mirai malware has reached 493,000, more than double the previous 213,000 bots. Since the source code for Mirai was released to the public on Oct. 1, adversaries have been developing new variants of the malware. Over the three-week period, the total number of Mirai bots infecting Internet of Things (IoT) devices has spiked.
The public availability of Mirai also gave researchers an opportunity to study its behavior. So far, Mirai is known to continually scan the Internet for connected devices and to compromise them with brute-force attacks that try known default or weak credentials. Using machine learning detection software, Level 3 Research Labs has so far identified four additional command-and-control (C&C) servers associated with Mirai activity coming online this month, with new C2 IPs coming online every other day.
The majority of the Mirai source code was identified in 80% of DVRs, and Mirai malware can identify and infect a wide range of IoT devices, including Linux servers, routers, CCTVs, IP cameras and Sierra Wireless' gateways. Level 3 has also revealed that at least a quarter of the infected IoT devices are in the US, followed by Brazil with 23% and Colombia with 8% of total identified infected devices. Level 3 also noticed that the attackers behind Gafgyt and Bashlite, malware families also known for attacking IoT devices, attacked the Mirai command infrastructure several times with massive gigabit-per-second DDoS attacks around Sept. 18.
“With the recent and frequent introduction of new Mirai variants, we expect continued DDoS activity from Mirai botnets. In some cases, we see the new variants running all of their infrastructures on one or two hosts, as opposed to the original Mirai variant which had many different hosts and frequently changed IPs to avoid detection or attack,” says Level 3.