Security researchers believe they have discovered a new version of the infamous IoT-powered Mirai botnet, one that was observed carrying out a mammoth 54-hour DDoS attack on a US university last month.
The attack was notable not only for its duration but also because it targeted the application layer, flooding the site with HTTP requests, rather than the network layer that previous Mirai campaigns had hit, according to Imperva Incapsula security researcher Dima Bekerman.
“The average traffic flow came in at over 30,000 RPS and peaked at around 37,000 RPS—the most we’ve seen out of any Mirai botnet. In total, the attack generated over 2.8 billion requests,” he explained.
“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet.”
The usual suspects, CCTV cameras, DVRs and home routers, appear to have been compromised to power the attack.
“While we don’t know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities,” Bekerman continued.
“We also noticed that the DDoS bots used in the attack were hiding behind different user-agents than the five hardcoded in the default Mirai version. This, and the size of the attack itself, led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks.”
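The two classification signals Bekerman describes, header order and user-agent strings, can be checked against proxy logs directly. The following is an added example, not Imperva's classification system and not code from the article: it assumes a hypothetical reverse proxy that logs each request as a JSON line with the headers in wire order, builds a constructed sample of that format (three simulated bot sources rotating their User-Agent strings, plus two browser-like sources), and flags any header-order fingerprint shared by many sources at a high aggregate rate. The user-agent strings, addresses and thresholds are all made up for the demonstration; they are not Mirai's hardcoded list.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

Fingerprint = Tuple[str, ...]


def build_sample_log() -> str:
    """Return constructed JSON-lines traffic (not real capture data).

    Each record is what a hypothetical reverse proxy might log: a timestamp in
    seconds, the client address and the request headers in the order sent.
    """
    uas = [  # rotated by the simulated bots; deliberately not any real Mirai list
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/52.0 Safari/537.36",
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/51.0 Safari/537.36",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 Chrome/52.0 Safari/537.36",
    ]
    lines: List[str] = []
    t = 0.0
    # Three bot sources, four requests each: changing UA, unchanging header layout.
    for i, src in enumerate(["203.0.113.10", "203.0.113.11", "198.51.100.7"]):
        for k in range(4):
            headers = [["Host", "www.example.edu"],
                       ["User-Agent", uas[(i + k) % len(uas)]],
                       ["Accept", "*/*"],
                       ["Connection", "keep-alive"]]
            lines.append(json.dumps({"ts": t, "src": src, "headers": headers}))
            t += 0.5
    # Two ordinary sources, two requests each, with a Chrome-like header order.
    for src in ["192.0.2.20", "192.0.2.21"]:
        for _ in range(2):
            headers = [["Host", "www.example.edu"],
                       ["Connection", "keep-alive"],
                       ["Upgrade-Insecure-Requests", "1"],
                       ["User-Agent", uas[0]],  # same UA as a bot: UA alone separates nothing
                       ["Accept", "text/html,application/xhtml+xml"],
                       ["Accept-Encoding", "gzip, deflate"],
                       ["Accept-Language", "en-US,en;q=0.9"]]
            lines.append(json.dumps({"ts": t, "src": src, "headers": headers}))
            t += 0.5
    return "\n".join(lines)


def parse_log(text: str) -> List[dict]:
    """Parse the hypothetical JSON-lines format, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def fingerprint(headers: List[List[str]]) -> Fingerprint:
    """Header names, lower-cased, in the order the client sent them."""
    return tuple(name.lower() for name, _ in headers)


def header_value(headers: List[List[str]], name: str) -> str:
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return ""


def distinct_user_agents(records: List[dict]) -> Dict[Fingerprint, int]:
    """How many different UA strings hide behind each header-order fingerprint."""
    seen = defaultdict(set)
    for r in records:
        seen[fingerprint(r["headers"])].add(header_value(r["headers"], "User-Agent"))
    return {fp: len(uas) for fp, uas in seen.items()}


def classify(records: List[dict], window_seconds: float,
             min_sources: int, min_rps: float) -> List[dict]:
    """Flag fingerprints shared by many sources at a high aggregate request rate.

    Thresholds here are tiny so the constructed sample trips them; a production
    rule would sit orders of magnitude higher (the article reports ~30,000 RPS).
    """
    count: Dict[Fingerprint, int] = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        fp = fingerprint(r["headers"])
        count[fp] += 1
        sources[fp].add(r["src"])
    flagged = []
    for fp, n in count.items():
        rps = n / window_seconds
        if len(sources[fp]) >= min_sources and rps >= min_rps:
            flagged.append({"fingerprint": fp, "sources": len(sources[fp]),
                            "requests": n, "rps": rps})
    return sorted(flagged, key=lambda f: f["rps"], reverse=True)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    for hit in classify(recs, window_seconds=10.0, min_sources=3, min_rps=1.0):
        print(hit, "distinct UAs:", distinct_user_agents(recs)[hit["fingerprint"]])
```

In the sample the bot fingerprint carries three different User-Agent strings, so a blocklist of known bot UAs would miss two thirds of the flood, while the header order (Host, User-Agent, Accept, Connection, with none of the Accept-Encoding or Accept-Language headers a browser adds) stays constant across every bot. The converse caveat is that header order is only as good as the attacker's laziness: a variant that mimics a browser's header layout defeats this rule alone, which is why the quoted classification combined it with header values and traffic sources.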
That 54-hour duration puts this attack “in a league of its own”, according to Bekerman, as most application-layer attacks last no longer than six hours.
The attack was launched from over 9,700 IP addresses around the world, with most of the devices located in the US (18%), Israel (11%) and Taiwan (11%).
This is not the first new variant of Mirai spotted by eagle-eyed researchers; cyber-criminals are apparently adapting the malware to extend its reach.
Last December, over 100,000 TalkTalk and Post Office broadband customers were taken offline after their routers were targeted by a Mirai variant exploiting a vulnerability in the TR-069 remote management protocol.
Then earlier this year researchers discovered a previously known Windows botnet being used to spread Mirai to Linux hosts.