100K routers are ready, willing and able with new Mirai strain
A new strain of the Mirai IoT malware has recruited about 100,000 home and office routers, reports Ars Technica. The original Mirai source code came out in October of last year, with each subsequent update containing "amateur mistakes" that prevented mass devastation like the original caused.
The current strain of Mirai takes up a trait first used by October's Reaper. The current strain and Reaper, unlike other variants, do not use default passwords and instead propagate "by exploiting remote code-execution vulnerabilities," according to the report.
The new strain is said to take advantage of an existing "zero-day vulnerability" in two lines of popular routers despite password protection. About 90% of the compromised routers are one of two Huawei router models. Thus far, the only known actions of the new strain are that it is searching the internet for vulnerable devices to infect and then does so. However, the addition of every new device could give way for a potentially disastrous DDoS attack or extortion.
About 24 billion IoT devices are expected to be in networks by 2020. The increase in devices also boosts the probability of an attack. An entire network of connected devices is the perfect playground for hackers.
Botnets form when connected devices have been compromised. The result is an army-like network of infected devices, which, once instructed, can launch a mass attack. Because IoT devices are typically built without optimal security due to "societal" demands, hackers do not have much difficulty accessing devices.
As of right now, the infected routers are just ready, willing and able for an attack. The potential for devastating activity will increase as the number of connected devices do the same.
The cost of such attacks is already remarkably low for hackers. A 300-second attack costs a hacker about $5 and a 24-hour attack costs about $400. The cost is low compared to the cost companies stand to lose after a DDoS attack strikes. Some companies lose up to $100,000 per hour of an attack.
- Ars Technica 100,000-strong botnet built on router 0-day could strike at any time
- MIT Technology Review A New Big, Bad Botnet of Things Is on the Prowl
Follow Samantha Ann Schwartz on Twitter