On September 20th, the widely read security blog, Krebs On Security, was targeted by a massive DDoS attack that was powered by the Mirai botnet. The same malware was deemed responsible for the Dyn attack on October 21st by Flashpoint.

The Mirai malware continuously scans the Internet for vulnerable IoT devices such as home routers, network-enabled cameras, and digital video recorders, which, once found, infect the host and turn it into a botnet.

 

Mirai uses a short list of common default usernames and passwords to try and break into vulnerable devices. This works due to the fact that many devices are using the default passwords and may not even be secured at all. The author of the malware claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on the Krebs blog.

Since there are so many devices out there that are exposed to this malware – we recommend using the housekeeper.reposify.com tool to check if you have any exposed devices that might become exposed to this attack in the future. (Please note, this check will not be as useful if you are using a broadband connection.)

If you find out that you are infected, there are five simple steps that you can take to clean the infection and make sure that you will not be part of the next attack (well, at least not one that is orchestrated by Mirai).

  1. DON’T PANIC
  2. Disconnect your device from the internet
  3. Reboot the device (it’s a memory infection! Once you reboot- poof! The witch is gone!)
  4. Change the device password – make sure it is a strong one – hints on how to choose a strong password can be found on Kreb’s blog
  5. Have a beer!

Note - IoT vendors are releasing advisories about their products. Contact your device vendor if you do not see them listed below.

An Official US CERT advisory is available here - Alert (TA16-288A) Heightened DDoS Threat Posed by Mirai and Other Botnets

 

ThreatSTOP customers are protected from having their devices participate in DDoS attacks that are carried out by Mirai if they have TS Critical and TS Critical Domains targets configured in their policies.