Are You Ready for the Wicked Mirai Variant?

Companies Should Prepare Now to Avoid It

It may be wrong to judge a book by its cover, but what about judging a botnet by its name? If you have not yet heard of Wicked, a new variant of the Mirai IoT botnet, it’s time to take note. Wicked is just as destructive as it sounds, featuring both old and new exploits. The ideal target for this particular Mirai spinoff is a problem that already exists: Wicked can easily take hold of devices such as vulnerable home routers, or closed-circuit cameras with a remote code execution flaw. But the danger is not exclusive to IoT devices; Wicked also leverages vulnerable web servers. The resulting distributed denial-of-service (DDoS) attacks can be downright devastating, with multiple compromised systems working in concert to shut a service down.

More on Mirai

It has been nearly two years since the Mirai botnet was first spotted, fueling some of the largest DDoS attacks during its time. Case in point: Mirai was a big deal; it infected thousands of devices, cost its victims loads of money, and even inspired Google to take action with Project Shield. It did not take long before the source code was made public in October 2016. After becoming so readily available, it was easy for other hackers to play with and enhance the code, creating new variations including Masuta, Satori, and Okiru, to name a few. And now, Wicked.

Reports of this latest IoT Mirai variant demonstrate how proficient hackers are at taking an initial concept and evolving it to keep ahead of the defenders. With the initial password brute-force compromises of Mirai itself sure to be closed down fairly rapidly, hackers quickly turned to more subtle and sophisticated vulnerabilities to compromise similar devices and use them for their nefarious activities.

This latest variant, known as Wicked, uses two recently reported GPON router vulnerabilities to bypass user authentication altogether and then run arbitrary commands via remote code execution, taking complete control of the device. The vulnerable devices are reported to be older models which are well past their end-of-support dates. With the number of affected devices in the hundreds of thousands and no patch forthcoming from the router vendor, one approach is to disable or block access to the web server on the devices in question.
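One way to find and fence off such an exposed management web server on a Linux-based router or gateway, as an added example that is not part of the original post: it reads `ss -ltn` output, flags web-management ports bound to all interfaces, and emits iptables rules that drop those ports on the WAN interface. The interface name `eth0`, the port list and the sample `ss` output below are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit for web-management listeners reachable from the WAN
# side and generate firewall rules to block them. Assumptions: the WAN
# interface is eth0 and management runs on 80/443/8080 (override via env).
WAN_IF="${WAN_IF:-eth0}"
MGMT_PORTS="${MGMT_PORTS:-80 443 8080}"

# Constructed sample of `ss -ltn` output (not a real capture).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:443        0.0.0.0:*
LISTEN  0       128     [::]:8080            [::]:*
LISTEN  0       128     192.168.1.1:22       0.0.0.0:*'

# Read ss-style lines on stdin; print each management port whose socket is
# bound to every interface (0.0.0.0, * or [::]) and so is reachable from WAN.
exposed_web_ports() {
  awk -v ports="$MGMT_PORTS" '
    BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4; sub(/:[^:]*$/, "", addr)   # strip the trailing :port
      port = $4; sub(/.*:/, "", port)       # keep only the port
      if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") && (port in w))
        print port
    }'
}

# Read port numbers on stdin; print one DROP rule per port for the WAN
# interface. Review the output before applying it on the device.
gen_block_rules() {
  while read -r port; do
    printf 'iptables -I INPUT -i %s -p tcp --dport %s -j DROP\n' "$WAN_IF" "$port"
  done
}

# Stand-alone run over the constructed sample; on a real device replace the
# sample with `ss -ltn`.
printf '%s\n' "$SAMPLE_SS" | exposed_web_ports | gen_block_rules
```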

How to Defend Against Mirai’s Wicked and Other DDoS Attacks

While patching routers and other IoT devices can provide a fix, doing so is very much in the hands of the consumers who use them. Unfortunately, since it is not the consumers themselves who are on the receiving end of the resulting botnet attacks, they are typically unaware there is an issue that needs addressing. This means they are unlikely to do anything about it without intervention from their ISP or device vendor.

For the unfortunate targets of the resulting botnet attacks, being proactive is, of course, the first step. But this can be a challenge when IT security teams may not always know what to look for, especially when hackers are evolving their techniques at such a rapid pace. By the time IT teams are aware of a problem and can take action, it can be too late to prevent serious downtime and damage. One way to stop these attacks cold and prevent all variations of Mirai and other DDoS attacks is to implement the latest generation of real-time, automatic DDoS protection solutions.

These latest-generation solutions can instantly detect DDoS attacks, long before an IT team can, and shut them down. And, with hackers dynamically changing the threat landscape, ensuring continuous uptime means it is time to pit these machine-learning solutions against the evolving DDoS attacks.

About the Author

Sean Newman is Director Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.