Ankit Anubhav, a principal researcher at NewSky, explained how to exploit a trivial bug in the code of the Mirai bot, which is present in many of its variants, to crash it.
The expert pointed out that a Mirai C2 server crashes when someone connects it using as username a sequence of 1025+ “a” characters.
Analyzing a part of the Mirai source code available on Github the experts noticed that the username is passed to the
“Since a majority of IoT botnets even in 2019 are based of Mirai, this vulnerability has been passed out in many of the variants and is already used in full force among Blackhats. ” explained Ankit Anubhav.
Some threat actors in the wild are aware of this bug in Mirai code and used it to crash the C2 servers of the rivals,
“When we asked Scarface, an established IoT threat actor about it, he said “Yes,I have often used this to annoy script kiddies who sell botnet spots. The C2 stays down until the botnet owner realizes that the C2 is down and opens it again. I do think it is very relevant because if a script were to be made to check when the C2 is up and crash it continuously, it will make all Mirai based botnets pretty much useless.”
The expert concluded discouraging the practice of crashing all known C2 servers in a loop because it is illegal, instead, it suggests to report them to the police, CERTs and ISPs.
“A lot of enthusiastic white hats want to make the world of CyberSecurity safer. Some may think its useful to create a daemon service which keeps on crashing all known C2 servers in a loop. However, such practice of crashing all these Mirai type C2 servers may not be permitted according to local laws, even if one is disrupting malicious servers.” concludes
Ankit Anubhav. “Hence the best way to stop a server is not to take matter in your own hands, but to report the IP to the hosting provider, CERT or law enforcement, which many white hats are already doing rigorously.”
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.