Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone's behest.
For our readers unfamiliar with Mirai, this is a malware family that targets embedded systems and Internet of Things (IoT) devices and has been used in the past two months to launch the largest DDoS attacks known to date.
Previous high-profile victims included French Internet service provider OVH (1.1 Tbps), managed DNS service provider Dyn (size unknown), and the personal blog of investigative journalist Brian Krebs (620 Gbps), who at the time, had just recently uncovered an Israeli DDoS-for-Hire service called vDos.
After the OVH and Krebs DDoS attacks, the creator of this malware open-sourced Mirai, so other crooks could deploy their own botnets and cover some of the malware creator's tracks.
According to a Flashpoint report, this is exactly what happened, with multiple Mirai botnets popping up all over the web, as small-time crooks tried to set up their personal DDoS cannons.
Two security researchers that go online only by their nicknames, 2sec4u and MalwareTech, have been tracking some of these Mirai-based botnets via the @MiraiAttacks Twitter account and the MalwareTech Botnet Tracker.
The two say that most of the Mirai botnets they follow are relatively small in size, but there is one much much bigger than most.
"You can see when they [massive botnet operators] launch DDoS attacks because the graph on my tracker drops by more than half," MalwareTech told Bleeping Computer. "They have more bots than all the other Mirai botnets put together."
In a spam campaign carried out via XMPP/Jabber started yesterday, two hackers have begun advertising their own DDoS-for-hire service, built on the Mirai malware.
The two claim to be in the control of a Mirai botnet of 400,000 devices, albeit we couldn't 100% verify it's the same botnet observed by 2sec4u and MalwareTech (more on this later).
A redacted version of the spam message is available below, along with the ad's text.
The two hackers behind this botnet are BestBuy and Popopret, the same two guys behind the GovRAT malware that was used to breach and steal data from countless of US companies. More details about their previous endeavors are available in an InfoArmor report relesed this autumn.
The two are also part of a core group of hackers that were active on the infamous Hell hacking forum, considered at one point the main meeting place for many elite hackers, so it's safe to say these are not your regular script kiddies.
Bleeping Computer reached out to both hackers via Jabber. Both Popopret and BestBuy had the time for a conversation but declined to answer some of our questions, not to expose sensitive information about their operation and their identities.
According to the botnet's ad and what Popopret told us, customers can rent their desired quantity of Mirai bots, but for a minimum period of two weeks.
"Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount)," Popopret told Bleeping Computer.
Customers don't get discounts if they buy larger quantities of bots, but they do get a discount if they use longer DDoS cooldown periods.
"DDoS cooldown" is a term that refers to the time between consecutive DDoS attacks. DDoS botnets use cooldown times to avoid maxing out connections, filling and wasting bandwidth, but also preventing devices from pinging out and disconnecting during prolonged attack waves.
Popopret provided an example: "price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks." As you can see, this is no cheap service.
Once the botnet owners reach an agreement with the buyer, the customer gets the Onion URL of the botnet's backend, where he can connect via Telnet and launch his attacks.
Compared to the original Mirai source code that was leaked online at the start of October, the botnet Popopret and BestBuy are advertising has undergone a serious facelift.
The original Mirai botnet was limited to only 200,000 bots. As security researcher 2sec4u told Bleeping Computer, this was because the Mirai malware only came with support for launching brute-force attacks via Telnet, and with a hardcoded list of 60 username & password combinations.
The 200K limit is because there are about only 200,000 Internet-connected devices that have open Telnet ports and use one of the 60 username & password combinations.
Popopret and BestBuy expanded the Mirai source by adding the option to carry out brute-force attacks via SSH, but also added support for the malware to exploit a zero-day vulnerability in an unnamed device. 2sec4u says he suspected new Mirai malware variants might use exploits and zero-days, but this is currently unconfirmed since nobody reverse-engineered recent versions of the Mirai malware binary to confirm Popopret's statements.
Propoet also advertised another new feature, which is the ability to bypass some DDoS mitigation systems by spoofing (faking) the bot's IP address. Previous versions of the Mirai malware didn't include this feature.
2sec4u confirmed in a private conversation that some of the newly-spawned Mirai botnets can carry out DDoS attacks by spoofing IP addresses.
The same feature was seen by MalwareTech, who tweeted about it three days ago. In a private conversation, MalwareTech confirmed that the big Mirai botnet they were tracking was capable of bypassing DDoS mitigation systems.
On Twitter, the @MiraiAttacks account tracks this huge botnet as "Botnet #14." This is the same botnet that was used in an attempt to bring down one of Liberia's Internet service providers.
In private conversations with both Popopret and BestBuy, the hackers respectfully declined to provide evidence of their botnet's capabilities. Bleeping Computer asked the two hackers to run a demo DDoS attack on a test server or at least a screenshot of their backend.
The two also declined to take credit for any DDoS attack that might tie their botnet's infrastructure to previous attacks. When asked if their botnet was used in any high-profile attacks, Popopret said: "we do not monitor our clients."
Popopret was very aware that 2sec4u and MalwareTech were tracking his botnet. Despite the two hackers refusing to carry out a test DDoS attack, their reputation, their reluctance to expose their infrastruture in any way, clues in their XMPP ad, and the observations of security researchers, point to the fact that Popopret and BestBuy are most likely the operators of the largest Mirai botnet known today.
Popopret also provided an interesting tidbit of information, revealing that he and BestBuy had access to the Mirai source code, long before it went public, showing some possible connections to Mirai's creator, a hacker that goes by the nickname of Anna-senpai.
While the two appear to be in charge of the most developed Mirai botnet after the original died down, other botnets have evolved with their own set of features as well, albeit not as complex as Botnet #14. For example, Incapsula detected a Mirai botnet capable of launching DDoS attacks via STOMP, a messaging protocol generally used by servers.