Mirai Botnet
Photo credit: Dyn

A hacker us renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone's behest.

For our readers unfamiliar with Mirai, this is a malware family that targets embedded systems and Internet of Things (IoT) devices and has been used in the past two months to launch the largest DDoS attacks known to date.

Previous high-profile victims included French Internet service provider OVH (1.1 Tbps), managed DNS service provider Dyn (size unknown), and the personal blog of investigative journalist Brian Krebs (620 Gbps), who at the time, had just recently uncovered an Israeli DDoS-for-Hire service called vDos.

400K botnet spawned from original Mirai source code

After the OVH and Krebs DDoS attacks, the creator of this malware open-sourced Mirai, so other crooks could deploy their own botnets and cover some of the malware creator's tracks.

According to a Flashpoint report, this is exactly what happened, with multiple Mirai botnets popping up all over the web, as small-time crooks tried to set up their personal DDoS cannons.

Two security researchers that go online only by their nicknames, 2sec4u and MalwareTech, have been tracking some of these Mirai-based botnets via the @MiraiAttacks Twitter account and the MalwareTech Botnet Tracker.

The two say that most of the Mirai botnets they follow are relatively small in size, but there is one much much bigger than most.

"You can see when they [massive botnet operators] launch DDoS attacks because the graph on my tracker drops by more than half," MalwareTech told Bleeping Computer. "They have more bots than all the other Mirai botnets put together."

400K Mirai botnet available for renting

In a spam campaign carried out via XMPP/Jabber started yesterday, a hacker has begun advertising their own DDoS-for-hire service, built on the Mirai malware.

The two claim to be in the control of a Mirai botnet of 400,000 devices, albeit we couldn't 100% verify it's the same botnet observed by 2sec4u and MalwareTech (more on this later).

A redacted version of the spam message is available below, along with the ad's text.

Mirai botnet ad

Rent from Biggest Mirai Botnet (400k+ devices)
We use 0day exploits to get devices - not only telnet and ssh scanner.
Anti ddos mitigation techniques for tcp/udp.
Limited spots - Minimum 2 week spot.
Flexible plans and limits.
Free short test attacks, if we have time to show.

Botnet developed by reputable hacker

The hacker behind this botnet is BestBuy, also known as Popopret, the same hacker behind the GovRAT malware that was used to breach and steal data from countless of US companies. More details about their previous endeavors are available in an InfoArmor report relesed this autumn. BestBuy is part of a core group of hackers that were active on the infamous Hell hacking forum, considered at one point the main meeting place for many elite hackers.

Bleeping Computer reached out to BestBuy via Jabber, but the hacker declined to answer some of our questions, not to expose sensitive information about their operation and their identities.

Botnet isn't cheap

According to the botnet's ad and what BestBuy told us, customers can rent their desired quantity of Mirai bots, but for a minimum period of two weeks.

"Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount)," BestBuy told Bleeping Computer.

Customers don't get discounts if they buy larger quantities of bots, but they do get a discount if they use longer DDoS cooldown periods.

"DDoS cooldown" is a term that refers to the time between consecutive DDoS attacks. DDoS botnets use cooldown times to avoid maxing out connections, filling and wasting bandwidth, but also preventing devices from pinging out and disconnecting during prolonged attack waves.

BestBuy provided an example: "price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks." As you can see, this is no cheap service.

Once the botnet owners reach an agreement with the buyer, the customer gets the Onion URL of the botnet's backend, where he can connect via Telnet and launch his attacks.

400K botnet has evolved, added new features

Compared to the original Mirai source code that was leaked online at the start of October, the botnet BestBuy is advertising has undergone a serious facelift.

The original Mirai botnet was limited to only 200,000 bots. As security researcher 2sec4u told Bleeping Computer, this was because the Mirai malware only came with support for launching brute-force attacks via Telnet, and with a hardcoded list of 60 username & password combinations.

The 200K limit is because there are about only 200,000 Internet-connected devices that have open Telnet ports and use one of the 60 username & password combinations.

BestBuy expanded the Mirai source by adding the option to carry out brute-force attacks via SSH, but also added support for the malware to exploit a zero-day vulnerability in an unnamed device. 2sec4u says he suspected new Mirai malware variants might use exploits and zero-days, but this is currently unconfirmed since nobody reverse-engineered recent versions of the Mirai malware binary to confirm Popopret's statements.

The 400K botnet might be "Botnet #14"

BestBuy also advertised another new feature, which is the ability to bypass some DDoS mitigation systems by spoofing (faking) the bot's IP address. Previous versions of the Mirai malware didn't include this feature.

2sec4u confirmed in a private conversation that some of the newly-spawned Mirai botnets can carry out DDoS attacks by spoofing IP addresses.

The same feature was seen by MalwareTech, who tweeted about it three days ago. In a private conversation, MalwareTech confirmed that the big Mirai botnet they were tracking was capable of bypassing DDoS mitigation systems.

On Twitter, the @MiraiAttacks account tracks this huge botnet as "Botnet #14." This is the same botnet that was used in an attempt to bring down one of Liberia's Internet service providers.

Hacker refuse live test, attribution gets tricky

In private conversations with BestBuy, the hacker respectfully declined to provide evidence of their botnet's capabilities. Bleeping Computer asked the hacker to run a demo DDoS attack on a test server or at least a screenshot of their backend.

The two also declined to take credit for any DDoS attack that might tie their botnet's infrastructure to previous attacks. When asked if their botnet was used in any high-profile attacks, Popopret said: "we do not monitor our clients."

Popopret was very aware that 2sec4u and MalwareTech were tracking his botnet. Despite the hacker refusing to carry out a test DDoS attack, their reputation, their reluctance to expose their infrastruture in any way, clues in their XMPP ad, and the observations of security researchers, point to the fact that BestBuy is most likely the operator of the largest Mirai botnet known today.

BestBuy also provided an interesting tidbit of information, revealing that he had access to the Mirai source code, long before it went public, showing some possible connections to Mirai's creator, a hacker that goes by the nickname of Anna-senpai.

While the two appear to be in charge of the most developed Mirai botnet after the original died down, other botnets have evolved with their own set of features as well, albeit not as complex as Botnet #14. For example, Incapsula detected a Mirai botnet capable of launching DDoS attacks via STOMP, a messaging protocol generally used by servers.