The Metamorphosis of Mirai – Michael Patterson, Plixer International

By Mike Patterson, CEO of Plixer International

The Institute of Critical Infrastructure Technology has issued a report that contends that the Mirai malware has given even unsophisticated hackers a quantum leap in capabilities to launch cyber attacks.

A lot of the malware compromising systems today is an amalgamation of pieces of pre-existing contagions like Mirai.

It has become easy for cyber criminals to purchase software that will take advantage of specific exploits and then complement it with another cyber weapon. They can even purchase technical support to achieve their objective.

Once the software is compiled, its signature is unique and can be virtually undetectable by signature-matching cyber defense systems. We can expect larger variations of DDoS in 2017 with an array of different objectives.



Mobile phones are now being used to mount DDoS attacks against 911 systems by flooding centers with incoming phone calls.

An arms race is under way for power to disrupt the Internet and take down services and websites.

The source code for Mirai is one way to do that and it is being evolved to do even more damage.

The scary part is that it also provides the bridge for those criminals that are not tech savvy to inflict a great deal of damage by creating weapons with IoT devices.

Millions of IoT devices have been deployed with default credentials, programmed backdoor accounts, open access ports, etc., and are wide open to be taken over by the Mirai malware.

With the source code in hand, cyber criminals are racing to identify all available vulnerable devices to build massive botnets that could be used to collect confidential information or launch huge attacks to disrupt services or take down websites.

Similar to bot infections, new variants of Mirai will likely be out to engage in multiple missions with DDoS being only one of the objectives.

Combining Mirai with other pieces of software could add functionality such as key loggers or hosting websites that sell contraband, or let it perform more surreptitious missions such as routine reconnaissance that uploads information about the network it is hosted on.

In an effort to stay under the radar of threat detection systems, many forms of malware are written to operate in a low and slow fashion without scanning the network.

These infections first observe the behaviors of their host and make note of the network resources they connect to as well as the protocols they use to transfer data. Only then, after learning what is normal for the infected host, do they start connecting to the same systems, scanning directories, installing infections and then moving on to the next system.

This methodical spreading tactic allows the bad actor to set up entire camps of infected machines.  Once valuable data is identified, files can be moved slowly, in some cases over several days all while trying to avoid detection.

User element behavior analytics is emerging as a way to use statistical analysis or machine learning to find anomalies that humans are unlikely to uncover.

This strategy watches for specific events in several ways using thresholds, baselines, correlation and pattern matching.  Triggers can occur for behaviors that to the human eye have a high probability of being a false positive.

However, by weighing the individual security events from multiple systems and totaling their value over time, probability indexes can be compiled with the goal of identifying extremely stealthy forms of malware that could contain Mirai.

NetFlow and IPFIX have become staple information sources for this type of detection.
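The weighted-event scoring described above, sketched over flow records as an added example; it is not code from the original article or from any Plixer product. The record fields, baseline, weights, window and alert threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed weights: each event alone is weak evidence (likely a false positive).
WEIGHTS = {"new_peer": 2, "new_port": 1, "upload_over_baseline": 3}
WINDOW = 3 * 86400   # assumed: total events over a rolling 3-day window (seconds)
ALERT_AT = 8         # assumed: index at which a host is flagged for review

# Constructed per-host baseline, as if learned from earlier flow data.
BASELINE = {
    "10.0.0.5": {"peers": {"10.0.0.10"}, "ports": {443}, "max_out": 50_000},
    "10.0.0.7": {"peers": {"10.0.0.10"}, "ports": {443}, "max_out": 50_000},
}

# Constructed flow records: (epoch seconds, src, dst, dst_port, bytes_out).
FLOWS = [
    (0,      "10.0.0.5", "10.0.0.10",   443, 20_000),  # matches baseline
    (3600,   "10.0.0.7", "10.0.0.22",   443, 10_000),  # one odd peer, then quiet
    (7200,   "10.0.0.5", "10.0.0.21",   445,  4_000),  # new peer and new port
    (90000,  "10.0.0.5", "10.0.0.22",   445,  6_000),  # a day later, next system
    (180000, "10.0.0.5", "203.0.113.9", 443, 80_000),  # large upload, new peer
]

def events_for(flow):
    """Return the weak security events a single flow record triggers."""
    _ts, src, dst, port, out = flow
    base = BASELINE[src]
    found = []
    if dst not in base["peers"]:
        found.append("new_peer")
    if port not in base["ports"]:
        found.append("new_port")
    if out > base["max_out"]:
        found.append("upload_over_baseline")
    return found

def score_hosts(flows, now):
    """Total the event weights per source host inside the window ending at `now`."""
    totals = defaultdict(int)
    for flow in flows:
        if now - WINDOW <= flow[0] <= now:
            totals[flow[1]] += sum(WEIGHTS[e] for e in events_for(flow))
    return dict(totals)

def flagged(flows, now):
    """Hosts whose accumulated index reaches the alert threshold."""
    return sorted(h for h, s in score_hosts(flows, now).items() if s >= ALERT_AT)

if __name__ == "__main__":
    print(score_hosts(FLOWS, 180000), flagged(FLOWS, 180000))
```

No single flow from 10.0.0.5 reaches the threshold; the host is flagged only once three days of weak events are totaled, while the one-off anomaly on 10.0.0.7 stays below it.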


Although flow technologies are most often used for forensic investigative work, the security industry is coming to the realization that they are also excellent for unearthing slow-moving, furtive infections as well as for mitigating real-time attacks such as DDoS that are powered by Mirai.

About the Author


Michael Patterson is the CEO of Plixer International.

Michael worked in technical support and product training at Cabletron Systems while he finished his Master's in Computer Information Systems from Southern New Hampshire University.

He joined Professional Services for a year before he left the ‘Tron’ in 1998 to start Somix which eventually became Plixer.