14 DAY TRIAL // The author of the Mirai DDoS trojan, which was used to attack Brian Krebs' website these past weeks, has published the source code of his malware following intense pressure from security researchers.
Mirai is a DDoS trojan that targets Linux systems, and more precisely architectures deployed with IoT devices.
The trojan appeared at the start of September 2016, and according to a security researcher named MalwareMustDie!, Mirai is an improved version of another DDoS trojan known under different names such as Bashlite, GayFgt, LizKebab, Torlus, Bash0day, and Bashdoor.
Mirai source code released on Hack Forums
Mirai's author, a coder that goes by the name of Anna-senpai, released on Saturday the trojan's source code on the notorious Hack Forums portal.
According to the crook, he made the decision to release Mirai's source because of the recent DDoS attacks against the website of Brian Krebs, an infosec journalist.
At the start of the month, Krebs exposed a DDoS-for-Hire service, which concluded with the arrest of the two Israelis suspected of running the service. Soon after, DDoS attacks started hitting Krebs' website, first small, and then larger and larger.
Mirai and Bashlite botnets used for the Krebs DDoS attacks
According to Krebs and people knowledgeable of the attacks, the massive DDoS came from IoT devices infected mostly with the Mirai DDoS trojan, but also with the older Bashlite malware.
The botnet, which consisted of over 145,000 infected IoT devices according to researchers' estimates, was most likely rented to different bad actors, who used it for attacking Krebs' website.
"When I first go [sic] in DDoS industry, I wasn't planning on staying in it long," Anna-senpai explains his reasons for releasing the Mirai source code. "I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO."
"So today, I have an amazing release for you," he also adds. "With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping."
Mirai source code release is a smart move
The Krebs DDoS attacks have garnered a lot of media attention, mainly because they broke the previous DDoS record, and Akamai was forced to throw the towel and told Krebs they'd have to kick him off their DDoS mitigation platform due to the huge traffic.
To be fair, Akamai was providing Krebs with free DDoS mitigation services, and it was a business decision to safeguard the company's paying customers. After three days offline, Krebs' website found a new home with Google's Project Shield, an initiative that provides free DDoS mitigation for independent journalists.
Since then, security researchers have been scrutinizing the IoT landscape in search for the massive botnet that managed to launch this 620 Gbps attack.
Regarding Anna-senpai's decision to release the Mirai source code, Krebs has a theory.
"Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home," Krebs wrote over the weekend. "Publishing the code online for all to see and download ensures that the code's original authors aren't the only ones found possessing it if and when the authorities come knocking with search warrants."
And then there are these two tweets:
WARNING: Bogus #Mirai "source code" was shared with many hacker trap like #iplogger, modified codes, etc. Be careful! From: @malwaremustdie pic.twitter.com/WvatqvjdsW — Odisseus (@_odisseus) October 1, 2016
Nice thing about the Miria code being public is it mean less devices for any single person to control...kinda like socialism for botnets. — MalwareTech (@MalwareTechBlog) October 2, 2016
The Mirai source code appears to be legitimate, but has been modified to mess with scriptkiddies who just compile and run. — MalwareTech (@MalwareTechBlog) October 3, 2016