Port Scanner Service Can Tell You If Your Network Is Under Mirai Attack

I bet that many just heard the word Mirai after the DDoS attacks of October that denied users in some parts of America access to sits like Twitter, PayPal, Spotify and Netflix among others. Less than a month after that, the same malware was responsible for taking out the entire nation of Liberia’s internet service. The bad part is this, Mirai source code is all over the dark web and can be used against nations, organisations and even individuals. But there’s some good news. The first is that the attacks have now opened our eyes to the vulnerabilities in internet of things (IoT) devices. This is good because as a people, we were more concerned about bringing more people and devices online than the safety of those devices in the long term. Ericsson which probably started this by predicting years ago that there will be about 50 billion connected (even though research organisations like Gartner think the figure sounds more like 20 billion) devices by 2020 didn’t tell us much about the potential problems that number of connected devices could cause in future but those questions are being raised now and that’s good.

The other good part is that you can now know if your network is exposed to Mirai. In a post, Ionut Arghire of SecurityWeek said, “because Mirai’s success is fueled by the existence of IoT devices that aren’t properly secured, it could be easily countered by simply changing the default credentials on vulnerable devices and by closing the Telnet port the botnet uses for infection. That, however, is an operation that users and network admins need to perform, but they might not always be aware of such an issue impacting them…. to help users determine whether their network is exposed to Mirai or not, IoT Defense Inc., a startup company based in the Washington DC Metro area, launched a web scanner that does exactly that: it searches for opened TCP ports and informs users whether they are safe or not.”

The tool scans for ports that may be targeted by Mirai such as HTTP (port 80 by default), HTTPS, FTP, SSH, Telnet (23 and 2323), Microsoft Remote Desktop Protocol (RDP) among others. You see not all devices are actually secure and in fact, a study says about 40 percent of devices could be vulnerable in one way or another to attacks such as DDoS and they happen is an attacker is able to successfully gain access to an unprotected device. One they have such access, they can send malware into the network and an unsuspecting service provider will start receiving heavy and unwanted traffic that they can’t handle and once this happens, and their network shuts down as installed capacity is unable to accommodate incoming traffic.  For example, the Dyn attack that denied service to some users in the US was said to have been around 1.1 terabyte-per-second, the Liberian one was estimated to have been about 500 gigabits per second. That’s quite big for a nation that has just one fibre cable that serves its 4.3 million people.

It is these unprotected ports used by IoT devices (routers, IP cameras and DVRs like in the American case) that’s being exploited by attackers. What the port scanner by IoT Defense Inc does is that, it scans and reports back whether a port is safe or not.

The IoT Defense scanner was written using a combination of Python, Node JS and Jade frameworks and scans for nearly a dozen ports that botnets can exploit. Accessing and using the scanner is free and little instructions are needed, as it does all with a simple click of a button.

In smaller attack scenarios, rebooting affected devices could be an easy way out but many times in a DDoS attack, once your device is back up, the attack continues as botnets continue to scan such ports until when the attacker calls off such attacks. T. Roy, CEO, IoT Defense, told SecurityWeek that vendors “should add in-field auto-updates to their devices, should use per device unique passwords (something that router manufacturers have already started implementing), and should not open up unnecessary ports.”