Mirai Botnet Spawns Echobot Malware

Mirai botnet malware was first discovered in August 2016. It targeted routers and IoT (Internet of Things) devices, mainly Internet Protocol (IP) cameras.

Mirai spread across the Internet like wildfire. Each device it successfully infected became a slave to the huge Mirai botnet. With a botnet, cyber attackers can remotely control thousands upon thousands of computing devices (such as IoT cameras) to engage in coordinated cyberattacks. Botnets are often used for distributed denial of service attacks (DDoS), because they can easily overwhelm their networked targets with a massive amount of packets, overflowing memory buffers and shutting them down.

Imagine a stampede of thousands of crazy shoppers storming through the doors of a discount department store on Black Friday, trampling their victims. Now imagine if all of those crazy shoppers were the Borg from Star Trek: The Next Generation, controlled by a single hivemind. That's what a botnet-driven DDoS attack is like.

Why We Are (Quite Literally) Lost Without DNS

The Mirai botnet is perhaps most infamous for how it shut down the Dyn network of domain name servers (DNS) on October 21, 2016. Millions and millions of people and businesses relied upon those Dyn DNS servers in order to use the Internet in the ways they were accustomed to, whether or not they knew it. (Do you know which DNS servers you’re using right now?)

DNS is used by PCs, mobile devices, and other sorts of internet-connected computers to translate difficult-to-remember IP addresses into easy to remember domain names like (to give a completely random example) cylance.com. People could use IP addresses directly in web browsers, email clients, and other Internet applications if their DNS isn’t working.

But even those of us who are computer networking specialists probably couldn’t look up which IP addresses are associated with which domain names without using services like the whois.net website, and we likely don’t keep a record of what their IP addresses are.

So without working DNS, we’d be stuck. And because millions of people relied upon Dyn’s DNS servers, Dyn’s DDoS attack effectively kept them offline.

By 2016, IoT devices had already become a lot more common in people’s homes, businesses, and institutions. Nearly three years later, I wouldn’t be surprised if the number of IoT devices online has doubled since then. I just think of how many more Google Home and Amazon Echo devices I see in people’s homes, and how many more connected cars there are on the road. So the next Mirai could be a lot more destructive than the first one.

Taking a Closer Look at Echobot

Echobot is the latest Mirai for Summer 2019. I’m not being metaphorical here. Echobot is literally the same code as Mirai, just with new modules in order to exploit different vulnerabilities. Unit 42’s Ruchna Nigam reported:

“As part of ongoing research, we’ve recently discovered a new variant of Mirai that has eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top-boxes, SD-WANs, and even smart home controllers.

Mirai initially made use of default credentials to gain access to devices. 2018 saw the emergence of campaigns involving variants incorporating several exploits within the same sample, allowing for the harvesting of several different kinds of IoT devices into the same botnet. Since then we have also observed Mirai malware authors experimenting with new exploits to gauge gains in bot count from the use of these exploits.”

IoT devices and routers could security-harden against the 2016 version of Mirai by making sure that they don’t use the default login credentials. But cyber attackers are constantly deploying new exploit modules into Echobot, so the best that we can do is to make sure that the software in these devices have their latest security patches.

Security researcher Larry Cashdollar explains:

“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they've added are older and have remained unpatched by the vendor.

It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten. All we can do is learn from our mistakes and do our best to prevent them from happening in the future.”

Unfortunately, many IoT devices and home routers are notoriously difficult to patch. As ZingBox’s Xu Zou wrote:

“The biggest and most obvious security challenge with Internet of Things devices such as connected medical devices is the inability to easily upgrade or patch them. The typical advice for avoiding cyber attacks continues to be, ‘install the latest patch.’

This was heard often in the wake of the WannaCry ransomware and the NotPetya wiperware. But how would a clinical engineer go about figuring out the underlying firmware and the patch version of an infusion pump, the operating system of a thermostat to determine whether a patch is needed, where to get the patch, or whether patching is even permitted by the manufacturers or regulators?”

The multifaceted nature and immense diversity of IoT devices make security patching much more difficult and challenging than patching more conventional computers like PCs and smartphones. Some of the vulnerabilities that Echobot has been exploiting date back as far as 2009. Deploying patches to many of these devices is a literal nightmare.

And the cyber attackers behind Echobot keep updating the malware with new exploit modules, randomly trying whichever ones they can find and keeping the most effective ones. For that reason, plus IoT devices being even more common than in 2016, Echobot has the potential to do a lot more harm worldwide than the original Mirai malware.