Security researchers have discovered a "missing link" in the Mirai botnet that may prompt a rethink of what makes up the zombie network.
The release of Mirai's source code in early October revealed that the malware scans for telnet before attempting to break into devices, using a brute-force attack featuring 61 different user/password combinations.
Security researchers including Brian Krebs have been able to match this list, with a few exceptions, against the default credentials of various IoT devices. One view, espoused by DDoS mitigation outfit Imperva Incapsula, was that CCTV cameras made up the bulk of the zombie horde, with DVRs and routers playing a supporting role.
New research casts further doubt on this diagnosis, which had already been questioned by US telco Level 3. Level 3 estimated that four in five Mirai bots are DVRs, with the rest being routers and other miscellaneous devices such as IP cameras and Linux servers.
UK-based security consultancy Pen Test Partners (PTP) discovered that a DVR device they recently bought was vulnerable to a credential pair on the Mirai hit list that had not previously been attributed to any device. "That means that the Mirai authors knew about the default credentials for this DVR, but no one else seemed to," PTP reasons.
Some of the attributed devices were CCTV cameras, which generally offer less functionality than DVRs and would therefore make a less flexible attack platform. Looking deeper, PTP uncovered evidence that the conventional wisdom that Mirai is mostly CCTV cameras might be wrong.
"On further digging, we found that all the cameras we looked at were running near-identical code to the DVRs and ran the 'dvrHelper' process, as did the DVRs we looked at," a blog post by PTP explains. "The reason the cameras were vulnerable is that they were running an uncustomised version of the DVR software, rather than being targeted specifically because they were cameras."
A similar rationale has led PTP to posit that neither RealTek routers nor Panasonic printers are being exploited by Mirai. "Whilst the default creds are the same, it's a coincidence," according to PTP. "We think it's more likely that the RealTek devices in question are from their DVR range, particularly as they are often rebadged and rebranded.
"Mirai is more to do with DVRs than CCTV cameras. Some have claimed that they've seen Mirai traffic from devices that weren't DVRs or cameras. We've been running a Mirai honeypot for some time. Whilst we've seen scans from routers and other devices attempting these same default credentials, none of them have then tried to exploit our honeypot in the same way as Mirai.
"We think it's more likely that there is code out there that is similar to Mirai doing this, but it's not Mirai."
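The distinction PTP draws above, between a device that merely tries Mirai's default credentials and one that then behaves like Mirai after logging in, is the kind of thing a telnet honeypot can check mechanically. The following is an added illustration, not PTP's honeypot code or anything from the Mirai source. It assumes a constructed honeypot log format (timestamp, source IP, event, argument), uses a handful of credential pairs from Mirai's published list rather than all 61, and treats Mirai's post-login fingerprint as the sequence of shell-escape commands followed by a bogus `/bin/busybox <TOKEN>` applet probe; the exact token string and the log format are assumptions here.

```python
"""Classify telnet honeypot sessions as Mirai-like, dictionary-only, or other.

Added example: log format, sample lines and the busybox-probe pattern are
assumptions, not taken from the article or from PTP's honeypot.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# A few user/password pairs from Mirai's published scanner list (subset only).
MIRAI_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"),
    ("root", "juantech"), ("root", "123456"), ("support", "support"),
}

# Mirai's scanner, once logged in, walks through shell-escape commands and then
# runs busybox with a made-up applet name, expecting "<TOKEN>: applet not found".
# Assumption: we match the shape of that probe rather than one fixed token.
SHELL_ESCAPES = ("enable", "system", "shell", "sh")
BUSYBOX_PROBE = re.compile(r"^/bin/busybox\s+[A-Z]{3,8}$")

# Constructed log line format: "<ts> <src-ip> <event> [<argument>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<ev>\w+)(?: (?P<arg>.*))?$"
)


@dataclass
class Session:
    attempts: list = field(default_factory=list)   # (user, password) tried
    logged_in: bool = False
    commands: list = field(default_factory=list)   # commands sent after login


def parse(lines):
    """Group honeypot log lines into one Session per source IP."""
    sessions = defaultdict(Session)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # ignore malformed lines
        s = sessions[m["src"]]
        ev, arg = m["ev"], m["arg"] or ""
        if ev == "login":
            user, _, pw = arg.partition(":")   # split on the first ':' only
            s.attempts.append((user, pw))
        elif ev == "login_ok":
            s.logged_in = True
        elif ev == "cmd":
            s.commands.append(arg)
    return sessions


def classify(s):
    """Return 'mirai-like', 'mirai-dictionary-only' or 'other' for a session."""
    dict_hits = sum(1 for a in s.attempts if a in MIRAI_CREDS)
    escapes_seen = sum(1 for c in s.commands if c in SHELL_ESCAPES)
    probed = any(BUSYBOX_PROBE.match(c) for c in s.commands)
    if s.logged_in and probed and escapes_seen >= 2:
        return "mirai-like"               # logged in and ran the Mirai probe
    if dict_hits:
        return "mirai-dictionary-only"    # same creds, no Mirai follow-through
    return "other"


def summarize(lines):
    """Map each source IP in the log to its classification."""
    return {src: classify(s) for src, s in parse(lines).items()}


# Constructed sample log: one Mirai-style session, one router-style session
# that tries the same default credentials but does nothing Mirai-like after
# logging in, and one unrelated scanner.
SAMPLE_LOG = """\
2016-10-20T10:01:02Z 192.0.2.10 connect
2016-10-20T10:01:03Z 192.0.2.10 login root:xc3511
2016-10-20T10:01:03Z 192.0.2.10 login_ok
2016-10-20T10:01:04Z 192.0.2.10 cmd enable
2016-10-20T10:01:04Z 192.0.2.10 cmd system
2016-10-20T10:01:04Z 192.0.2.10 cmd shell
2016-10-20T10:01:04Z 192.0.2.10 cmd sh
2016-10-20T10:01:05Z 192.0.2.10 cmd /bin/busybox ECCHI
2016-10-20T10:02:00Z 198.51.100.7 connect
2016-10-20T10:02:01Z 198.51.100.7 login root:vizxv
2016-10-20T10:02:02Z 198.51.100.7 login admin:admin
2016-10-20T10:02:03Z 198.51.100.7 login_ok
2016-10-20T10:02:04Z 198.51.100.7 cmd cat /proc/cpuinfo
2016-10-20T10:03:00Z 203.0.113.5 connect
2016-10-20T10:03:01Z 203.0.113.5 login pi:raspberry
"""

if __name__ == "__main__":
    for src, verdict in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{src:15} {verdict}")
```

The point of the second session is PTP's observation: a source that tries Mirai's credentials is not evidence of Mirai unless it also does what Mirai does after a successful login, so a count of dictionary hits alone over-attributes routers and other devices to the botnet.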
“That L3 report links back to Brian Krebs' list of attributed devices, which we think is where the confusion about routers, printers & VoIP phones has arisen from,” Pen Test Partners' Ken Munro told El Reg. “We aren't saying that Mirai isn't about CCTV - it's more of a coincidence that it affects cameras. It's the unnecessary DVR functionality in these cameras which is the root of the problem.”
Dima Bekerman, Imperva security researcher for the Incapsula product line, commented: “We can’t be 100% sure of what type of devices were most prevalent in the latest Mirai DDoS attacks. It is difficult to distinguish between a DVR and a CCTV device at a technical level.
"This is because the firmware used by manufacturers for DVR boxes and for camera plus DVR in a single box are similar and have the same fingerprint. For example, your baby camera may combine with your DVR to store recorded video. Or your home security system may include many cameras all tied to one DVR connected to the web and vulnerable to Mirai.
"Mirai uses the default credentials in the operating system to penetrate the device and recruit it into the botnet. It does this without regard for the intended task of the system, be it to capture the image (camera), store the recorded video (DVR), or control the system (web interface controller).” ®