Stopping the New Wave of IoT Botnets

By October 26, 2016 May 31st, 2019 No Comments

It was inevitable, but we’re finally seeing what we all knew was going to happen. With the recent attack on Brian Krebs’ blog [1], as well as the effective takedown of half of the internet last Friday [2], "Internet of Things" (IoT) devices, and really, the lack of security in these devices, has finally made it into the mainstream.

One of the largest "Internet of Things" botnets, Mirai, is believed to be responsible for the record DDoS attack against Kreb’s blog [3] and the DDoS attack against Dyn’s Managed DNS infrastructure [4].

Last week, researchers from Level3 and Flashpoint published the list of Mirai servers [5]. In the blog, the researchers listed Mirai servers including command and control (C2), reporting, and malware distribution servers. Using our patent-pending technology, we use data on the infrastructure of the internet and Machine Learning to predict threats before they materialize as part of an actual attack. We checked the server IPs against our predictions.

Of the 56 C2 servers, we predicted 12 IPs to be involved in some type of attack. Our predictions took place in the end of 2015 and the middle of 2016. Figure 1 shows an example of one of these predictions.

Of the 23 reporting servers, we predicted 8 IPs. Figure 2 shows one example of these predictions that was made in September 2016.

Lastly, we predicted both of the malware distribution servers, and in Figure 3 we show one example of these predictions that was made in May 2016.

To summarize, of the 91 infrastructure IPs reported as part of this attack, Seclytics analytics predicted 22 of these IPs before they were used as part of this attack. As we’ve seen in sophisticated attacks such as this one, it’s not uncommon to see predictions taking months before they become active.