On the Economics, Propagation, and Mitigation of Mirai
By Kirk Soluk and Roland Dobbins
In late November of 2016, a new Mirai variant emerged that leveraged a propagation mechanism different from the Telnet-based brute forcing mechanism originally provided in the leaked Mirai source code. This new variant exploits vulnerable implementations of the TR-064/TR-069 protocol used by ISPs to remotely manage their customer’s broadband routers . While this Mirai variant has been written about extensively, important nuances are frequently overlooked or sensationalized. In addition to diverging propagation methods, threat actors continue to leverage DDoS botnets as a source of revenue. With this evolving threat now focused on broadband access devices, providers responsible for the security and performance of their networks need specific mitigation advice to keep Mirai from overtaking their customer premise equipment (e.g. broadband routers) and/or causing network outages in the process.
Several media outlets have reported that a botnet based on the TR-064/TR-069 Mirai variant is being used to provide DDoS as a Service. These so-called Booter/Stresser or DDoS-for-hire services allow anyone willing to pay the price the ability to mount a DDoS attack against targets of their choice. Of course the fact that a botnet, Mirai-based or otherwise, is being used to make money should not come as a shock to anyone. Indeed, that is the whole purpose of this botnet. The economic model roughly mimics that of a mobile virtual network operator or MVNO. Per Wikipedia :
A mobile virtual network operator (MVNO), or mobile other licensed operator (MOLO), is a wireless communications services provider that does not own the wireless network infrastructure over which the MVNO provides services to its customers. An MVNO enters into a business agreement with a mobile network operator to obtain bulk access to network services at wholesale rates, then sets retail prices independently. An MVNO may use its own customer service, billing support systems, marketing, and sales personnel, or it could employ the services of a mobile virtual network enabler (MVNE).
Using this analogy, the threat actors building and maintaining this Mirai botnet are the mobile network operators – they own the botnet infrastructure and provide other threat actors (the MVNOs in this analogy) with managed access to it. The 2nd-tier threat actors (MVNOs in this analogy), in turn, provide the DDoS-for-Hire service to end customers, setting their own rate structures and marketing it however they choose. In some cases they may refer to Mirai, in other cases they simply peddle what appears to be their own botnet. The Mirai source code  has built-in support for such a model with a MySQL account database, API, and CLI level access to the botnet.
The propagation mechanism used by this most recent Mirai variant differs from the propagation mechanism used in the originally-leaked Mirai source code. The originally-leaked Mirai code performs Telnet-based brute forcing to compromise poorly designed and configured IoT devices. The pre-defined list of default usernames and passwords largely resulted in the compromise of web cams and DVR’s. In contrast, the new variant of Mirai exploits vulnerable implementations of the TR-064/TR-069 protocol used by ISPs to remotely manage their customer premise equipment (primarily home routers) . The vulnerable implementation of the protocol (also known as the CPE WAN Management Protocol – CWMP) allows arbitrary code to be executed on affected routers by passing that code as a configuration parameter delivered in a SOAP message over HTTP to port 7547. A detailed explanation of this exploit is provided by ISC . The arbitrary code execution allows the Mirai payload to be downloaded and installed onto the router, incorporating it into the Mirai Botnet. Once the IoT device is part of the botnet it is available to launch DDoS attacks upon command and begins scanning for other devices to compromise.
Clarification Behind Recent Outages
Because Mirai is well-known as the botnet behind several high-profile DDoS attacks with targets including the “Krebs on Security” blog, the French hosting provider OVH, Managed DNS provider Dyn, and a mobile operator in Liberia, many have incorrectly assumed that Mirai-based DDoS attacks were also responsible for recent outages at two major European broadband providers and the German Federal Office for Information Security (BSI) . To clarify, these recent outages were not the result of a DDoS attack. Instead, the outages were the result of the aggressive horizontal scanning and attempts to compromise home routers using the propagation mechanism described in the previous section.
For mitigating Mirai-based DDoS attacks, Arbor customers should refer to the ASERT Threat Advisory entitled Mirai IoT Botnet Description and DDoS Attack Mitigation available via Arbor ATAC or your local consulting engineer. Non-customers should refer to the ASERT blog with the same title . Broadband access ISPs should proactively scan their customer access networks to locate compromised and/or vulnerable nodes, and should take action to notify the users in question that their devices are vulnerable. In cases where the ISPs themselves have provided the vulnerable CPE devices, they should take immediate steps to replace those devices, as heavy scanning activity on the part of the attackers will result in devices becoming immediately re-compromised once they’ve rebooted. ISPs operating DSL broadband networks should implement Best Current Practices (BCPs) in order to ensure that only the dedicated network management systems of the ISPs themselves can access the remote network management facilities on these CPE devices. Operators of cable modem networks should do the same with the DOCSIS network management systems used to remotely manage CPE devices on their networks. Additionally, broadband access ISPs should utilize network infrastructure self-protection mechanisms built into their network devices to rate-limit ARP and other relevant control-plane traffic which may be generated by compromised devices scanning in order to subsume other vulnerable CPE devices into the botnet. This will ensure that heavy scanning activity by compromised CPE devices cannot disrupt large swathes of their user populations by limiting the collateral impact of such scanning.
Mirai is a platform that supports ongoing DDoS-for-hire operations allowing attackers to launch DDoS attacks against the target(s) of their choice in exchange for monetary compensation. Given the vast quantity of insecure IoT devices currently available and growing every day, Mirai-based botnets represent a force to be reckoned with for the foreseeable future. Mirai is causing outages simply by attempting to subsume these devices. We have provided mitigation advice for broadband operators attempting to keep Mirai from overtaking their customer premise equipment or otherwise causing outages in the process. For mitigating Mirai-based DDoS attacks, ASERT initially released a threat advisory on Mirai for Arbor customers on 25 OCT 2016. That advisory includes comprehensive and detailed mitigation advice and is updated with new information as it becomes available.
 http://www.wired.co.uk/article/deutsche-telekom-cyber-attack-mirai  https://www.arbornetworks.com/blog/asert/mirai-iot-botnet-description-ddos-attack-mitigation/