Cybersecurity researcher Jacob Masse has discovered a noteworthy vulnerability in the Mirai botnet, potentially giving law enforcement and security teams a new weapon in the fight against cybercrime.
The flaw, found in Mirai's Command and Control (CNC) servers, can be used to mount a remote Denial of Service (DoS) attack against the botnet.
This attack would effectively disable the botnet, preventing it from executing any further operations.
Jacob Masse's investigation centered on the CNC server, which lies at the core of any botnet. This is where attackers control the zombies: infected computers that can be commanded to carry out attacks.
By analyzing the source code, reverse engineering, and conducting experiments, Masse discovered a flaw in the way Mirai's CNC servers handle incoming connections.
This flaw occurs during the pre-authentication phase, which happens before the user completes the login process.
Basically, an attacker can crash the server by overloading its resources with multiple connection attempts after submitting a username.
The vulnerability in Mirai CNC’s architecture stems from poor management of multiple connection requests. In simple terms, the server struggles to handle multiple connections at the same time.
It is possible for a remote attacker to flood the server with authentication requests, such as repeatedly sending a username like “root”, without requiring any special access or authentication.
This tactic leads to the exhaustion of the server’s resources, eventually causing it to crash and go offline. This effectively disconnects the botnet from its command center, disrupting its operations and neutralizing its threat.
Masse successfully demonstrated this vulnerability using a small server with minimal resources, a 1-core CPU and 1GB of RAM.

He showed that his proof-of-concept (PoC) script could take a Mirai CNC server offline, proving that even a small-scale attacker could cripple a botnet using this flaw.
Masse successfully ran the script, and the botnet CNC crashed. Once the exploit was no longer in use, the CNC server went offline, and his system returned to its usual performance levels.
This flaw could seriously affect botnet operations and cybersecurity defense. If exploited, it could disable the command and control functions of Mirai botnets.
This would effectively halt their ability to launch attacks, thereby safeguarding numerous systems from Distributed Denial of Service (DDoS) attacks.
It could also greatly assist law enforcement agencies in their mission to dismantle botnets.