Two hackers are selling DDoS attacks from 400,000 IoT devices infected with the Mirai worm

The Mirai worm — first seen attacking security journalist Brian Krebs with 620Gbps floods, then taking down Level 3, Dyn and other hardened, well-provisioned internet giants, then spreading to every developed nation on Earth (and being used to take down some of those less-developed nations) despite being revealed as clumsy and amateurish (a situation remedied shortly after by hybridizing it with another IoT worm) — is now bigger than ever, and you can rent time on it to punish journalists, knock countries offline, or take down chunks of the core internet.

Two criminals, Bestbuy and Popopret — previously implicated in mass-scale corporate espionage — are spamming the XMPP/Jabber instant messaging protocol with offers to rent out a 400,000-strong botnet of Mirai-infected devices, and the ad promises that their botnet is a significant improvement on the earlier Mirai infections, equipped with IP-address spoofing features that make it harder for the botnet's victims to block the incoming traffic.

The criminals have declined to demonstrate their botnet, but it's at least plausible that such a botnet has been assembled, given that IoT devices as a class are very poorly designed and protected, and that the Mirai malware had lots of room for improvement.

According to the botnet's ad and what Popopret told us, customers can rent their desired quantity of Mirai bots, but for a minimum period of two weeks.

"Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount)," Popopret told Bleeping Computer.

Customers don't get discounts if they buy larger quantities of bots, but they do get a discount if they use longer DDoS cooldown periods.

"DDoS cooldown" is a term that refers to the time between consecutive DDoS attacks. DDoS botnets use cooldown times to avoid maxing out connections, filling and wasting bandwidth, but also to prevent devices from pinging out and disconnecting during prolonged attack waves.

Popopret provided an example: "price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks." As you can see, this is no cheap service.

Once the botnet owners reach an agreement with the buyer, the customer gets the Onion URL of the botnet's backend, where he can connect via Telnet and launch his attacks.

You Can Now Rent a Mirai Botnet of 400,000 Bots

[Catalin Cimpanu/Bleeping Computer]


(via /.)