
Nematode worm could dismantle Mirai IoT botnet

A new nematode worm proof of concept could help the internet avoid the next massive Mirai IoT botnet DDoS attack, but experts are unsure of the legality of the option.

The Mirai IoT botnet wreaked havoc on the internet, with DDoS attacks reportedly surging past 1 Tbps at times. A researcher has proposed a way to avoid another Mirai attack, but experts questioned the effectiveness and the legality of the method.

Leo Linsky, a software engineer with network monitoring firm PacketSled Inc., based in Del Mar, Calif., created a proof of concept for a worm that could be used to secure internet-of-things devices that are targeted by botnets built with the open source Mirai code because they use easy-to-crack administrator login credentials.

Linsky posted his so-called nematode worm on GitHub -- since removed -- and noted his code was only for research purposes. The term nematode worm, meaning a controllable computer worm, comes from a proposal by David Aitel, former research scientist for the National Security Agency and current CEO of Immunity Inc., based in Miami, who said he chose the name because nematodes are "a phylum of primitive wormlike organisms often used to get rid of other pests."

"The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random. Such a tool could theoretically be used to reduce the attack surface," Linsky wrote on GitHub. "This is meant to only be tested in closed research environments. Use of this software is at your own risk."

Many around the web criticized Linsky's proof of concept as vigilanteware, because it would be illegal to run nematode without consent from the targeted users, despite its intention of hardening devices against IoT botnets like the one that took down Dyn's DNS servers in a massive distributed denial-of-service (DDoS) attack.

Bobby Kuzma, system engineer for Core Security Corp., in Roswell, Ga., said the problem is "one of legality, responsibility and containment."

"If you don't own it, and you aren't invited to touch it, you're committing a criminal act by accessing a device or altering it, even if the access or alteration proves to be beneficial," Kuzma told SearchSecurity via email. "If your nematode creates a worse problem, or introduces further exploitable vulnerabilities -- like if the nematode itself is exploitable -- where does the liability lie?"

Kuzma added that even introducing the worm into your own environment could be risky.

"How do you guarantee that it will not spread outside your environment?" Kuzma asked. "Stuxnet became known because it spread beyond Natanz, despite careful controls and a real incentive to keep it from spreading further."

Aitel proposed network administrators set up a type of whitelist or "nematoken" as a form of consent to show they approved of nematode worms accessing their systems in order to do their good works.

Jeremiah Grossman, chief of security strategy at SentinelOne Inc., based in Palo Alto, Calif., told SearchSecurity that even with consent, using a nematode worm could still be illegal.

"The idea has gained zero traction. Not because the idea is a bad one, but mostly due to difficulties with attribution, authority and legal issues -- the latter being the most difficult to contend with," Grossman said. "Remotely hacking a device you don't own, without consent, is a federal crime -- so no one wants to try it. Such activity would require government intervention."

Kuzma noted that such whitelisting would be very difficult to implement.

"The problem is that there are so many organizations that have overlapping IP spaces that even the whitelisting isn't an absolute guarantee," Kuzma said. "Couple this with the potential for human error or malicious action corrupting the nematode, [and] this is an action that should not be taken lightly."

Philip Lieberman, president and CEO of Lieberman Software Corp., based in Los Angeles, said even if it could work, it wouldn't help protect consumer devices from being hijacked for an IoT botnet.

"I am not sure I understand how a whitelist or agreement to be infected or disinfected would work for the typically nontechnical user who buys a camera, and then unknowingly is running a weapon against others," Lieberman told SearchSecurity. "There is no known universal whitelist that exists or effectively works presently that the owner of the infected device agrees to join."

However, despite the risks, Grossman advocated for at least testing nematode worm-style vigilanteware.

"Like any remote command and control system, security controls must be well-thought-out and implemented properly. It would also be vital to establish policy control about who gets access and for precisely what purpose," Grossman said. "This is something that should be experimented with, but carefully, so as to see if the benefits outweigh the costs."

Mirai malware vulnerability

In addition to Linsky's nematode worm, Scott Tenaglia, a security researcher for Invincea Labs, based in Arlington, Va., said the next Mirai IoT botnet could be taken down by a vulnerability in the Mirai code itself.

Tenaglia detailed a stack-buffer-overflow vulnerability, which he claimed could be used to stop a Mirai DDoS attack. However, Tenaglia claimed Invincea was "not advocating counterattack, but merely showing the possibility of using an active defense strategy to combat a new form of an old threat."

"This simple 'exploit' is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to defend against a Mirai-based HTTP flood attack in real time," Tenaglia wrote in a blog post. "When exploited, it will cause a segmentation fault to occur, crash the process and, therefore, terminate the attack from that bot. The vulnerable code has to do with how Mirai processes the HTTP location header that may be part of the HTTP response sent from an HTTP flood request."

Tenaglia noted his exploit wouldn't remove the Mirai bot from the IoT device; it would only halt the attack originating from that particular device. And worse, because his exploit only works against an HTTP flood attack, "it would not help mitigate the recent DNS-based DDoS attack that rendered many websites inaccessible."

Grossman said, "For strike-back or nematode worm purposes, finding and exploiting vulnerabilities in malware like Mirai is what's necessary to make the whole idea work."

Grossman added, "I'd fully expect several similar vulnerabilities to be present in the Mirai code. My expectation is that infosec's ability to find and exploit vulnerabilities in software, including malware, far exceeds the ability to code against them in the cybercrime realm."
