You Can Now Rent A Mirai Botnet Of 400,000 Bots

An anonymous reader writes: Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone's behest. The hackers have quite a reputation on the hacking underground and have previously been linked to the GovRAT malware, which was used to steal data from several US companies. Renting around 50,000 bots costs between $3,000-$4,000 for 2 weeks, meaning renting the whole thing costs between $20,000-$30,000.

After the Mirai source code leaked, there are countless smaller Mirai botnets around, but this one is [believed to be the one] accounting for more than half of all infected IoT devices...that supposedly shut down Internet access in Liberia. The original Mirai botnet was limited to only 200,000 bots because there were only 200,000 IoT devices connected online that had their Telnet ports open. The botnet that's up for rent now has received improvements and can also spread to IoT devices via SSH, hence the 400,000 bots total.
Interestingly, the article claims the botnet's creators had access \to the Mirai source code "long before it went public."

Or you can get a botnet for free...

[Anonymous Coward]

By getting an article posted on slashdot and having the site you want DDoS'd linked in the summary :)

Re: Or you can get a botnet for free...

[Anonymous Coward]

5 visitors from Skashdot isn't going to ddos anyone.

Re:

[Anonymous Coward]

Maybe 10 years ago...

15k a week?

[rsilvergun]

Jesus, I'm in the wrong line of work.

Re:

[fahrbot-bot]

Jesus, I'm in the wrong line of work.

Hopefully someone will find them, drag them into the woods and put 2 in the back of their heads.

[ He said with all the charity he could muster for people like that. ]

Re:

[turbidostato]

Isn't capitalism a wonderful thing?

Re:

[_Sharp'r_]

So for $30K, you can patch 400K bot systems to never participate in another botnet? That's less than some companies pay in DDOS protection every month..... just an idea, guys.

Re:

[Dutch Gun]

I'm pretty sure they don't give you direct control over the botnet. I'd suspect you can only direct who to attack, attack timing/duration, and how many bots.

Maybe there's something you could do once you know all the IPs (for instance, you could direct them at a honeypot target), but a lot of malware closes the door behind itself once a device is compromised. I'm not sure how Mirai works, but I wouldn't be surprised if it behaved in a similar fashion.

Tomorrow will be interesting...

[aaarrrgggh]

Cyber Monday could be interesting.

But seriously... other than causing chaos, does anything get accomplished with a DDoS that it provides some kind of value? I get the idea of a multi-pronged attack, but is there that much to gain?

Re:

[CaptainDork]

This.

DDoS is vandalism.

It pisses someone off; costs them; and the little botnet kiddies giggle.

Re:

[BlueStrat]

This.

DDoS is vandalism.

It pisses someone off; costs them; and the little botnet kiddies giggle.

It's also an asymmetric-warfare weapon of domestic and foreign dissidents against oppressive, authoritarian governments, which is the real, actual concern of those governments. This is particularly true in the US, as the government continues to become ever more authoritarian, corrupt, deceitful, and controlling, both domestically and in foreign affairs.

Strat

Re:

[CaptainDork]

DDoS is an inconvenience.

It is not a problem.

The attack on Dyn was mitigated in a few hours and we move on.

Dyn should have been hardened to begin with.

You and I can bring down a single web page by ourselves but we don't.

Re:Tomorrow will be interesting...

[geekmux]

DDoS is an inconvenience.

It is not a problem.

The attack on Dyn was mitigated in a few hours and we move on.

Dyn should have been hardened to begin with...

Dyn should have been hardened? No, more like DNS as a whole should have been hardened fucking long ago.

It's still the Achilles heel of the internet.

Re:

[CaptainDork]

I agree.

Re:

[geekmux]

This.

DDoS is vandalism.

It pisses someone off; costs them; and the little botnet kiddies giggle.

Given the impact of attacking DNS, and the proliferation of State-sponsored hacking groups, I think we can stop with the giggling kiddies references now.

Not sure when we'll learn with DNS either. The security community has been preaching/bitching about the weaknesses of DNS for too damn long, and little has really been done to truly address the Achilles heel of the internet.

Re:

[CaptainDork]

Agrre,

IT, in general, has been bitching to management about best practices.

Risk/reward analysis, so far, is in favor of sloppy gate-keeping.

Re:

[geekmux]

Agrre,

IT, in general, has been bitching to management about best practices.

Risk/reward analysis, so far, is in favor of sloppy gate-keeping.

Agreed. A job mired in Security is often difficult to justify good solutions when armed with FUD as a sales tactic.

Sad we sometimes have to watch things implode in order for management to understand impact.

Very sad when the end result of poor security is harm to humans. I am not looking forward to our IoT-enabled autonomous future with the way we perceive InfoSec today.

Re:

[cdsparrow]

Potentially, if you had a wide enough reach and enough bots, you could take over a specific router somewhere and ddos lots of other points funneling traffic through your compromised pipe. On small scale this could be used to steal data, mitm attack, etc. The internet is fairly predictable at small scale where it will route packets around a road block you create.

Re:

[CODiNE]

It's good for masking actual intrusions. Distracting the IT guys from the data exhilaration going on.

It's also useful for stopping up bank transactions long enough for the undo window to expire on fraudulent transfers. Say you do some real estate fraud and trick someone into wiring $200k to the wrong account. Doesn't do you any good if they catch it and roll it back in a day. Do the transfer, DDoS the heck out of the bank... that's well worth $15k a week.

Script kiddies don't pay that kind of money to laugh

Re:

[CODiNE]

D'oh! Serves me right trying to use big words.

I hope these rental services are honeypots

[presidenteloco]

Throw a few of the would-be DDOSers in jail for a couple of years for the first offence. And ban them from the interwebs for 5 years after that on probation. You can be a sociopath but it will cost you. Might deter a few.

Re: jaywalking

[presidenteloco]

Yes. Exactly equivalent, if everytime you jaywalked, traffic ground to a halt and a million people couldn't get to where they were going for half a day.

Re:

[magarity]

does anything get accomplished with a DDoS that it provides some kind of value?

Rent the botnet and instruct all the clients to download and install all their missing OS patches, install some AV software, and finally to uninstall the botnet client.

Hunter Killer Teams

[JustAnotherOldGuy]

I would approve of Hunter Killer teams solving this problem.

Re:

[gtall]

I know it is difficult to believe but not every problem can be solved by killing someone.

Re:

[JustAnotherOldGuy]

I know it is difficult to believe but not every problem can be solved by killing someone.

That is difficult to believe.

For BOINC!

[product_bucket]

There must be some low/non CPU intensive BOINC projects out there that could really appreciate this sort of 'net. I suppose it's probably not worth the time to get different router/IoT ASICs to actually run custom applications, compared with just pointing them to an IP for laughs.

Re:

[drinkypoo]

Those systems don't tend to have a lot of RAM either, so they are only capable of performing truly trivial tasks, like spying on you or participating in a DDoS.

I wonder what the access level would be?

[RhettLivingston]

Could you rent the net and sneak in code to wipe the machines?

Re:

[campuscodi]

You obviously can only launch attacks. Don't think they'd give you access to bot updates.

How is this different..

[no1nose]

...than the fuel-celled car Toyota is releasing soon?

Math is hard.

[kuzb]

If it's between $3000 and $4000 for 2 weeks for 50,000 bots that means it's between $24,000 and $32,000 for all of them not $20,000 and $30,000. How do you guys fail at math that basic.

Re:

[wbr1]

Bulk discount maybe???

Why would the Russians rent out their botnets?

[guruevi]

So a state-level actor rents out a botnet commercially? <Watches as cognitive dissonance explodes heads>

Re:

[porksauce]

It's an interesting subject. If the botnet was created by some government actors, it would make sense to privatize it but still keep the keys so that you could: a) disavow if the operators are discovered, b) know who else is using it and for what, c) seize it if needed in an emergency. If it was created by private actors, a government would want to find them and get that kind of access to it, but certainly not destroy it or interfere with its operation.

Enough with the Bot Nets.

[Neuronwelder]

My only hope is that someone will make an analogue "watchdog" disconnection device to the Web when the computer is idle for a period of time. This won't solve the problem but it will cut drastically the amount of units at their disposal.