Security researcher Jacob Masse has discovered a vulnerability that could effectively neutralize the notorious Mirai botnet and its variants. The flaw lies in how Mirai's Command and Control (CNC) servers handle incoming connections before a client has authenticated, and it could let law enforcement and security experts shut these botnets down remotely.
Mirai, which first emerged in 2016, is infamous for its ability to transform IoT devices with weak security into powerful “zombies” within a botnet. These botnets can launch devastating distributed denial-of-service (DDoS) attacks by overwhelming targets with traffic from thousands of compromised devices. Mirai primarily targets consumer electronics like IP cameras and home routers by exploiting weak default credentials and known vulnerabilities, allowing it to proliferate rapidly and persistently.
Turning Mirai off
Jacob Masse's discovery centers on a vulnerability in the pre-authentication phase of the CNC server's connection handling. The CNC server is the central command hub of a botnet and coordinates the activity of the infected devices. Without an operational CNC server the botnet becomes inert: it cannot launch or sustain attacks.
Masse identified that the CNC server does not bound the number of simultaneous connections it holds open during the login (pre-authentication) phase. An attacker can fill the server's session buffer by opening many connections and sending an authentication request with a simple username such as ‘root’ on each of them, without ever completing the login. The server cannot cope with that many concurrent pending sessions, exhausts its resources and crashes.
The vulnerability, tracked as CVE-2024-45163, requires no credentials to exploit, which makes it a particularly potent tool for disrupting botnet operations: anyone who can reach the CNC port can flood it with these requests and take the controller down. A crashed controller cannot issue new attack commands, so the botnet sits idle until its operator restarts it; the bots themselves remain infected. The method could be particularly useful in large-scale law enforcement operations aimed at dismantling botnets that threaten global infrastructure.
Masse demonstrated the vulnerability with a proof-of-concept script in a controlled environment, showing that even a host with minimal resources can bring down a Mirai CNC server. The script, which Masse has released publicly, underscores the flaw's value as a practical tool against Mirai and its derivatives.
Possible reactions
The implications of this discovery are far-reaching. It provides a new way to neutralize active botnets, which could significantly reduce the threat posed by Mirai-related DDoS attacks. The operators behind Mirai swarms are not expected to sit idle, however: the CNC is their own code, and they can patch it.
Masse suggests that they could implement several remediation strategies, including:
- Limiting the number of concurrent connections from the same username or IP address, so that a single source cannot fill the session buffer on its own.
- Restricting the number of connection attempts allowed per user over a given time period, so that a flood is throttled before it can exhaust the server.
- Applying short timeouts to inactive sessions during the pre-authentication phase, so that a connection which sends a username and then goes quiet is dropped instead of holding its slot open.
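The three remediations above map onto a small amount of server-side code. The Go program below is an added example written for this article; it is neither Masse's proof-of-concept nor code from any Mirai CNC (Go is used only because the leaked Mirai CNC is written in it). It is a hypothetical pre-authentication handler: PreAuthGuard caps the concurrent unauthenticated sessions and the login attempts per fixed time window for each source address, and readUsername reads the username under a hard deadline so an idle peer cannot pin a session open. All names, the limits, the in-memory net.Pipe connections used in place of real sockets, and the injectable clock are assumptions made for the example; it keys on IP address only, not on username.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"strings"
	"sync"
	"time"
)

var (
	ErrTooManyConns    = errors.New("too many concurrent pre-auth connections from this address")
	ErrTooManyAttempts = errors.New("too many login attempts from this address in this window")
	ErrPreAuthTimeout  = errors.New("no username received before the pre-auth deadline")
)

// PreAuthGuard (hypothetical, not Mirai code) enforces two of the mitigations above:
// a cap on simultaneous unauthenticated connections per source address and a cap
// on login attempts per address per fixed time window.
type PreAuthGuard struct {
	mu          sync.Mutex
	maxPerIP    int              // concurrent pre-auth sessions allowed per address
	maxAttempts int              // login attempts allowed per address per window
	window      time.Duration    // length of the fixed attempt-counting window
	now         func() time.Time // injectable clock so the window logic can be tested offline
	active      map[string]int   // open pre-auth sessions per address
	attempts    map[string]int   // attempts seen in the current window per address
	winStart    map[string]time.Time
}

func NewPreAuthGuard(maxPerIP, maxAttempts int, window time.Duration) *PreAuthGuard {
	return &PreAuthGuard{maxPerIP: maxPerIP, maxAttempts: maxAttempts, window: window, now: time.Now,
		active: map[string]int{}, attempts: map[string]int{}, winStart: map[string]time.Time{}}
}

// Admit reserves a pre-auth slot for ip and counts one login attempt; a peer
// refused by the concurrency cap does not consume an attempt.
func (g *PreAuthGuard) Admit(ip string) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.active[ip] >= g.maxPerIP {
		return ErrTooManyConns
	}
	if now := g.now(); now.Sub(g.winStart[ip]) >= g.window {
		g.winStart[ip], g.attempts[ip] = now, 0 // window expired: start a fresh one
	}
	if g.attempts[ip] >= g.maxAttempts {
		return ErrTooManyAttempts
	}
	g.attempts[ip]++
	g.active[ip]++
	return nil
}

// Release frees the slot when the pre-auth phase ends, successfully or not.
func (g *PreAuthGuard) Release(ip string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if g.active[ip] > 0 {
		g.active[ip]--
	}
}

// readUsername is the pre-auth step: admit the peer under both caps, then read one
// username line under a hard deadline (the third mitigation). The slot is released
// on every exit path so a failed read never leaks it.
func readUsername(conn net.Conn, guard *PreAuthGuard, timeout time.Duration) (string, error) {
	ip := conn.RemoteAddr().String() // key on the host part; net.Pipe reports the literal "pipe"
	if host, _, err := net.SplitHostPort(ip); err == nil {
		ip = host
	}
	if err := guard.Admit(ip); err != nil {
		return "", err
	}
	defer guard.Release(ip)
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return "", err
	}
	// ReadSlice fails with bufio.ErrBufferFull rather than growing, so the 256-byte
	// buffer also bounds what an unauthenticated peer can make the server hold.
	line, err := bufio.NewReaderSize(conn, 256).ReadSlice('\n')
	if err != nil {
		var ne net.Error
		if errors.As(err, &ne) && ne.Timeout() {
			return "", ErrPreAuthTimeout
		}
		return "", fmt.Errorf("pre-auth read failed: %w", err)
	}
	return strings.TrimSpace(string(line)), nil
}

func main() { // demo on in-memory pipes, so it runs without opening a port
	guard := NewPreAuthGuard(2, 5, time.Minute)
	server, client := net.Pipe()
	go func() { client.Write([]byte("root\n")); client.Close() }()
	fmt.Println(readUsername(server, guard, time.Second))
	silent, _ := net.Pipe()
	fmt.Println(readUsername(silent, guard, 100*time.Millisecond))
}
```

In a real server the guard would be consulted in the accept loop and the slot released only once the whole login exchange has finished, and the same counters could be keyed on username as well as address, as the first remediation suggests.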
Defenders should anticipate those fixes and look for ways to keep the kill switch effective for longer, making Mirai-based operations impractical and cutting into their profitability.