Hackers accidentally create network-busting malware


LAS VEGAS — Newly detailed malware can knock networks offline with devastating efficiency, although the affected networks might not be the ones its creators intended.

The malware was presented by the security firm Arbor Networks on Sunday at the Def Con security conference. It appears to be designed to use internet-connected devices on one network to attack another. In practice, it would more likely knock the network those devices sit on off the internet.

But Steinthor Bjarnason, the Arbor Networks researcher who presented the discovery, noted that this can be a destructive attack in its own right.

"It's like inventing the wheel. You cannot control what other people are going to do with the wheel after you invent it," he told The Hill.


The malware is a variant of the Mirai botnet. Mirai infected internet-connected security cameras and coordinated them to send requests to the same server at the same time; the combined traffic would overwhelm the targeted server and knock it offline. That type of attack is known as a distributed denial of service (DDoS) attack.

Mirai could only infect devices that were reachable directly from the internet, that is, devices set up to bypass network security measures such as routers and firewalls so their owners could reach them remotely. Bjarnason cited research showing that only around 1 in 20 devices was not protected by a firewall or router.

That 1 in 20 was enough to create record-breaking DDoS attacks that in October 2016 took down a critical piece of internet plumbing, the DNS provider Dyn, briefly rendering The New York Times, Twitter and Netflix unreachable.

The sample discovered by Arbor Networks merges the Mirai code with a second component: if someone on a network could be baited into opening the program, it would install Mirai on the connected devices behind that network's firewall, where Mirai on its own could not reach them.

Unfortunately for the designer, firewalls are not built to let the devices they protect send out large floods of traffic. A stateful firewall or NAT gateway has to track every new outbound connection, so a flood from even a few devices on the inside exhausts that capacity long before the traffic would amount to anything at the target. The network hosting the infected devices would go down, and the targeted system would likely never notice.

Viewed as an attack on the firewall, it would be a sneaky way to knock networks offline. Most corporate and home networks do not log outbound activity per device, so nothing would show that the flood came from one particular camera or computer; the outage would look like a failed gateway rather than an attack.
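The two preceding paragraphs describe a flood that exhausts the gateway before the target notices, and networks that cannot tell which internal device is responsible. As an added example (not code from the article or from Arbor Networks), the following Python accounts for new outbound flows per internal host over a constructed flow export, flagging the device whose new-connection rate is out of line and the seconds in which the aggregate rate would overrun the gateway's connection-tracking budget. The CSV field layout, the 192.168.1.0/24 LAN range, the external addresses (documentation ranges) and both thresholds are assumptions for the example, not vendor figures.

```python
"""Per-device egress accounting over a constructed flow export.

Added example, not from the article or Arbor Networks. Assumes a
simplified NetFlow/IPFIX-style CSV export from the edge gateway with
the hypothetical layout:
    epoch_seconds,src_ip,src_port,dst_ip,dst_port,proto,packets
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed internal range sitting behind the firewall/NAT gateway.
LAN = ipaddress.ip_network("192.168.1.0/24")


def constructed_sample() -> str:
    """Build the constructed flow export used below (not real telemetry)."""
    lines = ["epoch_seconds,src_ip,src_port,dst_ip,dst_port,proto,packets"]
    # Ordinary traffic: a laptop (.10) and a phone (.20) with a few flows each.
    lines += [
        "1700000000,192.168.1.10,51000,198.51.100.10,443,tcp,40",
        "1700000000,192.168.1.20,52000,198.51.100.20,443,tcp,12",
        "1700000001,192.168.1.10,51001,198.51.100.10,443,tcp,8",
        "1700000001,192.168.1.20,52001,198.51.100.20,443,udp,3",
        "1700000002,192.168.1.10,51002,198.51.100.30,443,tcp,15",
    ]
    # The infected camera (.53): 150 flows per second toward one target for
    # two seconds. A SYN flood varies the source port, so every packet is a
    # new connection-tracking entry at the gateway; modelled as one flow each.
    for t in (1700000001, 1700000002):
        for i in range(150):
            lines.append(f"{t},192.168.1.53,{40000 + i},203.0.113.7,80,tcp,1")
    return "\n".join(lines) + "\n"


def parse_flows(text: str) -> list:
    """Parse the CSV export into a list of typed flow records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "t": int(r["epoch_seconds"]),
            "src": ipaddress.ip_address(r["src_ip"]),
            "sport": int(r["src_port"]),
            "dst": ipaddress.ip_address(r["dst_ip"]),
            "dport": int(r["dst_port"]),
            "proto": r["proto"],
            "packets": int(r["packets"]),
        })
    return rows


def egress_flows_per_window(flows, window_seconds: int = 1) -> dict:
    """Count new LAN-to-outside flows per (internal source, window start)."""
    counts = defaultdict(int)
    for f in flows:
        if f["src"] in LAN and f["dst"] not in LAN:
            bucket = f["t"] - f["t"] % window_seconds
            counts[(str(f["src"]), bucket)] += 1
    return dict(counts)


def find_flooders(flows, window_seconds: int = 1, max_new_flows: int = 50) -> list:
    """Internal hosts whose new-flow rate exceeds the assumed per-device baseline.

    Returns (source address, window start, new flows) tuples in sorted order.
    """
    per_host = egress_flows_per_window(flows, window_seconds)
    return [(src, bucket, n) for (src, bucket), n in sorted(per_host.items())
            if n > max_new_flows]


def gateway_overload_windows(flows, window_seconds: int = 1,
                             new_entries_budget: int = 100) -> list:
    """Windows in which the aggregate new-flow rate from the whole LAN exceeds
    the number of connection-tracking entries the gateway is assumed to absorb
    per window. This is the failure mode the article describes: the gateway,
    not the target, is what gives way."""
    totals = defaultdict(int)
    for (_, bucket), n in egress_flows_per_window(flows, window_seconds).items():
        totals[bucket] += n
    return sorted(b for b, n in totals.items() if n > new_entries_budget)


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    for src, bucket, n in find_flooders(flows):
        print(f"{src} opened {n} new outbound flows at t={bucket}")
    for bucket in gateway_overload_windows(flows):
        print(f"gateway over its connection-tracking budget at t={bucket}")
```

With per-device accounting the camera stands out immediately, and the same records show that the gateway, not the remote target, is what the flood overwhelms; without such records the event is indistinguishable from a gateway failure.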

"The first time we saw it, we thought, 'Oh shit, a lot of networks will collapse,' " said Bjarnason.

"Then we waited for it to be used. It never was used. We're still asking why it hasn't been used."

Arbor discovered the sample in January. 

There could be a few reasons, Bjarnason said. Perhaps the malware was never intended to be released. Or, if the designers meant to use connected devices to attack servers on other networks, they may have abandoned the project once it became clear it could not reach outside targets.

"The thing that stops people from using this type of attack [intentionally] is the lack of knowledge they can do it," said Bjarnason.