Former Mirai hackers have developed a new botnet, dubbed HinataBot, with the potential to cause far greater damage with far fewer resources required from its operators than its predecessor.
Mirai is one of the world's most notorious botnets. In circulation since the mid-2010s, it uses Internet of Things (IoT) devices like routers and cameras to hit targets with massive amounts of traffic to force distributed denial of service (DDoS). Some of its most notorious attacks were against French technology company OVH, the government of Liberia, and DNS provider Dyn, an attack that touched websites such as Twitter, Reddit, GitHub, CNN, and many more.
Now, in a report published March 16, researchers from Akamai noted that HinataBot has only been in development since mid-January. Despite that, according to initial tests, it packs in orders of magnitude more powerful than its predecessor, reaching more than 3 Tbit/s traffic flows.
Just How Powerful Is HinataBot?
In its heyday, the Mirai botnet managed to flood its victims with hundreds of gigabytes per second in traffic — up to 623 Gbit/s for the KrebsOnSecurity website, and nearly 1 Tbit/s against OVH. As OVH noted at the time, that huge wave of data was enabled by a network of around 145,000 connected computers, all sending requests to their systems simultaneously.
To gauge the relative strength of HinataBot the Akamai researchers ran 10-second test attacks. "If the botnet contained just 1,000 nodes," they found, "the resulting UDP flood would weigh in at around 336 Gbps per second." In other words, with less than 1% of the resources, HinataBot was already capable of producing traffic approaching Mirai's most vicious attacks.
When they considered what HinataBot could do with 10,000 nodes — roughly 6.9% of the size of peak Mirai — the resulting traffic topped out at more than 3.3 Tbit/s, many times stronger than any Mirai attack.
"These theorized capabilities obviously don't take into account the different kinds of servers that would be participating, their respective bandwidth and hardware capabilities, etc.," Akamai researchers warned in the report, "but you get the picture. Let's hope that the HinataBot authors move onto new hobbies before we have to deal with their botnet at any real scale."
Why Hackers Are Choosing Golang
Much of the reason for HinataBot's improvements comes down to how it was written.
"Most malware has traditionally been written in C++ and C," explains Allen West, one of the principal researchers of the report. Mirai, for example, was written in C.
In more recent years, though, hackers have become more creative. "They're trying to take any new approach they can, and these new languages — such as Go, with its efficiencies and the way it stores strings — makes it more difficult for people to deal with."
"Go" — short for "Golang" — is the high-level programming language underpinning HinataBot. It's similar to C, but, in some ways, it's more powerful. With Golang, explains Chad Seaman, another author of the report, hackers "get better error handling, they get memory management, they get easy threaded worker pools, and a little bit more of a stable platform that provides some of the speed and performance you would associate with a C-level language, and C or C++ binaries, with a lot of things that they don't have to manage."
"It just lowers the bar on technical difficulty," he says, "while also raising the performance bar over, say, some of the other traditional languages."
For all of these reasons, Go has become a popular choice for malware authors. Botnets like kmsdbot, GoTrim, and GoBruteForcer are cases in point. "Go is becoming more performant and more mainstream and more common," Seaman says, and the malware that results is all the more powerful for it.
How Much Should Businesses Worry About HinataBot?
As scary as HinataBot may be, there may be a bright side.
HinataBot isn't simply more efficient than Mirai — it must be more efficient because it's working with less.
"The vulnerabilities through which it's spread are not new or novel," Seaman says. HinataBot leverages weaknesses and CVEs already known to the security community and utilized by other botnets. It's an environment quite different than that of which Mirai operated in circa 2016–'17, when IoT vulnerabilities were novel and security for the devices was not top of mind.
"I don't think we're going to see a case of another Mirai, unless they get creative in how they're distributing and their infection techniques,” Seaman says. "We're not going to see another 70,000 or 100,000-node, Mirai-like threat from the Hinata authors under their current tactics, techniques, and procedures."
A less optimistic observer might note that, being only a couple of months old now, there is plenty of time for HinataBot to improve upon its limited weaknesses. "It may just be an introductory phase, right?" Seaman points out. "They're grabbing at low hanging fruit so far, without needing to go out and do anything really novel yet."
Nobody can yet say how big this botnet will become, or in what ways it'll change over time. For now, we can only prepare for what we know — that this is a very powerful tool, operating over known channels and exploiting known vulnerabilities.
"There's nothing that they're doing within the traffic that's circumventing security controls we've already put in place," notes Larry Cashdollar, the third author of the report. "The exploits are old. There are no zero days. So, as it stands, the fundamental security principles for defending against this kind of threat" — strong password policies, dutiful patching, and so on — "are the same. They're still sufficient."