Meris, the largest botnet on the Internet, begins to falter: researchers find a bug that lets them reduce its attacks
Meris is the botnet of the moment, and in recent weeks it has been unleashing some of the largest DDoS attacks in Internet history. Attacking mainly Russia, the United Kingdom, the United States and New Zealand, it has managed to knock out a multitude of online services. But it is beginning to lose strength: security researchers are starting to find its weaknesses and the mistakes its creators have made.
A few days ago we looked in more detail at what Meris is like; it is currently the largest botnet on the Internet. It is a botnet that attacks servers through a very large number of requests rather than through large requests. This way of crashing services is not so common, but it is very effective if you have a considerable network of bots. Yandex recorded from Meris what is so far the largest DDoS to date, peaking at 21.8 million requests per second.
A DNS sinkhole for Meris
The Russian operator Rostelecom, which has seen Meris affect some of its customers, recently found a bug in Meris while conducting a routine investigation of the botnet. Its engineers discovered that some of the Meris-infected routers were pointing to an unregistered domain. They quickly registered the domain in order to gain control of the Meris traffic arriving at it.
Essentially, what Rostelecom's engineers have done is turn the domain into a DNS sinkhole. Put simply, some of the routers infected by Meris go to this domain in search of instructions to carry out the attack. However, since the domain is now owned by Rostelecom, they can stop those attacks and instead show the victims a message stating that they are part of a botnet and what they can do to remove the malware. Something relatively similar happened with WannaCrypt.
Although this is progress, the routers that contact this domain are barely a fifth of the entire botnet. However, it has also helped researchers find new clues about how Meris originated. The malware's source code contains pieces of code that refer to Glupteba, a strain of malware often used to load and launch other malware. Redirects to the domain acquired by Rostelecom also confirmed that Meris was partly assembled using Glupteba.
Why is this relevant? Because it can help put an end to Meris sooner, since part of what Glupteba is like and some of its weak points are already known. It may also indicate that the creators of Meris are the same as those of Glupteba. Be that as it may, there is still work ahead to mitigate this botnet, much more than is made public.
Via | The Record