In early October, a hacker named Anna-senpai published the source code of a malware created to automatically scour the internet for poorly secured and easy-to-hack connected devices that could be enlisted into an Internet of Things zombie army. That malware, known as Mirai, has fueled some of the worst cyberattacks the internet has ever seen, including one that took down Twitter, Reddit, Netflix and other popular sites as collateral damage last week.
Now, wannabe hackers are taking the code and modifying it to add new features—but apparently they don’t always know what they’re doing.
Security firm Arbor Networks noticed that several hackers “have been observed customizing and improving the attack capabilities of the original botnet code,” according to a blog post published on Thursday.
Read more: How Vigilante Hackers Could Stop the Internet of Things Botnet
Arbor’s researchers found that a Mirai variant in the wild has a “a remote-control backdoor” that listens for commands over port 103. That wasn’t present in the original source code, according to three independent security researchers who have studied the Mirai malware.
Normally, when Mirai infects a target, it disables the protocol that allows anyone to try to connect to the target. This new functions allows the criminals who infect a device to still be able to control it even if their command and control server is taken down. But according to some, it’s a useless, perhaps even counterproductive new feature.
“Sounds like a REALLY stupid ‘feature,’” Darren Martyn, a hacker who works for Xiphos Research, told Motherboard in an online chat, explaining that it might leave the door open for other hackers to take control of the device, or for others to disable the malware.
“If the backdoor is wide open, it makes killing them easier,” he added.
“If the backdoor is wide open, it makes killing them easier.”
Marshal Webb, the chief technology officer at BackConnect, an anti-DDoS firm, explained that thanks to this backdoor it should be easier for security researchers to track Mirai botnets and identify infected devices. Webb added that from the criminal’s perspective, this is a “terrible” and “horrible” idea, likely the fruit of amateur and “inexperienced” wannabe hackers.
“Now that all the kids on HackForums have the code,” Webb told me, referring to the hacking forum where the Mirai code was first released, “you will see more of these garbage edits.”
With the source code for the malware out there for anyone to see and use, cyberattacks leveraging Mirai botnets have increased, according to Arbor and other internet-monitoring companies. Last week’s attack, whose effects were felt mostly in the east coast of the United States, but also in some parts of Europe, was the most notable to date.
But given that no one’s really sure how to stop Mirai, and it’s unlikely that the FBI, or benevolent hackers, are willing and capable of taking the botnets down, it likely won’t be the last one.