Hey, you, keep away from my device: remotely implanting a virus expeller to defeat Mirai on IoT devices

Mirai is botnet which targets out-of-date Internet-of-Things (IoT) devices. The disruptive Distributed Denial of Service (DDoS) attack last year has hit major Internet companies, causing intermittent service for millions of Internet users. Since the affected devices typically do not support firmware update, it becomes challenging to expel these vulnerable devices in the wild. Both industry and academia have made great efforts in amending the situation. However, none of these efforts is simple to deploy, and at the same time effective in solving the problem. In this work, we design a collaborative defense strategy to tackle Mirai. Our key idea is to take advantage of human involvement in the least aggressive way. In particular, at a negotiated time slot, a customer is required to reboot the compromised device, then a “white” Mirai operated by the manufacture breaks into the clean-state IoT devices immediately. The “white” Mirai expels other malicious Mirai variants, blocks vulnerable ports, and keeps a heart-beat connection with the server operated by the manufacturer. Once the heart-beat is lost, the server re-implants the “white” Mirai instantly. We have implemented a full prototype of the designed system, and the results show that our system can evade Mirai attacks effectively.