This nasty trojan is targeted against Linux IoT devices.
Mirai is an evolution of an older trojan, also used for DDoS attacks, known under many names, such as Gafgyt, Lizkebab, BASHLITE, Bash0day, Bashdoor, and Torlus.
Mirai’s mode of operation is largely the same as Gafgyt, targeting IoT devices running Busybox.
The trojan also targets only a specific set of platforms, such as ARM, ARM7, MIPS, PPC, SH4, SPARC, and x86, on which IoT devices are usually built.
Mirai infects devices via brute-force attacks on the Telnet port, using a list of default admin credentials, trying to exploit cases where device owners have forgotten to change the built-in password.
Once it infects a device, it reports to the C&C server and awaits commands. Mirai comes with support for launching DDoS attacks and brute-force attacks to infect more IoT devices.
Other Linux trojans that have targeted IoT devices and Linux servers to enslave in DDoS botnets include PNScan and Remaiten.
12 Comments
Tomi Engdahl says:
Meet Linux.Mirai Trojan, a DDoS nightmare
http://www.epanorama.net/newepa/2016/10/03/meet-linux-mirai-trojan-a-ddos-nightmare/
Tomi Engdahl says:
New, More-Powerful IoT Botnet Infects 3,500 Devices In 5 Days
https://tech.slashdot.org/story/16/11/01/225221/new-more-powerful-iot-botnet-infects-3500-devices-in-5-days
There’s a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report. Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network.
New, more-powerful IoT botnet infects 3,500 devices in 5 days
Discovery of Linux/IRCTelnet suggests troubling new DDoS menace could get worse.
http://arstechnica.com/security/2016/11/new-iot-botnet-that-borrows-from-notorious-mirai-infects-3500-devices/
Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices.
Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6.
Tomi Engdahl says:
Guerilla researcher created epic botnet to scan billions of IP addresses
With 9TB of data, survey is one of the most exhaustive—and illicit—ever done.
http://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/
In one of the more audacious and ethically questionable research projects in recent memory, an anonymous hacker built a botnet of more than 420,000 Internet-connected devices and used it to perform one of the most comprehensive surveys ever to measure the insecurity of the global network.
In all, the nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open. A large percentage of the unsecured devices bore the hallmarks of broadband modems, network routers, and other devices with embedded operating systems that typically aren’t intended to be exposed to the outside world. The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. There were no signs of life from the remaining 2.3 billion IPv4 addresses.
Continually scanning almost 4 billion addresses for nine months is a big job. In true guerilla research fashion, the unknown hacker developed a small scanning program that scoured the Internet for devices that could be logged into using no account credentials at all or the usernames and passwords of either “root” or “admin.” When the program encountered unsecured devices, it installed itself on them and used them to conduct additional scans. The viral growth of the botnet allowed it to infect about 100,000 devices within a day of the program’s release. The critical mass allowed the hacker to scan the Internet quickly and cheaply. With about 4,000 clients, it could scan one port on all 3.6 billion addresses in a single day. Because the project ran 1,000 unique probes on 742 separate ports, and possibly because the binary was uninstalled each time an infected device was restarted, the hacker commandeered a total of 420,000 devices to perform the survey.
Tomi Engdahl says:
German ISP Confirms Malware Attacks Caused Disruptions
http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions
German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.
In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.
Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.
Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.
Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.
Tomi Engdahl says:
Mirai-Based Worm Targets Devices via New Attack Vector
http://www.securityweek.com/mirai-based-worm-targets-devices-new-attack-vector
A Mirai-based worm leverages a recently disclosed attack vector to hijack routers and modems. Researchers determined that a large number of devices around the world could be vulnerable to attacks.
Numerous devices have been infected by Mirai and many others could easily get compromised. The malware is responsible for some of the largest distributed denial-of-service (DDoS) attacks in history and it has been increasingly used by malicious actors after its source code was leaked.
Researchers at BadCyber were recently contacted by an individual in Poland who discovered that his Zyxel AMG1202-T10B gateway had been rebooting every 15-20 minutes. An analysis revealed that hackers managed to remotely execute malicious commands on the device by injecting them into the network time protocol (NTP) server name field. The value of the NTP server name is parsed as a command without being validated, leading to an RCE vulnerability.
The malicious code was inserted into the NTP server name field via the TR-064 protocol, which allows ISPs to manage devices on their networks. The problem is that some devices are configured to accept TR-064 commands from the Internet, allowing attackers to abuse the feature for malicious activities.
Researchers warned earlier this month that TR-064 commands can be sent to D1000 modems provided by Ireland-based ISP Eir.
A Shodan search showed that tens of thousands of D1000 modems are affected. BadCyber conducted its own search and found more than 5 million devices exposing the TR-064 service, with a majority located in Brazil, India, the UK and various other European countries.
The SANS Institute’s Internet Storm Center has also observed attack attempts on port 7547, the port used by TR-064. The organization identified roughly 41 million devices with the 7547 port open and its honeypots receive a request every 5-10 minutes.
Tomi Engdahl says:
German ISP Confirms Malware Attacks Caused Disruptions
http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions
German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.
In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.
Information on current problems
https://www.telekom.com/en/media/media-information/archive/information-on-current-problems-444862
Tomi Engdahl says:
@danimo @hanno @esizkur Its not just Zyxel. I’ve found T-Com, MitraStar, D-Link, Aztech, Digicom, Comtrend, ZTE…
Currently listing 48 devices vulnerable to the main TR-064/TR-069 issue. Scans will reveal more. Not scanning for the cmd inject though.
Source: https://twitter.com/info_dox/status/803244427300978688
Tomi Engdahl says:
Worldwide, there are an estimated millions of devices captured members of the Mirai-botnet. Among them are more than ten thousand Finns device.
Effects users
Malware infection detection by the user, is difficult. The malware can slow down the operation of the device or prevent its normal use altogether. Contaminated equipment likely to be involved in the user’s knowledge, for example, denial of service attacks and to use the interface capacity.
The open home routers to the Internet service enables remote exploit the device to be contaminated. After contamination of the device tends to infect other similar devices and will become part of a bot network. formed hijacked botnets devices are used, for example, denial of service attacks. remote management of devices commonly used TCP port 7547.
FICORA considers that the conditions for traffic filtering in this case, as defined in the Act have been met and has recommended that telecom operators to filter traffic port TCP / 7547 in order to prevent the exploit. Several telecommunications companies have begun to traffic filtering.
Currently, there are known the following manufactured Zyxel ADSL modems to be vulnerable. the list below will be updated as new information is obtained vulnerable devices:
Zyxel AMG1302-T11C
Zyxel AMG1312-T10B
Zyxel AMG1202-T10B (no longer marketed) What software
Zyxel P-660HN-T1A (No longer available)
Zyxel P660HN-T1Av2 (No longer available)
It is very likely that the vulnerability applies to other devices.
The malware is removed, the release also Rebooting and the telecommunications operator’s traffic filtering.
Sources:
http://www.tivi.fi/Kaikki_uutiset/yli-10-000-suomalaista-modeemia-kaapattu-nain-estat-mirai-haittaohjelman-toiminnan-6603349
https://www.viestintavirasto.fi/kyberturvallisuus/varoitukset/2016/varoitus-2016-04.html
Tomi Engdahl says:
Nearly 200,000 Wi-Fi Cameras Are Open To Hacking
https://it.slashdot.org/story/17/03/09/2212227/nearly-200000-wi-fi-cameras-are-open-to-hacking
What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking. The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.
Nearly 200,000 WiFi Cameras Open to Hacking Right Now
https://www.bleepingcomputer.com/news/security/nearly-200-000-wifi-cameras-open-to-hacking-right-now/
What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking.
The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.
Security researcher Pierre Kim says the firmware produced by this Chinese vendor comes with several flaws, which have all made their way down the line into the products of other companies that bought the white-label (unbranded) camera. In total, nearly 1,250 camera models based on the original camera are affected.
According to Kim, the cameras are affected by a total of seven security flaws. The biggest ones are listed below.
Backdoor account – Telnet runs by default, and everyone can log in with the following credentials
Pre-auth info and credentials leak – An attacker can bypass device authentication procedures by providing empty “loginuse” and “loginpas” parameters when accessing server configuration files
Pre-auth RCE as root – An attacker can bypass the authentication procedure and execute code on the camera under the root user just by accessing an URL with special parameters.
Streaming without authentication – An attacker can access the camera’s built-in RTSP server on port 10554 and watch a live video stream without having to authenticate
Cloud – The camera provides a “Cloud” feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device’s credentials.
Nearly 200,000 vulnerable cameras available online right now
Yesterday, Kim said that around 185,000 vulnerable cameras could be easily identified via Shodan. Today, the same query yields 198,500 vulnerable cameras.
“I advise to IMMEDIATELY DISCONNECT cameras [from] the Internet,” Kim said in a blog post. “Hundreds of thousands [of] cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.”
Tomi Engdahl says:
Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
Vulnerabilities Summary
The Wireless IP Camera (P2) WIFICAM is a camera overall badly designed with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.
It seems that a generic camera is being sold by a Chinese company in bulk (OEM) and the buyer companies resell them with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.
So, cameras are sold under different names, brands and functions. The HTTP interface is different for each vendor but shares the same vulnerabilities. The OEM vendors used a custom version of GoAhead and added vulnerable code inside.
Because of code reusing, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow to execute root commands against 1250+ camera models with a pre-auth vulnerability.
these cameras are likely affected by a pre-auth RCE as root
Tomi Engdahl says:
Russell Brandom / The Verge:
Researchers: October’s Mirai botnet attack on Dyn DNS service was incidental; original target was PlayStation Network name servers used by Dyn
Angry gamers may have been behind last year’s web-breaking DDoS attack
Targets included Brazilian Minecraft servers and the PlayStation Network
https://www.theverge.com/2017/8/18/16170536/mirai-ddos-playstation-network-dyn-internet-angry-gamers
Last October, a flood of traffic from the Mirai botnet brought down major portions of the internet, blocking access to Amazon, Netflix, and other services for most of the northeastern US. It was a painful reminder of the fragility of the internet and the danger of insecure Internet of Things devices — but despite the broad scale of the damage, new research presented today at the Usenix conference suggests the attackers may have just been trying to kick people off PlayStation.
The new report comes from a team of researchers at Google, Cloudflare, Merit Networks, Akamai, and a range of university partners, drawing on data from some of the largest infrastructure networks on the web. Looking at the October attack on DNS provider Dyn, researchers noticed something unusual. All the IP addresses targeted by the attack were nameservers for the PlayStation Network, used by Dyn to connect visitors to the correct IP address. Because of the networked nature of Dyn’s domain registration system, attacking those servers meant attacking the whole system — and when it went down, it brought down access to dozens of other services with it.
During the same period, the same attackers also went after a handful of gaming services. The researchers also detected attacks on Xbox Live, Nuclear Fallout and Valve Steam servers during the same period, suggesting the group was going after a wide range of gaming systems.
“This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn,” the researchers conclude. “The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base.”
Tomi Engdahl says:
Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem
https://www.securityweek.com/mirai-variants-continue-spawn-vulnerable-iot-ecosystem