Meet Linux.Mirai Trojan, a DDoS nightmare

https://www.hackread.com/linux-mirai-trojan-a-ddos-nightmare/

62 Comments

  1. Tomi Engdahl says:

    Three Plead Guilty in Mirai Botnet Attacks
    http://www.securityweek.com/three-plead-guilty-mirai-botnet-attacks

    US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.

    The Justice Department announced plea agreements for Paras Jha, 21 — a former Rutgers University computer science student who acknowledged writing the malware code — and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.

    In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 “internet of things” (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.

    By commanding an army of bots — or computers under control of the attackers — the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.

    The malware was used to make money through “click fraud,” a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.

    The three generated some $180,000 from the scheme in bitcoin, Justice officials added.

    Reply
  2. Tomi Engdahl says:

    Mirai-makers plead guilty, Hajime still lurks in shadows
    http://rethinkresearch.biz/articles/mirai-makers-plead-guilty-hajime-still-lurks-shadows/

    Riot doesn’t go in for New Year predictions much, but we think Hajime will be a name on most security reporters’ lips at some point in 2018 – a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things. Mirai itself has made the news this week, because its apparent author has now pleaded guilty to such accusations, leveled against him by the FBI. However, this isn’t the end for the now open-sourced Mirai.

    Reply
  3. Tomi Engdahl says:

    Mirai Variant “Satori” Targets Huawei Routers
    http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers

    Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.

    The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.

    Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).

    Reply
  4. Tomi Engdahl says:

    From Mirai To Persirai — The Metamorphosis Of An Open Source Botnet
    https://www.incapsula.com/blog/from-mirai-to-persirai.html

    The Mirai malware has become particularly notorious for recruiting IoT devices to form botnets that have launched some of the largest DDoS attacks ever recorded. Mirai came onto the scene in late 2016 as the malware supporting very large DDoS attacks, including a 650 Mbps attack on the Krebs on Security site. It’s also purported to have been the basis of the attack in October 2016 that brought down sites including Twitter, Netflix, Airbnb and many others. Since then, Mirai has morphed into the most aggressive and effective botnet tool we’ve seen to date.

    The Rise of Persirai

    This brings us to Persirai, the newest version of Mirai that was also discovered last month by researchers at Trend Micro and comes equipped with even more advanced “features.” Previous versions of Mirai used to rely on guessing default passwords, so any IoT devices that had default passwords changed were considered protected. Researchers discovered that Persirai became even more aggressive by exploiting a zero-day vulnerability to steal the password file from an IP camera regardless of password strength. Persirai’s ability to leverage the previous features, plus its password stealing capability has led to a massive increase in the number of infected devices. By tracking thousands of infected IoT devices, Trend Micro discovered over half of those in the U.S. are infected, with almost two-thirds of the cameras in Japan infected.

    Persirai is on an aggressive recruitment push.

    How to Avoid Being part of a Botnet

    Additional measures to ensure IoT devices do not become unwitting members of a Persirai botnet include blocking internet access to admin ports and disabling universal plug and play (UPnP) on the router or firewall. Also consider isolating IoT devices on your network using segmentation or firewall policies and only let IoT devices communicate with IP addresses that are approved. Finally, scan your network with our Mirai vulnerability scanner to see if it hosts a device vulnerable to Mirai injection attacks.

    Mirai Vulnerability Scanner
    https://www.incapsula.com/mirai-scanner/

    Reply
  5. Tomi Engdahl says:

    Mirai Variant Targets ARC CPU-Based Devices
    http://www.securityweek.com/mirai-variant-targets-arc-cpu-based-devices

    A newly discovered variant of the Mirai Internet of Things (IoT) botnet is targeting devices with ARC (Argonaut RISC Core) embedded processors, researchers warn.

    Dubbed Okiru, the new malware variant appears to be different from the Satori botnet, although the latter was also called Okiru by its author. Security researchers analyzing the new threat have discovered multiple differences between the two Mirai versions, aside from the targeting of the ARC architecture.

    Originally designed by ARC International, the ARC processors are 32-bit CPUs widely used in system on chip (SOC) devices for storage, home, mobile, automotive, and IoT applications. Each year, over 1.5 billion devices are shipped with ARC processors inside.

    Mirai Okiru represents the very first known malware targeting ARC processors, independent security researcher Odisseus, who analyzed the threat, notes.

    One of the characteristics that sets them apart is the configuration, which in Okiru is encrypted in two parts with telnet bombardment password encrypted. Satori doesn’t split it in two and doesn’t encrypt brute default passwords either. Moreover, the new malware variant can use up to 114 credentials for telnet attack, while Satori uses a different and shorter database.

    The researcher also explains that Okiru seems to lack the “TSource Engine Query” common Distributed “Reflective” (DRDoS) attack function via random UDP that Satori has.

    Reply
  6. Tomi Engdahl says:

    Researchers Connect Lizard Squad to Mirai Botnet
    http://www.securityweek.com/researchers-connect-lizard-squad-mirai-botnet

    Lizard Squad and Mirai, which are responsible for a series of notorious distributed denial of service (DDoS) attacks, are connected to one another, a recent ZingBox report reveals.

    Lizard Squad is a hacking group known for some of the most highly publicized DDoS attacks in history, including the disruption of Sony PlayStation and Xbox Live networks. Over the past several years, multiple individuals suspected to have used Lizard Squad’s LizardStresser DDoS service have been arrested.

    While the hacking group has been operating for several years, Mirai has been around for only one year and a half, making headlines in late 2016 following massive DDoS attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure. The malware’s source code was made public within weeks of these attacks and numerous variants have emerged since.

    Now, ZingBox researchers claim to have discovered evidence that links the Lizard Squad hackers and Mirai, including the common use of the same Ukraine hosting provider Blazingfast.

    The Mirai source code, the researchers point out, was released nine days after Lizard Squad founder Zachary Buchta was arrested. According to them, the DDoS attack on Brian Krebs’ blog in late 2016 appears the result of the journalist’s criticism against Lizard Squad, and there are also references to Mirai on a Lizard Squad website.

    Reply
  7. Tomi Engdahl says:

    Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K
    https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/

    A monster distributed denial-of-service attack (DDoS) against KrebsOnSecurity.com in 2016 knocked this site offline for nearly four days. The attack was executed through a network of hacked “Internet of Things” (IoT) devices such as Internet routers, security cameras and digital video recorders. A new study that tries to measure the direct cost of that one attack for IoT device users whose machines were swept up in the assault found that it may have cost device owners a total of $323,973.75 in excess power and added bandwidth consumption.

    My bad.

    But really, none of it was my fault at all. It was mostly the fault of IoT makers for shipping cheap, poorly designed products (insecure by default), and the fault of customers who bought these IoT things and plugged them onto the Internet without changing the things’ factory settings (passwords at least.)

    The botnet that hit my site in Sept. 2016 was powered by the first version of Mirai

    Reply
  8. Tomi Engdahl says:

    Mirai botnet adds three new attacks to target IoT devices
    https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/

    This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.

    A new variant of the Mirai botnet has added at least three exploits to its arsenal, which enable it to target additional IoT devices, including routers and DVRs.

    The new version of Mirai – a powerful cyberattack tool which took down large swathes of the internet across the US and Europe in late-2016 – has been uncovered by researchers at security company Fortinet, who have dubbed it Wicked after lines in the code.

    The original version of Mirai was deployed to launch massive distributed denial-of-service (DDoS) attacks, but has also been modified for other means after its source code was published online including to turn unpatched IoT devices into cryptocurrency miners and proxy servers for delivering malware.

    While the original Mirai uses traditional brute force attacks in an attempt to gain control of IoT devices, Wicked uses known and available exploits in order to do its work. Many of these are old, but the inability of many IoT devices to actually install updates means they haven’t been secured against known exploits.

    Vulnerabilities used by Wicked include a Netgear R7000 and R6400 Command Injection (CVE-2016-6277), a CCTV-DVR Remote Code Execution and an Invoker shell in compromised web servers.

    Reply
  9. Tomi Engdahl says:

    “Wicked” Variant of Mirai Botnet Emerges
    https://www.securityweek.com/wicked-variant-mirai-botnet-emerges

    A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and distributes a new bot, Fortinet researchers warn.

    Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.

    The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.

    Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.

    Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.

    A Wicked Family of Bots
    https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

    Reply
  10. Tomi Engdahl says:

    Something Wicked this way comes
    https://isc.sans.edu/forums/diary/Something+Wicked+this+way+comes/23681/

    The latest Mirai-based botnet is Wicked. Unlike previous Mirai variants and siblings, which compromised IoT devices with default credentials or brute forcing credentials, Wicked is targeting vulnerabilities contained in certain IoT devices.

    Wicked scans ports 8080, 8443, 80, and 81. Specifically it is targeting the following devices/vulnerabilities:

    80 – Invoker Shell in compromised Web Servers
    81 – CCTV-DVR
    8443 – Netgear R7000 and R6400 (CVE-2016-6277)
    8080 – Netgear DGN1000 and DGN2200

    The Invoker Shell is interesting in that it does not exploit the device, but rather takes advantage of previously compromised web servers.

    After successful exploitation, it downloads what appears to be Omni Bot, the same code delivered by the attacks on the DASAN GPON home routers

    Reply
