Meet Linux.Mirai Trojan, a DDoS nightmare

https://www.hackread.com/linux-mirai-trojan-a-ddos-nightmare/

81 Comments

  1. Tomi Engdahl says:

    Three Plead Guilty in Mirai Botnet Attacks
    http://www.securityweek.com/three-plead-guilty-mirai-botnet-attacks

    US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.

    The Justice Department announced plea agreements for Paras Jha, 21 — a former Rutgers University computer science student who acknowledged writing the malware code — and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.

    In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 “internet of things” (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.

    By commanding an army of bots — or computers under control of the attackers — the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.

    The malware was used to make money through “click fraud,” a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.

    The three generated some $180,000 from the scheme in bitcoin, Justice officials added.

  2. Tomi Engdahl says:

    Mirai-makers plead guilty, Hajime still lurks in shadows
    http://rethinkresearch.biz/articles/mirai-makers-plead-guilty-hajime-still-lurks-shadows/

    Riot doesn’t go in for New Year predictions much, but we think Hajime will be a name on most security reporters’ lips at some point in 2018 – a more potent version of the Mirai malware that threatens to run rampant across the Internet of Many Unsecured Things. Mirai itself has made the news this week, because its apparent author has now pleaded guilty to such accusations, leveled against him by the FBI. However, this isn’t the end for the now open-sourced Mirai.

  3. Tomi Engdahl says:

    Mirai Variant “Satori” Targets Huawei Routers
    http://www.securityweek.com/mirai-variant-satori-targets-huawei-routers

    Hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers have been observed over the past month, Check Point security researchers warn.

    The attacks were trying to drop Satori, an updated variant of the notorious Mirai botnet that managed to wreak havoc in late 2016. Targeting port 37215 on Huawei HG532 devices, the assaults were observed all around the world, including the USA, Italy, Germany and Egypt, the researchers say.

    Common to these incidents was the attempt to exploit CVE-2017-17215, a zero-day vulnerability in the Huawei home router residing in the fact that the TR-064 technical report standard, which was designed and intended for local network configuration, was exposed to WAN through port 37215 (UPnP – Universal Plug and Play).

  4. Tomi Engdahl says:

    From Mirai To Persirai — The Metamorphosis Of An Open Source Botnet
    https://www.incapsula.com/blog/from-mirai-to-persirai.html

    The Mirai malware has become particularly notorious for recruiting IoT devices to form botnets that have launched some of the largest DDoS attacks ever recorded. Mirai came onto the scene in late 2016 as the malware supporting very large DDoS attacks, including a 650 Mbps attack on the Krebs on Security site. It’s also purported to have been the basis of the attack in October 2016 that brought down sites including Twitter, Netflix, Airbnb and many others. Since then, Mirai has morphed into the most aggressive and effective botnet tool we’ve seen to date.

    The Rise of Persirai

    This brings us to Persirai, the newest version of Mirai that was also discovered last month by researchers at Trend Micro and comes equipped with even more advanced “features.” Previous versions of Mirai used to rely on guessing default passwords, so any IoT devices that had default passwords changed were considered protected. Researchers discovered that Persirai became even more aggressive by exploiting a zero-day vulnerability to steal the password file from an IP camera regardless of password strength. Persirai’s ability to leverage the previous features, plus its password stealing capability has led to a massive increase in the number of infected devices. By tracking thousands of infected IoT devices, Trend Micro discovered over half of those in the U.S. are infected, with almost two-thirds of the cameras in Japan infected.

    Persirai is on an aggressive recruitment push.

    How to Avoid Being part of a Botnet

    Additional measures to ensure IoT devices do not become unwitting members of a Persirai botnet include blocking internet access to admin ports and disabling universal plug and play (UPnP) on the router or firewall. Also consider isolating IoT devices on your network using segmentation or firewall policies and only let IoT devices communicate with IP addresses that are approved. Finally, scan your network with our Mirai vulnerability scanner to see if it hosts a device vulnerable to Mirai injection attacks.

    Mirai Vulnerability Scanner
    https://www.incapsula.com/mirai-scanner/

  5. Tomi Engdahl says:

    Mirai Variant Targets ARC CPU-Based Devices
    http://www.securityweek.com/mirai-variant-targets-arc-cpu-based-devices

    A newly discovered variant of the Mirai Internet of Things (IoT) botnet is targeting devices with ARC (Argonaut RISC Core) embedded processors, researchers warn.

    Dubbed Okiru, the new malware variant appears to be different from the Satori botnet, although the latter was also called Okiru by its author. Security researchers analyzing the new threat have discovered multiple differences between the two Mirai versions, aside from the targeting of the ARC architecture.

    Originally designed by ARC International, the ARC processors are 32-bit CPUs widely used in system on chip (SOC) devices for storage, home, mobile, automotive, and IoT applications. Each year, over 1.5 billion devices are shipped with ARC processors inside.

    Mirai Okiru represents the very first known malware targeting ARC processors, independent security researcher Odisseus, who analyzed the threat, notes.

    One of the characteristics that sets them apart is the configuration, which in Okiru is encrypted in two parts with telnet bombardment password encrypted. Satori doesn’t split it in two and doesn’t encrypt brute default passwords either. Moreover, the new malware variant can use up to 114 credentials for telnet attack, while Satori uses a different and shorter database.

    The researcher also explains that Okiru seems to lack the “TSource Engine Query” common Distributed “Reflective” (DRDoS) attack function via random UDP that Satori has.

  6. Tomi Engdahl says:

    Researchers Connect Lizard Squad to Mirai Botnet
    http://www.securityweek.com/researchers-connect-lizard-squad-mirai-botnet

    Lizard Squad and Mirai, which are responsible for a series of notorious distributed denial of service (DDoS) attacks, are connected to one another, a recent ZingBox report reveals.

    Lizard Squad is a hacking group known for some of the most highly publicized DDoS attacks in history, including the disruption of Sony PlayStation and Xbox Live networks. Over the past several years, multiple individuals suspected to have used Lizard Squad’s LizardStresser DDoS service have been arrested.

    While the hacking group has been operating for several years, Mirai has been around for only one year and a half, making headlines in late 2016 following massive DDoS attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure. The malware’s source code was made public within weeks of these attacks and numerous variants have emerged since.

    Now, ZingBox researchers claim to have discovered evidence that links the Lizard Squad hackers and Mirai, including the common use of the same Ukraine hosting provider Blazingfast.

    The Mirai source code, the researchers point out, was released nine days after Lizard Squad founder Zachary Buchta was arrested. According to them, the DDoS attack on Brian Krebs’ blog in late 2016 appears the result of the journalist’s criticism against Lizard Squad, and there are also references to Mirai on a Lizard Squad website.

  7. Tomi Engdahl says:

    Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K
    https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/

    A monster distributed denial-of-service attack (DDoS) against KrebsOnSecurity.com in 2016 knocked this site offline for nearly four days. The attack was executed through a network of hacked “Internet of Things” (IoT) devices such as Internet routers, security cameras and digital video recorders. A new study that tries to measure the direct cost of that one attack for IoT device users whose machines were swept up in the assault found that it may have cost device owners a total of $323,973.75 in excess power and added bandwidth consumption.

    My bad.

    But really, none of it was my fault at all. It was mostly the fault of IoT makers for shipping cheap, poorly designed products (insecure by default), and the fault of customers who bought these IoT things and plugged them onto the Internet without changing the things’ factory settings (passwords at least.)

    The botnet that hit my site in Sept. 2016 was powered by the first version of Mirai

  8. Tomi Engdahl says:

    Mirai botnet adds three new attacks to target IoT devices
    https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/

    This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.

    A new variant of the Mirai botnet has added at least three exploits to its arsenal, which enable it to target additional IoT devices, including routers and DVRs.

    The new version of Mirai – a powerful cyberattack tool which took down large swathes of the internet across the US and Europe in late-2016 – has been uncovered by researchers at security company Fortinet, who have dubbed it Wicked after lines in the code.

    The original version of Mirai was deployed to launch massive distributed denial-of-service (DDoS) attacks, but has also been modified for other means after its source code was published online, including to turn unpatched IoT devices into cryptocurrency miners and proxy servers for delivering malware.

    While the original Mirai uses traditional brute force attacks in an attempt to gain control of IoT devices, Wicked uses known and available exploits in order to do its work. Many of these are old, but the inability of many IoT devices to actually install updates means they haven’t been secured against known exploits.

    Vulnerabilities used by Wicked include a Netgear R7000 and R64000 Command Injection (CVE-2016-6277), a CCTV-DVR Remote Code Execution and an Invoker shell in compromised web servers.

  9. Tomi Engdahl says:

    “Wicked” Variant of Mirai Botnet Emerges
    https://www.securityweek.com/wicked-variant-mirai-botnet-emerges

    A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and distributes a new bot, Fortinet researchers warn.

    Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.

    The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.

    Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.

    Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.

    A Wicked Family of Bots
    https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

  10. Tomi Engdahl says:

    Something Wicked this way comes
    https://isc.sans.edu/forums/diary/Something+Wicked+this+way+comes/23681/

    The latest Mirai-based botnet is Wicked. Unlike previous Mirai variants and siblings, which compromised IoT devices with default credentials or brute forcing credentials, Wicked is targeting vulnerabilities contained in certain IoT devices.

    Wicked scans ports 8080, 8443, 80, and 81. Specifically it is targeting the following devices/vulnerabilities:

    80 – Invoker Shell in compromised Web Servers
    81 – CCTV-DVR
    8443 – Netgear R7000 and R6400 (CVE-2016-6277)
    8080 – Netgear DGN1000 and DGN2200

    The Invoker Shell is interesting in that it does not exploit the device, but rather takes advantage of previously compromised web servers.

    After successful exploitation, it downloads what appears to be Omni Bot, the same code delivered by the attacks on the DASAN GPON home routers.

  11. Tomi Engdahl says:

    IoT Botnets Target Apache Struts, SonicWall GMS
    https://www.securityweek.com/iot-botnets-target-apache-struts-sonicwall-gms

    The infamous Mirai and Gafgyt Internet of Things (IoT) botnets are targeting vulnerabilities in Apache Struts and the SonicWall Global Management System (GMS), Palo Alto Networks has discovered.

  12. Tomi Engdahl says:

    Garrett M. Graff / Wired:
    Court filing: US government seeks to continue FBI work with Mirai botnet hackers, who pled guilty to creating the malware last Dec., as part of their sentencing
    https://www.wired.com/story/mirai-botnet-creators-fbi-sentencing/

  13. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/8458-fbi-palkkasi-mirai-bottinetin-kehittajat

    The main culprit was identified as Rutgers University student Paras Jha, who had uploaded the Mirai source code to GitHub. He was sentenced to 2,500 hours of community service. Jha’s place of service is the FBI, with the task of hunting hackers and identifying security holes.

    As recently as last summer, no fewer than 19 different Mirai viruses were identified that attacked Linux-based IoT devices.

  14. Tomi Engdahl says:

    Mirai Co-Author Gets 6 Months Confinement, $8.6M in Fines for Rutgers Attacks
    https://krebsonsecurity.com/2018/10/mirai-co-author-gets-6-months-confinement-8-6m-in-fines-for-rutgers-attacks/

    The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his former alma mater.

    Jha told investigators he carried out the attacks not for profit but purely for personal, juvenile reasons: “He reveled in the uproar caused by the first attack, which he launched to delay upper-classmen registration for an advanced computer science class he wanted to take,” the government’s sentencing memo stated. “The second attack was launched to delay his calculus exam. The last two attacks were motivated in part by the publicity and outrage” his previous attacks had generated. Jha would later drop out of Rutgers after struggling academically.

  15. Tomi Engdahl says:

    Mirai Evolves From IoT Devices to Linux Servers
    https://www.darkreading.com/attacks-breaches/mirai-evolves-from-iot-devices-to-linux-servers/d/d-id/1333329

    Netscout says it has observed at least one dozen Mirai variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.

    Researchers from Netscout Alert have discovered what they believe are the first non-IoT versions of Mirai malware in the wild.

  16. Tomi Engdahl says:

    New Mirai Variant Targets Enterprise IoT Devices
    https://www.securityweek.com/new-mirai-variant-targets-enterprise-iot-devices

    A recently discovered variant of the infamous Mirai botnet is targeting devices specifically intended for businesses, potentially signaling a focus toward enterprise.

    Best known for the massive attacks on OVH and Dyn in late 2016, Mirai is a Linux malware targeting Internet of Things (IoT) devices in an attempt to ensnare them into botnets capable of launching distributed denial of service (DDoS) attacks.

    Numerous variants of the malware have emerged ever since Mirai’s source code leaked in October 2016, including Wicked, Satori, Okiru, Masuta, and others. One variant observed last year was leveraging an open-source project to become cross-platform and target multiple architectures, including ARM, MIPS, PowerPC, and x86.

  17. Tomi Engdahl says:

    New Mirai Variant Comes with 27 Exploits, Targets Enterprise Devices
    https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

    A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.

  18. Tomi Engdahl says:

    Mirai goes Enterprise
    https://www.kaspersky.com/blog/mirai-enterprise/26032/?utm_source=facebook&utm_medium=social&utm_campaign=gl_mirai-geo_ay0073_promo&utm_content=sm-post&utm_term=gl_facebook_promo_ay0073_sm-post_social_mirai-geo

    Given that Mirai’s code is very flexible and adaptable, it can easily be rearmed with new exploits to widen its range of targets. And that is exactly what happened this time. In addition to the new set of exploits for its usual prey, such as routers, access-points, ADSL modems, and network cameras, it can now infect enterprise devices such as high-capacity, enterprise-class wireless controllers, digital signage systems, and wireless presentation systems.

  19. Tomi Engdahl says:

    New Mirai Variant Targets More Processor Architectures
    https://www.securityweek.com/new-mirai-variant-targets-more-processor-architectures

    Targeting IoT devices in an attempt to ensnare them into a botnet capable of launching distributed denial of service (DDoS) attacks, the malware has been around since late 2016, with numerous variants observed since (such as Wicked, Satori, Okiru, Masuta, and others).

    Mirai’s source code was publicly released in October 2016, and various threat actors built their own iterations of the malware in order to target additional device types. A version that emerged earlier this year aims at devices specifically intended for businesses.

    The newly observed Mirai samples, Palo Alto Networks reports, are compiled to run on Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors, which shows that the threat’s developers continue to innovate.

  20. Tomi Engdahl says:

    New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
    https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-uses-multiple-exploits-to-target-routers-and-other-devices/

    We discovered a new variant of Mirai (detected as Backdoor.Linux.MIRAI.VWIPT) that uses a total of 13 different exploits, almost all of which have been used in previous Mirai-related attacks. Typical of Mirai variants, it has backdoor and distributed denial-of-service (DDoS) capabilities. However, this case stands out as the first to have used all 13 exploits together in a single campaign.

    This attack comes just a few weeks after we last reported on Mirai activity, when it had targeted various routers.

  21. Tomi Engdahl says:

    Mirai Botnet Activity
    https://isc.sans.edu/forums/diary/Mirai+Botnet+Activity/26234/
    This past week, I noticed new activity from the Mirai botnet in my honeypot. The sample log with the IP and file associated with the first log appears to have been taken down (96.30.193.26) which appeared multiple times this week including today. However, the last two logs from today are still active which is using a Bash script to download multiple exploits targeting various device types (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent: XTC and the name viktor which appear to be linked to XTC IRC Botnet, aka Hoaxcalls.

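Detection logic of the kind a defender could run over honeypot or web-server logs for the two patterns quoted in comments 10 and 21 above (the Wicked port set 80/81/8080/8443 and the XTC User-Agent). This is an added example, not code from the original post or from the cited articles; the log-line format, the sample lines (TEST-NET addresses) and the three-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Port set the Wicked variant probes, per the ISC diary quoted above.
WICKED_PORTS = {80, 81, 8080, 8443}
# User-Agent string tied to the XTC IRC botnet in the honeypot diary above.
SUSPICIOUS_AGENTS = {"XTC"}

# Assumed (constructed) honeypot line format:
#   <timestamp> <src_ip> -> :<dst_port> [UA=<user-agent>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+:(?P<port>\d+)"
    r"(?:\s+UA=(?P<ua>\S+))?\s*$"
)

# Constructed sample lines; 192.0.2.0/24 is TEST-NET, not a real indicator.
SAMPLE_LOG = """\
2020-05-01T10:00:01 192.0.2.10 -> :8080
2020-05-01T10:00:01 192.0.2.10 -> :8443
2020-05-01T10:00:02 192.0.2.10 -> :80
2020-05-01T10:00:02 192.0.2.10 -> :81
2020-05-01T10:00:05 192.0.2.20 -> :22
2020-05-01T10:00:06 192.0.2.20 -> :23
2020-05-01T10:00:09 192.0.2.30 -> :80 UA=XTC
2020-05-01T10:00:10 192.0.2.40 -> :443 UA=Mozilla/5.0
garbage line that should be skipped
"""


def parse_line(line):
    """Return a dict (ts, src, port, ua) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "port": int(m["port"]), "ua": m["ua"]}


def find_port_scanners(events, min_ports=3):
    """Sources that touched at least min_ports distinct ports from WICKED_PORTS.

    A single hit on port 80 is ordinary web traffic; the Wicked pattern is one
    source walking several of the four ports, so the threshold is per-source."""
    seen = defaultdict(set)
    for ev in events:
        if ev["port"] in WICKED_PORTS:
            seen[ev["src"]].add(ev["port"])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


def find_suspicious_agents(events):
    """(src, ua) pairs whose User-Agent is in SUSPICIOUS_AGENTS (None never matches)."""
    return sorted({(ev["src"], ev["ua"]) for ev in events if ev["ua"] in SUSPICIOUS_AGENTS})


def analyze(log_text, min_ports=3):
    """Parse a whole log and return the two findings plus the parsed-line count."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return {
        "scanners": find_port_scanners(events, min_ports),
        "agents": find_suspicious_agents(events),
        "parsed": len(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Lowering `min_ports` trades false positives for sensitivity; on real logs, correlate a flagged source with the subsequent download attempt (the Bash script in comment 21) before acting.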
  22. Tomi Engdahl says:

    Developer of Mirai, Qbot-based DDoS botnets jailed for 13 months
    https://www.bleepingcomputer.com/news/security/developer-of-mirai-qbot-based-ddos-botnets-jailed-for-13-months/
    A 22-year-old Washington man was sentenced to 13 months in prison for renting and developing Mirai and Qbot-based DDoS botnets used in DDoS attacks against targets from all over the world.

  23. Tomi Engdahl says:

    Mirai Botnet Exploit Weaponized to Attack IoT Devices via CVE-2020-5902
    https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/?
    Following the initial disclosure of two F5 BIG-IP vulnerabilities on the first week of July, we continued monitoring and analyzing the vulnerabilities and other related activities to further understand their severities. Based on the workaround published for CVE-2020-5902, we found an internet of things (IoT) Mirai botnet downloader (detected by Trend Micro as Trojan.SH.MIRAI.BOI) that can be added to new malware variants to scan for exposed Big-IP boxes for intrusion and deliver the malicious payload.

  24. Tomi Engdahl says:

    Ttint Botnet Targets Zero-Day Vulnerabilities in Tenda Routers
    https://www.securityweek.com/ttint-botnet-targets-zero-day-vulnerabilities-tenda-routers

    A new Mirai-based botnet is targeting zero-day vulnerabilities in Tenda routers, according to researchers at 360 Netlab, a unit of Chinese cybersecurity company Qihoo 360.

    Dubbed Ttint, the Remote Access Trojan (RAT) contains distributed denial of service capabilities, just as any Mirai offspring does, but also implements 12 remote access functions, including a Socket5 proxy, modifying router DNS and iptables, and running system commands.

    In order to circumvent detection of typical traffic generated by Mirai botnets, Ttint uses the WSS (WebSocket over TLS) protocol for communication with the command and control (C&C) server, and also uses encryption.
