It seems that Mirai, the notorious malware behind the botnet which hit a series of major websites a few months ago, is back with a vengeance – and with the ability to mine bitcoin, to boot. Mirai first came to wider attention in September 2016, when it carried out distributed denial of service (DDoS) attacks in a groundbreaking way – using Internet of Things (IoT) devices which it turned into bots.
How Does Mirai Work?
Mirai’s first documented attack was on prominent security journalist Brian Krebs’ website, using traffic from “zombie” Internet of Things devices and hitting a record 620 Gbps, as reported by Krebs On Security. It then went on to make much of the internet unavailable for millions of users by overwhelming Dyn, a company that serves as the backbone for a wide array of websites such as Netflix, Twitter and LinkedIn. Overall, the attacks affected prominent sites like Amazon, Twitter, Netflix and PayPal, as reported by Wired and by major newspapers and TV stations.
Mirai operates by searching the internet for vulnerable IoT devices that still use factory default usernames and passwords. Using a list of about 60 such username/password pairs, it logs into the devices and infects them with malware that forces them to report to a central control server, thus “recruiting” them into an army of malign bots which can be controlled remotely. This IoT “army” can then be used to launch DDoS attacks on instructions received from a remote command-and-control (C&C) server: the target’s servers are deliberately flooded with malicious junk traffic, overwhelming them and disrupting service. Infected devices continue to function normally, and in many cases a simple reboot wipes the malware clean (depending on the device, this may simply mean turning it off and on again after a short wait), but unless the login credentials are changed immediately as well, the device can be re-infected within minutes.
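One way a defender can spot the behaviour described above in a device’s own authentication log is to count, per source address, how many distinct username/password pairs were attempted within a short window, and to raise the alarm when such a burst ends in a successful login. The following is an added example, not code from the original article or from any Mirai analysis; the log line format, the sample lines, the source addresses and the credential pairs are all constructed for the example, and the regular expression must be adapted to whatever your device actually writes.

```python
"""Flag credential-scanning bursts (Mirai-style) in telnet/SSH login logs.

Added example for illustration only; the log format below is constructed,
not that of any real device or of Mirai itself.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanner cycling through generic default
# credentials, then a legitimate operator login from another address.
SAMPLE_LOG = """\
2017-04-10T02:14:01 telnetd[311]: login attempt user=root pass=root from=203.0.113.7 result=FAIL
2017-04-10T02:14:02 telnetd[311]: login attempt user=admin pass=admin from=203.0.113.7 result=FAIL
2017-04-10T02:14:03 telnetd[311]: login attempt user=root pass=admin from=203.0.113.7 result=FAIL
2017-04-10T02:14:04 telnetd[311]: login attempt user=admin pass=1234 from=203.0.113.7 result=FAIL
2017-04-10T02:14:05 telnetd[311]: login attempt user=user pass=user from=203.0.113.7 result=FAIL
2017-04-10T02:14:06 telnetd[311]: login attempt user=support pass=support from=203.0.113.7 result=SUCCESS
2017-04-10T02:20:00 telnetd[311]: login attempt user=operator pass=******** from=198.51.100.20 result=SUCCESS
"""

# Constructed log format; adjust to the real device's syslog output.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login attempt "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) from=(?P<src>\S+) result=(?P<res>\S+)$"
)


def parse_log(text):
    """Turn matching log lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "pw": m["pw"],
            "src": m["src"],
            "success": m["res"] == "SUCCESS",
        })
    return events


def find_credential_scanners(events, window=timedelta(seconds=60), threshold=4):
    """Return {source: {"distinct_pairs": n, "success_after_scan": bool}}.

    A source is reported when it tried at least `threshold` distinct
    username/password pairs inside any `window`-long span. A SUCCESS inside
    such a span means a device still accepted a default credential and was
    most likely recruited; that device needs a reboot and a password change.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            pairs = {(e["user"], e["pw"]) for e in span}
            if len(pairs) < threshold:
                continue
            prev = findings.get(src, {"distinct_pairs": 0, "success_after_scan": False})
            findings[src] = {
                "distinct_pairs": max(prev["distinct_pairs"], len(pairs)),
                "success_after_scan": prev["success_after_scan"] or any(e["success"] for e in span),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_credential_scanners(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The single operator login from 198.51.100.20 is not reported, because one credential pair never reaches the threshold; the address that cycled through six pairs in five seconds is reported, and because the last attempt succeeded the finding carries `success_after_scan`, which is the case that should trigger the reboot-and-change-password response rather than just a block on the source.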
Probably in an effort to cover the original hacker’s tracks, Mirai’s source code was publicly released on the English-language hacking community Hackforums just a few days after its first attack. A user going by the screen name Anna-senpai shared the code – as well as the fact that the malware was named after the 2011 TV anime series Mirai Nikki. According to analysis by Incapsula, IP addresses of Mirai-infected devices have been traced to 164 different countries, including remote locations such as Tajikistan and Somalia. Since then, worries have been expressed about the potential vulnerability of a wide spectrum of IoT devices, including Sony IPELA Engine IP Cameras.
Mirai Recruiting Mining Slaves?
New research suggests that there is a new Mirai version on the loose, with increased capabilities – including the potential to mine bitcoins. The new variant of the ELF Linux/Mirai malware also comes with extended attack capabilities: it can execute brute force attacks, as well as SQL injection, a common attack vector. An SQL injection uses malicious SQL statements to access and edit information not intended for display, including sensitive company data, user lists or private customer details.
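To make the SQL injection sentence above concrete from the defender’s side, here is an added example (not code from the article or from the malware) showing the defect that makes such an attack possible beside its fix: a lookup that pastes user input into the SQL text, and the same lookup written with a bound parameter. The table, rows and in-memory SQLite database are constructed for the example.

```python
"""Vulnerable string-built query beside its parameterised replacement.

Added example; the schema and data are constructed for illustration.
"""
import sqlite3


def make_db():
    """Constructed customer table: only 'public' rows are meant to be visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, email TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            (1, "Alice", "alice@example.com", 1),
            (2, "Bob", "bob@example.com", 0),
            (3, "Carol", "carol@example.com", 0),
        ],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string formatting: the caller's text becomes SQL."""
    sql = f"SELECT name, email FROM customers WHERE public = 1 AND name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Uses a bound parameter: the value is sent separately and can only be data."""
    sql = "SELECT name, email FROM customers WHERE public = 1 AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A value that closes the quoted literal and appends an always-true clause.
    hostile = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, hostile))  # leaks the non-public rows
    print("safe:      ", lookup_safe(db, hostile))        # no customer has that name
    print("safe, normal input:", lookup_safe(db, "Alice"))
```

The vulnerable version turns the WHERE clause into `public = 1 AND name = 'x' OR '1'='1'`, which is true for every row, so the non-public customers are returned; the parameterised version compares the whole string against the name column and returns nothing. Parameterising every query is the fix; a Web Application Firewall, as the article recommends later, is a second layer in front of it, not a replacement.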
The new Mirai code also has the ability to deliver a bitcoin-mining module to its infected hosts, turning them into mining slaves for the C&C server. Since it is doubtful whether IoT devices (which usually have little computing power) could mine significant quantities individually, it seems that the new variant will attempt to pool devices together in order to produce meaningful amounts of bitcoin.
The best way to be protected is, first and foremost, to get informed – about the newest attack methods as well as about ways to increase cyber-security. Take precautions such as changing default passwords, using a Web Application Firewall, and making sure you’re running up-to-date software, including on your home routers and other devices. Mirai’s modus operandi is surprisingly simple, but the results – especially with these increased capabilities – could be devastating.
Source Image: Internet of Things via Facebook