Mirai malware turned Linux devices into DDoS botnet and now it’s time for Windows devices.
Mirai was possibly the biggest IoT-based malware threat to emerge last year; in October last year it caused a vast internet outage by launching massive distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn.
It is a malicious program for Linux-based internet-of-things (IoT) devices: it scans for insecure IoT devices, enslaves them in a botnet, and then uses them to launch DDoS attacks, spreading over Telnet with factory-default device credentials.
The new Mirai bot is capable of targeting Windows systems and can attack more ports than its Linux version. Dr.Web researchers have dubbed the new version Trojan.Mirai.1. The new Trojan targets Windows computers and scans the user's network for compromisable Linux-based connected devices.
Mirai malware is capable of infecting a diverse array of devices, but its main targets are internet routers and IoT devices such as CCTV systems and DVRs. Once the malware manages to infect a device, it connects to its C&C (command and control) server and downloads a configuration file (wpd.dat), from which it extracts a list of random IPs and then tries to log in through several ports, such as 22 (SSH), 23 (Telnet), 135, 445, 1433, 3306 and 3389. To do this, it uses a list of default admin credentials for the targeted device.
Successful authentication lets the malware run certain commands specified in the configuration file, depending on the type of compromised system.
In the case of Linux systems accessed via the Telnet protocol, the Trojan downloads a binary file to the compromised device, which in turn downloads and launches Linux.Mirai.
Once a machine is compromised, the Trojan can spread itself to other Windows devices, helping hackers hijack even more devices.
Besides this, researchers noted that the malware can also identify and compromise database services running on various ports, including MySQL and Microsoft SQL Server, creating a new admin user “phpminds” with the password “phpgodwith,” which allows attackers to steal the database.
At this time it is not known who created it, but the attack design demonstrates that IoT devices that are not directly accessible from the internet can also be hacked and join the Mirai botnet army.
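A defender-side check for the two behaviours described above, added here as an example and not taken from the Dr.Web report or the article: it parses constructed firewall-style connection log lines (the log format, field names and sample addresses are assumptions) and flags internal hosts that probe many neighbours on the port set listed above, and it checks a MySQL user list for the “phpminds” account the report says the Trojan creates.

```python
import re
from collections import defaultdict

# Ports the article lists as the Trojan's login targets
MIRAI_WIN_PORTS = {22, 23, 135, 445, 1433, 3306, 3389}
# Database admin account the article says the Trojan creates
ROGUE_DB_USER = "phpminds"

# Assumed firewall log format (not from the article): "<ts> src=<ip> dst=<ip> dport=<n> action=<word>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log: 10.0.0.5 sweeps six neighbours on the Mirai port set, 10.0.0.7 does not.
SAMPLE_LOG = """\
2017-02-10T10:00:01 src=10.0.0.5 dst=10.0.0.12 dport=23 action=deny
2017-02-10T10:00:01 src=10.0.0.5 dst=10.0.0.13 dport=23 action=deny
2017-02-10T10:00:02 src=10.0.0.5 dst=10.0.0.14 dport=22 action=deny
2017-02-10T10:00:02 src=10.0.0.5 dst=10.0.0.15 dport=3306 action=allow
2017-02-10T10:00:03 src=10.0.0.5 dst=10.0.0.16 dport=1433 action=deny
2017-02-10T10:00:03 src=10.0.0.5 dst=10.0.0.17 dport=3389 action=deny
2017-02-10T10:00:05 src=10.0.0.7 dst=10.0.0.12 dport=445 action=allow
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def find_scanners(lines, min_targets=5, min_ports=3):
    """Map each source that reached >= min_targets distinct hosts on >= min_ports
    distinct Mirai-associated ports to (distinct host count, sorted ports hit)."""
    hits = defaultdict(lambda: (set(), set()))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in MIRAI_WIN_PORTS:
            continue
        dsts, ports = hits[rec["src"]]
        dsts.add(rec["dst"])
        ports.add(rec["dport"])
    return {src: (len(d), sorted(p)) for src, (d, p) in hits.items()
            if len(d) >= min_targets and len(p) >= min_ports}


def rogue_db_accounts(user_rows):
    """user_rows: (user, host) pairs, e.g. from SELECT user, host FROM mysql.user."""
    return [(u, h) for u, h in user_rows if u == ROGUE_DB_USER]
```

Tune the thresholds to the size of the monitored subnet; on a real network, feed the function one time window of log lines at a time.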