Mirai Botnet Upgraded

Recently published research shows that the infamous Mirai botnet has been upgraded to attack to new classes of Internet of Things (IoT) devices, those been smart signage TVs and wireless presentation systems. This at first glance does not appear to be a major revelation, what is worrying is how the authors of Mirai appear to have spent a lot of time and effort into these upgrades. The upgrades center around the inclusion of new exploits which have been added to older versions of the botnet. With the rise of IoT devices so did the rise of botnets, a malware type which can be defined as a collection of internet-connected devices, which may include PCs, servers, mobile devices, and importantly for Mirai’s case internet of things devices that are infected and controlled by the malware. This creates a network which can be used by a malicious actor to send email spam, engage in click fraud campaigns, and generate malicious traffic for distributed denial-of-service (DDoS) attacks.

Palo Alto Networks, which has been tracking the new developments and published their findings, say that this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment. In conjunction with the inclusion of new exploits, the botnet operator has also expanded Mirai's built-in list of default credentials that the malware is using to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default credentials. While the botnet has gone through a list of improvements its goal is the same, that being to infect devices via scanning the internet for other IoT devices with exposed Telnet ports and use the default credentials to break in and take over these new devices. The malware is also capable of scanning the Internet for specific types of devices where one of the 27 exploits could be used to infect that device.

mirai botnet upgraded

In the past, Mirai was used to target routers, modems, security cameras, and DVRs/NVRs as its main priority. This did not mean other devices were not affected by the malware, in rare cases, Mirai malware has ended up on smart TVs, smartphones, and some enterprise Linux and Apache Struts servers. The latest version, according to researchers, has been intentionally targeting two new devices with exploits crafted specifically for that purpose. These new devices targeted are LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems. The two exploits used have been available online for months, however, it is believed that this is the first time the exploits have been weaponized. The exploit affecting the LG Supersign has shown that the device is vulnerable to remote code execution mainly due to improper parameter holding. The wireless presentation system exploits is detailed to be vulnerable to command injection attacks. Researchers said that,

“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks. The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall.”

One of the interesting aspects of the latest campaign is that the shell script is still alive and been hosted at a compromised website for an electronic security, integration and alarm monitoring business in Colombia. Researchers concluded that,

“IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute-force, or both. In addition, targeting enterprise vulnerabilities allows them access to links with a potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks.”

Mirai’s Infamy

In 2016, Mirai was thrust into the public’s domain when a massive distributed denial of service (DDoS) attack left much of the internet inaccessible on the US east coast. The attack, which authorities initially feared was the work of a hostile nation-state, was, in fact, the work of the Mirai botnet. The attack did not intend to knock out the internet for such a vast area, rather it aimed to make a little money off of Minecraft players but what started out humbly avalanched. Minecraft was the target because there's good money to be made in hosting Minecraft game servers, which leads to running skirmishes in which hosts launch DDoS attacks against their rivals, hoping to knock their servers offline and attract their business.

The unintentional knocking out of the US east coast would result in the original creators of Mirai pleading guilty to charges in December 2016. This would not be the end of the Mirai story as the source code was released into the wild. This resulted in a massive uptick in of malware authors continually upgrading the original source code to make it harder for authorities and researchers to combat. While Mirai continually evolves it is reliant on brute force attacks to compromise devices. This admins and users can prevent by changing IoT device passwords to something more robust and definitely not using the default credentials the device came with. Further, Mirai stores itself in memory, rebooting the device is enough to purge any potential infection but it is advised to change the password first as Mirai can quickly infect a device after a reboot.

Like with many other malware families protecting against Mirai can be done by individuals with relative ease. Hacker’s know that this is not often done, how many times to users and employees skip the need to update systems and software because it is not convenient at that time. When better security practices are adopted along with a comprehensive antivirus package life is made far harder for hackers.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal