Kaspersky Lab researchers have identified that a hacker of Chinese origin is spreading a variant of Mirai using a repurposed botnet running on Windows.
Mirai malware was discovered in 2016, when it was used in the Internet's largest DDoS attacks, against Dyn DNS and the hosting provider OVH. A couple of weeks ago, it was also discovered that, after infecting Linux devices, the Mirai malware can also infect Windows devices.
Now, in a report published by Kaspersky Lab, it was identified that the code had been written by someone experienced and well-versed in spreading IoT malware onto Linux systems under specific conditions.
According to their research, the campaign isn't merely an over-hyped jump from Linux-based Mirai to Windows-based Mirai; rather, it is yet more proof of the dangers of the public availability of the Mirai source code, and of the inadequate security measures that have made IoT devices and embedded systems so vulnerable to hacking.
It is, however, quite alarming that Mirai is easily spreading from OS to OS.
As per the report from Kaspersky Lab, just as the release of the Zeus banking Trojan's source code turned out to be a devastating step for the online community, the leak of the Mirai IoT source code is also becoming a major problem for the security of Internet-connected infrastructure.
This is indeed concerning for the online security community, as the problems will continue to grow for many years: this is just the beginning of hackers learning to use the source code in a variety of ways.
The Windows botnet spreads to Linux-based machines by brute-forcing the device's remote telnet connection, and can then spread further via WMI, SQL injection and SSH attacks as well as IPC techniques.
Targets include IP-based cameras, media center appliances, Internet-connected DVRs, and Banana Pi and Raspberry Pi devices.
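The spreading behaviour described above (one host brute-forcing telnet and then fanning out over SSH and database ports) has a simple network-level tell: a single source opening connections to many distinct targets on the same service port. The script below is an added example, not code from the article or from Kaspersky Lab; it parses constructed firewall-style log lines (invented for this demonstration, not telemetry from the report) and flags sources whose fan-out on telnet, SSH, Microsoft SQL Server or MySQL ports exceeds a threshold. The log format, the `FANOUT_THRESHOLD` value and the function names are assumptions made for the example; the port numbers are the standard ones for those services.

```python
"""Flag hosts that fan out to the service ports a Mirai-style spreader probes.

Constructed example: the log lines below are made up for this demonstration,
not telemetry from the Kaspersky Lab report. Port numbers are the standard
ones for telnet (23), SSH (22), Microsoft SQL Server (1433) and MySQL (3306).
"""
import re
from collections import defaultdict

# Service ports the article names as spreading and targeting channels.
WATCHED_PORTS = {23: "telnet", 22: "ssh", 1433: "mssql", 3306: "mysql"}

# Assumption: one internal host opening connections to this many distinct
# targets on a single watched port looks like scanning, not administration.
FANOUT_THRESHOLD = 5

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<word>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample: 10.0.0.5 sweeps six hosts on telnet and two on MSSQL,
# 10.0.0.7 is an admin box touching two SSH hosts, 10.0.0.9 hits five MySQL hosts.
SAMPLE_LOG = """\
2017-02-10T10:00:01Z src=10.0.0.5 dst=192.168.1.20 dport=23 action=connect
2017-02-10T10:00:02Z src=10.0.0.5 dst=192.168.1.21 dport=23 action=connect
2017-02-10T10:00:03Z src=10.0.0.5 dst=192.168.1.22 dport=23 action=connect
2017-02-10T10:00:04Z src=10.0.0.5 dst=192.168.1.23 dport=23 action=connect
2017-02-10T10:00:05Z src=10.0.0.5 dst=192.168.1.24 dport=23 action=connect
2017-02-10T10:00:06Z src=10.0.0.5 dst=192.168.1.25 dport=23 action=connect
2017-02-10T10:00:07Z src=10.0.0.5 dst=192.168.1.30 dport=1433 action=connect
2017-02-10T10:00:08Z src=10.0.0.5 dst=192.168.1.31 dport=1433 action=connect
2017-02-10T10:01:00Z src=10.0.0.7 dst=192.168.1.40 dport=22 action=connect
2017-02-10T10:01:05Z src=10.0.0.7 dst=192.168.1.41 dport=22 action=connect
2017-02-10T10:01:09Z src=10.0.0.7 dst=192.168.1.60 dport=80 action=connect
2017-02-10T10:02:00Z src=10.0.0.9 dst=192.168.1.50 dport=3306 action=connect
2017-02-10T10:02:01Z src=10.0.0.9 dst=192.168.1.51 dport=3306 action=connect
2017-02-10T10:02:02Z src=10.0.0.9 dst=192.168.1.52 dport=3306 action=connect
2017-02-10T10:02:03Z src=10.0.0.9 dst=192.168.1.53 dport=3306 action=connect
2017-02-10T10:02:04Z src=10.0.0.9 dst=192.168.1.54 dport=3306 action=connect
"""


def parse(lines):
    """Yield (ts, src, dst, dport, action) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["src"], m["dst"], int(m["dport"]), m["action"])


def fanout_by_source(events):
    """Return {src: {port: set(dst)}} restricted to the watched service ports."""
    table = defaultdict(lambda: defaultdict(set))
    for _ts, src, dst, dport, _action in events:
        if dport in WATCHED_PORTS:
            table[src][dport].add(dst)
    return table


def find_spreaders(lines, threshold=FANOUT_THRESHOLD):
    """Return sorted (src, service, distinct_targets) for sources at or above the threshold."""
    hits = []
    for src, ports in fanout_by_source(parse(lines)).items():
        for port, dsts in ports.items():
            if len(dsts) >= threshold:
                hits.append((src, WATCHED_PORTS[port], len(dsts)))
    return sorted(hits)


if __name__ == "__main__":
    for src, service, count in find_spreaders(SAMPLE_LOG.splitlines()):
        print(f"{src} reached {count} distinct hosts on {service}: possible spreader")
```

Running it on the sample reports `10.0.0.5` on telnet and `10.0.0.9` on MySQL; the two-host SSH activity from `10.0.0.7` stays below the threshold, and the port 80 connection is ignored because it is not a watched service. In a real deployment the threshold and the time window it applies to would be tuned to the network, and a hit would be correlated with the host's own logs before acting on it.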
Kaspersky Lab researcher Kurt Baumgartner noted that around 500 different systems had been targeted this year, most of them located in emerging markets.
“More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code.
A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning,” added Baumgartner.
As per their analysis, the bot was not only coded and compiled on a Chinese machine but also signed with code-signing certificates stolen from two Chinese silicon and wafer manufacturers, Xi'an JingTech Electronic Technology, Ltd. and Partner Tech Co., Ltd. Both are Shanghai-based companies.
The malware's main targets are Microsoft SQL Server and MySQL database servers, since these are Internet-facing servers that offer access to privately networked devices such as IP-based cameras and DVRs.
Researchers at Kaspersky Lab have also noticed that the attack occurs in stages, which include scanning and attacking online resources so that further instructions and malware can be pushed to the devices.
According to Kaspersky Lab telemetry data, almost 500 unique systems were attacked in 2017 by this Windows bot, with the attempts both detected and blocked.
Based on the geolocation of the IP addresses involved in the second stage of the attack, the countries most vulnerable are emerging markets that have invested heavily in connected technology, such as India, Vietnam, Saudi Arabia, China, Iran, Brazil, Morocco, Turkey, Malawi, United Arab Emirates, Pakistan, Tunisia, Russia, Moldova, Venezuela, the Philippines, Colombia, Romania, Peru, Egypt and Bangladesh.
Kaspersky Lab is working with CERTs, hosting providers and network operators to address this growing threat to the internet’s infrastructure by taking down a significant number of command and control servers.
The quick and successful takedown of these servers minimizes the risk and disruption that fast-growing IoT-based botnets present. Since Kaspersky Lab can leverage its experience and relationships with CERTs and providers throughout the world, the company has been able to help expedite these efforts.
Kaspersky Lab products detect and protect against Windows and Mirai bots. Relevant to this research are the following verdicts:
- DangerousPattern.Multi.Generic (UDS).