SecurityWeek

Vulnerabilities

Mirai Linux Backdoor Targets IoT Devices

A newly observed Linux Trojan backdoor is actively targeting Internet of Things (IoT) devices and enjoying a very low detection rate, even on systems using the x86 architecture, researchers say.


As it turns out, the malware has managed to remain highly elusive because there are very few samples available for researchers to work with. The threat is targeting routers, DVRs, WebIP cameras, and other embedded Linux devices, which makes it difficult to fetch samples for analysis. Furthermore, the malware is also deleting itself from the infected devices to hinder detection and analysis.

Dubbed Linux/Mirai, the backdoor infects devices via the Linux system’s SSH or Telnet accounts, because some of them use default passwords. After gaining shell access to the exposed device, the attacker would download and execute the malware, sometimes without parameters. During execution, the malware opens the /etc/watchdog file in read-write state and changes the work directory to the root directory.

The backdoor opens a PF_INET socket and uses UDP port 53 to reach Google's DNS server at 8.8.8.8 in order to establish a connection, MalwareMustDie! reveals. The threat then detects the outbound interface and opens a random TCP port by re-using the previously used socket. If the operation is successful, the malware closes the socket.

While analyzing the threat, researchers observed that it delays the launch of its nefarious operations to avoid early detection. Immediately after infection, the malware just waits, while making sure that the opened backdoor port is up and used. What’s more, while the malicious process is still running, the backdoor deletes itself from the infected device.

The networking process, however, continues: the malware opens a PF_INET socket for TCP and starts listening for incoming connections. The main process exits after forking a new process with its own PID. In some cases, the malware does not fork, meaning that the infection does not take place. On devices where the forked process exists, however, the attacker can start issuing malicious commands.
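The self-deletion described above leaves a telltale trace on a Linux host: a running process whose /proc/PID/exe link ends in "(deleted)" while it still owns a LISTEN socket. The following Python script is an added example (not from the article or from MalwareMustDie!) that flags such processes from a /proc/net/tcp dump and a process table; the sample dump and process table are constructed, and `snapshot_live_processes()` collects the same structure from a real host.

```python
import os
import re
from typing import Dict, List, Set, Tuple

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def parse_listening_sockets(tcp_table: str) -> Dict[int, int]:
    """Map socket inode -> local port for every LISTEN row of a /proc/net/tcp dump."""
    listeners: Dict[int, int] = {}
    for line in tcp_table.splitlines()[1:]:      # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != LISTEN:
            continue
        port = int(cols[1].split(":")[1], 16)    # local_address is hex "ip:port"
        listeners[int(cols[9])] = port           # column 9 is the socket inode
    return listeners


def find_deleted_listeners(processes: Dict[int, Tuple[str, Set[int]]],
                           tcp_table: str) -> List[Tuple[int, str, int]]:
    """processes: pid -> (readlink of /proc/<pid>/exe, socket inodes held by that pid).
    Returns (pid, exe, port) for processes whose binary was unlinked yet still listen."""
    listeners = parse_listening_sockets(tcp_table)
    hits = []
    for pid, (exe, inodes) in sorted(processes.items()):
        if not exe.endswith(" (deleted)"):
            continue
        for inode in sorted(inodes & set(listeners)):
            hits.append((pid, exe, listeners[inode]))
    return hits


def snapshot_live_processes() -> Dict[int, Tuple[str, Set[int]]]:
    """Build the process table from a running Linux host (root needed for other users' fds)."""
    processes: Dict[int, Tuple[str, Set[int]]] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            inodes: Set[int] = set()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m:
                    inodes.add(int(m.group(1)))
        except OSError:            # process exited or not ours to inspect
            continue
        processes[int(pid)] = (exe, inodes)
    return processes


# Constructed sample data: a legitimate telnetd on port 23 and an unlinked binary listening on 50417.
SAMPLE_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:C4F1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0100007F:C4F1 0100007F:9D3C 01 00000000:00000000 00:00000000 00000000     0        0 67891 1 0000000000000000 20 4 30 10 -1\n"
)
SAMPLE_PROCS = {23: ("/bin/busybox", {12345}),                    # binary still on disk
                1337: ("/tmp/.x86 (deleted)", {67890, 67891})}   # unlinked while running
```

Replace `SAMPLE_PROCS`/`SAMPLE_TCP` with `snapshot_live_processes()` and the contents of /proc/net/tcp (and /proc/net/tcp6) to run it against a live host.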

The backdoor, researchers say, packs a telnet scanner function that allows it to find and infect other nodes with accessible telnetd


The Trojan uses hardcoded usernames and passwords to brute-force discovered devices and, once it has gained shell access, it sends a “shell one-liner command to install malware.” The command, which is also hardcoded, instructs the malware to delete itself after infection, which, researchers say, fully explains why Mirai samples are so difficult to come by.

According to MalwareMustDie!, the backdoor is the next generation of BASHLITE, a botnet recently revealed to have infected millions of IoT devices. Mirai is designed to scan for the Telnet service on devices such as BusyBox-based DVRs and WebIP cameras, other BusyBox-powered Linux IoT boxes, and unattended Linux servers, to recruit them into a botnet.

In fact, researchers say, the same actor using Bashlite (also known as Torlus or GayFgt) appears to be using this piece of malware too, given the same attack M.O., the involvement of hacktivism, and a similar coding style. However, they also note that the new threat might only re-use shared GayFgt/Torlus code and might not have been created by the same developer.

Related: IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

Related: BASHLITE Botnets Ensnare 1 Million IoT Devices

Related: Botnet Uses IoT Devices to Power Massive DDoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
