Mirai Linux Backdoor Targets IoT Devices

A newly observed Linux Trojan backdoor is actively targeting Internet of Things (IoT) devices and enjoying a very low detection rate, even on systems using the x86 architecture, researchers say.

As it turns out, the malware has managed to remain highly elusive because there are very few samples available for researchers to work with. The threat is targeting routers, DVRs, WebIP cameras, and other embedded Linux devices, which makes it difficult to fetch samples for analysis. Furthermore, the malware is also deleting itself from the infected devices to hinder detection and analysis.

Dubbed Linux/Mirai, the backdoor infects devices via the Linux system’s SSH or Telnet accounts, because some of them use default passwords. After gaining shell access to the exposed device, the attacker downloads and executes the malware, sometimes without parameters. During execution, the malware opens the /etc/watchdog file in read-write mode and changes its working directory to the root directory.

The backdoor creates a PF_INET socket and opens UDP/53 to reach Google’s DNS server, which it uses to establish a connection, MalwareMustDie! reveals. The threat also detects the outbound interface and opens a random TCP port by re-using the previously used socket. If the operation is successful, the malware closes the socket.

While analyzing the threat, researchers observed that it delays the launch of its nefarious operations to avoid early detection. Immediately after infection, the malware just waits, while making sure that the opened backdoor port is up and used. What’s more, while the malicious process is still running, the backdoor deletes itself from the infected device.

The networking process, however, continues: the malware opens a PF_INET socket for TCP and starts listening for incoming connections. The main process forks a child with a new PID and then exits. In some cases, the malware doesn’t fork, meaning that the infection doesn’t take place. On devices where the forked process exists, however, the attacker can start issuing malicious commands.
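The two behaviours described above, a binary that has been deleted from disk while its process keeps a listening TCP socket, leave a visible trace in /proc. The following is an added defender-side check, not code from the article or from MalwareMustDie!; it assumes standard Linux /proc semantics (/proc/<pid>/exe reads as "path (deleted)" once the file is unlinked, /proc/net/tcp lists listening sockets with state 0A) and ships with a constructed fake /proc tree so it runs offline.

```python
import os
import tempfile

def listening_inodes(proc_root):
    """Map socket inode -> local port for TCP sockets in LISTEN state (st == 0A)."""
    result = {}
    with open(os.path.join(proc_root, "net", "tcp")) as fh:
        next(fh)  # skip the column header
        for cols in (line.split() for line in fh):
            if len(cols) >= 10 and cols[3] == "0A":
                result[cols[9]] = int(cols[1].split(":")[1], 16)  # port is hex
    return result

def deleted_listeners(proc_root="/proc"):
    """(pid, exe, port) for processes whose binary was unlinked but still hold a listening socket."""
    inodes = listening_inodes(proc_root)
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            fd_dir = os.path.join(proc_root, pid, "fd")
            fds = os.listdir(fd_dir)
        except OSError:  # kernel thread, process already gone, or no permission
            continue
        if not exe.endswith(" (deleted)"):  # kernel marks unlinked binaries this way
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            inode = target[8:-1] if target.startswith("socket:[") else None
            if inode in inodes:
                hits.append((int(pid), exe, inodes[inode]))
    return hits

def build_fake_proc():
    """Constructed /proc tree for an offline run; not a real capture."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "tcp"), "w") as fh:
        fh.write("sl local_address rem_address st tx_rx tr_tm retrnsmt uid timeout inode\n")
        fh.write("0: 00000000:0016 00000000:0000 0A 0:0 00:0 0 0 0 1001\n")  # legit ssh on 22
        fh.write("1: 00000000:C3B7 00000000:0000 0A 0:0 00:0 0 0 0 2002\n")  # random high port
    for pid, exe, inode in ((120, "/usr/sbin/dropbear", "1001"),
                            (981, "/tmp/.x (deleted)", "2002")):
        os.makedirs(os.path.join(root, str(pid), "fd"))
        os.symlink(exe, os.path.join(root, str(pid), "exe"))
        os.symlink("socket:[%s]" % inode, os.path.join(root, str(pid), "fd", "3"))
    return root
```

Run `deleted_listeners()` with no argument on a live host (as root, so every /proc/<pid>/fd is readable); the fake tree only exists to show the expected shape of a hit.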

The backdoor, researchers say, packs a Telnet scanner function that allows it to find and infect other nodes with an accessible telnetd.

The Trojan uses hardcoded usernames and passwords to brute-force discovered devices and, once it has gained shell access, it sends a “shell one-liner command to install malware.” The command, which is also hardcoded, instructs the malware to delete itself after infection, which, researchers say, fully explains why Mirai samples are so difficult to come by.

According to MalwareMustDie!, the backdoor is the next generation of BASHLITE, a botnet recently revealed to have infected millions of IoT devices. Mirai is designed to scan the Telnet service running on devices such as DVR and WebIP Camera on Busybox, other Busybox powered Linux IoT boxes, and unattended Linux servers, to recruit them into a botnet.

In fact, researchers say, the same actor using Bashlite (also known as Torlus or GayFgt) appears to be using this piece of malware too, given the same attack M.O., the hacktivism involved, and the similar coding style. However, they also note that the new threat might only re-use shared GayFgt/Torlus code and might not have been created by the same developer.

Related: IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

Related: BASHLITE Botnets Ensnare 1 Million IoT Devices

Related: Botnet Uses IoT Devices to Power Massive DDoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
