Security Experts:

Mirai Switches to Tor Domains to Improve Resilience

Mirai, the distributed denial of service (DDoS) botnet that leverages the power of Internet of Things (IoT) devices, is improving resilience by switching to .Onion domains, after briefly flirting with its own Domain Generation Algorithm (DGA).

The DGA functionality in Mirai was detailed about a week ago, but security researchers say that the botnet had been using it for a very short period of time. The DGA feature was associated with Mirai Botnet #14, which reportedly had over 3 million ensnared devices at the end of November.

In late November, a Mirai variant managed to hijack 900,000 routers from German ISP Deutsche Telekom using port 7547. Soon after, the same malware attack was confirmed to have also hit around 100,000 UK TalkTalk and Post Office ISP users. The attacks were revealed to leverage the TR-064 vulnerability, which can be used to steal WiFi network keys in addition to recruiting the router into a botnet.

Researchers with the China-based Network Security Research Lab at Qihoo 360, who managed to crack the Mirai DGA, said last week that multiple Mirai samples were using the functionality, and that they were leveraging three different top-level domains (TLDs) for that.

In a new post, the security researchers reveal that newly observed Mirai samples dropped the initial seed series and adopted a new one. Thus, new domains that matched the Mirai DGA algorithm but no longer featured the previous seed series were detected.

The new domains were said to belong to new Mirai variants, because layer 2 (L2) domain had the same 12-character length, a-y only, and because all TLDs for these domains were fixed to .online, one of the TLDs observed in the previous samples. What’s more, the botnet operators exercised a strict time control over the domains creation, to ensure that the overlap window was very short.

The researchers managed to brute-force the new DGA as well, and they even provided a list of the domains the Mirai samples will supposedly use before the end of the year. However, they also noted that at least one of the already generated domains wasn’t registered.

According to a report from BleepingComputer, however, there’s a clear explanation on why that happened: Mirai is moving to Tor (The Onion Router) domains, because they are far more difficult to shut down. The information reportedly comes from the individual who manages Mirai Botnet #14, and who goes by the online handle of BestBuy.

The hacker confirmed that the DGA functionality was used for a short period of time in early December, but that it has been already dropped. There was no authentication used with the temporary feature, which resulted in it being replaced with something better: a Tor variant.

Many cybercriminals are abusing the Tor network for their nefarious purposes, mainly because it offers an increased level of anonymity and makes it far more difficult for authorities to find servers hidden in the network. Mirai isn’t the first botnet to leverage Tor for communication purposes, as others have been doing so for years.

Related: Mirai-Based Worm Targets Devices via New Attack Vector

Related: Mirai Botnet Infects Devices in 164 Countries

view counter