Security Experts:

Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem

Mirai is the archetypal IoT botnet, first achieving infamy with a 665 Gbps DDoS attack against the KrebsOnSecurity website in September 2016. Within days, a second Mirai attack targeted the French hosting firm, OVH, with an attack that peaked at nearly 1 Tbps. These were, at the time, the largest DDoS attacks ever recorded.

But within a few more days, before the end of September 2016, the Mirai developer released the source code. It can now be found on GitHub. The developer closed his 'readme' file with a criticism of MalwareMustDie and the comment, "Just as I forever be free, you will be doomed to mediocracy forever."

He didn't remain free for very long. In January 2017, Brian Krebs identified Paras Jha as authoring Mirai; and in December 2017 the DoJ unsealed a plea-bargained guilty plea by Paras Jha for the development and use of Mirai. But it was too late to stop Mirai, because the code was in the public domain -- and it has ever since been used as the basic building block for other criminals to develop Mirai variants for their own use.

IoT ExploitsNetwork performance firm Netscout Arbor has taken a close look at four of the current Mirai variants: Satori, JenX, OMG and Wicked. Its Arbor Security Engineering & Response Team (ASERT) published in a recent blog post, describing how each of these botnets start from the basic building blocks of Mirai and add to and sometimes remove from the original Mirai functionality -- adding, says, ASERT, "their own flair."

Mirai itself spread by scanning for other internet-connected IoT devices (IP cameras and home routers) and 'brute-forcing' access via a list of default vendor passwords. Since so few consumers ever change the password that comes with the device, the process is remarkably successful. Paras Jha claimed that he had 380,000 bots in Mirai at the time of the Krebs attack.

Satori (or at least the 3rd variant of Satori) uses the same configuration table and the same string obfuscation technique as Mirai. However, says ASERT, "We see the author expanding on Mirai source code to include different exploits such as the Huawei Home Gateway exploit." The exploit was CVE-2017-17215. In December 2017, Check Point reported that hundreds of thousands of attempts to exploit this vulnerability had been made on Huawei HG532 home routers attempting to download and execute the Satori botnet

The underlying code for JenX also comes from Mirai, again including the same configuration table and the same string obfuscation technique. However, JenX hard codes the C2 IP address while Mirai stores it in the configuration table. JenX has also removed the scanning and exploitation functions of Mirai, with this being handled by a separate system. 

"Currently," writes ASERT, "it appears JenX only focuses on DDoS attacks against players of the video game Grand Theft Auto San Andreas, which has been noted by other researchers."

OMG is described by ASERT as one of the most interesting of Mirai variants. While it includes all Mirai's functionality, "the author expanded the Mirai code to include a proxy server." This allows it to enable a SOCKS and HTTP proxy server on the infected IoT device. "With these two features, the bot author can proxy any traffic of its choosing through the infected IoT device, including additional scans for new vulnerabilities, launching additional attacks, or pivot from the infected IoT device to other networks which are connected to the device."

Fortinet discussed OMG in February 2018. "This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization," it concluded.

Wicked is the latest Mirai variant. "Similar to Satori variant 3," writes ASERT, "Wicked trades in Mirai's credential scanning function for its own RCE scanner. Wicked's RCE scanner targets Netgear routers and CCTV-DVR devices." When vulnerable devices are found, "a copy of the Owari bot is downloaded and executed."

However, an analysis of the same bot by Fortinet in May 2018 comes to a slightly different conclusion. The string 'SoraLOADER' suggests a purpose to distribute the Sora botnet. Further analysis showed that in practice it attempted to download the Owari botnet, but actually downloaded the Omni botnet. "We can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author's succeeding projects," says Fortinet.

The Mirai developer may have been apprehended, but in making his source code public, Mirai and Mirai variants continue to grow. The IoT ecosphere that Mirai and its variants target and exploit is still in its infancy. There were nearly 17 billion connected devices in 2017; but this is expected to rise to around 125 billion by 2030 according to a new analysis from IHS Markit. Vendors continue to rush their products in order to get early market share, but often at the cost of built in security.

"Malware authors will continue to leverage IoT based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet facing devices. It is important for organizations to apply proper patching, updates, and DDoS mitigation strategies to defend their organizations," warns ASERT.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.