
Windows Trojan Spreads Mirai to Linux Devices

Mirai, the Linux-based malware that ensnared hundreds of thousands of Internet of Things (IoT) devices to launch one of the largest distributed denial of service (DDoS) botnets out there, has a Windows variant as well.

Mirai became popular last fall, after it targeted Brian Krebs’ blog and infrastructure provider Dyn in two of the largest DDoS attacks on record. Soon after, the malware’s source code leaked online and new variants of the Trojan were spotted, including one packing worm-like capabilities.

Although it has focused on Linux-based IoT devices until now, Mirai has recently extended its reach to Windows systems as well, Doctor Web security researchers warn. Detected as Trojan.Mirai.1, the new malware variant is written in C++ and appears capable of performing various nefarious operations, one of which is spreading the Mirai botnet to Linux-based devices.

When launched on the infected Windows machine, the Trojan connects to its command and control (C&C) server and downloads a configuration file, from which it extracts a list of IP addresses. Next, the malware launches a scanner to search for the network nodes listed in the configuration file and attempts to log in to them using a list of login and password combinations from the same file.

According to Doctor Web’s security researchers, the Windows version of Mirai is capable of scanning and checking several TCP ports simultaneously (including 22, 23, 135, 445, 1433, 3306, and 3389).

As soon as it connects to one of the targeted nodes (via any of the available protocols), the Trojan begins executing a series of commands indicated in the configuration file. However, should the connection be made via Remote Desktop Protocol (RDP), none of the instructions are executed.

What’s more, if the threat manages to connect to a Linux device via the Telnet protocol, it then attempts to download a binary file to it. This file is meant to subsequently download and launch the Mirai botnet.
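The scanning behaviour described above (one Windows host probing many internal addresses on ports 22, 23, 135, 445, 1433, 3306 and 3389 in a short time) is what a defender can look for in perimeter or host firewall logs. The following is an added detection example, not code from the article or from Doctor Web: it parses constructed connection-log lines of the form `timestamp src dst dport` (a format assumed for illustration) and flags any source that reaches an unusually high number of distinct hosts on the Mirai-probed ports inside a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports the Doctor Web write-up says the Windows Mirai variant probes.
MIRAI_SCAN_PORTS = {22, 23, 135, 445, 1433, 3306, 3389}

# Constructed sample connection log (not real traffic). Format assumed here:
# "<ISO timestamp> <source IP> <destination IP> <destination port>".
SAMPLE_LOG = """\
2017-02-09T10:00:01 10.0.0.5 10.0.1.10 23
2017-02-09T10:00:01 10.0.0.5 10.0.1.11 22
2017-02-09T10:00:02 10.0.0.5 10.0.1.12 3389
2017-02-09T10:00:02 10.0.0.5 10.0.1.13 445
2017-02-09T10:00:03 10.0.0.5 10.0.1.14 23
2017-02-09T10:00:03 10.0.0.5 10.0.1.15 3306
2017-02-09T12:30:00 10.0.0.5 10.0.1.99 23
2017-02-09T10:05:00 10.0.0.7 10.0.1.50 3389
2017-02-09T10:05:05 10.0.0.7 10.0.1.51 22
2017-02-09T10:06:00 10.0.0.9 10.0.1.60 80
"""


def parse_line(line):
    """Split one log line into (datetime, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: (distinct_hosts, sorted_ports)} for every source that
    contacted at least `min_targets` distinct destination hosts on the
    Mirai-probed ports within any `window`-long span of the log.

    Only the largest window per source is reported; traffic to other ports
    (e.g. the port-80 line in the sample) is ignored entirely.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, dport = parse_line(line)
        if dport in MIRAI_SCAN_PORTS:
            events[src].append((ts, dst, dport))

    findings = {}
    for src, evs in events.items():
        evs.sort()  # order by timestamp so the sliding window is valid
        best_hosts, best_ports = set(), set()
        lo = 0
        for hi, (ts_hi, _, _) in enumerate(evs):
            # Drop events that fall out of the window ending at evs[hi].
            while ts_hi - evs[lo][0] > window:
                lo += 1
            hosts = {d for _, d, _ in evs[lo:hi + 1]}
            if len(hosts) > len(best_hosts):
                best_hosts = hosts
                best_ports = {p for _, _, p in evs[lo:hi + 1]}
        if len(best_hosts) >= min_targets:
            findings[src] = (len(best_hosts), sorted(best_ports))
    return findings


if __name__ == "__main__":
    for src, (count, ports) in detect_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} hosts probed on ports {ports}")
```

With the defaults, only 10.0.0.5 is flagged: it touched six hosts within a few seconds, while the single late connection at 12:30 falls outside every window and does not inflate the count. The admin host 10.0.0.7 (two RDP/SSH sessions) stays below the threshold; lowering `min_targets` to 2 would surface it too, which is the usual tuning trade-off for this kind of rule.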

The Windows version of Mirai can also abuse Windows Management Instrumentation (WMI) to execute commands on remote hosts, using inter-process communication (IPC) technology. The malware was designed to launch new processes with the Win32_Process.Create method and to create various files (such as Windows package files containing a certain set of instructions).

If Microsoft SQL Server is present on the infected machine, the malware uses it to create a series of files and a user account with sysadmin privileges. Next, the malware abuses this user and the SQL Server event service to execute various malicious tasks: launching executable files with administrator privileges, deleting files, or planting icons in the system folder for automatic launch (it can also create the corresponding entries in the Windows registry).

“After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals,” Doctor Web notes. This user has the following privileges: select, insert, update, delete, create, drop, reload, shutdown, process, file, grant, references, index, alter, show_db, super, create_tmp_table, lock_tables, execute, repl_slave, repl_client, create_view, show_view, create_routine, alter_routine, create_user, event, trigger, and create_tablespace.
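The database accounts the Trojan creates (a sysadmin-level SQL Server user, and a MySQL user named phpminds holding every global privilege) leave a durable trace that an administrator can audit for. The following is an added example, not code from the article or from Doctor Web: it takes rows in the shape returned by the real `mysql.user` columns named in `MYSQL_USER_QUERY`, and reports both the indicator account from the write-up and any other account that holds the privilege combination (SUPER, FILE, GRANT OPTION, CREATE USER) that amounts to full takeover of the server. The sample rows and the `EXPECTED_ADMINS` allow-list are constructed for illustration.

```python
# Account name the Doctor Web write-up attributes to Trojan.Mirai.1.
KNOWN_IOC_USERS = {"phpminds"}

# Query an operator would run on each MySQL server to produce the input rows.
# These column names are real mysql.user columns; values are 'Y' or 'N'.
MYSQL_USER_QUERY = (
    "SELECT User, Host, Super_priv, File_priv, Grant_priv, Create_user_priv "
    "FROM mysql.user"
)

# Held together, these let an account read/write server files, hand out
# grants and mint further users, so any unexpected holder is a finding.
TAKEOVER_PRIVS = ("Super_priv", "File_priv", "Grant_priv", "Create_user_priv")

# Constructed allow-list of (User, Host) pairs that legitimately hold all four.
EXPECTED_ADMINS = {("root", "localhost")}


def audit_mysql_users(rows, expected_admins=EXPECTED_ADMINS):
    """Return a list of (user, host, reason) findings for the given rows.

    Each row is a dict keyed by the column names in MYSQL_USER_QUERY.
    """
    findings = []
    for row in rows:
        user, host = row["User"], row["Host"]
        if user in KNOWN_IOC_USERS:
            findings.append((user, host, "known Trojan.Mirai.1 indicator account"))
            continue
        has_all = all(row.get(priv) == "Y" for priv in TAKEOVER_PRIVS)
        if has_all and (user, host) not in expected_admins:
            findings.append((user, host, "unexpected account with SUPER, FILE, GRANT and CREATE USER"))
    return findings


# Constructed sample rows (not taken from a real server).
SAMPLE_ROWS = [
    {"User": "root", "Host": "localhost", "Super_priv": "Y", "File_priv": "Y",
     "Grant_priv": "Y", "Create_user_priv": "Y"},
    {"User": "phpminds", "Host": "%", "Super_priv": "Y", "File_priv": "Y",
     "Grant_priv": "Y", "Create_user_priv": "Y"},
    {"User": "backup", "Host": "10.0.0.%", "Super_priv": "N", "File_priv": "Y",
     "Grant_priv": "N", "Create_user_priv": "N"},
    {"User": "deploy", "Host": "%", "Super_priv": "Y", "File_priv": "Y",
     "Grant_priv": "Y", "Create_user_priv": "Y"},
]


if __name__ == "__main__":
    for user, host, reason in audit_mysql_users(SAMPLE_ROWS):
        print(f"{user}@{host}: {reason}")
```

On the sample rows the audit reports phpminds@% by name and deploy@% by privilege shape, while root@localhost (allow-listed) and the limited backup account pass. Checking the privilege combination rather than only the indicator name matters because an attacker can rename the account trivially; the grants it needs are far harder to hide. The equivalent check on SQL Server is membership of the sysadmin server role, which the write-up says the Trojan also grants.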

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
