A Chinese-speaking attacker is spreading a Mirai variant from a repurposed Windows-based botnet.
Researchers at Kaspersky Lab published a report today, and said the code was written by an experienced developer who also built in the capability to spread the IoT malware to Linux machines under certain conditions.
The researchers caution that this isn’t a “sensational hop from Linux Mirai to Windows Mirai just yet,” but said this remains another consequence of the public availability of the Mirai source code, as well as of the shoddy protections around connected devices and embedded systems.
“Regardless, it’s unfortunate to see any sort of Mirai crossover between the Linux platform and the Windows platform,” the Kaspersky Lab report said. “Much like the Zeus banking trojan source code release that brought years of problems for the online community, the Mirai IoT bot source code release is going to bring heavy problems to the internet infrastructure for years to come, and this is just a minor start.”
The only way the Windows botnet can spread to Linux systems is by running a brute force attack against a remote telnet connection on a device. It can also spread over SSH, SMI, SQL injection attacks and IPC techniques and targets IP-based cameras, connected DVRs and media center appliances, as well as various Raspberry Pi and Banana Pi devices.
“Unfortunately, this code is clearly the work of a more experienced bot herder, new to the Mirai game, and possibly one that is not juvenile like the original Mirai operator set,” Kaspersky Lab said.
The company said it has observed attacks against 500 unique systems this year, largely in emerging markets.
“More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code,” said Kurt Baumgartner, principal security researcher, Kaspersky Lab. “A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning.”
This particular bot was not only coded and compiled on a Chinese system, but signed with stolen code-signing certificates from a pair of Chinese silicon and wafer manufacturers, Xi’an JingTech Electronic Technology Co., Ltd., and Partner Tech (Shanghai) Co., Ltd. The malware targets Microsoft SQL Servers and MySQL database servers, Kaspersky Lab said, because these are often internet-facing servers with access to private networked devices such as IP-based cameras and DVRs.
“The addition of a Chinese-speaking malware author with access to stolen code-signing certificates, with the ability to rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world, and the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the juvenile, stagnating, but destructive Mirai botnet operations of 2016,” Kaspersky Lab said. “It introduces newly available systems and network for the further spread of Mirai bots. And it demonstrates the slow maturing of Mirai now that the source is publicly available.”
The attacks happen in stages, Kaspersky Lab researchers said, ranging from scanning and attacking online resources to downloading additional malware and instructions. Most of the components are co-opted from other resources and attacks, the researchers said.
Mirai variants have been popping up in steady streams since the source code was made public last October, weeks before a large-scale DDoS attack powered by compromised connected devices took down DNS provider Dyn. Since then, another Linux-based botnet targeted weak telnet credentials, and communicated with hacked devices over IRC. In November, a Mirai variant was blamed for a DDoS attack that took down close to 1 million Deutsche Telekom DSL routers. The available Mirai source code has also given new life to the DDoS-as-a-service industry, since the Mirai code isn’t easily converted into a profit-making machine without some previous expertise.