Criminals behind a Mirai botnet have been spotted using an unusual technique: leveraging an open-source project called Aboriginal Linux to cross-compile the malware, producing a version tailored to each targeted platform.
The malware authors are leveraging Aboriginal – a legitimate tool for cross-compilation – to make Mirai executable on a wide variety of internet of things (IoT) devices and platforms, including routers, IP cameras, connected devices and Android devices.
“One of the major pain points for a cross-platform IoT botnet is portability,” wrote Dinesh Venkatesan, principal threat analysis engineer at Symantec, in a writeup Thursday. “The malware must be able to run on different architectures and platforms in a self-contained capsule without any runtime surprises or misconfiguration. This is also an area where many inexperienced malware authors, or script-kiddies, fail if they simply copy/paste and reuse the existing malware code base.”
Using Aboriginal “makes the process easy, effective, and practically fail-proof,” he added.
Venkatesan found a live remote server hosting multiple Mirai variants, each built for a specific platform, in late July. He saw that the server aimed a shell script at vulnerable devices; the script then downloaded and executed a series of individual executables, one after another, until it hit one capable of running on that particular platform. That file in turn downloaded the Mirai payload.
The executable that runs successfully carries the actual Mirai payload: for example, it enumerates targets by generating a list of random IP addresses and scanning them for devices with default credentials or known vulnerabilities. The same botnet could therefore include, say, an ARM7 variant running on an Android device alongside one built for Debian ARM.
The functionality is otherwise standard Mirai fare, according to Venkatesan.
“For example, when I executed the sample in a contained environment, it attempted to scan more than 500,000 IP addresses generated through the random generation process previously described, and then tried to send raw packet data over port 23,” he said.
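Venkatesan's server hosted one build per platform, and an analyst triaging such a find needs to know which architecture each recovered file targets without executing any of them. The following Python routine is an added example, not Symantec's code or anything from the malware: it reads only the ELF identification bytes and header fields to label each file, and the file names and headers it works on are constructed fixtures.

```python
import struct

# Subset of ELF e_machine values from the ELF specification, covering the
# platforms an IoT dropper usually carries builds for.
E_MACHINE = {
    0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
    0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64",
}

def elf_arch(data: bytes):
    """Return the target platform of an ELF image (header only, nothing is run), or None."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None               # malformed class/endianness byte
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:02x})"),
        "executable": e_type == 2,          # ET_EXEC, typical of static builds
    }

def triage(samples):
    """Map each recovered file name to a platform label (or 'not ELF')."""
    labels = {}
    for name, data in samples.items():
        info = elf_arch(data)
        labels[name] = ("not ELF" if info is None else
                        f"{info['machine']} {info['bits']}-bit {info['endian']}-endian")
    return labels

def make_elf_header(bits, endian, e_machine):
    """Constructed minimal ELF header used as a test fixture (not a real sample)."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2,
                                1 if endian == "little" else 2, 1]) + b"\x00" * 9
    fmt = ("<" if endian == "little" else ">") + "HHI"   # e_type, e_machine, e_version
    return ident + struct.pack(fmt, 2, e_machine, 1) + b"\x00" * 32

# Constructed stand-in for the per-platform files a dropper script would fetch.
SAMPLES = {
    "mirai.arm7": make_elf_header(32, "little", 0x28),
    "mirai.mips": make_elf_header(32, "big", 0x08),
    "mirai.x86":  make_elf_header(32, "little", 0x03),
    "dropper.sh": b"#!/bin/sh\n# constructed placeholder, no real commands\n",
}

if __name__ == "__main__":
    for name, label in triage(SAMPLES).items():
        print(f"{name:12} {label}")
```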
The discovery marks yet another progression of Mirai – the malware has been morphing and adding sophistication since its source code was leaked in 2016, shortly after it burst on the scene with a head-turning DDoS attack that took out DNS provider Dyn, taking major sites like Spotify, Reddit and Twitter offline. It was also responsible for a 620Gbps DDoS attack on Krebs on Security, and even took the entire nation of Liberia offline for a while.
For instance, in April a Mirai botnet was used to launch a series of DDoS campaigns against the financial sector using a relatively small number of hijacked IoT devices, 13,000 (many IoT botnets number in the millions of endpoints). Its notable aspect was a set of characteristics linking it to the IoTroop (a.k.a. Reaper) botnet, first identified in October 2017. The IoTroop code allows the malware to be updated on the fly.
Meanwhile, its tactic of marshalling vulnerable IoT devices has allowed Mirai and its many variants to attack with increasing regularity.
“As it is, the IoT market is hugely fragmented and most of the devices do not receive software patches for the known vulnerabilities,” said Venkatesan. “To make things worse, the malware authors continue to evolve these variants, making the malware more powerful and portable across different platforms and architectures.”