New variants of Mirai botnet detected, targeting more IoT devices
Mirai, the “botnet” malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016—including one against the website of security reporter Brian Krebs—has gotten a number of recent updates. Now, developers using the widely distributed “open” source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems.
Researchers at Palo Alto Networks’ Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, baseband radios for cellular communications, and digital signal processors.
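For defenders triaging a multi-architecture dropper like the one described above, the first question about each sample is which processor it was compiled for. The ELF header answers that in its `e_machine` field, so the architectures named here can be identified without running or disassembling anything. The script below is an added example for this article (it is not Unit 42's code or anything from the Mirai source) that parses the ELF identification bytes and `e_machine` value; the machine codes are the standard values from the ELF specification and `<elf.h>`, and the sample headers it inspects are constructed inline, not taken from real malware.

```python
import struct
from collections import Counter

# Standard ELF e_machine values (ELF specification / <elf.h>) for the
# architectures the article names, plus ARM and MIPS, which Mirai has
# long targeted.
E_MACHINE = {
    8: "MIPS",
    40: "ARM",
    45: "ARC",
    92: "OpenRISC",
    93: "ARCompact",
    94: "Tensilica Xtensa",
    113: "Altera Nios II",
    189: "Xilinx MicroBlaze",
}

E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def identify_elf(data: bytes) -> dict:
    """Return the class, byte order, file type and target architecture
    of an ELF image, reading only the first 20 bytes of the header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF byte order")
    # EI_DATA tells us how to decode the multi-byte fields that follow.
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "unknown"),
        "endian": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, f"unknown (0x{e_type:x})"),
        "machine": E_MACHINE.get(e_machine, f"unknown (0x{e_machine:x})"),
    }


def make_header(e_machine: int, little_endian: bool = True) -> bytes:
    """Construct a minimal 32-bit ELF executable header for testing.
    Sample data only; not derived from any real binary."""
    endian = "<" if little_endian else ">"
    ident = b"\x7fELF" + bytes([1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    # e_type = ET_EXEC (2), then the requested e_machine, e_version = 1.
    return ident + struct.pack(endian + "HHI", 2, e_machine, 1)


def triage(samples: dict) -> Counter:
    """Count how many samples target each architecture; non-ELF input
    is reported rather than silently dropped."""
    counts = Counter()
    for name, blob in samples.items():
        try:
            counts[identify_elf(blob)["machine"]] += 1
        except ValueError:
            counts["not ELF: " + name] += 1
    return counts


if __name__ == "__main__":
    # Constructed stand-ins for a dropper's per-architecture payloads.
    samples = {
        "bot.nios2": make_header(113),
        "bot.or1k": make_header(92, little_endian=False),
        "bot.xtensa": make_header(94),
        "bot.microblaze": make_header(189, little_endian=False),
        "bot.arm7": make_header(40),
        "README": b"not a binary at all",
    }
    for arch, n in sorted(triage(samples).items()):
        print(f"{n:2d}  {arch}")
```

Running the script against a directory of collected samples means replacing the constructed dictionary with the files' first 20 bytes; nothing else changes, since only the header is ever read.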
The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018.
All of the new samples were discovered on a single server, hosted at Digital Ocean’s Amsterdam data center. The same server also hosted versions of Mirai exploits targeting D-Link, Netgear, Huawei, and Realtek devices, as well as the Chinese-developed ThinkPHP Web server framework.
These new variants are not the first to expand the number of targeted platforms accessible by Mirai. In January of 2018, a Japan-based researcher discovered a version of Mirai compiled for the ARC processor—a CPU used in network-attached storage, mobile, automotive and other embedded computing applications. But as the Unit 42 researchers noted, the addition of four more platforms “provides attackers with the advantage of a larger attack surface… Practically, this means that the family can now infect and propagate via a larger number of embedded devices, affording attackers greater DDoS firepower.”
Of course, getting that additional firepower requires actually finding and compromising the systems running on that additional hardware. If you’ve applied the latest software updates and use something other than the default password for access, then your devices are probably safe. But that doesn’t mean the Internet is—there are thousands, if not millions, of unpatched devices with default manufacturer passwords out there waiting to become Mirai minions.