Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

TROJAN.MIRAI.1

Background

The first instance of the Mirai botnet was discovered in mid-2016. It escalated quickly and dramatically a few months later, when it launched a DDoS attack against DYN, an internet traffic company that provided services to websites such as Amazon, Spotify and Twitter, to name a few.

This malware turned computer systems running Linux into remotely controlled "bots", which could be used as part of a botnet in large-scale network attacks. It primarily targeted unsecured Internet of Things devices, e.g. IP cameras, home routers and DVRs. The botnet scanned for devices that were protected only by default or hard-coded usernames and passwords, exploiting weak security measures such as standard username and password combinations (for instance admin, password, 1234) reused across devices.

These systems were then infected with malware directing them to a central control system, which was used to launch an attack to take websites offline, as happened to DYN. In an interview with CNBC, DYN said that the attacks were “well planned and executed, coming from tens of millions of IP addresses at the same time.”

[Figure 1: World Trojan Map] DYN was hit with a massive DDoS attack on its DNS infrastructure on the east coast of America.

Further, two hackers began to advertise that a Mirai botnet of 400,000 bots was up for rent. Buyers could rent 20,000 compromised nodes for $2,000 to launch an hour-long attack over a two-week period.

[Figure 2: Botnet] Mirai botnet on sale.

TROJAN.MIRAI.1

After having targeted Linux systems, the Mirai botnet has now moved on to Windows devices. An antivirus firm has discovered a new variant of Mirai, named Trojan.Mirai.1. The trojan uses Windows devices to grow Mirai’s botnet army by infecting Linux-based IoT devices.

How does Trojan.Mirai.1 work?

This malware for Microsoft Windows is written in C++. It scans TCP ports on target hosts in order to execute commands and distribute the malware.

After the attack is launched, Trojan.Mirai.1 connects to its Command and Control server and downloads a configuration file, from which it extracts the list of IP addresses to target. It then proceeds to scan ports on those addresses and try different flags.

If a connection to the attacked node is successfully established via any protocol, the trojan starts executing a sequence of commands. It can also execute commands on remote machines that use IPC (inter-process communication) technology.

Further, if the target computer has Microsoft SQL Server, Trojan.Mirai.1 will act with administrative privileges and perform malicious tasks.
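The scan phase described above (an IP list pulled from the C2 configuration, then TCP port probing) is visible to defenders as a single host fanning out to many destinations on the same port in a short time. The following detector is an added example, not code from this page or from the antivirus firm's analysis; the flow-log format, timestamps and IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow-log lines for this example: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
# 10.0.5.23 mimics the scan phase (one port, many targets); 10.0.5.40 is ordinary client traffic.
SAMPLE_LOG = """\
2017-02-10T09:00:01 10.0.5.23 192.0.2.10 23 TCP
2017-02-10T09:00:02 10.0.5.23 192.0.2.11 23 TCP
2017-02-10T09:00:03 10.0.5.23 192.0.2.12 23 TCP
2017-02-10T09:00:04 10.0.5.23 192.0.2.13 23 TCP
2017-02-10T09:00:05 10.0.5.23 192.0.2.14 23 TCP
2017-02-10T09:00:06 10.0.5.23 192.0.2.15 23 TCP
2017-02-10T09:00:07 10.0.5.23 192.0.2.16 23 TCP
2017-02-10T09:00:07 10.0.5.23 192.0.2.10 23 TCP
2017-02-10T09:00:08 10.0.5.23 192.0.2.20 2323 TCP
2017-02-10T09:00:02 10.0.5.40 192.0.2.50 443 TCP
2017-02-10T09:00:03 10.0.5.40 192.0.2.50 443 TCP
2017-02-10T09:00:04 10.0.5.40 198.51.100.7 80 TCP
2017-02-10T09:00:05 10.0.5.40 192.0.2.53 53 UDP
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def find_scanners(log_text, window_s=60, min_targets=5):
    """Return {(src_ip, dst_port): n} for every source that reached at least
    `min_targets` distinct destinations on one TCP port inside `window_s` seconds;
    n is the largest distinct-target count seen in any such window."""
    window = timedelta(seconds=window_s)
    events = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for line in log_text.strip().splitlines():
        ts, src, dst, port, proto = parse_line(line)
        if proto == "TCP":  # the trojan probes TCP ports; ignore other protocols
            events[(src, port)].append((ts, dst))
    hits = {}
    for key, evs in events.items():
        evs.sort()  # time-ordered so a sliding window works
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            distinct = {dst for _, dst in evs[start:end + 1]}  # repeat hits on one dst count once
            if len(distinct) >= min_targets:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits

if __name__ == "__main__":
    for (src, port), n in find_scanners(SAMPLE_LOG).items():
        print(f"{src} reached {n} distinct hosts on TCP/{port} within 60s")
```

Tune `window_s` and `min_targets` to the normal fan-out of the monitored segment; a host legitimately talking to many peers on one port (a monitoring server, for instance) needs an allow-list rather than a lower threshold.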

How does Trojan.Mirai.1 spread?

For instance, if the Windows version of Mirai infects a new machine and the target turns out to be running Linux, a series of commands is run and a new Mirai botnet node is created.

If Windows Mirai infects another Windows device, it leaves a copy of itself on that machine and continues to spread further.

Currently, the exact consequences of this development cannot be anticipated; however, its arrival on Windows will inspire hackers to try out new things.