Teaching Old Malware New Tricks: How the Latest Mirai Variant Targets New Devices

Learn how Mirai works, what its newest features are, and how you can protect your organization from this destructive malware strain. 

Though initially created to give players of the game Minecraft an advantage, the Mirai malware strain has since been responsible for a number of notable distributed denial of service (DDoS) attacks, including the one suffered by DNS provider Dyn, which resulted in outages for numerous Internet platforms. Before its creators were caught and prosecuted, they posted the source code online, allowing Mirai to take on a life of its own. Mirai has now reemerged, enhanced and ready to cause more damage. Read on to learn how Mirai works, what its newest features are, and how you can protect your organization from this destructive malware strain.

What is a Botnet?

Mirai operates by breaching Linux devices and assembling them into botnets. In this type of malware, a controlling system, known as a bot herder or bot master, infects and remotely controls any kind of device, from a smartphone to a security camera. Using this command-and-control technique (C&C or C2), it instructs each breached device to run a bot, a software application that runs automated scripts to perform tasks over the Internet. Once the bot herder controls multiple devices, often numbering in the hundreds or thousands, it uses this cluster of bots, known as a botnet, to run more sophisticated, malicious tasks.

Most commonly, botnets are used in DDoS attacks, like the Dyn incident mentioned above. With so many bots under their control, an attacker can have all of them send requests to a targeted system, flooding it with traffic, blocking out any legitimate requests. Eventually, this influx of traffic will overwhelm a system, causing it to crash.

Brand New Enterprise Exploits

Mirai has resurfaced several times since its initial foray onto the scene. Since the code is now freely available, changes can be made at the whim of any malicious actor. For example, in early 2018, one successor used its botnet to steal cryptocurrency from computers dedicated to cryptocurrency mining.

Now Mirai has rematerialized once more, with this variant updated to target eleven additional devices. A few of these targets, such as WePresent wireless presentation systems and LG Supersign TVs, are devices intended for use by enterprise organizations. This pivot into business-class devices should put businesses on their guard, since it gives attackers a window into organizational networks for additional exploitation. It also signals loftier end goals, since devices connected to enterprise networks give threat actors even more bandwidth to use in their botnet attacks.

Same Old Mirai Infrastructure

Mirai isn’t a particularly complex piece of malware – which is dangerous in its own right, as it gives far more people the opportunity to use it. Ultimately, its success lies in its exploitation of the weak security that plagues most IoT devices.

Mirai’s bot master directs its controlled devices to continuously scan the Internet in search of IP addresses belonging to IoT devices. From there, it uses a list of default usernames and passwords to gain administrative access to the device. Given Mirai’s numerous successful attacks, a worrisomely large number of devices evidently still have these credentials in place.
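The scan-and-default-login behavior described above leaves a recognizable trace on the defender's side: one source address failing logins against several accounts and several devices within seconds, sometimes followed by a success. The following is an added example, not code from the article or from Core Security, showing how that pattern can be picked out of centrally collected device logs. The syslog-style line format, the sample log lines and the thresholds (three failures inside a 60-second window spanning more than one account or device) are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the article): syslog-style login records
# forwarded from several IoT devices to a central log collector.
SAMPLE_LOGS = """\
2019-03-20T10:00:01Z cam-01 login[311]: FAILED LOGIN from 198.51.100.7 for user 'root' on telnet
2019-03-20T10:00:02Z cam-01 login[311]: FAILED LOGIN from 198.51.100.7 for user 'admin' on telnet
2019-03-20T10:00:03Z cam-01 login[311]: FAILED LOGIN from 198.51.100.7 for user 'support' on telnet
2019-03-20T10:00:05Z dvr-02 login[98]: FAILED LOGIN from 198.51.100.7 for user 'root' on telnet
2019-03-20T10:00:06Z dvr-02 login[98]: FAILED LOGIN from 198.51.100.7 for user 'admin' on telnet
2019-03-20T10:00:09Z tv-07 login[42]: FAILED LOGIN from 198.51.100.7 for user 'root' on telnet
2019-03-20T10:00:10Z tv-07 login[42]: ACCEPTED LOGIN from 198.51.100.7 for user 'root' on telnet
2019-03-20T10:03:00Z cam-01 login[312]: FAILED LOGIN from 192.0.2.44 for user 'alice' on ssh
2019-03-20T10:03:30Z cam-01 login[312]: ACCEPTED LOGIN from 192.0.2.44 for user 'alice' on ssh
"""

# Assumed log line layout; adapt the pattern to the collector's real format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login\[\d+\]: (?P<result>FAILED|ACCEPTED) LOGIN "
    r"from (?P<src>\S+) for user '(?P<user>[^']*)' on (?P<svc>\S+)$"
)


def parse_log(text):
    """Turn raw log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def detect_credential_sweeps(events, window=timedelta(seconds=60), min_failures=3):
    """Flag each source IP whose failed logins inside one `window` cover
    several accounts or several devices, i.e. a default-credential sweep
    rather than a single user mistyping a password."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAILED"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in burst}
            hosts = {e["host"] for e in burst}
            if len(burst) < min_failures or (len(users) < 2 and len(hosts) < 2):
                continue
            # A login accepted after the sweep began means a default password worked.
            success = next(
                (e for e in evs if e["result"] == "ACCEPTED" and e["ts"] >= first["ts"]), None
            )
            findings[src] = {
                "failures": len(burst),
                "users": sorted(users),
                "hosts": sorted(hosts),
                "severity": "high" if success else "medium",
                "compromised": f"{success['host']} ({success['user']})" if success else None,
            }
            break  # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for src, f in detect_credential_sweeps(parse_log(SAMPLE_LOGS)).items():
        print(f"{src}: {f['severity']} - {f['failures']} failures across "
              f"{len(f['hosts'])} devices / {len(f['users'])} accounts; "
              f"compromised={f['compromised']}")
```

On the constructed sample, 198.51.100.7 is reported as a high-severity sweep (six failures across three devices and three accounts, then an accepted root login on tv-07), while the single failed SSH login from 192.0.2.44 is not reported. The check only works if the devices actually forward their login events, which is exactly what many consumer IoT devices do not do by default; the first remediation step remains changing the factory credentials.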

This strategy is far less likely to succeed against traditional workstations and servers within an organization. First, they are far more likely to have policies in place requiring frequent password changes, multi-factor authentication, or even identity and access management solutions, ensuring that administrative access isn’t so easily acquired.

Moreover, most antivirus solutions for workstations or servers would be able to spot these simplistic breach attempts and stop them in their tracks. Unfortunately, nearly all IoT devices still lack antivirus solutions, making them a prime target for techniques that are no longer as common on workstations or network servers.

Finally, IoT devices are ideal targets because most of them are constantly connected to the Internet and are owned or operated by users who are unaware of the security risks these devices can pose.

Fighting Command and Control with Advanced Threat Detection

In addition to having ideal targets in IoT devices, botnets like Mirai are particularly difficult to detect and remove: aside from occasionally making a system sluggish, they do little to make their presence known.

With this latest iteration of Mirai, along with a number of other botnets currently being deployed, threatening enterprise IoT devices, how can an organization be sure that its devices aren’t currently under the control of a bot master? Advanced threat detection solutions like Core Network Insight constantly monitor network traffic for threat behavior and activity, detecting anomalous behavior in real time and providing definitive evidence of infection, regardless of device type. This allows security teams to take immediate action to clear bots from the system.

While this variant is new, Mirai’s C&C communication techniques remain the same. Core Network Insight detects based on this type of communication, so no matter the variant, Network Insight will still be able to uncover it accurately. Network Insight is also agentless, as well as OS and platform agnostic, so no matter how many different device types are targeted, botnets like Mirai cannot evade detection.
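Detecting a botnet by its C&C communication rather than by a signature for each variant rests on the observation that bots, whatever device they run on, check in with their controller on a schedule. The following is an added example, not Core Network Insight's logic and not code from the article, of one such behavioral check run over exported flow records: it flags a destination endpoint when several internal hosts contact it at near-constant intervals. The CSV flow format, the sample records, the regularity threshold (coefficient of variation of the gaps at most 0.2) and the minimum of three beaconing hosts are constructed assumptions for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not from the article): one row per outbound
# connection seen at the network edge, as a flow collector might export them.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2019-03-20T10:00:00Z,10.0.0.11,203.0.113.5,23231,92
2019-03-20T10:01:00Z,10.0.0.11,203.0.113.5,23231,92
2019-03-20T10:02:01Z,10.0.0.11,203.0.113.5,23231,92
2019-03-20T10:03:00Z,10.0.0.11,203.0.113.5,23231,92
2019-03-20T10:00:20Z,10.0.0.12,203.0.113.5,23231,92
2019-03-20T10:01:20Z,10.0.0.12,203.0.113.5,23231,92
2019-03-20T10:02:20Z,10.0.0.12,203.0.113.5,23231,92
2019-03-20T10:03:21Z,10.0.0.12,203.0.113.5,23231,92
2019-03-20T10:00:40Z,10.0.0.13,203.0.113.5,23231,92
2019-03-20T10:01:40Z,10.0.0.13,203.0.113.5,23231,92
2019-03-20T10:02:40Z,10.0.0.13,203.0.113.5,23231,92
2019-03-20T10:03:40Z,10.0.0.13,203.0.113.5,23231,92
2019-03-20T10:00:05Z,10.0.0.11,198.51.100.20,443,15230
2019-03-20T10:00:47Z,10.0.0.11,198.51.100.20,443,2210
2019-03-20T10:03:12Z,10.0.0.11,198.51.100.20,443,88012
2019-03-20T10:03:15Z,10.0.0.12,198.51.100.20,443,4410
"""


def parse_flows(text):
    """Read the assumed CSV flow export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def beacon_score(timestamps):
    """Return (cv, mean_gap_seconds) for the gaps between connections, or None
    when there are too few connections to judge. cv (standard deviation over
    mean) is near 0 for a fixed-interval check-in and large for human traffic."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean, mean


def detect_beaconing(flows, max_cv=0.2, min_sources=3):
    """Flag destination endpoints that several internal hosts contact on a
    regular schedule: the shape of a bot population checking in with its C&C.
    Which device type the hosts are does not matter, only their traffic."""
    per_dst = defaultdict(lambda: defaultdict(list))
    for f in flows:
        per_dst[f"{f['dst']}:{f['dport']}"][f["src"]].append(f["ts"])

    findings = {}
    for dst, by_src in per_dst.items():
        beaconing = {}
        for src, stamps in by_src.items():
            result = beacon_score(stamps)
            if result is not None and result[0] <= max_cv:
                beaconing[src] = result[1]  # mean check-in interval in seconds
        if len(beaconing) >= min_sources:
            findings[dst] = {
                "sources": sorted(beaconing),
                "period_s": round(statistics.median(beaconing.values())),
            }
    return findings


if __name__ == "__main__":
    for dst, info in detect_beaconing(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{dst}: {len(info['sources'])} hosts checking in every "
              f"~{info['period_s']}s -> {', '.join(info['sources'])}")
```

On the sample, the three hosts talking to 203.0.113.5:23231 once a minute are reported as a likely C&C channel, whereas the irregular, larger transfers to 198.51.100.20:443 are not. Real bots jitter their timing and real networks carry legitimate periodic traffic (NTP, update checks), so a production detector would combine this regularity score with destination reputation, payload size and the number of affected hosts before raising an alert, and would tune the thresholds to its own baseline.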

To get more information on the only mature, purpose-built active threat detection solution on the market, or a personalized demonstration from one of our experts, contact us today.