Mirai botnet evolution since its source code became available online

Since the release of the source code of the Mirai botnet, crooks have improved their own versions by implementing new functionalities and by adding new exploits.

A recent report published by NetScout’s Arbor Security Engineering and Response Team (ASERT) confirmed the intense activity of threat actors related to the Mirai botnet. In a few months, experts spotted at least four Mirai variants in the wild, tracked as Satori, JenX, OMG, and Wicked.

The availability of the Mirai source code allows malware authors to create their own versions.

“Using Mirai as a framework, botnet authors can quickly add in new exploits and functionality, thus dramatically decreasing the development time for botnets. The Mirai source is not limited to only DDoS attacks. A variant of Satori was discovered which attacks Ethereum mining clients,” states the report published by NetScout.

Figure 1 – Mirai botnet

Below are the key findings for the new Mirai variants discovered by the experts:

  • Satori uses remote code injection exploits to implement its scanning feature.
  • The JenX bot evolved from Mirai to include similar coding, but its authors removed the scanning and exploitation capabilities.
  • The OMG bot adds HTTP and SOCKS proxy capabilities.
  • The Wicked Mirai exploits RCE flaws to infect Netgear routers and CCTV-DVR devices. When vulnerable devices are found, a copy of the Owari bot is downloaded and executed.

Let’s see the technical details for each variant.

In December 2017, security experts from the security firm Check Point discovered a new variant of the Mirai botnet, dubbed Satori, that was responsible for hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.

The activity of the Satori botnet has been observed over the past month by researchers from Check Point security.

  • “A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532 has been discovered (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Pierluigi Paganini. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/utddoCkIays/