The nasty Mirai malware that’s been infecting IoT devices for several years and has been part of a number of large-scale DDoS attacks is still under active development, and researchers have discovered a set of new samples that are compiled for a variety of new processors and include new encryption functionality.
Mirai first emerged in 2016 and quickly gained notoriety, mostly for its propensity to infect IoT devices such as IP cameras and home routers. There are a number of separate versions of the malware and also several individual Mirai botnets, some of which have been involved in significant DDoS attacks. One of the larger attacks, in October 2016, targeted Dyn, a DNS provider in New Hampshire, and had a cascading effect that caused outages for several large sites, including Twitter and GitHub. The malware typically scans for target devices listening on specific TCP ports and then either uses a brute-force attack with known credential sets or runs an exploit against a vulnerability in the device’s software.
Different versions of Mirai carry different sets of exploits and target different kinds of devices. Researchers on Palo Alto Networks’ Unit 42 research team recently came across new versions of the Mirai malware that are designed to target a new group of processors that previous versions couldn’t deal with.
“Unit 42 has found the newly discovered samples are compiled for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. This is not the first time Mirai has been expanded for new processor architectures; samples targeting ARC CPUs were discovered in January 2018. Yet this development shows that Mirai developers continue to actively innovate, targeting a growing array of IoT devices,” Ruchna Nigam of Unit 42 wrote in a post on the new version.
“If the latest innovations lead to an increase in the number of infected devices, that means that Mirai attackers would have access to additional firepower for use in denial of service attacks.”
The addition of new processor architectures to Mirai’s capabilities means that the malware can target a broader range of devices. Those processors are found in many different kinds of hardware, and not just IoT devices, giving the Mirai malware a wider variety of potential victims. The new variant also includes a different version of the encryption algorithm used in previous Mirai versions, as well as a modified implementation of its TCP SYN flood DDoS attack method.
The Unit 42 researchers discovered the new samples on a server that had them stored in an open directory.
“Prior to the update on February 22, the same IP was hosting Mirai samples containing...exploits known to be used in previous versions of Mirai. The presence of these exploits in both previous versions of Mirai and our newly discovered samples help show the tie between the two are likely used by the same attacker in this case,” Nigam said.
One of those exploits is for a remote code execution vulnerability in some Netgear routers, and another is for a command-injection flaw in some D-Link routers.
While Mirai botnets have typically targeted consumer-grade IoT devices, the malware has also been seen infecting some enterprise products. Last year, Unit 42 discovered Mirai samples that included an exploit for a vulnerability in the Apache Struts framework.