Mirai Linux Trojan corrals IoT devices into DDoS botnets

Mirai, a newly discovered and still poorly detected piece of Linux malware, is being used to rope IoT devices into DDoS botnets.

Mirai Linux Trojan

Researchers from MalwareMustDie have recently gotten their hands on several variants of the threat, and have discovered the following things:

  • It comes in the form of an ELF file (typical for executable files in Unix and Unix-like systems)
  • It targets mostly routers, DVR or WebIP cameras, Linux servers, and Internet of Things devices running Busybox – the “Swiss Army knife of Embedded Linux.”
  • The attackers first gain shell access to the target devices by taking advantage of the fact that most have a default password set for the SSH or telnet account. Then they load the malware.
  • The malware sets up several delayed processes and then deletes malicious files that might alert users to its existence. It then starts opening ports and establishes contact with its botmasters, and scans for other accessible devices to infect. For other actions, it awaits further instructions.

They consider Mirai to be the direct descendant of an older Trojan dubbed Gafgyt (aka BASHLITE, aka Torlus), which is one of the main contributors to the rise of DDoS-for-hire services.

In order to protect their devices from this threat, administrators are advised to close up their telnet service, to block the TCP/48101 port (if unused), and to make sure their Busybox execution can be run only on specific user.

For more details about the analysis of the malware, check out MalwareMustDie’s blog post.