How Mirai spawned the current IoT malware landscape

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

When, in late 2016, US-based DNS provider Dyn suffered a massive DDoS attack that it resulted in the temporary unavailability of many popular online services, the name of the Mirai malware became instantly known outside the cybersecurity industry.

Mirai IoT malware landscape

Since then, we’ve come to know the identities of the author of the malware and the botmasters who used it to mount that and other attacks. But, even before the attack against Dyn, they released the malware’s source code in an attempt to muddy the waters.

As expected, other malicious actors took it and used it as a base for many malware variants targeting IoT devices.

Mirai’s successors

There are four prominent Mirai variants.

Satori, which arose in December 2017 and subsequently went through several iterations, used default credential scanning (as Mirai), added the use of two remote code exploits to improve efficiency, and then became the first IoT bot to target the ARC architecture.

JenX uses the same configuration table and same string obfuscation as Mirai, but removed the scanning and exploitation functions, which were transferred to a separate system.

“Currently, it appears JenX only focuses on DDoS attacks against players of the video game Grand Theft Auto San Andreas,” Netscout researchers shared.

OMG is another Mirai heir that supports all of its functionalities.

“What makes OMG stand out is how the author expanded the Mirai code to include a proxy server. OMG incorporates 3proxy, which allows it to enable a SOCKS and HTTP proxy server on the infected IoT device,” the researchers explained.

With these two features, the bot author can proxy any traffic of its choosing through the infected IoT device, but also make the infected IoT device act as a pivot to other networks that are connected to the device.

The latest addition to the list of Mirai-based malware has been dubbed Wicked.

As those that came before it, Wicked uses Mirai’s string obfuscation technique and, as Satori, it traded in Mirai’s credential scanning function for its own RCE scanner, which it uses to search for vulnerable Netgear routers and CCTV-DVR devices. Once compromised, these devices are instructed to download and execute a copy of the Owari bot.

The danger

None of these botnets/malware achieved the notoriety of Mirai, but who knowns what the future holds.

They are all capable of mounting a wide variety of DDoS attacks (TCP, UDP, GRE flooding, DNS “Water Torture” attacks, etc.), but only OMG retained the capability of effecting HTTP GET, POST, and HEAD attacks.

“Using Mirai as a framework, botnet authors can quickly add in new exploits and functionally, thus dramatically decreasing the development time for botnets,” the researchers noted.

“As the explosion of IoT devices does not look to be slowing down, we believe we’ll continue to see increases in IoT botnets. We are likely to see remnants of Mirai live on in these new botnets as well.”