August 28, 2018

New Mirai Botnet Breed Taps Aboriginal Linux to Spawn Across Devices

When tested, it scans more than 500,000 IP addresses and then tries to send raw packet data over port 23

By CBR Staff Writer

Security researchers at the California-headquartered company Symantec have identified a virulent new strain of the Mirai botnet, which is making use of a popular open source project to embed itself on multiple architectures and devices.

Mirai, which takes over insecure Internet of Things (IoT) devices from routers to baby monitors, became infamous in 2016 after using a sprawling network of compromised devices to cripple domain registration service provider Dyn.

The high profile DDoS attack, which made use of over 500,000 infected devices, took Dyn customers including the BBC, Netflix and Twitter offline for hours.

See also: Learning from Dyn and Mirai: Defeating IoT Botnets

Aboriginal Linux

The new variant has been created using an open source project named Aboriginal Linux; this allows the botnet to be compatible with an array of different architectures and devices such as IP cameras, routers, speakers and Android-based devices.

Dinesh Venkatesan, Principal Threat Analysis Engineer at Symantec, said in a threat update: “One of the major pain points for a cross-platform IoT botnet is portability. The malware must be able to run on different architectures and platforms in a self-contained capsule without any runtime surprises or misconfiguration.”

“This is also an area where many inexperienced malware authors, or script-kiddies, fail if they simply copy/paste and reuse the existing malware code base.”

In July he identified a live remote server hosting multiple malware variants, each for a specific platform: “As with many Mirai infections, it starts by firing a shell script on a vulnerable device. That shell script sequentially tries downloading and executing individual executables one by one until a binary compliant with the current architecture is found.”


He added: “What makes it interesting is the compiled binary. These variants have been created by leveraging an open-source project called Aboriginal Linux that makes the process of cross-compilation easy, effective, and practically fail-proof.”

Aboriginal’s “elegant cross-compilation framework” has given Mirai new teeth

There is “nothing wrong” with Aboriginal Linux itself, he added: it is a legitimate open source project, a shell script that builds the smallest/simplest Linux system capable of rebuilding itself from source code.

By combining Mirai code with an “elegant cross-compilation framework”, however, the resultant variants are “more robust and compatible with multiple architectures and devices, making it executable on a wide variety of devices.”

The security researcher, for example, spotted an ARM7 Mirai variant running on an Android 4.4 device, as well as a variant on Debian ARM.

When Symantec tested these Mirai variants in a contained environment, it found that they immediately tried to scan more than 500,000 IP addresses and then tried to send raw packet data over port 23, a file transfer protocol.
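The scanning behaviour Symantec observed, one device reaching out to a very large number of distinct addresses on port 23 in a short time, is exactly the kind of pattern a network defender can spot in flow logs. The following detector is an added example, not code from Symantec or from the article: it parses a constructed flow log (the format, the addresses and the 60-second window and 20-destination threshold are all assumptions) and flags any source that contacts at least `threshold` distinct destination IPs on port 23 within a sliding window, while ignoring a host that legitimately opens a few Telnet sessions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORT = 23

# Constructed sample flow log (not from the article). Format per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>". One host, 192.168.1.50, is made
# to behave like the described Mirai variant: many distinct destinations on
# port 23 in well under a minute. The other hosts carry ordinary traffic.
_SCANNER_LINES = [
    f"2018-08-28T10:00:{i:02d} 192.168.1.50 10.0.0.{i + 1} 23" for i in range(30)
]
_BENIGN_LINES = [
    "2018-08-28T10:00:05 192.168.1.20 10.0.0.200 23",  # admin telnet session
    "2018-08-28T10:00:06 192.168.1.20 10.0.0.200 23",
    "2018-08-28T10:00:07 192.168.1.20 10.0.0.201 23",
    "2018-08-28T10:00:10 192.168.1.30 203.0.113.5 80",
    "2018-08-28T10:00:11 192.168.1.30 203.0.113.5 443",
]
SAMPLE_LOG = "\n".join(_SCANNER_LINES + _BENIGN_LINES)


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
        except ValueError:
            continue
    return flows


def find_telnet_scanners(flows, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak_distinct_destinations} for every source that reached at
    least `threshold` distinct destination IPs on port 23 within any span of
    length `window`.

    A sliding window over each source's sorted Telnet events keeps state bounded
    and avoids flagging a host that talks to a handful of devices over Telnet
    spread across a whole day.
    """
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == TELNET_PORT:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        counts = defaultdict(int)  # dst -> occurrences inside the current window
        start = 0
        peak = 0
        for ts, dst in events:
            counts[dst] += 1
            # Evict events that fell out of the window behind this one.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, n in find_telnet_scanners(parse_flows(SAMPLE_LOG)).items():
        print(f"possible telnet scanner: {src} ({n} distinct targets on port 23)")
```

Run against the constructed log, only `192.168.1.50` is reported (30 distinct targets); the admin host that opened three Telnet sessions to two devices stays under the threshold. In a real deployment the threshold and window should be tuned to the network's baseline, and the same logic applies to any other port a variant is seen probing.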

The company suggests disabling Universal Plug and Play (UPnP) on routers unless absolutely necessary, using a strong encryption method when setting up Wi-Fi network access, and changing the default credentials on devices to help mitigate the risk.

Also See: Symantec Identifies Major Security Breach in Defence Contractor and Satellites
