Security researchers at the California-headquartered company Symantec have identified a virulent new strain of the Mirai botnet, which is making use of a popular open source project to embed itself on multiple architectures and devices.
Mirai, which takes over insecure Internet of Things (IoT) devices from routers to baby monitors, became infamous in 2016 after using a sprawling network of compromised devices to cripple domain registration service provider Dyn.
The high profile DDoS attack, which made use of over 500,000 infected devices, took Dyn customers including the BBC, Netflix and Twitter offline for hours.
The new variant has been created using an open source project named Aboriginal Linux; this allows the botnet to be compatible with an array of different architectures and devices such as IP cameras, routers, speakers and Android-based devices.
Dinesh Venkatesan, Principal Threat Analysis Engineer at Symantec, said in a threat update: “One of the major pain points for a cross-platform IoT botnet is portability. The malware must be able to run on different architectures and platforms in a self-contained capsule without any runtime surprises or misconfiguration.”
“This is also an area where many inexperienced malware authors, or script-kiddies, fail if they simply copy/paste and reuse the existing malware code base.”
In July he identified a live remote server hosting multiple malware variants, each for a specific platform: “As with many Mirai infections, it starts by firing a shell script on a vulnerable device. That shell script sequentially tries downloading and executing individual executables one by one until a binary compliant with the current architecture is found.”
He added: “What makes it interesting is the compiled binary. These variants have been created by leveraging an open-source project called Aboriginal Linux that makes the process of cross-compilation easy, effective, and practically fail-proof.”
There is “nothing wrong” with Aboriginal Linux, a shell script that builds the smallest/simplest Linux system capable of rebuilding itself from source code, and it is a legitimate open source project, he added.
By combining Mirai code with an “elegant cross-compilation framework”, however, the resultant variants are “more robust and compatible with multiple architectures and devices, making it executable on a wide variety of devices.”
The security researcher, for example, spotted an ARM7 Mirai variant running on an Android device running Android 4.4, as well as a variant on Debian ARM.
When Symantec tested these Mirai variants in a contained environment, they found that the malware immediately tried to scan for more than 500,000 IP addresses and then tried to send raw packet data over port 23, a file transfer protocol.
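The behaviour described above, a single infected host fanning out to a very large number of destinations on port 23, is one of the easier Mirai traits to spot from the network side. The following is an added example (not Symantec's code, nor anything from the Aboriginal Linux project) of a small fan-out detector run over constructed firewall-style log lines: it flags any source that reaches more than a threshold of distinct destinations on port 23 within a sliding time window, while ignoring a legitimate admin making a few Telnet sessions to one device and a client making many connections on a different port. The log format, the IP addresses and the threshold are assumptions chosen for the example.

```python
"""
Fan-out detector for Mirai-style port-23 scanning.
Hypothetical defender-side helper written for this example; not Symantec's code.

Assumed log format (constructed for the example), one event per line:
    <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_scanners(lines, port=23, threshold=20, window_seconds=60):
    """Return {src: peak_distinct_destinations} for every source that contacted
    more than `threshold` distinct destinations on `port` (TCP) inside any
    window of `window_seconds`. Lines are expected in chronological order per source."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)                      # src -> deque of (ts, dst)
    in_window = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
    peak = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != port or ev["proto"] != "tcp":
            continue
        src = ev["src"]
        q = recent[src]
        q.append((ev["ts"], ev["dst"]))
        in_window[src][ev["dst"]] += 1
        # Drop events that fell out of the sliding window for this source.
        while q and ev["ts"] - q[0][0] > window:
            _, old_dst = q.popleft()
            in_window[src][old_dst] -= 1
            if in_window[src][old_dst] == 0:
                del in_window[src][old_dst]
        distinct = len(in_window[src])
        if distinct > threshold:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak


def sample_log():
    """Constructed sample: one scanning host, one admin, one busy HTTPS client."""
    base = datetime(2018, 8, 20, 10, 0, 0)
    lines = []
    # Infected host: 30 distinct destinations on port 23 within 30 seconds.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=192.0.2.10 dst=203.0.113.{i + 1} dport=23 proto=tcp")
    # Administrator: three Telnet sessions to the same managed switch (one destination).
    for i in range(3):
        ts = base + timedelta(seconds=i * 5)
        lines.append(f"{ts.isoformat()} src=192.0.2.20 dst=198.51.100.5 dport=23 proto=tcp")
    # Web client: many destinations, but on port 443, so not Telnet fan-out.
    for i in range(40):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=192.0.2.30 dst=203.0.113.{i + 1} dport=443 proto=tcp")
    return lines


if __name__ == "__main__":
    for src, n in find_scanners(sample_log()).items():
        print(f"ALERT: {src} reached {n} distinct hosts on tcp/23 within 60s")
```

Only the scanning host is reported; the threshold and window are tunable, and on a real network the same logic would be fed from flow or firewall exports rather than the constructed lines here.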
The company suggests disabling Universal Plug and Play (UPnP) on routers unless absolutely necessary, using a strong encryption method when setting up Wi-Fi network access, and changing the default credentials on devices to help mitigate the risk.