Mirai Variant Sets Up Proxy Servers on Compromised Devices
22.2.2018 securityweek BotNet IoT
A newly observed variant of the infamous Mirai botnet is capable of setting up proxy servers on the infected Internet of Things (IoT) devices, Fortinet warns.
Mirai is a distributed denial of service (DDoS)-capable malware family that emerged in late 2016. Targeting IoT devices to add them to a botnet and launch powerful attacks, Mirai has been involved on some massive incidents right from the start.
Referred to as OMG because of strings containing "OOMGA" it its configuration table, the malware keeps most of Mirai’s capabilities, but also adds its own features to the mix.
Unlike Mirai, the OMG variant’s configuration includes two strings used to add a firewall rule to ensure traffic on two random ports is allowed, Fortinet discovered.
However, the new malware variation keeps Mirai’s original attack, killer, and scanner modules, which means that it is capable of performing all of the operations that Mirai could, such as killing processes (telnet, ssh, http, and other processes related to other bots), telnet brute-force login, and DDoS attacks.
After initialization, OMG connects to the command and control (C&C) server on port 50023. Once the connection has been established, the malware sends a defined data message to the server to identify itself as a new bot.
The server responds with a 5-byte long data string, where the first byte is a command on how the newly recruited device should be used: 0 if it should be used as a proxy server, 1 for attack, and >1 to terminate the connection.
OMG, the security researchers discovered, uses open source software 3proxy as its proxy server. During setup, it generates two random ports for the http_proxy_port and socks_proxy_port, reports them to the C&C, and adds a firewall rule to allow traffic on these ports.
After enabling the firewall rule, the malware sets up 3proxy with the predefined configuration embedded in its code. The researchers believe the attackers sell access to the IoT proxy server (because the C&C server wasn’t active during investigation, the researchers only performed static analysis).
“This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization,” Fortinet concludes.