Two years after the Mirai botnet attack that made headlines worldwide, criminals are still using its code for a range of malicious purposes. Security experts have recently discovered several new versions of it. An in-depth look shows that the new releases are the work of independent hackers with no relation to the original authors.
Independent Hackers Create Upgraded Versions of The Mirai Botnet
The Mirai botnet (see https://sensorstechforum.com/mirai-new-variant-port-23-port-2323-cve-2016-10401/) was used by its original developers to knock major sites offline, thanks to its ability to infect hundreds of thousands of vulnerable IoT devices. According to a new security report, this led to the development of alternative botnet engines, all built with the goal of achieving the same results. Ever since Mirai's original source code was posted on underground hacker forums, independent hackers and criminal collectives have been developing their own versions. At the same time, security researchers have used the code to gain insight into the attack operations and to understand how to build a working defense.
One of the new versions of the Mirai botnet was discovered in July 2018. It led the security researchers to a link containing seven different variants. All of them build on the original Mirai behavior pattern:
- Scanning for IoT devices exposed to the internet and probing them for the vulnerabilities the malicious payloads target.
- Brute-forcing open remote-access ports (typically Telnet) using a built-in list of default and weak credentials.
- Infected devices download and run the main Mirai bot binary, which immediately starts scanning for and infecting further devices it can reach.
- The bot checks in with a command-and-control server at regular intervals. When instructed, the infected devices launch a distributed denial-of-service attack against the chosen target.
Further Information on the New Mirai Botnet Versions
The analysis of the newly discovered versions of Mirai shows that they build on its modular framework. The leaked source code ships with instructions, how-to notes and other documentation describing how it can be modified, which lowers the bar for producing a new variant.
The following versions were identified:
- Akiru — It shuts down the services listening on the ports used by CCTV DVR equipment (81), Netis routers (53413) and the Realtek SDK (52869), the same ports through which those devices are exploited.
- Katrina_V1 — In addition to Netis and Realtek devices, it can also attack Huawei HG532 routers via port 37215.
- Sora — Targets the same devices as Katrina_V1.
- Saikin — Targets ARC (a processor architecture used in some IoT devices) and relies on RCE (remote code execution) exploits.
- Owari — Targets the same devices as Katrina_V1.
- Josho_V3 — Still in development.
- Tokyo — Targets the same devices as Katrina_V1.
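To make the scanning and brute-forcing behavior described earlier, and the per-variant port list above, concrete from the defender's side, here is an added example that is not part of the original article or of any Mirai code: a small Python detector that reads a constructed, hypothetical key=value flow log and flags sources that sweep the Telnet ports 23 and 2323 across many hosts, or that touch the variant-specific ports listed above (81, 53413, 52869, 37215). The log format, the sample lines, the IP addresses and the scan threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Ports the article ties to the July 2018 variants, plus the Telnet ports
# (23 and 2323) that the original Mirai brute-forced with default credentials.
VARIANT_PORTS = {
    23:    "Telnet (original Mirai brute-force target)",
    2323:  "Telnet alternate (original Mirai brute-force target)",
    81:    "CCTV DVR (Akiru)",
    53413: "Netis router (Akiru, Katrina_V1, Sora, Owari, Tokyo)",
    52869: "Realtek SDK (Akiru, Katrina_V1, Sora, Owari, Tokyo)",
    37215: "Huawei HG532 (Katrina_V1, Sora, Owari, Tokyo)",
}

# Hypothetical key=value flow log format, assumed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one source sweeping Telnet across six hosts, one
# source probing the Huawei and Realtek ports, one benign HTTPS flow, and a
# malformed line that the parser must skip.
SAMPLE_LOG = [
    "2018-07-10T12:00:01Z src=198.51.100.7 dst=192.0.2.1 dport=23 proto=tcp",
    "2018-07-10T12:00:01Z src=198.51.100.7 dst=192.0.2.2 dport=23 proto=tcp",
    "2018-07-10T12:00:02Z src=198.51.100.7 dst=192.0.2.3 dport=23 proto=tcp",
    "2018-07-10T12:00:02Z src=198.51.100.7 dst=192.0.2.4 dport=2323 proto=tcp",
    "2018-07-10T12:00:03Z src=198.51.100.7 dst=192.0.2.5 dport=23 proto=tcp",
    "2018-07-10T12:00:03Z src=198.51.100.7 dst=192.0.2.6 dport=2323 proto=tcp",
    "2018-07-10T12:00:04Z src=203.0.113.9 dst=192.0.2.20 dport=37215 proto=tcp",
    "2018-07-10T12:00:05Z src=203.0.113.9 dst=192.0.2.21 dport=52869 proto=tcp",
    "2018-07-10T12:00:06Z src=192.0.2.50 dst=198.51.100.80 dport=443 proto=tcp",
    "this line is malformed and is skipped",
]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, scan_threshold=5):
    """Group flows by source and report, per source, (a) whether it touched at
    least `scan_threshold` distinct destinations on the watched ports, which is
    the scanner/brute-forcer pattern, and (b) which watched ports it hit, with
    the device family the article associates with each port.

    Flows are deliberately not filtered by protocol: not every service on the
    watched ports is TCP, so filtering would hide some probes."""
    targets = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in VARIANT_PORTS:
            continue
        targets[rec["src"]][rec["dport"]].add(rec["dst"])

    findings = {}
    for src, by_port in targets.items():
        distinct = set().union(*by_port.values())
        findings[src] = {
            "scanner": len(distinct) >= scan_threshold,
            "distinct_targets": len(distinct),
            "ports": {p: VARIANT_PORTS[p] for p in sorted(by_port)},
        }
    return findings


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        flag = "SCANNER" if info["scanner"] else "probe"
        print(f"{src}: {flag}, {info['distinct_targets']} targets")
        for port, label in info["ports"].items():
            print(f"    port {port}: {label}")
```

On the sample log the Telnet sweeper 198.51.100.7 is reported as a scanner (six distinct targets) while 203.0.113.9 is reported as a probe of the Huawei HG532 and Realtek SDK ports, and the HTTPS flow is ignored. To use it on real data, adapt LOG_RE to your firewall or NetFlow export format and tune scan_threshold to the size of the monitored address range; a single source touching the Netis, Realtek or Huawei ports on a home or branch network is already worth a look, since those ports have no legitimate reason to be reached from the internet.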
All of these versions can be used to mount large-scale attacks that may be as effective as the original Mirai if enough devices are recruited. The number of variants already circulating shows that individual hackers and groups continue to build on this method.