The Mirai botnet has now been equipped with a Windows variant, Trojan.Mirai.1, as revealed by security researchers at Dr. Web. The new variant targets Windows and can compromise more ports than its Linux counterpart. Like the Linux version, Trojan.Mirai.1 also infects IoT devices and carries out DDoS attacks.
The Linux version first appeared in May 2016, when Doctor Web added it to its virus database under the name Linux.DDoS.87. That Trojan could run on the SPARC, ARM, MIPS, SH-4 and M68K architectures as well as on Intel x86 computers.
Upon launch, Linux.Mirai searched memory for the processes of other Trojans and terminated them. The Trojan then created a .shinigami file in its own folder and checked for that file regularly so that it would not terminate itself. The malware was also designed to connect to a command & control server for further instructions.
What About the Windows Version of Mirai?
Dr. Web believes the Windows version was developed because its authors wanted to make sure the menace spread to even more devices. The malware can infect a range of devices, but until now it has preferred routers, CCTV cameras and DVRs. The infection process worked as follows: the malware selected random IP addresses and tried to log in through the SSH or Telnet port using a list of default administrator credentials for the device.
The Windows version is a Trojan written in C++. As explained by Dr. Web researchers, it appears to have been designed to scan TCP ports on the indicated range of IP addresses in order to execute various commands and distribute other malware. Once launched, Trojan.Mirai.1 establishes a connection with its command & control server, downloads a “configuration file (wpd.dat), and extracts the list of IP addresses.” Next, it launches the scanner and starts checking ports on those addresses.
If a successfully compromised device is running Linux, the malware launches further commands so that a Mirai DDoS bot is created on it. Interestingly, if the device is running Windows, the malware only drops a copy of itself. It also creates a DBMS user with the login “Mssqla” and the password “Bus3456#qwein”, which has sysadmin rights. Once all of this is done, the Windows Mirai can carry out various tasks using these credentials and the SQL Server event service. The malware does not execute any instructions over connections made through the RDP protocol.