Mirai has more than one tentacle to its octopus
Mirai has more than one tentacle to its octopus

Security researchers have unearthed code in a Mirai botnet enabling it to mine for bitcoins using IoT devices.

Researchers at IBM's X-force found late last month the functionality in a variant of the ELF Linux/Mirai malware. The bitcoin attack started on 20 March, peaking on 25 March, but three days later the activity subsided.

What the researchers found in a sample of the code was the same Mirai functionality ported over from the Windows version but with a focus on attacking Linux machines running BusyBox. This software provides several stripped-down Unix tools in a single executable file, designed for digital video recording (DVR) servers.

The researchers said that BusyBox uses Telnet, which is targeted with a dictionary attack brute-force tool contained in the Mirai malware. “The DVR servers are targeted because many of them use default Telnet credentials,” said the researchers in a blog post.

While bots can perform flooding attacks using various protocols, the new variant has another add-on: a bitcoin miner slave. However, the researchers wondered how effective a bitcoin miner would be, given that many IoT devices lack the computation power needed to mine cryptocurrency.

“Given Mirai's power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium,” said the researchers.

While researchers haven't figured out this capability, they another possibility. “It's possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode,” said Dave McMillen, senior threat researcher at IBM.

But he questioned how such a strategy would make any money.

“Almost four years ago, Krebs on Security discussed bitcoin mining bots; in that case, the compromised hosts were PCs. Mining bitcoins, however, is a CPU-intensive activity,” he said.

“How many compromised devices would it take to make the mining of bitcoin a viable revenue source for attackers? Wouldn't attackers have better luck compromising a bitcoin exchange company, as has been the case numerous times in the past? It's possible they're looking to find a way to make bitcoin mining via compromised IoT devices a lucrative venture.”

Marco Hogewoning, the RIPE NCC's external relations officer, told SC Media UK that for a larger enterprise that manages its own network, Deep Packet Inspection (DPI) could show bitcoin transactions in the destination or content of packets (though encryption might prevent this). “Looking for unnatural traffic patterns would be the best way to get a sense of whether something like this was happening,” he said.

“For a smaller business that might not manage its own network, the biggest indication would be computers or other devices suddenly becoming much slower. Monitor the device's CPU or memory load if possible – mining for Bitcoins is incredibly CPU intensive and would typically be difficult to disguise – this also makes such an attack unlikely to target smaller IoT devices like webcams or thermostats.”

Andrew Tierney, security consultant at Pen Test Partners, told SC that unless the miner binary was extremely naive and used all CPU resource all of the time, it would likely go undetected. “IoT equipment doesn't have the monitoring in place to allow things like this to be detected. There is no anti-virus, anti-malware, or firewall alerting, making it pretty much a sitting duck,” he said.

He said that organisations could mitigate such an incident happening to IoT devices in their networks by following five rules.

“Don't expose IoT devices to the Internet; segment IoT from the rest of the network; change default passwords; update firmware; and get IoT equipment penetration tested to minimise exposure.

“The onus is still very much on the end user to take the steps necessary to secure these devices and prevent such incidents,” he said.