
FYI, the OMG Mirai botnet variant turns IoT devices into proxy servers

A newly discovered variant of Mirai botnet malware forces infected devices to act as proxy servers capable of protecting the anonymity of cybercriminals engaging in illegal activities.

Fortinet's FortiGuard Labs research team, which uncovered the threat, believes the botnet operator may be selling credential access to these proxies for profit. This theory jibes with Fortinet's observation that many recent Mirai modifications have been introduced for financial gain, rather than to support Mirai's original purpose of launching distributed denial of service (DDoS) attacks. (Earlier this year, for instance, researchers reported that the Mirai-based Satori IoT botnet was being used to steal Ethereum cryptocurrency from mining wallets.)

"This is the first time we have seen a modified Mirai capable of DDoS attacks as well as setting up proxy servers on vulnerable IoT devices," states a Feb. 21 Fortinet blog post, authored by researchers Jasper Manuel, Rommel Joven and Dario Durando. "With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization."

"The sample we analyzed is quite new and was seen in January 2018," added Joven, in emailed comments supplied to SC Media.

Minh Tran, senior security researcher at FortiGuard Labs, forecasted other possible ways that Mirai-variant botnets could be leveraged in the future to make money. "In general, there are really a lot of possibilities," said Tran in an email interview with SC Media. "If we consider how other malware evolved in the past [they could] use the bots to relay spam, which is still a popular medium to deliver most malwares... including ransomwares."

In addition, infected devices could be used as command-and-control servers, Tran added, or we could see more being used to run cryptominers, especially those that don't require much processing power.

According to the Fortinet report, OMG still includes the original Mirai modules that kill processes, scan for vulnerable telnet systems, use brute-force login attacks to gain credential access, and execute DDoS attacks. But it also uses two random ports to set up 3proxy, a free open-source universal proxy server.

Traffic is allowed to flow through these two random ports (one for HTTP, one for SOCKS) due to a firewall rule, composed of two code strings, that OMG's programmers added to Mirai's original configuration table.

Upon connecting to the command-and-control server, OMG transmits a defined data message that identifies the infected device as a new bot recruit. The C&C server then responds with a five-byte-long data string that includes a command for whether to act as a proxy server, launch an attack or terminate the connection.
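The detection angle that follows from the two preceding paragraphs is that a compromised device ends up with firewall openings it did not have before, and a proxy process listening behind them. The script below is an added example written for this page; it is not code from the article or from Fortinet's report. It assumes a Linux/iptables-style device, a defender-maintained allowlist of ports the device is expected to serve, and `iptables-save` and `ss -lntp` output as its inputs. Both samples embedded in the script are constructed: the port numbers are made up, and the rule lines are not OMG's actual rule strings, which the article does not reproduce.

```python
import re

# Constructed allowlist: the inbound ports this device is expected to serve.
EXPECTED_PORTS = {22, 80, 443}

# Constructed `iptables-save` sample. The last two rules imitate the behaviour
# described in the article (two arbitrary ports opened for inbound TCP so the
# proxy listeners are reachable); the port numbers are made up and these are
# not OMG's actual rule strings.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 48291 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53772 -j ACCEPT
COMMIT
"""

# Constructed `ss -lntp` sample from the same device (process names and PIDs made up).
SAMPLE_SS_LNTP = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("dropbear",pid=412,fd=3))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=530,fd=4))
LISTEN  0       128     0.0.0.0:48291        0.0.0.0:*          users:(("3proxy",pid=1187,fd=5))
LISTEN  0       128     0.0.0.0:53772        0.0.0.0:*          users:(("3proxy",pid=1187,fd=6))
"""

# Matches one iptables rule that names a protocol, a single --dport and a target.
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+.*?-p\s+(?P<proto>tcp|udp)\b.*?--dport\s+(?P<port>\d+)\b.*?-j\s+(?P<target>\S+)"
)
# Extracts the first process name from an `ss -p` users:(("name",pid=...)) field.
PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_accept_rules(dump):
    """Return (chain, proto, port) for each rule that ACCEPTs traffic on a single --dport."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("target") == "ACCEPT":
            rules.append((m.group("chain"), m.group("proto"), int(m.group("port"))))
    return rules


def unexpected_open_ports(dump, expected=EXPECTED_PORTS, chain="INPUT"):
    """Ports the firewall accepts on `chain` that are not on the allowlist, sorted."""
    return sorted({p for c, _proto, p in parse_accept_rules(dump) if c == chain and p not in expected})


def listening_processes(ss_output):
    """Map each listening TCP port to the process name reported by `ss -lntp`."""
    listeners = {}
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue  # skip the header and any non-listening rows
        fields = line.split()
        port = int(fields[3].rsplit(":", 1)[1])  # "0.0.0.0:48291" -> 48291
        m = PROC_RE.search(line)
        listeners[port] = m.group(1) if m else "?"
    return listeners


def correlate(dump, ss_output, expected=EXPECTED_PORTS):
    """Pair each unexpected firewall opening with whatever process is listening behind it."""
    listeners = listening_processes(ss_output)
    return [(p, listeners.get(p, "nothing listening")) for p in unexpected_open_ports(dump, expected)]


if __name__ == "__main__":
    for port, proc in correlate(SAMPLE_IPTABLES_SAVE, SAMPLE_SS_LNTP):
        print(f"ALERT: firewall accepts inbound tcp/{port} not on allowlist; listener: {proc}")
```

On a fleet of devices the allowlist is the interesting part: a firmware image that legitimately serves three ports should never need two more opened at runtime, so any non-empty result from `correlate` is worth a ticket regardless of which process name turns up behind it. Running the two commands over SSH on a schedule and diffing against a stored baseline catches the change the article describes without needing a signature for the specific proxy binary.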

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
