Threat Management, Threat Management

Mirai evolves as Windows-based spreader is discovered on 500 systems


A Windows-based spreader for Mirai malware has been discovered by Kaspersky Lab, whose engineers were analysing the spreader in a recently published blog post.

Kaspersky analysis showed the spreader on 500 unique systems so far this year. Although those attempts were blocked, researchers warn that emerging markets currently investing in connected technology are particularly vulnerable. The Lab is reportedly working with CERTs in order to take emerging IoT botnets down.  

Kaspersky notes that most of the components and techniques of the new spreader are several years old. Furthermore, it's not quite a leap from Linux Mirai to Windows Mirai, but it does provide a new surface on which Mirai can spread. It can only deliver bots from a Windows host to a Linux host if it can brute force a remote telnet connection.

The author of this Windows spreader, is apparently a far more experienced actor than those we've previously seen launching Mirai DDoS attacks. The post notes, “with the ability to rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world, and the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the juvenile, stagnating, but destructive Mirai botnet operations of 2016.”

Kaspersky's analysis also concluded that the authors likely speak Chinese due to the presence code compiled on a Chinese system and the host servers being maintained in Taiwan.

Kurt Baumgartner, principal security researcher at Kaspersky Lab, said: “More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code. A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning.”

When Mirai's source code was published online, many thought it marked a sea change in capability for adversaries. An Institute of Critical Infrastructure Technology report called its publication a “quantum leap” in capability because it allowed even unsophisticated attackers to craft powerful DDoS attacks. Kaspersky notes, that from its “juvenile” roots, this development “demonstrates the slow maturing of Mirai now that the source is publicly available”.

Mike Ahmadi, global director of critical systems security at Synopsys told SC Media UK that this, indeed, is just the beginning: “Large scalable attacks draw lots of the attention hackers crave, and I believe it is just a matter of time before the hacking community begins exploiting the thousands of known and scalable vulnerabilities found in IoT devices worldwide, which are currently waiting their turn for the spotlight.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.