Mirai first appeared in 2016 as the first real botnet that could seriously exploit vulnerabilities in millions of IoT devices deployed across the world either to take control of industrial networks or to steal credentials of millions of IoT device owners.
Armed with a dictionary of username and password combinations, the Mirai botnet scanned IP addresses for open ports in IoT devices, subsequently infected millions of such devices in the process, and then used the affected devices in coordinated distributed denial of service (DDoS) attacks against websites worldwide.
Rising popularity of Mirai among hackers
The success of Mirai encouraged hackers to develop more botnet variants and by October last year, botnet-led malware attacks on IoT devices affected 49% of healthcare organisations, 82% of manufacturing, 76% of retail and 85% of government-owned or issued IoT tech.
"With the sheer amount of IoT devices, supposedly exceeding £20 billion in 2017, it makes perfect sense that malware writers and indeed digital criminals will utilise as many of those devices as possible to help them plunder the internet. Unlike normal criminal activity it’s not governed by boundaries- it makes no difference if the compromised device exists in the UK, USA or Australia, it’s all fair game to them," said Mark James, Security Specialist at ESET.
In the two years since the Mirai botnet attacks first took place, security researchers also observed that many new botnets shared code with Mirai and were simply more powerful variants of the latter. For example, earlier this year, a new variant of Mirai, dubbed Okiru, infected over a billion ARC processors that were used in IoT devices across the world.
"From this day, the landscape of #Linux #IoT infection will change. #ARC CPU has produced #IoT devices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It's a serious threat will be.
"This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!! Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn't been infected yet,' said security researcher Odisseus on Twitter.
Another variant of Mirai, dubbed Satori, infected more than 280,000 different IPs which were scanning ports 37215 and 52869 within a space of twelve hours. Unlike other Mirai variants, the Satori botnet featured two embedded exploits that connected to ports 37215 and 52869 to infect more IoT devices.
A month before Satori was discovered, it took the combined might of the FBI, the Luneburg Central Criminal Investigation Inspectorate in Germany, Europol’s European Cybercrime Centre (EC3), the Joint Cybercrime Action Task Force (J-CAT), Eurojust and several private-sector partners to destroy another Mirai variant named Andromeda that had spread to millions of IoT devices.
Many new botnets featuring the Mirai framework
According to new research by NETSCOUT Arbor, botnet authors are using Mirai as a framework to quickly add in new exploits and functionalities, thereby dramatically decreasing the development time for new botnets. Along with Satori, researchers at the firm also named three new botnets- JenX, OMG and Wicked, that contained the Mirai framework.
While JenX relies on external tools for scanning and exploitation, OMG capitalizes on the Mirai source code and expands it to add an HTTP and SOCKS proxy that enables the infected IoT device to act as a pivot point, and Wicked features the ability to target Netgear routers and CCTV-DVR devices which are vulnerable to remote code execution (RCE) flaws.
"On September 30, 2016 the source code for Mirai was published. Since then the Mirai source code has been a major influence on a slew of recent IoT based botnets. NETSCOUT Arbor saw several variants of Satori in the wild from December 2017 through January 2018. Each of these variants used Mirai as its foundation," the researchers said.
They added that Satori, JenX, OMG and Wicked use the same attack types supported by the original Mirai source code and feature DDoS capabilities such as TCP flooding, UDP flooding, valve Source Engine (VSE) query-flooding, GRE-flooding, pseudo-random DNS label-prepending attacks and HTTP GET, POST, and HEAD attacks.
"The Mirai source is not limited to only DDoS attacks. A variant of Satori was discovered which attacks Ethereum mining clients. As seen with the four samples, botnet authors are already using the Mirai source code as their building blocks. As the explosion of IoT devices does not look to be slowing down, we believe we’ll continue to see increases in IoT botnets.
"Malware authors will continue to leverage IoT based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet facing devices. It is important for organizations to apply proper patching, updates, and DDoS mitigation strategies to defend their organizations," they added.