Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security //

Botnet

2/28/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

OMG: Mirai Botnet Finds New Life, Again

The Mirai botnet refuses to die. This time, it has spawned a new bot called OMG, which Fortinet researchers have seen in the wild, and it's turning IoT devices into proxy servers.

The Mirai botnet -- used for so many Distributed Denial of Services (DDoS) attacks -- has a new variant that security company Fortinet has seen in the wild.

What company researchers are calling the OMG bot concentrates on establishing proxy servers that can be used to disseminate malicious traffic, and it uses Internet of Things (IoT) devices to get the job done.

Mirai variations have been designed for other tasks, such as cryptomining, in the past. While there have been attempts to include a proxy server before, this seems the first Mirai variant that is both widely distributed and emphasizes the proxy function as a main goal of the malware.

The goal of OMG may be to commercialize the proxy server for others to use as a distribution mechanism, according to Fortinet.

This kind of proxy server has many uses for malware. The proxy can relay instructions from another malware's Command and Control (C&C) server which will mask the true location of it. (See How Secure Are Your IoT Devices?)

Not only that, brute-force and dictionary attacks on something may be mitigated by only allowing certain number of attempts at a time to be made by a specific IP address. The proxy allows such an attack to continue by changing the IP address the victim sees.

Fortinet's analysis of the code found that OMG keeps Mirai's original module, which include an attack, killer and scanner module. This implies that it can function in the same way the original Mirai does. It can kill processes -- this can include telnet, ssh and http by checking open ports, and other processes related to other bots -- as well as telnet via brute-force login so it may spread, and launch a DDoS attack.

Once it initializes, the bot module tries to connect to the C&C server. Fortinet found that the C&C for Mirai OMG was at 188.138.125.235 with a port of 50023. However, they were not able to see the C&C in action, so their investigation is based only on static analysis of the code.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

The C&C server will respond to a module announcing that it has joined the net with either a 0 (be a proxy server), a 1 (attack something) or teardown the connection and hide.

The proxy server uses 3proxy, which is open source software. The server begins its life by generating two random ports that are used for the http_proxy_port and socks_proxy_port. Once the ports have been generated, they are reported to the C&C which then uses them.

The same techniques that prevent Mirai will help prevent this variant. It expects weak, default passwords to be present on the device. It's up to the user to change them to stronger, more robust ones.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4873
PUBLISHED: 2021-01-19
IBM Planning Analytics 2.0 could allow an attacker to obtain sensitive information due to an overly permissive CORS policy. IBM X-Force ID: 190836.
CVE-2020-4881
PUBLISHED: 2021-01-19
IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the lack of server hostname verification for SSL/TLS communication. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID...
CVE-2021-22498
PUBLISHED: 2021-01-19
XML External Entity Injection vulnerability in Micro Focus Application Lifecycle Management (Previously known as Quality Center) product. The vulnerability affects versions 12.x, 12.60 Patch 5 and earlier, 15.0.1 Patch 2 and earlier and 15.5. The vulnerability could be exploited to allow an XML Exte...
CVE-2021-25323
PUBLISHED: 2021-01-19
The default setting of MISP 2.4.136 did not enable the requirements (aka require_password_confirmation) to provide the previous password when changing a password.
CVE-2021-25324
PUBLISHED: 2021-01-19
MISP 2.4.136 has Stored XSS in the galaxy cluster view via a cluster name to app/View/GalaxyClusters/view.ctp.