Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security //

Botnet

2/28/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

OMG: Mirai Botnet Finds New Life, Again

The Mirai botnet refuses to die. This time, it has spawned a new bot called OMG, which Fortinet researchers have seen in the wild, and it's turning IoT devices into proxy servers.

The Mirai botnet -- used for so many Distributed Denial of Services (DDoS) attacks -- has a new variant that security company Fortinet has seen in the wild.

What company researchers are calling the OMG bot concentrates on establishing proxy servers that can be used to disseminate malicious traffic, and it uses Internet of Things (IoT) devices to get the job done.

Mirai variations have been designed for other tasks, such as cryptomining, in the past. While there have been attempts to include a proxy server before, this seems the first Mirai variant that is both widely distributed and emphasizes the proxy function as a main goal of the malware.

The goal of OMG may be to commercialize the proxy server for others to use as a distribution mechanism, according to Fortinet.

This kind of proxy server has many uses for malware. The proxy can relay instructions from another malware's Command and Control (C&C) server which will mask the true location of it. (See How Secure Are Your IoT Devices?)

Not only that, brute-force and dictionary attacks on something may be mitigated by only allowing certain number of attempts at a time to be made by a specific IP address. The proxy allows such an attack to continue by changing the IP address the victim sees.

Fortinet's analysis of the code found that OMG keeps Mirai's original module, which include an attack, killer and scanner module. This implies that it can function in the same way the original Mirai does. It can kill processes -- this can include telnet, ssh and http by checking open ports, and other processes related to other bots -- as well as telnet via brute-force login so it may spread, and launch a DDoS attack.

Once it initializes, the bot module tries to connect to the C&C server. Fortinet found that the C&C for Mirai OMG was at 188.138.125.235 with a port of 50023. However, they were not able to see the C&C in action, so their investigation is based only on static analysis of the code.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

The C&C server will respond to a module announcing that it has joined the net with either a 0 (be a proxy server), a 1 (attack something) or teardown the connection and hide.

The proxy server uses 3proxy, which is open source software. The server begins its life by generating two random ports that are used for the http_proxy_port and socks_proxy_port. Once the ports have been generated, they are reported to the C&C which then uses them.

The same techniques that prevent Mirai will help prevent this variant. It expects weak, default passwords to be present on the device. It's up to the user to change them to stronger, more robust ones.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.