Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT/Embedded Security //

Botnet

End of Bibblio RCM includes -->
2/28/2018
09:35 AM
Larry Loeb
Larry Loeb
Larry Loeb

OMG: Mirai Botnet Finds New Life, Again

The Mirai botnet refuses to die. This time, it has spawned a new bot called OMG, which Fortinet researchers have seen in the wild, and it's turning IoT devices into proxy servers.

The Mirai botnet -- used for so many Distributed Denial of Services (DDoS) attacks -- has a new variant that security company Fortinet has seen in the wild.

What company researchers are calling the OMG bot concentrates on establishing proxy servers that can be used to disseminate malicious traffic, and it uses Internet of Things (IoT) devices to get the job done.

Mirai variations have been designed for other tasks, such as cryptomining, in the past. While there have been attempts to include a proxy server before, this seems the first Mirai variant that is both widely distributed and emphasizes the proxy function as a main goal of the malware.

(Source: Pixabay)
(Source: Pixabay)

The goal of OMG may be to commercialize the proxy server for others to use as a distribution mechanism, according to Fortinet.

This kind of proxy server has many uses for malware. The proxy can relay instructions from another malware's Command and Control (C&C) server which will mask the true location of it. (See How Secure Are Your IoT Devices?)

Not only that, brute-force and dictionary attacks on something may be mitigated by only allowing certain number of attempts at a time to be made by a specific IP address. The proxy allows such an attack to continue by changing the IP address the victim sees.

Fortinet's analysis of the code found that OMG keeps Mirai's original module, which include an attack, killer and scanner module. This implies that it can function in the same way the original Mirai does. It can kill processes -- this can include telnet, ssh and http by checking open ports, and other processes related to other bots -- as well as telnet via brute-force login so it may spread, and launch a DDoS attack.

Once it initializes, the bot module tries to connect to the C&C server. Fortinet found that the C&C for Mirai OMG was at 188.138.125.235 with a port of 50023. However, they were not able to see the C&C in action, so their investigation is based only on static analysis of the code.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

The C&C server will respond to a module announcing that it has joined the net with either a 0 (be a proxy server), a 1 (attack something) or teardown the connection and hide.

The proxy server uses 3proxy, which is open source software. The server begins its life by generating two random ports that are used for the http_proxy_port and socks_proxy_port. Once the ports have been generated, they are reported to the C&C which then uses them.

The same techniques that prevent Mirai will help prevent this variant. It expects weak, default passwords to be present on the device. It's up to the user to change them to stronger, more robust ones.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-32033
PUBLISHED: 2022-07-01
Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via the function formSetVirtualSer.
CVE-2022-32034
PUBLISHED: 2022-07-01
Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the items parameter in the function formdelMasteraclist.
CVE-2022-32035
PUBLISHED: 2022-07-01
Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formMasterMng.
CVE-2022-32036
PUBLISHED: 2022-07-01
Tenda M3 V1.0.0.12 was discovered to contain multiple stack overflow vulnerabilities via the ssidList, storeName, and trademark parameters in the function formSetStoreWeb.
CVE-2022-32037
PUBLISHED: 2022-07-01
Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the function formSetAPCfg.