The Mirai botnet -- used for so many Distributed Denial of Services (DDoS) attacks -- has a new variant that security company Fortinet has seen in the wild.
What company researchers are calling the OMG bot concentrates on establishing proxy servers that can be used to disseminate malicious traffic, and it uses Internet of Things (IoT) devices to get the job done.
Mirai variations have been designed for other tasks, such as cryptomining, in the past. While there have been attempts to include a proxy server before, this seems the first Mirai variant that is both widely distributed and emphasizes the proxy function as a main goal of the malware.
The goal of OMG may be to commercialize the proxy server for others to use as a distribution mechanism, according to Fortinet.
This kind of proxy server has many uses for malware. The proxy can relay instructions from another malware's Command and Control (C&C) server which will mask the true location of it. (See How Secure Are Your IoT Devices?)
Not only that, brute-force and dictionary attacks on something may be mitigated by only allowing certain number of attempts at a time to be made by a specific IP address. The proxy allows such an attack to continue by changing the IP address the victim sees.
Fortinet's analysis of the code found that OMG keeps Mirai's original module, which include an attack, killer and scanner module. This implies that it can function in the same way the original Mirai does. It can kill processes -- this can include telnet, ssh and http by checking open ports, and other processes related to other bots -- as well as telnet via brute-force login so it may spread, and launch a DDoS attack.
Once it initializes, the bot module tries to connect to the C&C server. Fortinet found that the C&C for Mirai OMG was at 220.127.116.11 with a port of 50023. However, they were not able to see the C&C in action, so their investigation is based only on static analysis of the code.
The C&C server will respond to a module announcing that it has joined the net with either a 0 (be a proxy server), a 1 (attack something) or teardown the connection and hide.
The proxy server uses 3proxy, which is open source software. The server begins its life by generating two random ports that are used for the http_proxy_port and socks_proxy_port. Once the ports have been generated, they are reported to the C&C which then uses them.
The same techniques that prevent Mirai will help prevent this variant. It expects weak, default passwords to be present on the device. It's up to the user to change them to stronger, more robust ones.
- DDoS Today: No Safety Inside the Perimeter
- Can the IoT Be More Secure?
- A New BotNet Is Growing: Are You Already Part of Its Army?
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.