[ARTICLE] Mirai…is back

Mirai, from ancient history? One would have thought it was a closed case.

Discovered by MalwareMustDIe researchers in August 2016, Mirai malware had launched record denial of service attacks. In September 2016, Twitter, CNN, Spotify and many others were paralyzed for several hours, like the French hosting company OVH and the American provider DNS Dyn (since acquired by Oracle). While webcams are one of these prime targets, its new prime targets include routers, connected TVs and media players.

After two variants identified last fall, targeting Apache Struts servers and SonicWall equipment, the new variant identified by Palo Alto Networks 42 researchers targets two new device classes: intelligent display TVs and wireless presentation systems. This version uses 27 exploits, 11 of which are completely new. One of the 11 new exploits is for the WePresent WiPG-1000 wireless presentation systems and another is for the LG Supersign TVs. Both devices are intended for businesses, which generally have networks with higher bandwidth than Mirai’s more traditional target, namely home consumers. The other new exploits targeted vulnerabilities in a range of devices in the Netgear, DLink and Zyxel products.





In addition to scanning other vulnerable devices, the new version can be used to send HTTP Flood DDoS attacks. At the time of the publication of the discovery of this new malware, the shell script of the payload was still online, ironically on the compromised website of an unnamed “electronic security, integration and alarm monitoring” service in Colombia. In addition, the binaries downloaded by the shell script have been named in “clean…[arch]” format (e. g. clean.x86, clean.mips etc.), but they no longer seem to be hosted on the site.

Pivoting on the payload source revealed that some samples were recovering the same payload that was housed at 185[…]248.140.102/bins/. The same IP address hosted Gafgyt samples in “eeppinen…[arch]” format a few days before the update to this new multi-exploit variant.

To protect themselves from Mirai, computer security researchers recommend the following measures:

  1. The installation of patches and firmware updates of the connected equipment ;
  2. The systematic modification of the default passwords of these equipment by solid passwords (several different characters);
  3. The restart or even the reset of any equipment considered suspicious. It should be noted that while this restart does tend to eliminate most Mirai variants, it does not prevent the re-infection of the device;
  4. The implementation of continuous network monitoring to monitor the behaviour and communications of all IoT devices within the system;
  5. Improved monitoring and response time in the event of an incident