The Internet of Things (IoT) is creating a new environment in which malware can build powerful botnets. Mirai, a recently discovered Linux Trojan, is difficult to detect and is already active in the wild.
The threat is a new variant of the Gafgyt (aka BASHLITE, aka Torlus) malware family, which has been used by operators of DDoS (distributed denial of service) services.
How Does This New Trojan Virus Attack?
Mirai takes its name from the discovered binaries, which are named “mirai.*” (the suffix identifies the target CPU architecture, e.g. mirai.arm or mirai.mips); it was first identified in August 2016. It arrives as an ELF Linux executable and targets mainly DVRs, routers, web IP cameras, Linux servers and other devices running BusyBox, the stripped-down userland common on embedded IoT devices.
Mirai gains shell access by logging in over telnet (or SSH) with the factory-default credentials of the device. Once it has a shell, it downloads and executes the bot binary on the system. The bot launches itself as a delayed background process and then deletes its own files from disk, removing the artefacts that antivirus software would otherwise flag. Because of this, an infected system is difficult to identify without memory analysis.
Mirai then opens its listening port, connects to the botmasters’ command-and-control infrastructure and starts scanning for other devices it can infect. After that it waits for further instructions. With no files left on the system and little visible activity while it waits, it is hard to detect.
According to Best Security Search, “The low detection ratio can also be explained by the Mirai feature to delete all malware files once it successfully sets the backdoor port into the system. It leaves only the delayed process where the malware is running after being executed.”
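The two host-side traces that survive the self-deletion described above are a running process whose executable no longer exists on disk (the kernel marks the /proc/<pid>/exe link “(deleted)”) and the loopback listener on TCP 48101, the port the prevention advice later in this article recommends blocking. The following Python script checks a Linux host for both; it is an added example, not code from the article or from the researchers it quotes, and the /proc/net/tcp sample embedded in it is constructed for illustration (function names are this example’s own).

```python
"""Hunt for a Mirai-style in-memory bot on a Linux host using only /proc.

Indicator 1: a process whose binary has been unlinked after launch
            (/proc/<pid>/exe resolves to "... (deleted)").
Indicator 2: a TCP listener on 127.0.0.1:48101, which Mirai samples
            bind as a single-instance lock.
"""
import os

MIRAI_LOCK_PORT = 48101  # loopback port reported for Mirai bots

# Constructed sample of /proc/net/tcp (not captured from a real host).
# Local/remote addresses are little-endian hex: 0100007F:BBE5 = 127.0.0.1:48101
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:BBE5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18211 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13322 1 0000000000000000 100 0 0 10 0
   2: 0201A8C0:B3E2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 21947 1 0000000000000000 20 4 30 10 -1
"""


def is_deleted_exe_target(link_target):
    """True if a readlink() of /proc/<pid>/exe points at an unlinked file."""
    return link_target.endswith(" (deleted)")


def deleted_executables(proc_root="/proc"):
    """Return (pid, exe_path) for every process whose binary is gone from disk."""
    hits = []
    if not os.path.isdir(proc_root):
        return hits  # not a Linux procfs mount
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue  # kernel thread, process already exited, or no permission
        if is_deleted_exe_target(target):
            hits.append((int(name), target))
    return hits


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp into (local_ip, local_port, state_hex) tuples."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # Reverse the byte order: "0100007F" -> 127.0.0.1
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        rows.append((".".join(map(str, octets)), int(port_hex, 16), fields[3]))
    return rows


def listeners_on(port, text):
    """Local addresses holding a LISTEN (state 0A) socket on `port`."""
    return [ip for ip, p, st in parse_proc_net_tcp(text) if p == port and st == "0A"]


def mirai_indicators(proc_root="/proc"):
    """Combine both checks on the live host; returns a dict of findings."""
    try:
        with open(os.path.join(proc_root, "net", "tcp")) as fh:
            tcp_table = fh.read()
    except OSError:
        tcp_table = ""
    return {
        "deleted_exe_processes": deleted_executables(proc_root),
        "lock_port_listeners": listeners_on(MIRAI_LOCK_PORT, tcp_table),
    }


if __name__ == "__main__":
    findings = mirai_indicators()
    for pid, path in findings["deleted_exe_processes"]:
        print(f"[!] pid {pid} runs from deleted binary: {path}")
    for ip in findings["lock_port_listeners"]:
        print(f"[!] listener on {ip}:{MIRAI_LOCK_PORT} (Mirai single-instance port)")
    if not any(findings.values()):
        print("no Mirai indicators found")
```

Run it as root so every /proc/<pid>/exe link is readable; a deleted-binary process is not proof of Mirai on its own (package upgrades produce the same state for long-running daemons), so treat a hit as a lead for the memory analysis the article calls for.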
How Is Mirai Different from Previous Variants?
MalwareMustDie states that, “The actors now have a different strategy than the older type of similar threat: trying to be stealthy (with delay), undetected (low detection hit in AV or traffic filter), unseen (no trace nor samples extracted), with encoded ELF ASCII data, and with a big “hush-hush” among them for its distribution. But it is obvious that the main purpose is still a DDoS botnet and to rapidly spread its infection to reachable IoTs by what they call the Telnet Scanner.”
Who Could Be Infected?
This malware can infect a wide range of remote devices that are rarely scanned for malware. Security Affairs states that, “Countries that have Linux BusyBox IoT embedded devices that can connect to the Internet, like DVRs or web IP cameras from several brands, and countries whose ISPs serve users with Linux routers running on global IP addresses, are exposed as targets, especially the devices or services that do not secure access to the telnet port (TCP/23) service.”
How to Prevent Infection
To prevent infection:
Stop the telnet service if you are not using it, and block TCP port 48101, which Mirai is known to use
Restrict BusyBox execution to a specific user account rather than leaving it executable by everyone
Scan your network for exposed telnet services (TCP/23) and disable or firewall each one you find
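The last step, finding every telnet service reachable on a segment, can be done with a short connect scan. The Python below is an added example, not a tool from the article or from the researchers it quotes; it assumes you are authorised to scan the range and that devices answer a plain TCP connect on port 23 (any host that does is a candidate for the default-credential attack described above). Function names and the default range are this example’s own.

```python
"""Find telnet (TCP/23) services exposed on your own network segment."""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

TELNET_PORT = 23


def expand_targets(cidr):
    """Return the usable host addresses of a CIDR block as strings."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def probe(host, port=TELNET_PORT, timeout=1.0):
    """True if a TCP connect to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unreachable or timed out
        return False


def grab_banner(host, port=TELNET_PORT, timeout=2.0, limit=256):
    """Read the first bytes the service sends (often IAC negotiation then a login prompt)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(limit)
    except OSError:
        return b""


def strip_telnet_negotiation(data):
    """Drop 3-byte IAC WILL/WONT/DO/DONT sequences so the login prompt is readable."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data) and data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3  # IAC <verb> <option>
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def scan(cidr, port=TELNET_PORT, workers=64, timeout=1.0):
    """Return the hosts in `cidr` that accept a TCP connection on `port`."""
    targets = expand_targets(cidr)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, probe(h, port, timeout)), targets)
    return [h for h, is_open in results if is_open]


if __name__ == "__main__":
    rng = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"  # assumed LAN range
    for host in scan(rng):
        banner = strip_telnet_negotiation(grab_banner(host))
        print(f"{host}:{TELNET_PORT} open  {banner[:60]!r}")
```

Run it from inside the segment (`python3 telnet_scan.py 10.0.0.0/24`); anything it lists should have telnet disabled, moved behind a firewall rule, or at minimum its default password changed, since those are exactly the hosts Mirai’s telnet scanner will find.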