Mirai leveraging Aboriginal Linux to target multiple platforms

Researchers say the latest Mirai builds are like the others, with one significant difference


The Mirai botnet hasn't gone away; you don't hear about it much, but the code has been constantly updated and maintained. Recently, Symantec's Dinesh Venkatesan discovered a command and control (C&C) server hosting various types of malware, each one targeted at a specific platform.

In October of 2016, the Mirai botnet was used in attacks against Dyn Inc., knocking out internet service to most of the east coast in the United States. It was later determined that the Dyn Inc. attack was carried out by a variant of Mirai, not the same set of Mirai bots used to target OVH and Brian Krebs the month prior.

The Mirai botnet source code was released to the public shortly before the Dyn Inc. attack, leading copycats to create botnets of their own, a practice that has continued to this day.

"One of the major pain points for a cross platform IoT botnet is portability. The malware must be able to run on different architectures and platforms in a self-contained capsule without any run-time surprises or misconfiguration," Venkatesan wrote in a blog post.

To overcome this pain point, someone has turned to Aboriginal Linux in order to increase the reach of Mirai.

By using the open-source project, the Mirai controllers are able to easily cross-compile binaries, making the botnet compatible with multiple architectures and executable on a range of devices, including routers, IP cameras, Android, and other connected devices.

It isn't the first time criminals have opted to use a legitimate tool for their dirty work, and it won't be the last.

When the malware was tested, Venkatesan said, it attempted to scan 500,000 IP addresses using the random generation process that Mirai is known for.

Symantec urges IoT developers and administrators to take care and remember to audit the devices on their network, and to remove default passwords and settings.

In addition, Symantec stressed limiting access to non-essential functions and features, disabling UPnP (Universal Plug and Play) on routers unless "absolutely necessary," and disabling Telnet in favor of SSH.

Consumers should prefer wired over wireless connections, should research the capabilities and security features of any IoT device before purchasing it, and should keep an eye on the manufacturer for firmware releases.
