The Internet of Things (IoT) is creating a new environment where malware can be used to build powerful botnets. Mirai, a new Trojan for Linux, is difficult to detect and already exists in the wild. The threat is a new variant of the Gafgyt (aka BASHLITE, aka Torlus) malware, which has been used by distributed denial of service (DDoS) service providers.

How Does This New Trojan Virus Attack?

Mirai's name comes from the discovered binaries having the name "mirai.()", and it was initially discovered in August. It arrives as an ELF Linux executable and focuses mainly on DVRs, routers, web IP cameras, Linux servers, and other devices that are running Busybox, a common tool on embedded IoT devices.

Mirai uses the default password for the telnet or SSH accounts to gain shell access. Once it has access to such an account, it installs malware on the system. This malware creates delayed processes and then deletes files that might alert antivirus software to its presence. Because of this, it is difficult to identify an infected system without doing a memory analysis.

Mirai opens ports and creates a connection with the botmasters, then starts looking for other devices it can infect. After that, it waits for further instructions. Since it shows no activity while it waits and leaves no files on the system, it is difficult to detect.

According to Best Security Search, "The low detection ratio can also be explained by the Mirai feature to delete all malware files once it successfully sets the backdoor port into the system. It leaves only the delayed process where the malware is running after being executed."

How Is Mirai Different from Previous Variants?

MalwareMustDie states that, "The actors are now having a different strategy than older types of similar threat. By trying to be stealthy (with delay), undetected (low detection hit in AV or traffic filter), unseen (no trace nor samples extracted), encoded ELF's ASCII data, and with a big "hush-hush" among them for its distribution. But it is obvious that the main purpose is still for DDoS botnet and to rapidly spread its infection to reachable IoTs by what they call the Telnet Scanner."

Who Could Be Infected?

This malware could infect a wide range of remote devices that are rarely scanned for malware. Security Affairs states that, "Countries that have Linux busybox IoT embedded devices that can connect to the Internet, like DVR or Web IP Camera from several brands, and countries who have ISPs serving users by Linux routers running with global IP addresses, are exposed as targets, especially the devices or services that are not securing access to the telnet port (TCP/23) service."

How to Prevent Infection

To prevent infection:

- Stop the telnet service and block TCP port 48101 if you are not currently using it
- Set Busybox execution to be run only for a specific user
- Scan for open telnet connections on your network

Conclusion

Mirai is the latest variant in a line of malware that is trying to attack IoT devices. It is important that you take steps today to monitor your infrastructure, including endpoint protection software.
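The two host-side traits the post describes (a listener on the backdoor port alongside telnet, and a running process whose binary has been deleted from disk) can be checked from /proc on a Linux box. The script below is an added triage example, not code from the post or from any of the sources it quotes; it assumes a Linux /proc filesystem and uses a constructed /proc/net/tcp sample for the port check.

```python
"""Triage helpers for the Mirai traits described above (added example)."""
import os
import tempfile

TELNET_PORT = 23
BACKDOOR_PORT = 48101  # the port the post recommends blocking

# Constructed /proc/net/tcp sample: local_address is hex ip:port, st 0A = LISTEN.
# Row 0 listens on 0x17 (23/telnet), row 1 on 0xBBE5 (48101), row 2 is an
# established DNS connection and must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1234 1 0 100 0 0 10 0
   1: 00000000:BBE5 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 5678 1 0 100 0 0 10 0
   2: 0100007F:0035 0100007F:D3A4 01 00000000:00000000 00:00000000 00000000 0 0 9012 1 0 100 0 0 10 0
"""


def listening_ports(proc_net_tcp_text):
    """Return the set of TCP ports in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].split(":")[1], 16))
    return ports


def suspicious_listeners(ports):
    """Ports the post says to stop (telnet) or block (48101), if open."""
    return sorted(p for p in ports if p in (TELNET_PORT, BACKDOOR_PORT))


def deleted_exe_processes(proc_root="/proc"):
    """(pid, target) for processes whose /proc/<pid>/exe was unlinked from disk:
    the 'delayed process with no files left' pattern. Needs read access to /proc."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel thread, exited, or permission denied
            continue
        if target.endswith(" (deleted)"):
            hits.append((int(entry), target))
    return hits


def demo_deleted_exe():
    """Build a constructed fake /proc tree (one clean, one unlinked binary)."""
    root = tempfile.mkdtemp()
    for pid, target in (("101", "/bin/sh"), ("202", "/tmp/.x/mirai (deleted)")):
        os.mkdir(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    return deleted_exe_processes(root)
```

On a real host, call listening_ports(open("/proc/net/tcp").read()) and deleted_exe_processes() as root; a hit on either is a reason for the memory analysis the post mentions, not proof of infection on its own.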