Dark Reading on a new Mirai botnet variant OMG which aims to turn infected IoT devices into proxy servers as a potential method for generating income:
“One way to earn money with proxy servers is to sell the access to these servers to other cybercriminals,” Fortinet said in a blog post this week. Proxies give cybercriminals a way to remain anonymous when carrying out malicious activity like cyber theft, or breaking into systems.
“Adversaries could also spread multiple attacks through a single source. They could get around some types of IP blocking and filtering,” as well, according to a Fortinet spokesperson.
OMG uses an open source tool called 3proxy as its proxy server. For the proxy to work properly, OMG includes two strings containing a command for adding and removing certain firewalls rules so as to allow traffic on two random ports, Fortinet said. OMG also packs most of the functionality of the original Mirai malware, including the ability to look for open ports and kill any processes related to telnet, http, and SSH and to use telnet brute-force logins to spread, Fortinet said.
When installed on a vulnerable IoT device, OMG initiates a connection to a command-and-control server and identifies the system as a new bot. Based on the data message, the C&C server then instructs the bot malware whether to use the infected IoT device as a proxy server or for DDoS attacks – or to terminate the connection.
According to Fortinet, OMG is the first Mirai variant that incorporates both the original DDoS functionality as well as the ability to set up proxy servers on IoT devices.
Attackers are always creating new ways of leveraging their malware toolset. This is a pretty interesting use-case and probably not likely one attractive to most actors. Nonetheless, although a novel use of Mirai, it is just as dangerous as its predecessors and therefore needs to be properly eradicated before it causes any major damage.
A new massive IoT botnet dubbed Satori has emerged, which security researchers fear, can launch crippling attacks at any time.
The botnet has reportedly already infected over 280,000 IP addresses in just 12 hours, enslaving hundreds of thousands of home routers by exploiting a recently discovered zero-day vulnerability.
Satori, which reportedly means “Awakening” in Japanese, is actually the infamous Mirai botnet’s successor.
According to a new report by security researchers at Qihoo 360 Netlab, the Satori botnet can propagate rapidly by itself, which essentially makes it an IoT worm.
Dale Drew, chief security strategist at CenturyLink, told ArsTechnica that the Satori botnet has already infected two widely-used types of home routers by exploiting the recently-discovered zero-day flaw.
Qihoo 360 Netlab security researcher Li Fengpei told Bleeping Computer that there are some clues that hint at the possibility of Satori being linked to yet another Mirai-based botnet discovered last month.
Drew reportedly warned that Satori botnet’s operators could launch an Internet-crippling DDoS attack at any time.
Mirai, the Internet-of-things malware that turns cameras, routers, and other household devices into potent distributed denial-of-service platforms, may be lying low, but it’s certainly not dead. Last week, researchers identified a new outbreak that infected almost 100,000 devices in a matter of days.
Over a span of 60 hours starting on November 22, the new Mirai strain was able to commandeer almost 100,000 devices.
As the underlying CVE-2016-10401 vulnerability description explains, affected ZyXEL devices by default use the same su, or superuser, password that makes it easier for remote attackers to obtain root access when a non-root account password is known.
The recently discovered Reaper botnet is significant because it doesn’t rely on passwords at all to spread. That raises the specter of outbreaks that infect devices even when owners or service providers have taken the time to change default credentials.
If the addition of two default credentials can recruit almost 100,000 new devices in less than three days, attackers likely have plenty of other ways to take over IoT devices in mass quantities.
IoT security vulnerabilities are going to continue to cause major problems for the Internet until countries enact minimum security baseline requirements. Consider we are expected to have 20 billion IoT devices online by 2020. If we continue to allow IoT manufacturers act like this is the wild west, things are only going to get exponentially worse.
The Gameover Zeus botnet owners looked at their operation as a complete criminal organization, owned all the assets and put them all under one roof, Elliott noted. “They were very centralized, which made it good for them from a logistics standpoint and very good for us in law enforcement.”
One of the principal servers used by Gameover Zeus was referred to by the botnet owners as the “Business Club.” Through the Business Club, the FBI was able to connect the dots across attacks and victims. There was a full ledger system in place that kept accurate track of all the fraud committed by the Gameover Zeus botnet, Elliott said.
As to how the FBI actually identified the individuals responsible, Elliott said the criminals weren’t part-time criminals; cybercrime was their full-time job. That’s how the FBI was able to identify Evgeniy Bogachev as the kingpin behind the Gameover Zeus botnet.
“One of the things we try to do as law enforcement is work ourselves in, so we can attack the seams between their personal life and their criminal life,” Elliott said. “Fortunately Bogachev was a user of VPNs, and he liked to use the same VPNs to log into his personal accounts as he would to administrate the backend of the botnet servers.”
The FBI did a botnet takeover in June of 2014 to protect victims and stop future fraud.