Dark Reading on OMG, a new Mirai botnet variant that turns infected IoT devices into proxy servers as a potential method for generating income:
“One way to earn money with proxy servers is to sell the access to these servers to other cybercriminals,” Fortinet said in a blog post this week. Proxies give cybercriminals a way to remain anonymous when carrying out malicious activity like cyber theft, or breaking into systems.
“Adversaries could also spread multiple attacks through a single source. They could get around some types of IP blocking and filtering,” as well, according to a Fortinet spokesperson.
OMG uses an open source tool called 3proxy as its proxy server. For the proxy to work properly, OMG includes two strings containing a command for adding and removing certain firewall rules so as to allow traffic on two random ports, Fortinet said. OMG also packs most of the functionality of the original Mirai malware, including the ability to look for open ports and kill any processes related to telnet, http, and SSH and to use telnet brute-force logins to spread, Fortinet said.
When installed on a vulnerable IoT device, OMG initiates a connection to a command-and-control server and identifies the system as a new bot. Based on the data message, the C&C server then instructs the bot malware whether to use the infected IoT device as a proxy server or for DDoS attacks – or to terminate the connection.
According to Fortinet, OMG is the first Mirai variant that incorporates both the original DDoS functionality as well as the ability to set up proxy servers on IoT devices.
Attackers are always creating new ways of leveraging their malware toolset. This is an interesting use case, though probably not one that will appeal to most actors. Nonetheless, although a novel use of Mirai, it is just as dangerous as its predecessors and therefore needs to be properly eradicated before it causes any major damage.
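As an added defender-side example (not code from Dark Reading, Fortinet or the OMG sample itself), the following Python check audits a saved iptables ruleset for ACCEPT rules on ports outside a known baseline, the kind of change the "allow traffic on two random ports" behaviour described above would leave behind. The ruleset text and the baseline port set are constructed for the example.

```python
import re
from typing import List, Set, Tuple

# Constructed `iptables-save` style dump of a home router's filter table.
# The two ACCEPT rules on high ports imitate the "allow traffic on two random
# ports" behaviour described above; they are illustrative, not real OMG output.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 47812 -j ACCEPT
-A INPUT -p tcp --dport 20345 -j ACCEPT
COMMIT
"""

# Ports an administrator expects to be reachable on this device (assumed baseline).
EXPECTED_PORTS: Set[int] = {22, 80, 443}

# Matches an INPUT rule that accepts a single TCP/UDP destination port.
ACCEPT_RULE = re.compile(
    r"^-A INPUT\b.*?-p (tcp|udp)\b.*?--dport (\d+)\b.*?-j ACCEPT\s*$")


def accepted_ports(rules_text: str) -> List[Tuple[str, int]]:
    """Return (protocol, port) for every single-port ACCEPT rule in the INPUT chain."""
    found = []
    for line in rules_text.splitlines():
        match = ACCEPT_RULE.match(line.strip())
        if match:
            found.append((match.group(1), int(match.group(2))))
    return found


def unexpected_accepts(rules_text: str,
                       expected: Set[int] = EXPECTED_PORTS) -> List[Tuple[str, int]]:
    """Flag ACCEPT rules whose port is not in the baseline, in ruleset order.
    Newly opened high ports that nobody configured are worth investigating."""
    return [(proto, port) for proto, port in accepted_ports(rules_text)
            if port not in expected]


if __name__ == "__main__":
    for proto, port in unexpected_accepts(SAMPLE_RULES):
        print(f"unexpected ACCEPT rule: {proto}/{port}")
```

On a real device, feed it the output of `iptables-save` and maintain the baseline per device model; a pair of unexplained high-port ACCEPT rules is a signal to pull the device for inspection, not proof of infection.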
A new massive IoT botnet dubbed Satori has emerged, which security researchers fear can launch crippling attacks at any time.
The botnet has reportedly already infected over 280,000 IP addresses in just 12 hours, enslaving hundreds of thousands of home routers by exploiting a recently discovered zero-day vulnerability.
Satori, which reportedly means “Awakening” in Japanese, is actually the infamous Mirai botnet’s successor.
According to a new report by security researchers at Qihoo 360 Netlab, the Satori botnet can propagate rapidly by itself, which essentially makes it an IoT worm.
Dale Drew, chief security strategist at CenturyLink, told ArsTechnica that the Satori botnet has already infected two widely-used types of home routers by exploiting the recently-discovered zero-day flaw.
Qihoo 360 Netlab security researcher Li Fengpei told Bleeping Computer that there are some clues that hint at the possibility of Satori being linked to yet another Mirai-based botnet discovered last month.
Drew reportedly warned that the Satori botnet’s operators could launch an Internet-crippling DDoS attack at any time.
Mirai, the Internet-of-things malware that turns cameras, routers, and other household devices into potent distributed denial-of-service platforms, may be lying low, but it’s certainly not dead. Last week, researchers identified a new outbreak that infected almost 100,000 devices in a matter of days.
Over a span of 60 hours starting on November 22, the new Mirai strain was able to commandeer almost 100,000 devices.
As the underlying CVE-2016-10401 vulnerability description explains, affected ZyXEL devices by default use the same su, or superuser, password that makes it easier for remote attackers to obtain root access when a non-root account password is known.
The recently discovered Reaper botnet is significant because it doesn’t rely on passwords at all to spread. That raises the specter of outbreaks that infect devices even when owners or service providers have taken the time to change default credentials.
If the addition of two default credentials can recruit almost 100,000 new devices in less than three days, attackers likely have plenty of other ways to take over IoT devices in mass quantities.
IoT security vulnerabilities are going to continue to cause major problems for the Internet until countries enact minimum security baseline requirements. Consider that we are expected to have 20 billion IoT devices online by 2020. If we continue to allow IoT manufacturers to act like this is the wild west, things are only going to get exponentially worse.