Mirai-infected bots can now cross over from the Windows platform to embedded Linux systems via the help of a previously active botnet.
In January 2016, researchers at Kaspersky Lab first detected the Windows botnet, which has been serving bot components since at least August 2014, pushing out Mirai downloaders. The platform crossover they observed is limited in scope. The spreader helps Mirai bots leap from a Windows host to a Linux host only if it can brute force a remote telnet connection. Given this condition, Mirai can’t purely hop from Windows to Linux.
But what they observed is still cause for concern. As the Kaspersky team explains in a blog post:
“Regardless, it’s unfortunate to see any sort of Mirai crossover between the Linux platform and the Windows platform. Much like the Zeus banking trojan source code release that brought years of problems for the online community, the Mirai IoT bot source code release is going to bring heavy problems to the internet infrastructure for years to come, and this is just a minor start.”
Many of the bots pushed out by the Windows spreader appear to be signed with certificates stolen from a solar and semiconductor grinding wafer products manufacturer in Northwest China. That’s not the only link between the botnet and China, however. Other aspects about the bot code, including word choice and the fact it was compiled on a Chinese system, suggest the developer is Chinese speaking.
The bots are capable of brute forcing over telnet, SSH, and WMI. They’re also capable of SQL injection and IPC techniques.
Infection proceeds over the course of several stages, with components embedded in JPEG comments. The botnet’s downloaders all spread the Linux variant over telnet to vulnerable devices like IP-based cameras, DVRs, and products powered by Raspberry Pi and Banana Pi. They can also copy a downloader and execute it if tftp or wget aren’t present.
Targets in India have been hardest hit by this component. Vietnam, Saudi Arabia, China, and Iran have also seen numerous attacks.
These techniques (and their documented successes) bode well for the future of Mirai but not for individual users. As Kaspersky explains:
“The addition of a Chinese-speaking malware author with access to stolen code-signing certificates, with the ability to rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world, and the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the juvenile, stagnating, but destructive Mirai botnet operations of 2016. It introduces newly available systems and network for the further spread of Mirai bots. And it demonstrates the slow maturing of Mirai now that the source is publicly available.”
News of this component follows four months after another variant of Mirai targeted Dyn’s DNS infrastructure and took down Shopify, Twitter, and several other popular web services.