Cyber-criminals have used Mirai as a framework on which to build improved IoT malware with new capabilities in the years since it broke, according to a new report from Netscout Arbor.
The DDoS mitigation expert claimed that Mirai was nothing short of revolutionary when it first appeared in 2016, helping to launch some of the biggest attacks ever recorded.
These include one against DNS provider Dyn which took some of the biggest names on the internet offline by harnessing the power of botnets of compromised consumer-grade IoT devices like DVRs and CCTV cameras.
Realizing the Mirai authors were onto a good thing, others have followed, with the emergence of several new variants including Satori, JenX, OMG and Wicked.
While Mirai originally worked by scanning for devices secured only by factory default log-ins, Satori makes the code even more effective by adding remote-code injection exploits.
JenX removed various features from the Mirai code and instead relies on external tools for scanning and exploitation.
OMG goes further still by adding HTTP and SOCKS proxy capabilities.
“With these two features, the bot author can proxy any traffic of its choosing through the infected IoT device,” said Netscout. “Including additional scans for new vulnerabilities, launching additional attacks, or pivot from the infected IoT device to other networks which are connected to the device.”
Finally, the most recent discovery, dubbed Wicked, replaces the credential scanning of Mirai with RCE vulnerability scanning, specifically in Netgear routers and CCTV-DVR devices.
“Within the RCE exploit, Wicked would include instructions to download and execute a copy of the Owari bot,” the security firm continued. “Often, the scanning and exploitation of devices can be automated, resulting in any susceptible devices becoming part of the botnet.”
The continued popularity of Mirai-like malware makes prompt patching by users and IT admins, together with DDoS mitigation strategies, essential, said Netscout.
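The scanning behaviour described above (Mirai probing for devices with factory-default telnet log-ins, and its successors probing for exploitable devices in the same way) leaves a distinctive footprint in perimeter logs: one source touching the telnet port on many hosts in a short time. The following is an added detection example, not code from the Netscout report or from any of the malware families it names. The log format, the sample lines, the choice of ports 23 and 2323 and the thresholds are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real traffic): one source sweeps
# telnet across six hosts in four seconds and gets one accepted connection;
# a second source makes two isolated telnet attempts half an hour apart.
SAMPLE_LOG = """\
2018-06-01T10:00:00 src=198.51.100.7 dst=192.0.2.10 dport=23 action=deny
2018-06-01T10:00:01 src=198.51.100.7 dst=192.0.2.11 dport=23 action=deny
2018-06-01T10:00:01 src=198.51.100.7 dst=192.0.2.12 dport=2323 action=deny
2018-06-01T10:00:02 src=198.51.100.7 dst=192.0.2.13 dport=23 action=deny
2018-06-01T10:00:03 src=198.51.100.7 dst=192.0.2.14 dport=23 action=deny
2018-06-01T10:00:04 src=198.51.100.7 dst=192.0.2.15 dport=23 action=accept
2018-06-01T10:00:05 src=203.0.113.9 dst=192.0.2.10 dport=443 action=accept
2018-06-01T10:00:06 src=203.0.113.9 dst=192.0.2.10 dport=23 action=deny
2018-06-01T10:30:00 src=203.0.113.9 dst=192.0.2.11 dport=23 action=deny
"""

# Ports treated as IoT telnet scan targets (assumption for this example).
IOT_SCAN_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Parse the key=value log format assumed above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],
        })
    return events


def detect_scanners(text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources that probe at least `threshold` distinct hosts on the scan
    ports within any `window`; returns {src: max distinct hosts seen in a window}."""
    per_src = defaultdict(list)
    for e in parse_log(text):
        if e["dport"] in IOT_SCAN_PORTS:
            per_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, probes in per_src.items():
        probes.sort()
        best = 0
        # Sliding window anchored at each probe: count distinct targets reached
        # before the window expires. Quadratic, fine for a batch of log lines.
        for i, (start, _) in enumerate(probes):
            targets = set()
            for ts, dst in probes[i:]:
                if ts - start > window:
                    break
                targets.add(dst)
            best = max(best, len(targets))
        if best >= threshold:
            flagged[src] = best
    return flagged


def exposed_targets(text, scanners):
    """Hosts that accepted a telnet connection from a flagged scanner: these are
    the devices to check first for default credentials and missing firmware updates."""
    return sorted({
        e["dst"] for e in parse_log(text)
        if e["src"] in scanners
        and e["dport"] in IOT_SCAN_PORTS
        and e["action"] == "accept"
    })


if __name__ == "__main__":
    hits = detect_scanners(SAMPLE_LOG)
    print("scanning sources:", hits)
    print("devices that accepted a scanner's telnet connection:", exposed_targets(SAMPLE_LOG, hits))
```

The isolated attempts from the second source fall below the window threshold and are not flagged, which keeps the rule focused on the mass-scan pattern rather than on any single failed log-in. The accepted connection is the finding that matters most for the patching and credential-hardening advice above, since it identifies a device that is actually reachable by the scanner.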