Mirai 2.0

‘Mirai’ is the name given to a strain of ‘Internet of Things’ malware that came to light in the second half of 2016. The Trojan is used by criminals to carry out DDoS attacks from the devices it compromises. Security researchers referred to the malicious executable as Linux.Mirai; the sample had the following SHA1 value: 7e0e07d19b9c57149e72a7ed266e0c8aa5019a6f.

At the time, this Trojan was only capable of infecting Linux-based devices. A new version has since been discovered that infects Windows hosts. Its role is not to launch DDoS attacks itself: it scans for further victims and plants the Linux malware on the Linux devices it finds.

Previously, Mirai worked by picking random IP addresses and trying to log in to Linux-based devices over Telnet and SSH with default usernames and passwords. On a successful login it ran a set of commands that turned the victim device into a Mirai DDoS bot.

According to Dr.Web, the new version of the Mirai malware is called Trojan.Mirai.1. Dr.Web describes the new version as:

“A Trojan for Microsoft Windows written in C++. Designed to scan TCP ports from the indicated range of IP addresses in order to execute various commands and distribute other malware.”

“When launched, the Trojan connects to its command and control server, downloads the configuration file (wpd.dat) and extracts the list of IP addresses. Then the scanner is launched: it refers to the listed addresses and simultaneously checks several ports.”

The original Mirai malware only attacked devices over Telnet and SSH, but according to Dr.Web the new Trojan probes a wider set of ports. The ports, and the services normally found on them, are:

  • 22 – SSH
  • 23 – Telnet
  • 135 – DCE/RPC (Microsoft RPC endpoint mapper)
  • 445 – SMB (Microsoft-DS; file sharing and remote administration on Windows)
  • 1433 – Microsoft SQL Server
  • 3306 – MySQL
  • 3389 – RDP
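As an added example (not from Dr.Web's write-up or the original post), the following SQL hunts for this scanning pattern in a connection log. The table layout and the sample rows are constructed for the example: it assumes one row per connection attempt with a timestamp, source IP, destination IP and destination port, as a firewall or NetFlow collector would export into a SQL-backed log store. The query flags any source that reached at least five distinct hosts across at least three of the seven ports the Trojan probes; both thresholds are my choice and should be tuned to the network.

```sql
-- Constructed sample connection log (not real traffic): one sweeping host, one ordinary one.
CREATE TABLE conn_log (
    ts       VARCHAR(19),   -- 'YYYY-MM-DD HH:MM:SS'
    src_ip   VARCHAR(45),
    dst_ip   VARCHAR(45),
    dst_port INT
);

INSERT INTO conn_log (ts, src_ip, dst_ip, dst_port) VALUES
  -- 10.0.0.25 walks a list of hosts and tries several of the Trojan's ports on each
  ('2017-02-10 09:00:01', '10.0.0.25', '10.0.1.10', 22),
  ('2017-02-10 09:00:01', '10.0.0.25', '10.0.1.10', 23),
  ('2017-02-10 09:00:01', '10.0.0.25', '10.0.1.10', 445),
  ('2017-02-10 09:00:01', '10.0.0.25', '10.0.1.10', 3389),
  ('2017-02-10 09:00:02', '10.0.0.25', '10.0.1.11', 22),
  ('2017-02-10 09:00:02', '10.0.0.25', '10.0.1.11', 135),
  ('2017-02-10 09:00:02', '10.0.0.25', '10.0.1.11', 1433),
  ('2017-02-10 09:00:02', '10.0.0.25', '10.0.1.11', 3306),
  ('2017-02-10 09:00:03', '10.0.0.25', '10.0.1.12', 23),
  ('2017-02-10 09:00:03', '10.0.0.25', '10.0.1.12', 445),
  ('2017-02-10 09:00:03', '10.0.0.25', '10.0.1.13', 22),
  ('2017-02-10 09:00:03', '10.0.0.25', '10.0.1.14', 3389),
  -- 10.0.0.40 is an admin workstation: repeated RDP to two servers is not a sweep
  ('2017-02-10 09:01:00', '10.0.0.40', '10.0.1.50', 3389),
  ('2017-02-10 09:05:00', '10.0.0.40', '10.0.1.50', 3389),
  ('2017-02-10 09:09:00', '10.0.0.40', '10.0.1.51', 3389);

-- Sources that touched many distinct hosts on the Trojan.Mirai.1 port set.
-- In the sample data this returns 10.0.0.25 (5 targets, 7 distinct ports) and nothing else.
SELECT src_ip,
       COUNT(DISTINCT dst_ip)   AS targets,
       COUNT(DISTINCT dst_port) AS distinct_ports,
       MIN(ts)                  AS first_seen,
       MAX(ts)                  AS last_seen
FROM conn_log
WHERE dst_port IN (22, 23, 135, 445, 1433, 3306, 3389)
GROUP BY src_ip
HAVING COUNT(DISTINCT dst_ip)   >= 5
   AND COUNT(DISTINCT dst_port) >= 3;
```

The statements are plain SQL and run unchanged on SQLite, PostgreSQL and SQL Server. In production, group by a time bucket as well as by source (the Trojan checks several ports on each address at once, so a sweep is compact in time), and allow-list your own vulnerability scanners and jump hosts, which match the same pattern for legitimate reasons.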

What the Trojan does after a successful connection depends on the target's operating system and on the service it connected to.

After a successful connection over any of these services except RDP, the Trojan executes the set of commands given in its configuration file; a connection over RDP is not followed by any commands.

– If the victim device runs Linux OS

  • Over Telnet, it runs a series of commands that turn the device into a new Mirai DDoS bot: the Trojan has the device download a binary file, and that file in turn downloads and launches Linux.Mirai.

– If the device runs Windows OS

  • The malware drops a copy of itself on the new host, which then carries on scanning for and attacking further devices.

– If the service it reached is a database server (MS SQL or MySQL), the Trojan creates a new user with administrative privileges.

For MS SQL

It creates a DBMS login named Mssqla with the password Bus3456#qwein and adds it to the sysadmin server role. Running as that login, and using what Dr.Web calls the SQL Server event service (SQL Server Agent is the component that schedules and runs jobs on behalf of a login), it then executes a series of tasks.

For MySQL

The Trojan creates a user named MySQL with the password phpgod and grants that account several privileges.
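The following hunting queries for the database side of the infection are an added example, not part of the original article or of Dr.Web's analysis. The first section is T-SQL to be run on the SQL Server instance, the second is for MySQL; each section is run on its own server. They look for the exact account names Dr.Web reports and, since a later build could easily use different names, also for any recently created sysadmin member, any SQL Server Agent job that runs operating-system commands, and any MySQL account holding FILE or SUPER. The 30-day window is an assumption; the catalog views and columns are standard in SQL Server 2008+ and MySQL 5.7+.

```sql
-- ===== SQL Server (T-SQL): run on the instance as a sysadmin or a login with VIEW SERVER STATE =====

-- 1. The login Dr.Web reports the Trojan creating.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE name = 'Mssqla';

-- 2. Any member of the sysadmin role created in the last 30 days (window is an assumption).
SELECT m.name AS member, m.type_desc, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
  AND m.create_date >= DATEADD(day, -30, SYSDATETIME());

-- 3. SQL Server Agent jobs owned by that login, created recently, or whose steps run
--    OS commands (CmdExec / PowerShell subsystems) rather than T-SQL.
SELECT j.name AS job, SUSER_SNAME(j.owner_sid) AS owner, j.date_created,
       s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE SUSER_SNAME(j.owner_sid) = 'Mssqla'
   OR j.date_created >= DATEADD(day, -30, SYSDATETIME())
   OR s.subsystem IN ('CmdExec', 'PowerShell');

-- 4. Whether xp_cmdshell, the usual route from sysadmin to OS commands, is enabled (1 = on).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- ===== MySQL: run as an account that can read the mysql schema =====

-- 5. The account Dr.Web reports, with the privilege flags that matter most.
SELECT User, Host, Super_priv, File_priv, Grant_priv, password_last_changed
FROM mysql.user
WHERE User = 'MySQL';

-- 6. Every account holding FILE or SUPER, whatever its name: FILE lets a client write
--    files on the server host, which is how a database account becomes a foothold.
SELECT User, Host, Super_priv, File_priv, password_last_changed
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y';
```

A hit on queries 1 or 5 is a direct indicator; hits on 2, 3 and 6 need triage against your change records, since legitimate DBA work produces the same rows. If the accounts are found, remove the Agent jobs and any autorun entries they created before dropping the login, or the persistence will survive the cleanup.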

SHA1 hashes

The following Trojan.Mirai.1 SHA1 hashes were shared by www.securityaffairs.co:

  • 9575d5edb955e8e57d5886e1cf93f54f52912238
  • f97e8145e1e818f17779a8b136370c24da67a6a5
  • 42c9686dade9a7f346efa8fdbe5dbf6fa1a7028e
  • 938715263e1e24f3e3d82d72b4e1d2b60ab187b8

Sources

  • https://news.drweb.com/show/?i=11140&lng=en
  • https://vms.drweb.com/virus/?_is=1&i=14934685
  • https://news.drweb.com/show/?i=10218&c=23&lng=en&p=0
  • http://securityaffairs.co/wordpress/56103/malware/windows-mirai-bot.html