Skilled Attacker Develops Advanced Windows Botnet to Spread Infamous Mirai Malware

Woburn, MA – February 21, 2017 – Kaspersky Lab experts are analyzing the first Windows-based spreader for the Mirai malware as part of a concerted effort to close down Mirai botnets in the wild. The Windows bot appears to have been created by a developer with more advanced skills than the attackers who unleashed the massive Mirai-powered DDoS attacks in late 2016, a fact that has worrying implications for the future use and targets of Mirai-based attacks. The malware author is likely to be Chinese-speaking and Kaspersky Lab data shows attacks on around 500 unique systems in 2017.

The Windows-based spreader is richer and more robust than the original Mirai codebase, but most of the components, techniques, and functionality of the new spreader are several years old. Its capacity for spreading the Mirai malware is limited: it can only deliver the Mirai bots from an infected Windows host to a vulnerable Linux IoT device if it is able to successfully brute-force a remote telnet connection.
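A defender-side illustration of the spreading behaviour described above, as an added example that is not from the Kaspersky release or its analysis: a small detector that flags an internal host fanning out telnet (TCP/23) connection attempts to many distinct devices within a short window, which is the traffic pattern an infected host produces while trying to brute-force IoT targets. The log line format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (assumed format):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2017-02-20T10:00:01 10.0.0.5 -> 192.0.2.10:23 SYN
2017-02-20T10:00:02 10.0.0.5 -> 192.0.2.11:23 SYN
2017-02-20T10:00:02 10.0.0.5 -> 192.0.2.11:23 SYN
2017-02-20T10:00:03 10.0.0.5 -> 192.0.2.12:23 SYN
2017-02-20T10:00:04 10.0.0.5 -> 192.0.2.13:23 SYN
2017-02-20T10:00:05 10.0.0.5 -> 192.0.2.14:23 SYN
2017-02-20T10:00:06 10.0.0.5 -> 192.0.2.15:23 SYN
2017-02-20T10:00:07 10.0.0.7 -> 192.0.2.10:23 SYN
2017-02-20T10:05:00 10.0.0.7 -> 198.51.100.8:443 SYN
2017-02-20T10:30:00 10.0.0.9 -> 192.0.2.20:23 SYN
"""

def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst, port = parts[3].rsplit(":", 1)
    return datetime.fromisoformat(parts[0]), parts[1], dst, int(port)

def telnet_spreader_alerts(log_text, min_targets=5, window=timedelta(minutes=1)):
    """Return {src: distinct telnet targets} for every source that reached at
    least min_targets distinct hosts on TCP/23 inside one sliding time window."""
    events = defaultdict(list)  # src -> list of (timestamp, dst) for port 23
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 23:
            events[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each window starts at evs[i]
        for i, (t0, _) in enumerate(evs):
            targets = {d for t, d in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

if __name__ == "__main__":
    print(telnet_spreader_alerts(SAMPLE_LOG))  # {'10.0.0.5': 6}
```

Tune min_targets and window to the normal telnet usage of the monitored network; legitimate management traffic rarely touches many distinct devices on port 23 within a minute.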

Despite this limitation, the code is clearly the work of a more experienced developer, although probably one who is new to the Mirai game. Artefacts such as language clues in the software, the fact that the code was compiled on a Chinese system, with host servers maintained in Taiwan, and the abuse of stolen code-signing certificates from Chinese companies, suggest that the developer is likely to be Chinese-speaking.

“The appearance of a Mirai crossover between the Linux platform and the Windows platform is a real concern, as is the arrival on the scene of more experienced developers. The release of the source code for the Zeus banking Trojan in 2011 brought years of problems for the online community – and the release of the Mirai IoT bot source code in 2016 will do the same for the Internet. More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code. A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning,” said Kurt Baumgartner, principal security researcher, Kaspersky Lab.

According to Kaspersky Lab telemetry data, almost 500 unique systems were attacked in 2017 by this Windows bot, with the attempts both detected and blocked.

Based on the geolocation of IP addresses involved in the second stage of attack, the countries most vulnerable are emerging markets that have invested heavily in connected technology, such as India, Vietnam, Saudi Arabia, China, Iran, Brazil, Morocco, Turkey, Malawi, the United Arab Emirates, Pakistan, Tunisia, Russia, Moldova, Venezuela, the Philippines, Colombia, Romania, Peru, Egypt and Bangladesh.

Kaspersky Lab is working with CERTs, hosting providers and network operators to address this growing threat to the internet’s infrastructure by taking down a significant number of command and control servers. The quick and successful takedown of these servers minimizes the risk and disruption that fast-growing IoT-based botnets present. Since Kaspersky Lab can leverage its experience and relationships with CERTs and providers throughout the world, the company has been able to help expedite these efforts.

Kaspersky Lab products detect and protect against both the Windows bot and the Mirai bots it spreads. Relevant to this research are the following verdicts:

Trojan.Win32.SelfDel.ehlq
Trojan.Win32.Agentb.btlt
Trojan.Win32.Agentb.budb
Trojan.Win32.Zapchast.ajbs
Trojan.BAT.Starter.hj
Trojan-PSW.Win32.Agent.lsmj
Trojan-Downloader.Win32.Agent.hesn
Trojan-Downloader.Win32.Agent.silgjn
Backdoor.Win32.Agent.dpeu
HEUR:Trojan-Downloader.Linux.Gafgyt.b
DangerousPattern.Multi.Generic (UDS)

To learn more about the tools and techniques of the Windows-based Mirai spreader you can read the blog on Securelist.com.