Mirai IoT Malware Now Infecting Windows Systems

Recent reports revealed a new development in the march of the infamous Mirai malware, which was responsible for the headline-grabbing DDoS attacks against DNS provider Dyn at the end of last year. Kaspersky Lab discovered a new Windows-based spreader for the Mirai malware that has already been planted on over 500 unique systems during 2017, effectively creating a new Windows botnet for Mirai.

The Windows-based spreader appears to have been created by a developer with advanced skills, and has a richer and more sophisticated code and components than the original Mirai malware.  Its capacity for spreading Mirai malware is limited, because it can only deliver it from an infected Windows host to a vulnerable Linux IoT device by brute-forcing a remote telnet connection. But nonetheless, it is described by researchers as a “real concern” and has sparked fears of the botnet spreading to a plethora of newly available devices that were previously unavailable to attackers. So what does it really mean for the world of cybersecurity?

Mirai code is becoming more potent and sophisticated

At the end of last year Corero predicted that the size of the Mirai botnet, which is currently believed to have a population of around 300,000 compromised devices, could increase significantly if hackers amend the source code to include root credentials for other types of vulnerable devices. The new spreader allows cyber criminals to do precisely that. The Windows variant of the Mirai code is used to herd IoT devices that may not have otherwise been accessible from the Internet. Indeed, the IoT will continue to make up a significant portion of the ‘future’ of DDoS attacks, as many of these devices are broadband connected, many have poor and default security administration, and many are not software upgradeable, allowing Mirai to remain a persistent threat.

The motivations for DDoS attacks are endless, and the range of potential political and economic fallout from such attacks could be far-reaching. Our entire digital economy depends upon access to the Internet, so organizations should think carefully about business continuity in the wake of such events.

Certainly the Internet community needs to prepare for new methods like this to be added to botnets like Mirai. Given the combination of zero-day DDoS vectors, Mirai delivery mechanisms and attacker ingenuity, it’s likely that Terabit-scale attacks will continue to occur, threatening internet availability in entire geographic regions. Individual DDoS attacks, on average, cost large enterprises $444,000 per incident in lost business and IT spending, so the combined economic impact from an entire region being affected would be extremely damaging.

ISPs Must Play a Role in Reducing DDoS Attacks

In the wake of recent IoT-related DDoS attacks many have encouraged manufacturers to install proper security controls on internet-connected devices before they are issued. That’s a step in the right direction, but ISPs also have an important role to play in reducing the number of future DDoS attacks.

At a local level, ISPs could significantly reduce the overall volume of DDoS attacks across their networks by employing systems to detect and remediate infected bots that are used to launch DDoS attacks. Furthermore, they can leverage best practices such as ingress filtering to remove the problem of spoofed IP addresses that are widely used in reflection DDoS attacks. This simple improvement to service provider hygiene would be a great initial step towards reducing the overall volume of DDoS traffic. These steps can’t protect against the full spectrum of DDoS attacks, but they would speed up the global response to attacks.

The only proper way to mitigate against IoT-based DDoS attacks is to use a defense solution that detects and stops attacks in real-time. It is only by using an always-on, automatic mitigation system that it is possible to negate the flood of attack traffic at the Internet edge, eliminate service outages and allow security personnel to focus on uncovering any subsequent malicious activity, such as data breaches.

To find out more, please contact us

Leave a Reply