February 16, 2017 by

Dreaded IoT Malware Mirai Spotted in a Windows Trojan

Mirai, the infamous strain of IoT-based malware that triggered an unprecedented distributed denial-of-service (DDoS) attack against prominent DNS provider Dyn leading to a sweeping blackout last year, has now been spotted in a Windows Trojan.

Researchers at Russian cybersecurity firm Dr.Web have discovered a Windows-based Trojan that distributes the Mirai IoT malware. Mirai is widely known as Linux-based malware that targets Internet-of-Things (IoT) devices, looking for insecure equipment such as CCTV cameras before enslaving it in a botnet. The operators of that botnet then use it to launch crippling DDoS attacks.

The Linux variant of the malware is already the most widespread Trojan on that platform. The new Windows program, dubbed Trojan.Mirai.1 by the researchers, connects to a command-and-control server to download a configuration file. This file contains a range of IP addresses against which the Trojan attempts to log in using credentials included in the same file. The Trojan then launches a scanner that checks several TCP ports simultaneously.

Once authenticated, the malware runs the commands that the configuration file specifies for that type of compromised system.

An excerpt from the Dr.Web report reads:

If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands…[W]hile connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.

The one exception is connections over RDP, for which no instructions are executed.
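The behaviour described above, a single Windows host working through a list of IP addresses and trying to log in on several TCP ports, leaves a distinctive trace in connection logs: one source address fanning out to many destinations on the same login port within a short time. The script below is an added defender-side example, not code from the Dr.Web report or from this article. It assumes a simple "timestamp key=value" connection-log format, the standard default ports for Telnet (23), RDP (3389) and Microsoft SQL Server (1433), and an alerting threshold and time window that are chosen for illustration; the log lines themselves are constructed inside the script.

```python
"""Flag hosts that fan out to many destinations on login ports (Telnet, RDP, MSSQL)
inside a short time window, the pattern a Trojan.Mirai.1-style scanner produces."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports the article names as the Trojan's login targets; the numbers are the
# standard defaults, the page itself does not list them.
SCAN_PORTS = {23: "telnet", 3389: "rdp", 1433: "mssql"}
FANOUT_THRESHOLD = 10          # distinct destinations per port before alerting (assumption)
WINDOW = timedelta(minutes=5)  # sliding window for the distinct-destination count (assumption)


def parse_line(line):
    """Parse one 'ts key=value ...' record (hypothetical format); None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, value = kv.split("=", 1)
            rec[key] = value
        rec["dport"] = int(rec["dport"])
        if "src" not in rec or "dst" not in rec:
            return None
        return rec
    except (ValueError, KeyError):
        return None


def max_distinct_in_window(events, window):
    """Largest number of distinct destinations seen in any `window`-long span.
    `events` is a list of (timestamp, dst) tuples sorted by timestamp."""
    counts = Counter()
    left = 0
    best = 0
    for ts, dst in events:
        counts[dst] += 1
        # Evict events that have fallen out of the window ending at `ts`.
        while ts - events[left][0] > window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: {service: peak_fanout}} for sources whose distinct-destination
    count on a login port reaches `threshold` within one window."""
    per_key = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SCAN_PORTS:
            continue
        per_key[(rec["src"], rec["dport"])].append((rec["ts"], rec["dst"]))
    alerts = {}
    for (src, dport), events in per_key.items():
        events.sort()
        peak = max_distinct_in_window(events, window)
        if peak >= threshold:
            alerts.setdefault(src, {})[SCAN_PORTS[dport]] = peak
    return alerts


def build_sample_log():
    """Constructed connection log (not real data): one host sweeping 30 addresses
    on Telnet and RDP, one host making two ordinary SQL Server connections."""
    t0 = datetime(2017, 2, 16, 10, 0, 0)
    lines = []
    for i in range(1, 31):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        for port in (23, 3389):
            lines.append(f"{ts} src=10.0.0.5 dst=10.0.1.{i} dport={port} proto=tcp action=allow")
    lines.append(f"{t0.isoformat()} src=10.0.0.9 dst=10.0.1.40 dport=1433 proto=tcp action=allow")
    later = (t0 + timedelta(minutes=1)).isoformat()
    lines.append(f"{later} src=10.0.0.9 dst=10.0.1.41 dport=1433 proto=tcp action=allow")
    lines.append(f"{t0.isoformat()} src=10.0.0.9 dst=10.0.1.42 dport=80 proto=tcp action=allow")
    lines.append("garbage line that does not parse")  # exercises the malformed-input path
    return lines


if __name__ == "__main__":
    for src, services in detect_scanners(build_sample_log()).items():
        print(f"possible scanner {src}: {services}")
```

Counting distinct destinations per port, rather than raw connection attempts, keeps a single host that retries one server from tripping the alert; the sliding window keeps a slow, legitimate administrator session spread over a day below the threshold while a sweep of a whole subnet in seconds stands out.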

From a compromised system, the Trojan can also spread to other Windows devices on the network, allowing the attackers to hijack additional machines.

If the compromised computer has Microsoft SQL Server installed, the Trojan even creates a database user with administrative privileges.

The Trojan can then launch new processes, create Windows package files, launch executable files with administrative privileges, set up auto-launch tasks, or delete files.

Toward the end of 2016, a Mirai attack affected nearly a million telecom customers in Germany, while a separate attack left hundreds of thousands of UK telecom users without any access to the internet.

Image credit: Pexels.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
