New Mirai Botnet Variants Observed: How to Identify a Mirai-Style DDoS Attack

The Mirai Internet of Things (IoT) botnet, notorious for targeting connected household devices like cameras, alarm systems, and personal routers, continues evolving and poses significant cybersecurity threats. It has a history of executing massive DDoS attacks, including a major incident that disrupted much of America’s internet. Recently, the Imperva Threat Research team has observed considerable activity involving Mirai botnet malware campaigns exploiting known web vulnerabilities to target over 1,200 sites. These campaigns employed malicious URLs like hxxp://94.156.79.129/tenda.sh and hxxp://85.239.33.65/d.sh, delivering more than 200 malicious URLs or botnets.

These vulnerabilities have been targeted in over 780 customer accounts, affecting over 1,200 sites.

We have identified over 200 different malicious URLs used in these attacks, including:

code blog post

In total, we have obtained over 230 distinct malicious samples, including bash scripts and ELF binaries.

Typically, the malware is delivered by exploiting known web vulnerabilities, which are used to execute shell commands like wget or curl. These commands download a stage 1 bash script which then downloads and executes a second-stage binary tailored to the architecture of the target server.

Figure 1 code

The image shows an example of a bash script that, when executed, downloads a second-stage binary that installs the Mirai malware onto the infected host.

This surge in malicious URL delivery coincides with attackers’ increasing use of AI and machine learning to generate sophisticated DDoS attacks. AI has lowered the bar for DDoS attackers, broadening the threat landscape. Polymorphic malware, if AI-generated, could evade detection and infect systems on a massive scale. The combination of AI making DDoS attacks easier to launch and the resurgence of Mirai botnets presents a dual threat that organizations must be prepared to counter.

Understanding Mirai’s Mechanisms

A DDoS Botnet

A DDoS botnet attack is relatively straightforward. It gives commands to the control server, which then issues attack commands to each individual node (infected devices) in the botnet. These nodes, in turn, send attack traffic to the target.

Figure 2 diagram

Not all DDoS attacks come from botnets, but botnets are effective for several reasons:

Obfuscation: The attacker can conceal their identity from the victim.
Amplification: Using compromised systems allows the attacker to launch a larger attack.
Geographical Dispersion: A large botnet can span the globe, making the attack massively distributed and hard to mitigate.

Evolution of DDoS Botnets

Over time, the motivations behind DDoS attacks have shifted. Instead of merely trafficking in spam, botnet operators have found ways to monetize their efforts through extortion or by launching DDoS-for-hire platforms like Mirai.

Figure 3 DDOS Event

When discussing Mirai, the focus often shifts to the threat posed by household IoT devices. This does not account for all Mirai activity, but certain aspects make these personal devices attractive to attackers:

Large Numbers of Devices: Most people own a single computer, but likely have multiple internet-enabled appliances.
Weak Vendor Security: IoT appliances have historically lacked robust security measures.
Consumer Neglect: Consumers are less vigilant about securing their internet-connected devices than their personal computers.
Emerging Market Opportunity: The proliferation of IoT devices expands the pool of potential botnet nodes.
Homogenous Platforms: Unlike personal computers, IoT platforms are generally identical, making it easier for malware to spread.

Figure 4 diagrampng

Mirai’s Workflow

Mirai operates through three distinct workflows: scanning, infection, and attack.

Scanning Workflow

The scanning workflow identifies potential new members for inclusion in the botnet. It involves the following activities:

  • SYN Port Scan: Probing the internet to identify possible targets.
  • Brute Force Authentication: Performing simple pattern matches to gain access.
  • Report Success: Sending results to a centralized reporting server.

Infection Workflow

The infection workflow involves the following steps:

  • Scan Success Identified: Successful identification of vulnerable devices.
  • Loader Receives Data: The loader processes the data.
  • Loader Pushes Malware: The loader deploys the malware onto the target device.

Figure 5 Injection workflow

The malware code is cross-compiled for various architectures. The loader identifies the device’s architecture and loads the appropriate executable. Once the executable is running, the device becomes part of the botnet and begins scanning and attacking like any other node.

Attack Workflow

The attack workflow activates the DDoS attacks on the nodes inside the botnet:

  • Bot Master Issues Attack Command: The command is sent to the control server.
  • Command and Control System Dispatches Details: Nodes receive specific attack instructions.
  • Nodes Execute Attack: Nodes send packets quickly without rate limits.

During the attack, nodes continue their background scanning activities, never ceasing to search for new websites and devices to infect.

Figure 6 attack workflow

Covering Tracks and Competing

Mirai employs several strategies to protect itself from discovery and competition:

  • Self-Deletion: The malware deletes itself from the file system once running.
  • Process Concealment: It deletes itself from the running process list and alters its name to a randomized value.
  • Competition Blocking: Mirai searches for identifiers associated with competing botnets and kills those processes, taking over the system.

The Dual Threat of AI and Mirai

The resurgence of Mirai botnets and the increasing use of AI to facilitate DDoS attacks create a dual threat. AI-generated polymorphic malware can evade detection, making DDoS attacks easier to launch and harder to defend against. Organizations must be vigilant and prepared to counter these evolving threats.

Learn more about Imperva DDoS Protection.

The post New Mirai Botnet Variants Observed: How to Identify a Mirai-Style DDoS Attack appeared first on Blog.