The Mirai botnet has begun using a Windows Trojan to expand with bitcoin mining capability. IBM’s secruity research team X-Force found a new variant of the malware ELF Linux/Mirai with the built-in bitcoin mining capability.
The Mirai botnet was created to find and embed onto Internet of Things (IOT) devices to expand the botnet, and to engage in distributed denial of service (DDoS) strikes. An IBM report described successful attacks of this botnet in the past year. The variant was found August 2016 by MalwareMustDie, a security researcher. The attacks included one on DynDNS that slowed traffic on much of the U.S. East Coast.
The use of IOT devices to mine for bitcoins is novel. Krebs on Security addressed bitcoin mining bots four years ago in a case where PCs served as the hosts. Mining bitcoins, however, is CPU intensive. It would take a number of compromised devices to make bitcoin mining a high revenue opportunity.
Attackers would be more likely to attack a bitcoin exchange, as evidenced by previous cases. But the possibility exists that the malware users want to mine bitcoin by compromising IoT devices.
A recent ELF Linux/Mirai campaign that was short-lived but high in volume used a bitcoin miner slave and attacked IBM X-Force clients.
Traffic containing links to ELF 64-bit binary files emerged in March 2017. Activity jumped by 50 percent in a four-day period, then subsided after eight days.
Attack Came In Stages
The attack occurred in stages, first exploiting the victim system, according to David McMillen, senior threat researcher at IBM Security Services. The miner was a second-stage infection, as the bitcoin client wasn’t embedded in the Mirai malware. The miner was part of an archive of files containing a Mirai dropper, a bitcoin miners slave, a Linux shell and Dofloo backdoor.
The same Mirai functionality was found in a sample ported from the Windows version but with a focus on Linux machines running BusyBox. BusyBox offers stripped down Unix tools in digital video recording servers and an executable file. It uses Telnet, which is targeted with a brute force tool in the Mirai software. The DVR servers use the default Telnet credentials, which is why they were targeted.
The Telnet protocol serves as the gateway to undermining IOT devices, many of which use Telnet’s remote access functions.
Mirai bots can conduct the usual attacks using multiple flooding tools with HTTP, UDP and TCP protocols. In addition, the WL4-A0ACM1 Windows version has other capabilities like brute force attack tools and SQL injection.
Bitcoin Miner Slave
The bitcoin miner slave raised the question of how effective a bitcoin miner would be operating on an IOT device lacking the ability to create a lot of bitcoins. But considering Mirai’s ability to attack thousands of devices simultaneously, the miners could act in unison as a miner consortium.
A Mirai dropper was found in a web console. The site served as a malware package archive repository containing a real-time counter of infected victims.
All stakeholders must act to protect devices, including enterprise and home users in addition to manufacturers. DDoS botnets could become bitcoin miners.
Featured image from Shutterstock.