Malware

The source code of the Mirai IoT botnet leaked online. Do you trust it?

A hacker released the source code of the Mirai malware that powered the record-breaking DDoS attack against the Brian Krebs Website, but …

A couple of weeks ago the unknown hackers launched a massive Distributed Denial of Service (DDoS) attack against the website of the popular cyber security investigator Brian Krebs.

Further investigation revealed the involvement of a powerful botnet composed of more than 1 million Internet of Things used to launch the DDoS attack, the devices were infected by a certain malware that is now in the headlines because its code was publicly disclosed.

A reference to the malicious code was spotted by Brian Krebs on the popular criminal hacker forum Hackforum. The Hackforum user with moniker “Anna-senpai” shared the link to the source code of the malware “Mirai.”

“The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed ‘Mirai’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” reported Krebs.

The Mirai malware was specifically designed to infect Internet of Things (IoT) devices using the credential factory settings, a circumstance that is quite common in the wild.

The first group of research that published a detailed analysis of the Mirai malware is the MalwareMustDie crew.

Experts from MalwareMustDie analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/ Mirai,  which was targeting IoT devices. The name of the malware is the same of the binary,”mirai.*,” and according to the experts, several attacks have been detected in the wild.

The ELF Linux/Mirai is very insidious, when the MalwareMustDie team discovered it many antivirus solutions were not able to detect the threat.

“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, popular brands of DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming.” states the analysis from MalwareMustDie Blog.

The last ELF examined by Security Affairs was the Linux Trojan Linux.PNScan that has actively targeting routers based on x86 Linux in an attempt to install backdoors on them.

But MalwareMustDie tells us that Linux/Mirai “is a lot bigger than PnScan”.

And continues: “The threat was starting campaign in early August even if this ELF is not easy to be detected since it is not showing its activity soon after being installed: it sits in there and during that time, no malware file will be left over in system, all are deleted except the delayed process where the malware is running after being executed.”

The reason why not so many people know it”, says MalwareMustDie – “is that antivirus thinks it is a variant of Gafgyt or Bashlite or Bashdoor, or what hackers refer as LizKebab/Torlus/Gafgyt/Qbots. Then, the real samples of this malware is hard to get since most malware analysts have to extract it from memory on an infected device, or maybe have to hack the CNC to fetch those.”

This means that also the forensic analysis can be difficult if we switch off the infected device: all the information would be lost and maybe it would be necessary start again with a new infection procedure, in case.

Back to the present, let’s read the announcement made by Anna-senpai.

“When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO,” Anna-senpai wrote. “So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

“So, I am your senpai, and I will treat you real nice, my hf-chan,” Anna-senpai added, cheekily using the Japanese honorific for a fellow classmate.”

While many experts are investigating the reason why the hacker published the code of the Mirai Malware online, authoritative experts have doubts about its authenticity.

Someone speculate that the hackers behind the threat intend to spread the Mirai malware code around to make hard the investigation of the last string of DDoS attacks, including the one against Brian Krebs’s website.

“Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home,” wrote Krebs“Publishing the code online for all to see and download ensures that the code’s original authors aren’t the only ones found possessing it if and when the authorities come knocking with search warrants.”

I contacted the MalwareMustDie research team for a comment.

“When the Mirai malware was we firstly published on the Internet, it was widespread news, almost everyone knows that, including the Mirai herder/seller actor who just “released” the malicious code. He didn’t act anything that time. The code was originally coded by a third-party and was used to run services by the mentioned actor w/modification etc. We suspect, it is NOT the original one, but it is partial or modified version with the intent to leak it. He is not sharing it generously. If a blackhat actor leaks such level of codes with that kind of disclosure, experiences has tons of proof that must be something not right behind it. He wanted us to believe it is legit, I ask you now: “How would you trust a criminal actor?’s statement””

The statement above looks making much sense, looking at the thread in the forum where the source was published, there was hardly found successfully built test as per instruction that the bad actor “generously leaked.”

“So (I asked MalwareMustDie), what is the purpose of leaking something that doesn’t work as per expected? What was leaked then?” The replied is:

“Yes, the “leaked code” was partially looked like Mirai functionality, but is that all of the code? I suspiciously don’t think so..“”

He also added: “Who would trust the blackhat bad actor’s statement? I urge him to surrender himself to the law before he makes some more announcement”

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Linux Mirai malware, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

1 hour ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

15 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

22 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.