Researchers at Dr Web spotted a Windows version of the Mirai bot

Pierluigi Paganini February 08, 2017

Researchers at the antivirus firm Dr.Web discovered a new strain of the Mirai bot, a Windows variant, targeting more ports.

Security experts at the antivirus firm Dr.Web discovered a new strain of the Mirai bot targeting more ports, and it is a Windows version of the popular IoT malware.

The Windows version of the Mirai bot was being used by some criminals to infect IoT devices and carry out DDoS attacks through the spreading of the Mirai Linux malware.

“One of the recent developments on the Mirai malware front was discovered by Russian cyber-security firm Dr.Web, whose experts came across a Windows trojan built with the sole purpose of helping Mirai spread to even more deviceswrote

The Mirai malware was spotted by the researcher MalwareMustDie in August 2016, it was specifically designed to target IoT devices.

mirai bot

It infected thousands of routers and IoT devices, including DVRs and CCTV system). When the Mirai bot infects a device, it chooses random IPs and attempts to log via the Telnet and SSH port using a list of admin credentials.

Back to the present, the researchers from Dr. Web dubbed the threat Trojan.Mirai.1.

“A Trojan for Microsoft Windows written in C++. Designed to scan TCP ports from the indicated range of IP addresses in order to execute various commands and distribute other malware.” states Dr. Web.

“When launched, the Trojan connects to its command and control server, downloads the configuration file (wpd.dat) and extracts the list of IP addresses. Then the scanner is launched: it refers to the listed addresses and simultaneously checks several ports.”

Unlike the original Mirai Linux malware, Trojan.Mirai.1 scans more ports.

“The Trojan can address the following ports:

 * 22
 * 23
 * 135
 * 445
 * 1433
 * 3306
 * 3389

When the Trojan.Mirai.1 succeeds infecting a new device, if the device runs the Linux OS, it executes a series of commands, which end up with the creation of a new DDoS Mirai bot. Instead, if the device that has been infected is is running the Windows OS, it releases a copy of itself.

“It also creates DBMS user with login Mssqla and password Bus3456#qwein, grants him sysadmin privileges. Acting under the name of this user and with the help of SQL server event service, various tasks are executed.” continues the analysis.

“The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.”

Below some Trojan.Mirai.1’s hash in SHA1:

  • 9575d5edb955e8e57d5886e1cf93f54f52912238
  • f97e8145e1e818f17779a8b136370c24da67a6a5
  • 42c9686dade9a7f346efa8fdbe5dbf6fa1a7028e
  • 938715263e1e24f3e3d82d72b4e1d2b60ab187b8

Written by: @GranetMan

Granet is a young and Junior IT Security Researcher, he is passionate in Linux, Arduino, Digital Forensics, Cyber Security, Free software and Malware Analysis



[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Mirai bot, IoT)

[adrotate banner=”13″]

you might also like

leave a comment