Don't panic over new Mirai botnet

Kaspersky Lab has moved to calm the panic over the discovery of an advanced Windows botnet spreading the Mirai malware. It has issued both a press release and a more detailed blog on the subject. The language used in the press release is at odds with that of the blog, which doesn’t help. However, the underlying message from both is that while this discovery raises the threat level, it is not the start of botageddon.

Kurt Baumgartner, Principal Security Researcher, Kaspersky Lab

In the press release, Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab, said: “The appearance of a Mirai crossover between the Linux platform and the Windows platform is a real concern, as is the arrival on the scene of more experienced developers. The release of the source code for the Zeus banking Trojan in 2011 brought years of problems for the online community – and the release of the Mirai IoT bot source code in 2016 will do the same for the Internet.

“More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code. A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning.”

Meanwhile, a technical blog from the Kaspersky Lab Global Research & Analysis Team says: “A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices. This is not the case. Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant. So let’s make a level-headed assessment of what is really out there.”

Mike Ahmadi, Global Director, Critical Systems Security at Synopsys, said: “Popular malware spreads much like fashion trends throughout the world of cyber hacking, and the Mirai BotNet is indeed the height of cyber hacking fashion today, and may very well hold this position until something bigger and better comes along. Large scalable attacks draw lots of the attention hackers crave, and I believe it is just a matter of time before the hacking community begins exploiting the thousands of known and scalable vulnerabilities found in IoT devices worldwide, which are currently waiting their turn for the spotlight.”

What is the deal with this new Mirai botnet?

According to Baumgartner, this new “Windows-based spreader is richer and more robust than the original Mirai codebase.” That is not good news, because hardening the spreader and providing a better interface will increase its longevity and effectiveness. Surprisingly, it also turns out that most of the components and techniques are several years old. This does not mean it can be ignored. SQL injection attacks were being discussed almost 20 years ago and have been in the top 10, even top 5, web app vulnerability lists for a number of years.

It currently uses infected Windows hosts to attack vulnerable Linux IoT devices. To do that it needs to brute-force a remote telnet connection. This is where all the confusion and panic is occurring. Many people are ignoring the need to create a telnet connection. Instead, they have focused on the Linux IoT devices where being vulnerable is a default state for many manufacturers.
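A defender can look for the telnet brute-forcing described above in network flow data. The following is an added example, not code from Kaspersky Lab or the original article; the flow-line format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

TELNET_PORTS = {23}  # the article mentions telnet only; extend for your own devices

def parse_flow(line):
    """Parse 'ISO-timestamp src dst dport' (a constructed format, not a real product's)."""
    ts, src, dst, dport = line.split()[:4]
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_telnet_bruteforcers(lines, window=timedelta(minutes=1), max_attempts=5):
    """Return {src: {dst: peak}} for sources that open more than max_attempts
    telnet connections to one destination inside any sliding window."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    flagged = defaultdict(dict)
    for ts, src, dst, dport in sorted(parse_flow(l) for l in lines if l.strip()):
        if dport not in TELNET_PORTS:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) > max_attempts:
            flagged[src][dst] = max(flagged[src].get(dst, 0), len(q))
    return {src: dict(dsts) for src, dsts in flagged.items()}

def build_sample():
    """Constructed flow lines: one noisy host, one admin session, HTTPS noise."""
    start = datetime(2017, 2, 21, 10, 0, 0)
    lines = []
    for i in range(8):
        t = (start + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{t} 10.0.5.23 192.0.2.10 23")    # repeated telnet logins
        lines.append(f"{t} 10.0.5.23 192.0.2.11 23")    # second device, same source
        lines.append(f"{t} 10.0.7.40 198.51.100.7 443")  # unrelated HTTPS traffic
    # An administrator who connects twice, ten minutes apart, must not be flagged.
    lines.append(f"{start.isoformat()} 10.0.9.4 192.0.2.10 23")
    lines.append(f"{(start + timedelta(minutes=10)).isoformat()} 10.0.9.4 192.0.2.10 23")
    return lines

if __name__ == "__main__":
    for src, targets in find_telnet_bruteforcers(build_sample()).items():
        print(src, targets)
```

A flagged source that turns out to be a Windows workstation or server is worth triaging first, since those hosts rarely have a legitimate reason to open repeated telnet sessions to IoT devices.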

Who is under attack?

So far it has had limited success. Baumgartner disclosed that Kaspersky Lab has evidence of 500 attempts this year to infect systems. Success was mixed, but the company has declined to say what the success rate is. The attacker is focusing on countries that are rapidly adopting IoT. Many of them have a severe deficit of cyber security skills. Among those countries named in the release are the six ASEAN countries that NEC has signed a deal to help protect. It also includes countries in the Middle East, North Africa, South America and Russia.

Kaspersky Lab's analysis is that this Windows spreader was created by someone who is Chinese speaking. There are several indicators that have led to this conclusion. The code was compiled on a Chinese system, it uses stolen code-signing certificates from Chinese companies, and the command and control servers are based in Taiwan. The blog lists the known IP addresses of the C&C servers to allow companies to add them to blacklists.


Mirai caused major problems with last year's attacks, but this latest discovery does not presage botageddon. Despite the panicky response of some commentators, however, there are good reasons to be concerned. Kaspersky accepts that this is the work of an experienced bot herder. This means that they have the experience and even the machines to keep refining this code.

With all the evidence pointing to Taiwan or China as the place of origin, this does raise the stakes. Both countries are key players in the explosion of IoT devices, especially for the home. Few of those devices have any security, making them easy to attack. It will be interesting to see if attackers attempt to infect some devices at source. This means that companies need to rethink their approach to IoT. Devices should be kept isolated from the Internet until they have had a security assessment.

This will be hard for a lot of organisations that do not have the skills, time or money to test and secure every IoT device. There is also the risk to their companies from the explosion of IoT in the homes of their workers. There is a need for the IT industry to come up with solutions to the threat of another IoT meltdown. If it doesn’t, we are going to see at least one major takedown of the Internet in 2017. It just remains to be seen when, where and how bad it will be.

