Mirai botnet adds three new attacks to target IoT devices

This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.
Written by Danny Palmer, Senior Writer

A new variant of the Mirai botnet has added at least three exploits to its arsenal, which enable it to target additional IoT devices, including routers and DVRs.

The new version of Mirai -- a powerful cyberattack tool which took down large swathes of the internet across the US and Europe in late 2016 -- has been uncovered by researchers at security company Fortinet, who have dubbed it Wicked after lines in the code.

The original version of Mirai was deployed to launch massive distributed denial-of-service (DDoS) attacks, but after its source code was published online it has also been modified for other purposes, including turning unpatched IoT devices into cryptocurrency miners and proxy servers for delivering malware.

While the original Mirai uses traditional brute force attacks in an attempt to gain control of IoT devices, Wicked uses known and available exploits in order to do its work. Many of these are old, but the inability of many IoT devices to actually install updates means they haven't been secured against known exploits.

Vulnerabilities used by Wicked include a Netgear R7000 and R64000 Command Injection (CVE-2016-6277), a CCTV-DVR Remote Code Execution and an Invoker shell in compromised web servers.

Following a successful compromise, Wicked downloads an additional payload in the form of Owari, another Mirai variant -- although researchers found that the Owari bot samples could no longer be found in the website directory and Wicked was now downloading the Omni bot.

According to Fortinet, this is the latest product by the malicious developer, although Owari had been previously distributed. Researchers have come to the conclusion that four IoT botnets -- Wicked, Sora, Owari and Omni -- are all by the same author.

"This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later re-purposed to serve the author's succeeding projects," wrote researchers.

IoT devices remain popular targets for cyber attackers -- not only do they often lack the security built into other products, but the very nature of the devices means they're often installed and forgotten about. In order to avoid falling victim to IoT hacks, users should regularly patch the devices when updates are available.

