New Mirai botnet lurks in the Tor network to stay under the radar

The malware’s command center is hidden to make takedowns a more complicated process.
Written by Charlie Osborne, Contributing Writer

A new variant of the Mirai botnet has been discovered which utilizes the Tor network to prevent command server takedowns or seizure. 

Mirai is an Internet of Things (IoT) botnet which has been used in distributed denial-of-service (DDoS) attacks in the past against prominent websites. 

The botnet tends to focus on enslaving IoT devices including routers, surveillance cameras, smart home appliances, and vehicles through brute-force attacks and the automatic cracking of default credentials.

Soon after the botnet was used to attack a website belonging to prominent security expert Brian Krebs, Mirai source code was released into the wild, allowing others to develop and launch their own variants. 

Evolved versions of Mirai include Okiru, Satori, Masuta, and PureMasuta. In March, a variant of Mirai was spotted which targets smart signage TVs and wireless presentation systems. 

See also: Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

On Wednesday, researchers from Trend Micro said the new strain of the botnet contains the same functions as other samples. These include remote access and control through vulnerable, open ports and default credentials, as well as the ability to perform DDoS attacks and User Datagram Protocol (UDP) floods. 

The latest Mirai sample focuses on TCP ports 9527 and 34567, which could indicate a preference for enslaving IP cameras and DVRs. 

However, this variant is interesting given the location of the malware's command-and-control (C2) server. When C2 servers are present in the 'clear' web, it is possible to quickly send takedown requests to neuter or at least to mitigate the damage of malware infections -- however, when they are hidden through .onion addresses and the Tor network, this can be a more challenging task.

CNET: Huawei ban: Full timeline on how and why its phones are under fire 

"This may be a developing trend among IoT malware developers, given that malicious actors' C&C servers in the surface web can be reported and taken down -- and it's one trend that cybersecurity researchers, enterprises, and users alike may have to start defending against," the researchers say. 

In total, Mirai strains will usually have between one and four C2s. In this case, there were 30 hard-coded IP addresses present and socks5 proxies were used to communicate with servers in the Tor network. If one connection fails, the malware will try another server on its list. 

TechRepublic: 5 experimental cybersecurity trends your business needs to know about

This is far from the first time that malware has attempted to anonymize itself and become more difficult to combat by using Tor, but Trend Micro says this could be a "possible precedent for other evolving IoT malware families."

"Because of Tor's available environment, the server remains anonymous, therefore keeping the malware creator and/or C&C owner unidentifiable," the researchers added. "Likewise, the server remains running despite discovery, network traffic can masquerade as legitimate and remains encrypted, and it may not necessarily be blacklisted due to other possible legitimate uses for Tor."

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards