Mirai is an example of the newest trend in rapidly evolving, constantly improving malware. These seven variants show how threat actors are making bad malware worse.
Where Mirai is relatively broad in scope, able to plant itself on many different routers and devices, Satori is quite specific. Discovered in December 2017, Satori takes advantage of vulnerabilities in two devices: Realtek’s UPNP SOAP interface and Huawei’s home gateway.
In addition to the device changes, Satori differs from Mirai (in at least some versions) by changing the way it propagates. Whereas Mirai uses the venerable telnet protocol, several Satori versions take advantage of device-specific communications protocols to spread to new targets.
With Satori, malware developers have added targets and communication protocols to a functional core of capabilities.
Unlike Satori, Okiru — based, in part, on Satori’s improvements to Mirai — is broad in its scope. Okiru targets systems with an Argonaut RISK Core (ARC) processor and uses executable and linkable format (ELF) distribution files.
The ARC target is important because ARC processors are used in a vast number of IoT devices. In addition, ELF files are commonly used as a distribution source for Linux applications; using them for Okiru brings into reach IoT devices running a Linux variant as the embedded OS.
Some researchers consider Okiru, first identified in January 2018, to be a version of Satori. But the advances in target architecture and distribution method show the kind of evolution that gives Okiru a name of its own.
Malware can exploit vulnerabilities in many things, but threat actors love a protocol exploit because it can hit so many targets. Masuta and its PureMasuta subvariant take advantage of SOAP to convince targeted devices to run commands issued by the threat actor.
Masuta is presumed to have been created by the same developer who built the Satori botnet, but the code for Masuta demonstrates “professional development” both in the additional functionality and in the way the programmer covered identifying tracks left in the code.
The development in Masuta shows not only the evolution of an exploit family but the evolution of an individual programmer — and is typical of the kind of skills development researchers are seeing more frequently in the malware world.
Where Masuta widened Mirai’s (and Satori’s) scope with more SOAP, PureMasuta bring it back to a specific vulnerability first found on D-Link routers in 2015. PureMasuta exploits a known vulnerability in HNAP (Home Network Administration Protocol), which is based on SOAP.
Once again, PureMasuta shows how a hacker develops skill, building exploit on exploit and trying new targets. PureMasuta’s programmer, Nexus Zeta, has so far specialized in SOAP exploits. That’s a trivial limitation, though, given SOAP’s ubiquity in the modern Internet world.
The old saying goes, “There’s more than one way to skin a cat.” There’s also more than one way to monetize a botnet, and the OMG Mirai variant takes a commercial tack that is far removed from the original.
Where all the variants of Mirai discussed so far were DDoS engines, OMG, just like the original, uses 3proxy, an open source proxy server, to turn any infected device into a proxy server that can then be used for a variety of purposes. OMG even goes so far as to check for, and rewrite, firewall rules to ensure that the ports used by the new proxy server can transit the network perimeter with no trouble.
OMG provides a network of proxy servers that can be rented out for use by a huge number of clients, whether they’re looking for DDoS generators, a SPAM network, crypto-jacker scheme, or ransomware empire. No matter the demand, the OMG proxy network can provide the illicit proxy.
Like many family trees, Mirai has branches that shoot directly from the original root and others that are a bit farther out in the canopy. IoTroop is one of the latter, but it’s curving back to rejoin the main stem, making it more interesting than your average third cousin, twice removed.
IoTroop has Mirai code as its foundation, but it is a variant that has taken a huge leap from its roots. It begins with the way that IoTroop infects a device. Whereas Mirai uses brute force user ID and password guessing, IoTroop searches for vulnerabilities to exploit.
Then come the big changes: IoTroop doesn’t place a Mirai-style DDoS engine on a device. Instead, it places a loader that constantly communicates with a C&C server. The server can then pass any one of a number of payloads to the victim device, turning the network into whatever illicit form someone is willing to pay for.
Wicked Mirai is the most recent major variation on a theme, and it adds a dangerous capability to the Mirai family tree: persistence.
Wicked Mirai takes many of the advances in other variants, such as vulnerability scanning and a payload downloaded on demand from a C&C server, and adds code to the firmware in many common residential routers that makes the malware persistent – that is, able to remain on the device through reboots.
Mirai will likely continue to evolve and develop. It has also shown to the malware market the possibility of rapid code evolution and an agile mindset. The question for the security world is whether the defender can evolve as quickly, or as effectively, as the attacker.