A couple of weeks ago the unknown hackers launched a massive Distributed Denial of Service (DDoS) attack against the website of the popular cyber security investigator Brian Krebs.
Further investigation revealed the involvement of a powerful botnet composed of more than 1 million Internet of Things used to launch the DDoS attack, the devices were infected by a certain malware that is now in the headlines because its code was publicly disclosed.
A reference to the malicious code was spotted by Brian Krebs on the popular criminal hacker forum Hackforum. The Hackforum user with moniker “Anna-senpai” shared the link to the source code of the malware “Mirai.”
“The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed ‘Mirai’ spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.” reported Krebs.
The Mirai malware was specifically designed to infect Internet of Things (IoT) devices using the credential factory settings, a circumstance that is quite common in the wild.
The first group of research that published a detailed analysis of the Mirai malware is the MalwareMustDie crew.
Experts from MalwareMustDie analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/ Mirai, which was targeting IoT devices. The name of the malware is the same of the binary,”mirai.*,” and according to the experts, several attacks have been detected in the wild.
The ELF Linux/Mirai is very insidious, when the MalwareMustDie team discovered it many antivirus solutions were not able to detect the threat.
“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, popular brands of DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming.” states the analysis from MalwareMustDie Blog.
The last ELF examined by Security Affairs was the Linux Trojan Linux.PNScan that has actively targeting routers based on x86 Linux in an attempt to install backdoors on them.
But MalwareMustDie tells us that Linux/Mirai “is a lot bigger than PnScan”.
And continues: “The threat was starting campaign in early August even if this ELF is not easy to be detected since it is not showing its activity soon after being installed: it sits in there and during that time, no malware file will be left over in system, all are deleted except the delayed process where the malware is running after being executed.”
“The reason why not so many people know it”, says MalwareMustDie – “is that antivirus thinks it is a variant of Gafgyt or Bashlite or Bashdoor, or what hackers refer as LizKebab/Torlus/Gafgyt/Qbots. Then, the real samples of this malware is hard to get since most malware analysts have to extract it from memory on an infected device, or maybe have to hack the CNC to fetch those.”
This means that also the forensic analysis can be difficult if we switch off the infected device: all the information would be lost and maybe it would be necessary start again with a new infection procedure, in case.
Back to the present, let’s read the announcement made by Anna-senpai.
“When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO,” Anna-senpai wrote. “So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
“So, I am your senpai, and I will treat you real nice, my hf-chan,” Anna-senpai added, cheekily using the Japanese honorific for a fellow classmate.”
While many experts are investigating the reason why the hacker published the code of the Mirai Malware online, authoritative experts have doubts about its authenticity.
Someone speculate that the hackers behind the threat intend to spread the Mirai malware code around to make hard the investigation of the last string of DDoS attacks, including the one against Brian Krebs’s website.
“Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home,” wrote Krebs“Publishing the code online for all to see and download ensures that the code’s original authors aren’t the only ones found possessing it if and when the authorities come knocking with search warrants.”
I contacted the MalwareMustDie research team for a comment.
“When the Mirai malware was we firstly published on the Internet, it was widespread news, almost everyone knows that, including the Mirai herder/seller actor who just “released” the malicious code. He didn’t act anything that time. The code was originally coded by a third-party and was used to run services by the mentioned actor w/modification etc. We suspect, it is NOT the original one, but it is partial or modified version with the intent to leak it. He is not sharing it generously. If a blackhat actor leaks such level of codes with that kind of disclosure, experiences has tons of proof that must be something not right behind it. He wanted us to believe it is legit, I ask you now: “How would you trust a criminal actor?’s statement””
The statement above looks making much sense, looking at the thread in the forum where the source was published, there was hardly found successfully built test as per instruction that the bad actor “generously leaked.”
“So (I asked MalwareMustDie), what is the purpose of leaking something that doesn’t work as per expected? What was leaked then?” The replied is:
“Yes, the “leaked code” was partially looked like Mirai functionality, but is that all of the code? I suspiciously don’t think so..“”
He also added: “Who would trust the blackhat bad actor’s statement? I urge him to surrender himself to the law before he makes some more announcement”
— Odisseus (@_odisseus) 1 ottobre 2016