Newly observed variants of the Mirai botnet pack domain generation algorithm (DGA) features that haven’t been associated with previous Mirai samples, security researchers warn.
Mirai emerged several months ago as just another Internet of Things (IoT) botnet, but managed to make a name for itself fast, after it was used in large distributed denial of service (DDoS) attacks against the websites of security blogger Brian Krebs and hosting provider OVH in late September. However, it was only after the malware’s source code was made public in early October that interest in Mirai spiked.
By the end of October, researchers found that Mirai infected devices in 164 countries around the world, preying on their weak security credentials. Also in October, Mirai was said to have been used in a massive DDoS attack against DNS provider Dyn, which resulted in many popular websites becoming inaccessible for some of their users.
As expected, the public availability of Mirai’s source code resulted in numerous new malware variants being created, including a Mirai-based worm that used the TR-064 protocol for sending commands to infected devices. According to researchers with Network Security Research Lab at 360, at least 53 unique Mirai samples exist, given that they have been captured by their honeypots from 6 hosting servers.
What’s more, the researchers reveal that newly spotted Mirai samples that spread through TCP ports 7547 and 5555. Moreover, the researchers discovered that the malware author who uses the email address dlinchkravitz[at]gmail[dot]com has already registered some of the generated domains.
According to the security researchers, the analysed malware samples use 3 top-level domains (TLDs), namely .online, .tech, and .support, with each layer 2 (L2) domain having a fixed length of 12-bytes, with each character randomly chosen from ‘a’ to ’z’. The security researchers also note that the generated domain is only determined by month, day and hardcoded seed string.