New Mirai IoT Botnet Found

May 20, 2018


The Mirai IoT botnet has been utilized to carry out a few of the biggest distributed denial of service (DDoS) attacks ever seen. Since the announcement of the source code in October 2016, there have been many variations of the botnet created. Now a new variation has been identified, which has been called Wicked, because of some of the strings in the source code.

The new variation was found by security scientists at Fortinet, who informed that the new malware variation includes three new abuses which are used to spread the malware. The original Mirai botnet depended on brute force attacks to gain access to weak IoT devices. Although the abuses are not new, several IoT appliances are not updated frequently and remain susceptible to old abuses.

The Wicked botnet checks ports 8080, 8443, 80, and 81 and starts a fresh socket SYN connection on the targeted appliance. As soon as the connection is made, attempts are made to abuse weaknesses to copy the hateful payload by writing exploit strings to the socket. Different activities are used dependent on the port where the link was set up.

On port 8080, Netgear DGN1000 and DGN2200 v1 router exploits are utilized, a CCTV-DVR distant code execution exploit is utilized on port 81, and Netgear R7000 and R6400 command injection exploits are utilized on port 8443. An invoker shell exploits in compromised web servers is utilized on port 80, leveraging hateful web shells already fixed on those web servers.

The scientists first thought the new bot was being utilized as a downloader to fix a different botnet called Sora due to the presence of the string SoraLOADER in the source code. Nevertheless, more research exposed the bot connects to a hateful domain to copy the Owari bot – a variation of Mirai.

Although attempts seem to be made to copy Owari, no samples of the Owari bot might be found in the website directory, in its place they discovered samples of a different bot called Omni.

The scientists found an interview between a threat actor working under the name Wicked, who has earlier been involved with two botnets: Sora and Owari. Wicked declared in that interview that Sora has been retired, even though work was continuing on Owari.

Additional research indicates that both Sora and Owari have now been discarded, and now the present project is exclusively Omni. The Fortinet scientists think Wicked is accountable for creating all four botnets: Wicked, Owari, Sora, and Omni.