Slashdot Mirror


New Variants of Mirai Botnet Detected, Targeting More IoT Devices (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Mirai, the "botnet" malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016 -- including one against the website of security reporter Brian Krebs -- has gotten a number of recent updates. Now, developers using the widely distributed "open" source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems.

Researchers at Palo Alto Networks' Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, base band radios for cellular communications and digital signal processors. The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018.

36 comments

  1. MAGA Country! by Anonymous Coward · · Score: 0


    d888888b d8888b. db . .db .88b, d88. d8888b.
      ~ 88 ~ 88 `8D. 88 . .88 88'YbdP`88 88, `8D
      . 88 . 88oobY' 88 . .88 88. 88 .88 88oodD'
      . 88 . 88`8b . 88 . .88 88. 88 .88 88
      . 88 . 88 `88. 88b_ d88 88. 88 .88 88
      . YP . 88 . YD ~Y8888P' YP. YP .YP 88

    .d888b.. .d88b.. .d888b.. .d88b.
    VP. `8D .8P. 88. VP. `8D .8P. 88.
    .. odD' 88. d'88. . odD' 88. d'88
    ..88'. .88 d' 88. .88'. .88 d' 88
    j88.. . `88. d8' j88.. . `88. d8'
    888888D. `Y88P'. 888888D. `Y88P'

    1. Re: MAGA Country! by Anonymous Coward · · Score: 0

      It's not a particularly clever variant any more than the rest. It's similar to selective sampling of traffic to get port numbers by searching for colon symbols. The development technique requires a lot of data to get a small set of targets. It gets fooled a lot, kind of like the line "street number: 20035" is obviously not a properly formed URL scheme with port. It might then attempt to connect to said port and then use buffer overruns to execute hundreds of megabytes of code. Do a little research. My guess would be it's really easy to stop with a single anti-malware technique like noqueue.

    2. Re: MAGA Country! by Anonymous Coward · · Score: 0


      d888888b d8888b. db . .db .88b, d88. d8888b.
        ~ 88 ~ 88 `8D. 88 . .88 88'YbdP`88 88, `8D
        . 88 . 88oobY' 88 . .88 88. 88 .88 88oodD'
        . 88 . 88`8b . 88 . .88 88. 88 .88 88
        . 88 . 88 `88. 88b_ d88 88. 88 .88 88
        . YP . 88 . YD ~Y8888P' YP. YP .YP 88

      .d888b.. .d88b.. .d888b.. .d88b.
      VP. `8D .8P. 88. VP. `8D .8P. 88.
      .. odD' 88. d'88. . odD' 88. d'88
      ..88'. .88 d' 88. .88'. .88 d' 88
      j88.. . `88. d8' j88.. . `88. d8'
      888888D. `Y88P'. 888888D. `Y88P'

    3. Re: MAGA Country! by Anonymous Coward · · Score: 0

      Funny. It sounds like trying to build a model from test data. It wouldn't be an accurate model and you would immediately see quality degradation as soon as it saw real data. Fear not. Like phishing.

  2. Y A N G G A N G 2020! SECURE THE BAG! by Anonymous Coward · · Score: 0

    All citizens receive $1000 month freedom dividend!

  3. Remember kids ... by dc29A · · Score: 3, Funny

    The 'S' in IoT stands for 'Security'.

  4. Oh goody by JustAnotherOldGuy · · Score: 1

    Yay, more malware. Just what we need.

    --
    Just cruising through this digital world at 33 1/3 rpm...

    1. Re:Oh goody by Anonymous Coward · · Score: 0

      Just remember it was written by some a-hole.

      A deliberate act of terrorism.

      They need to be found and have all their fingers removed!

    2. Re:Oh goody by Anonymous Coward · · Score: 0

      There will always be people that can and will do this stuff.
      There needs to be a lockdown on security with IoT.

      And this is not just malware. A worm, a legit virus.

  5. Hosts files to the rescue YET AGAIN... apk by Anonymous Coward · · Score: 0

    0.0.0.0 timeserver.host
    0.0.0.0 securityupdates.us
    0.0.0.0 l.ocalhost.host

    * The last entry in hosts prevents the executable that does this thing's "dirty work" (& it rotates IP addresses so hostname's THE way here) per https://securelist.com/new-wav... (some entries are IP addresses you want to add to your firewall rules tables too).

    APK

    P.S.=> For the best hosts file multiplatform:

    APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)

    APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)

    Soon for MacOS too (I just got a NEW Mac-Mini to port it there too)... apk

    1. Re: Hosts files to the rescue YET AGAIN... apk by Anonymous Coward · · Score: 0

      Enough. You sound like a pawn of Mirai Botnet. Go play on YouTube. It's actually a very nice website and service. It has videos. Literally millions of them. Go outside. Blink at the sun.

    2. Re: Hosts files to the rescue YET AGAIN... apk by Anonymous Coward · · Score: 0

      Enough. You sound like a pawn of Mirai Botnet. Go play on YouTube. It's actually a very nice website and service. It has videos. Literally millions of them. Go outside. Blink at the sun.

      This is what lonely desperate insecure old has-beens compulsively do. They turn into a one-note song. They cling to their single mediocre accomplishment, their one characterizing thing, and work it into every possible conversation no matter how much it is unwanted or unappreciated. It's like with every post, he is saying "WHY WON'T YOU JUST LOVE ME?!?!"

      Perhaps soon he will start spamming big walls of text, to drown out those bad men who say hurtful truths.

    3. Re:Hosts files to the rescue YET AGAIN... apk by Anonymous Coward · · Score: 0

      I didn't know your shitware worked on embedded devices. Also as always you are a day late and a dollar short, maybe you can post that incomplete list of the times your work failed to prevent an attack that you are so fond of posting and then state that your work is becoming even more ineffective. Must be hard being a washed up has been who never was.

    4. Re:Hosts files to the rescue YET AGAIN... apk by Anonymous Coward · · Score: 0

      MIRAI isn't limited to IoT devices only.

  6. Times change on /. by Anonymous Coward · · Score: 0

    Remember when posts here that warned of the stupidity/danger of the IoT were routinely derided, mocked and down voted here? Good times.

    1. Re:Times change on /. by Anonymous Coward · · Score: 0

      Remember when posts here that warned of the stupidity/danger of the IoT were routinely derided, mocked and down voted here? Good times.

      Yes, just like back in the day when some of us knew that the federal government included an intelligence apparatus which could and would spy on American citizens, Constitution be damned, due to total lack of accountability. We were tin-foil-hat-wearing nutters. Then Snowden came along. Then it became a thing (the main thing lacking in the Constitution is a very harsh criminal penalty for public officials who knowingly violate it).

      Being ahead of the mainstream (in both cases, due to the mainstream's sense of denial) is never easy. You get constantly attacked by lesser minds who lack insight because they're totally focused on what is convenient and comfortable for them, not on what is logical or consistent with known history. Too many people operate from how they want things to be, not how they can observe that they are. It's the kind of naivete one might expect from a child.

  7. Monetize or Politicize? by Anonymous Coward · · Score: 0

    Every time I see one of these stories it makes me think... If a state actor or whistle blower wanted to get their info out to the public, then delivery via exploit vector would bypass the obviously censored press.

    Hell, even a guy with some damaging information and armed with even older exploit vectors readily available in exploit toolkits could massively disrupt the political apparatus of any nation.

    I mean, shit, if I worked in a COINTELPRO capacity and knew of anyone who had some damaging information I might not pester them too much lest it be my fault that said release happened due to my actions.

    In fact, I might just fuck off with that shit before something terribad happened.

    1. Re: Monetize or Politicize? by Anonymous Coward · · Score: 0

      Hey that's pretty good. You got curse words in every paragraph

      Hell, shit, fuck, fuck this shit.

      Well done! I bet you are a hit at parties

  8. MAGA by raind · · Score: 1

    My attorney got arrested. Doesn't matter when it's backdoored.

    --
    Get up!

  9. Cadence Tensilica Xtensa by Anonymous Coward · · Score: 0

    The Espressif ESP8266 and ESP32 SoCs run Tensilica Xtensa cores and are used for WiFi connectivity in all sorts of connected devices.

    You can pick up generic modules with circuit board antennas for $2. I use one of them to control my Christmas lights.

    1. Re:Cadence Tensilica Xtensa by arglebargle_xiv · · Score: 1

      That's a weird set of processors, Nios II and Microblaze are either soft-cores or IP blocks on an FPGA, they aren't really used on consumer equipment. And who uses OpenRISC at all? Did they do this just because they can?

    2. Re:Cadence Tensilica Xtensa by Zocalo · · Score: 1

      Mirai doesn't really target PCs; its main focus is embedded systems, especially routers and (obviously) IoT devices in both consumer and industrial spaces, so I guess the authors are mostly trying to expand their attack space. They've already added a whole bunch of additional vendors and device types since the original version, so I guess this is just the next stage down the long tail of being able to attack as much as possible. My understanding is the Mirai code is very modular and fairly easy to add new exploits, so maybe the effort of doing so was trivial enough that someone just decided to add the extra modules and see how effective they are?

      Alternatively, there's definitely a lot of interest from state-sponsored and ransomware-pushing APTs in targeting infrastructure/industry so maybe that's the motivation for the new processor additions, rather than consumer space devices? Once you've pwned a device, if you can also brick it at the flip of a software switch the potential for the next major cyberattack or WannaCry against another entity is definitely something those groups would be interested in, and infrastructure and industry are going to be much higher profile and/or more lucrative than a random consumer.

      --
      UNIX? They're not even circumcised! Savages!

    3. Re:Cadence Tensilica Xtensa by Anonymous Coward · · Score: 0

      That's a weird set of processors, Nios II and Microblaze are either soft-cores or IP blocks on an FPGA, they aren't really used on consumer equipment. And who uses OpenRISC at all? Did they do this just because they can?

      FPGAs make up a significant portion (in 2014 it was close to 40%, probably more these days) of the ICs the US DoD purchases, as they are used in pretty much every military 'thing' the government purchases these days (tanks, fighter jets, missiles, etc). Xilinx FPGAs are the majority of what the DoD buys. Microblaze is a soft core that is run in the fabric of Xilinx FPGAs. OpenRiscV cores are slowly becoming popular to synthesize in the fabric as well.

      Now, this is just my opinion - but I'd say these devices would be a pretttty attractive target for a lot of different organizations.

  10. Has been? You're a NEVER WAS or will be by Anonymous Coward · · Score: 0

    Has been? You're a NEVER WAS or will be! I'm just doing the right thing putting out a useful tool in a world of malicious attacks to help others out vs. them.

    HOW EFFECTIVE IS IT?? Take a peek (far from complete as to what /. reported on no less) https://yro.slashdot.org/comme...

    * You give me your guff for THAT?

    (Please - I don't see YOU doing BETTER on any front!)

    APK

    P.S.=> No, miserable MISANTHROPES like you? You'll never achieve anything & STALK (or impersonate) ME online BEHIND UNIDENTIFIABLE anonymous troll posts, lol - some "accomplishment" for YOU, Jealous "Lil' Jowie" (the do-NOTHING "ne'er-do-well")... apk

    1. Re:Has been? You're a NEVER WAS or will be by Anonymous Coward · · Score: 0

      Apparently that one stuck in your craw. Noted. At least you are providing some very funny entertainment.

      By the way, you did spam some walls of text, exactly as predicted. Validating the previous poster. That's how science works you know. A theory makes testable predictions. You validated it.

  11. LOL! YOU sound like... apk by Anonymous Coward · · Score: 0

    LOL! YOU sound like the author of the Mirai botnet that doesn't like I'm showing others how to protect themselves vs. your machinations.

    APK

    P.S.=> As to the rest of your statement: I do those things quite often - do you? apk

  12. I am APK the LORD of HOSTS by Anonymous Coward · · Score: 0

    I am APK the great "LORD of HOSTS", a.k.a. AlecStaar from ArsTechnica or Alexander Peter Kowalski.

    See subject & APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / I . a m . a . f u c k i n g / a s s h o l e . r e t a r d . z i p (remove spaces between characters & download).

    I am the godlike creator of various GUI front-ends for other people's configuration files.

    Don't call me out on anything as I will state that you are a webmaster and that I cut off your revenue stream.

    You must be conspiring with the Jews and Soros if you disagree with me.

    Mistaking mockery and parody for impersonation is how I think people flatter me because I can't possibly understand that they detest me.

    When presented with facts I rebut them with wild speculations, false support, and out of context quotes

    Bask in my debilitating mental illness

    Watch as I claim I am world class and a winner but in reality I am a fucking loser.

    Witness my descent into madness

    APK

  13. Learn to READ illiterate moron... apk by Anonymous Coward · · Score: 0

    The only incomplete thing's /. missing reports of other malwares (instead reporting "SJW" bs) https://yro.slashdot.org/comme...

    LEARN TO READ MORON!

    (Since THAT is what I said in the link above - Not your ADD/ADHD/Dyslexic MISINTERPRETATION brain-damaged retard assburger brain 'thought' (using the term loosely since thought is a foreign concept to "your kind" (& so are good deeds + decent accomplishment))

    Yes, your doltish BRAIN (lol) is "incomplete" too.

    * Shitware?

    DOZENS of our REGISTERED /. PEERS say otherwise (you're outnumbered dozens++:1) w/ ~200++K users worldwide liking/using my work (not your "notthereware", lol) & everyone's SEEN my quoted lists of those folks (who don't praise your LACK OF EFFORT & SKILLS, lmao - but THEY DO MINE...).

    APK

    P.S.=> You ASSBURGER defective brained DO-NOTHING "ne'er-do-well" types that STALK me by UNIDENTIFIABLE anonymous trollings (or impersonate me proving you WISH you were me, as imitation IS the sincerest form of flattery)? You're just JEALOUS "Lil' Jowies", lol & you KNOW it (proving it constantly) - HAS BEEN = ME? LOL - you're a NEVER WAS or WILL BE lmao... apk

    1. Re:Learn to READ illiterate moron... apk by Anonymous Coward · · Score: 0

      You might be more successful at hawking your stuff if you weren't such a hostile ass wipe. I've got software that hundreds of thousands of people have used too but do I give a shit? Nope, I'm just doing my job.

  14. IoT Default Password Scanner by Anonymous Coward · · Score: 0

    If it hasn't been done already, now is probably a good time to audit your environment for any IoT devices that may be using default or easily guessed passwords. Either the open source or paid version of IoT Crusher (https://opcode41.com/) makes a great place to start.

  15. Addendum/UPDATE (more C&C's to block) by Anonymous Coward · · Score: 0

    0.0.0.0 srrys.pw
    0.0.0.0 tr069.pw
    0.0.0.0 mziep.pw

    * See parent post https://it.slashdot.org/commen... for more/original batch as well...

    APK

    P.S.=> SOURCE (same as I used yesterday, just updated) https://securelist.com/new-wav... ... apk
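
Added example (not part of the thread and not any poster's code): a hosts file only applies to the machine it is installed on and matches exact hostnames, so this sketch instead searches a network resolver's query log for the hostnames listed in the two hosts-file posts above, to show which clients looked them up. The dnsmasq `log-queries` line format, the sample log lines and the client addresses are assumptions constructed for illustration, and matching subdomains goes beyond the exact-name entries in the posts.

```python
import re
from collections import defaultdict

# Hostnames copied from the two hosts-file posts in this thread.
BLOCKED = frozenset({
    "timeserver.host", "securityupdates.us", "l.ocalhost.host",
    "srrys.pw", "tr069.pw", "mziep.pw",
})

# Assumed log format: dnsmasq with log-queries enabled, e.g.
#   "... dnsmasq[812]: query[A] name from client-ip"
QUERY_RE = re.compile(
    r"query\[[A-Za-z0-9-]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def matched_domain(name, blocked=BLOCKED):
    """Return the blocked domain that name equals or sits under, else None."""
    labels = name.rstrip(".").lower().split(".")
    # Compare on label boundaries so "nottr069.pw" does not match "tr069.pw".
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def find_hits(log_lines, blocked=BLOCKED):
    """Map each client address to the sorted blocked domains it queried."""
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue  # replies, forwards and unrelated lines
        domain = matched_domain(m.group("name"), blocked)
        if domain:
            hits[m.group("client")].add(domain)
    return {client: sorted(domains) for client, domains in hits.items()}


# Constructed sample lines (not real traffic); addresses are placeholders.
SAMPLE_LOG = [
    "Mar 20 10:15:01 gw dnsmasq[812]: query[A] tr069.pw from 192.168.1.23",
    "Mar 20 10:15:02 gw dnsmasq[812]: query[A] example.com from 192.168.1.10",
    "Mar 20 10:15:07 gw dnsmasq[812]: query[AAAA] x1.SRRYS.pw. from 192.168.1.23",
    "Mar 20 10:16:30 gw dnsmasq[812]: query[A] nottr069.pw from 192.168.1.40",
    "Mar 20 10:16:31 gw dnsmasq[812]: reply tr069.pw is 0.0.0.0",
    "Mar 20 10:17:00 gw dnsmasq[812]: query[A] l.ocalhost.host from 192.168.1.31",
]

if __name__ == "__main__":
    for client, domains in sorted(find_hits(SAMPLE_LOG).items()):
        print(f"{client} queried: {', '.join(domains)}")
```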

  16. Further PROOF you WISH you were ME by Anonymous Coward · · Score: 0

    Further PROOF you WISH you were ME is your post IMPERSONATING me, lol. Grow up dolt. Do something useful w/ your WASTED "ne'er-do-well" DO-NOTHING zero of a so-called 'life' (for your OWN sake, pitiful as you are).

    Make a Wheel https://isc.sans.edu/forums/di... as I did giving users more speed/security/reliability & anonymity NATIVELY doing more for less vs. ANY single 'solution' via the best hosts file multiplatform!

    APK

    P.S.=> APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p

    APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... ... apk

  17. No, the truth of what I wrote stuck in yours by Anonymous Coward · · Score: 0

    No, the truth of what I wrote stuck in yours (hence your reply proving it, lmao): That truth is that YOU aren't even a "has been" - you're a NEVER WAS or WILL be, ever.

    APK

    P.S.=> What a WASTE OF LIFE you are - seriously! You STALK me by UNIDENTIFIABLE anonymous posts (or impersonate me https://it.slashdot.org/commen... because you WISH YOU WERE ME obviously) thinking (not, your type can't think - it's a FOREIGN CONCEPT to you much like doing good things are) you've "accomplished something"? Please - lol, you're a JEALOUS "Lil' Jowie" DO-NOTHING "ne'er-do-well" & YOU KNOW IT (+ you constantly PROVE it)... apk

  18. APK is right, I wish I was him by Anonymous Coward · · Score: 0

    APK is right
    I wish I was him so I can become a professional cum dumpster for truckers and host unlimited dicks.
    He can teach me how to write like a serial killer and how to buy derelict houses in the ghetto for a $1.
    I desperately need to know how to keep from being institutionalized while suffering from several different mental illnesses.
    These are all things he has expertly mastered but refuses to tell me how to do them and fail at everything else like he does.

    1. Re:APK is right, I wish I was him by Anonymous Coward · · Score: 0

      APK shouldn't have to tell you how to live your life correctly and to get your own home paid off. You must be a millennial helpless henry types.

  19. Prove you do... apk by Anonymous Coward · · Score: 0

    Prove you do, come on now, lol - let's see PROOF of it & I've written multimillion line systems that for DECADES have run companies entire data information structures on TONS of levels shopfloor industrial up to the business side, circa 1994-2007 until I retired to go into business for myself.

    * JUST PROVIDE US PROOF - BLOWHARD 'talker' you are.

    You won't & "your kind" (weezils that STALK me by UNIDENTIFIABLE anonymous whom I defend myself WITH verifiable. concrete & UNDENIABLE facts against)? Never do OR CAN, period!

    It's NOT about "success" for me on this program. It's about DOING THE RIGHT THING! Success in life on TONS of levels I long ago achieved.

    APK

    P.S.=> Apparently you don't KNOW that literally 200++K folks use this hobbyware of mine & DOZENS of REGISTERED (not cowards HIDING from me like you) like/use/praise MY work - not yours. You have NOTThereWare/HotAirWare... apk