Mirai may be coming to a Windows machine near you

by Monique Magalhaes [Published on 8 March 2017 / Last Updated on 8 March 2017]

The Mirai botnet has been the cause of many notorious DDoS attacks of late, denying access to popular services including Facebook, Amazon, Twitter and Netflix, to name a few. The IoT-based botnet is now going a step further and is utilising Windows hosts to facilitate attacks.

At a time when IoT is on the rise and is becoming commonplace in both businesses and homes, malware such as this is of great concern. Let’s try to understand how Mirai functions and what can be done to avoid becoming a victim of such an attack.

Devices and their users make attacks that much easier

Multitudes of devices are being connected to both public and private networks globally. These devices have the potential to connect to, and allow access into, many consumer and business networks, especially when not properly secured. More and more IoT devices are now finding a place in our homes. These devices can be routers, lights, cameras and door locks, amongst others (any ‘smart’ internet-connected device).

Maintaining the security of these devices, and supporting them and their potential vulnerabilities, is challenging. Each device has different functionality, varying capabilities and a different vendor, processes differing types and amounts of data, and inadvertently imposes different potential security risks. The lack of standardisation in the area, although improving, remains alarming.

The IoT has multiple security layers to address. The devices themselves are vulnerable, as are the platforms that support them. Before the IoT, systems were considered isolated and thus secure; however, the IoT gives devices the ability to communicate outside of these secure boundaries.

The rise of IoT malware echoes the viruses, worms and email spam that overwhelmed early internet users way back when. Back then, most personal computers were not properly secured and the importance of internet security was not accurately understood. We are noticing the same trend for IoT devices today: security is lacking and is not necessarily made a priority by most.

On PCs, the presence of malware often manifests itself to the user as a dip in performance, and action is then frequently taken. However, an infected IoT device regularly goes unnoticed: the malware continues to lurk on the device (especially now that some malware stays in memory), and users are typically unaware that their device is possibly part of a functioning botnet.

The rise in the acceptance, sheer number and variety of IoT devices used in our businesses and our homes, combined with the multiplicity of security vulnerabilities, is highlighting a prolific attack vector for adversaries. Mirai is taking advantage of this, and users of these devices are failing to take precautionary security measures, perhaps due to lack of knowledge, but in some instances they just can’t be bothered. Together they are carving an easy route in.

Mirai, Windows and IoT Devices

 Mirai is an Internet of Things (IoT) botnet. What does this mean?

 A botnet is a network of devices that have been infected with malware and become controllable. Once infected, the commander of the botnet can instruct the devices to undertake certain functions. This usually entails the instruction of all devices to send masses of data to a particular target resulting in a DDoS (Distributed Denial of Service) attack which ultimately results in access issues.

Mirai works by exploiting the weak security of many IoT devices. IoT devices are accessible over the internet and are delivered with default or hardcoded usernames and passwords. Users tend to avoid changing these, allowing this attack to spread easily. By using a list of default username and password combinations to log in to the devices, Mirai can spread quickly. Once in, Mirai infects the devices with malware that forces them to report to a specific location and ultimately converts them into bots that can be used in DDoS attacks.

Mirai was first observed in September last year; however, attacks became prominent in the months that followed. Previously only utilising Linux systems, Mirai is now using Windows machines to facilitate rapid infection and spread to devices. Windows does not assist the actual DDoS attack but aids the search for new vulnerable devices that can be infected.

The Mirai bot does not run on the Windows machine as it does on Linux; rather, the Windows Trojan code infects the Windows machine. Network ports can be scanned for the presence of vulnerable devices, and when located they are infected with a malicious file, turning the device into a controllable bot. Instead of random IP address selection, the process is refined, as the Windows Trojan can check IP addresses on behalf of Mirai, enhancing the discovery of further potential victims and heightening the potential spread.
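On the network, the address checking described above appears as one workstation contacting many distinct addresses in a short time. The following added example (not code from the article) flags that pattern in connection logs; the log format, addresses, window and threshold are all constructed assumptions.

```python
# Added example: flag hosts that contact unusually many distinct addresses
# within a short window. Log format, addresses and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_DISTINCT_DESTS = 5  # assumed baseline; tune from your own traffic

# Constructed sample log, one "timestamp source destination" record per line.
LOG = "\n".join(
    # workstation touching 8 different addresses within 14 seconds
    [f"2017-03-08T10:00:{2 * i:02d} 10.0.0.21 10.0.1.{10 + i}" for i in range(8)]
    # host reaching 8 different addresses, but spread over 35 minutes
    + [f"2017-03-08T10:{5 * i:02d}:00 10.0.0.30 10.0.2.{10 + i}" for i in range(8)]
    # host talking to the same server repeatedly
    + [f"2017-03-08T10:00:{5 * i:02d} 10.0.0.40 10.0.3.5" for i in range(10)]
)

def parse(log):
    """Yield (timestamp, source, destination) from each log line."""
    for line in log.strip().splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst

def scan_suspects(log, window=WINDOW, limit=MAX_DISTINCT_DESTS):
    """Return {source: peak distinct destinations in any window} above the limit."""
    per_src = defaultdict(list)
    for ts, src, dst in parse(log):
        per_src[src].append((ts, dst))
    suspects = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _dst) in enumerate(events):
            # slide the window start forward until it covers at most `window`
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak > limit:
            suspects[src] = peak
    return suspects

if __name__ == "__main__":
    for src, peak in scan_suspects(LOG).items():
        print(f"{src}: {peak} distinct destinations within {WINDOW}")
```
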

Although the main purpose of utilising the Windows machine is to increase the rate of spread and to provide an alternate attack vector, the Windows version can also be particularly harmful to the computers it infects. The malware can create and delete files, modify the registry and inflict chaos on SQL databases.

Furthermore, Mirai is a type of malware that is very flexible and easily adaptable: the code is available (on the dark web) for anyone to modify and use. This is not so good for users trying to fight back, as varying strains of Mirai can be easily developed to target new devices or emerging vulnerabilities. It can be assumed that Mirai, as well as additional adaptations of the malware, will be around for some time to come.

Infected devices can be cleaned by restarting them. The infection must be realised first, though, and this will often go unnoticed. Even so, re-infection is likely soon after restart (Mirai is continually scanning devices that are accessible over the internet) unless default credentials are changed.

15 Precautionary measures to consider

As the owner of an IoT device, there are measures that you can take to mitigate incidents from Mirai. It should be considered your responsibility to improve the protection of those around you: you might not be the target, but your device can be used as one of many to target someone else or another organisation. Home device users as well as organisations should take the necessary precautions to improve security and safety.

  1. Change those default passwords! This cannot be emphasised enough yet too many just don’t do it. This should be one of the first actions taken when obtaining a new device. Do not use default or generic passwords.
  2. Keep the devices updated and stay on top of firmware updates.
  3. Do not allow Wide Area Network (WAN) access to your devices; disable this.
  4. Change router default passwords and disable Universal Plug and Play on routers.
  5. Secure your Windows machine.
  6. Secure your Wi-Fi network and have a secure access control method in place.
  7. Where possible utilise wired connections over wireless.
  8. Know your device and ensure that the device that you choose has the necessary security features and capabilities.
  9. Disable remote access to IoT devices if not required.
  10. If you are not using features and services, disable them!
  11. Remove surplus idle devices that have access to the internet. If they are not being used, remove them, as they will only increase exposure and the chance of attack. These are ideal DDoS attack points.
  12. Limit the number of devices, know the devices that are connected, manage them properly and protect them.
  13. Only use approved IoT devices so that all devices in use meet the necessary levels of security.
  14. Regularly scan devices and remediate.
  15. Utilise network segmentation whenever possible.
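Several of the measures above can be checked mechanically against a device inventory. The following added example (not code from the article) audits measures 1, 2, 3, 4, 9 and 11 and marks devices where a restart alone will not hold because they are reachable and still use default credentials; the device records, field names, idle threshold and credential list are constructed assumptions.

```python
# Added example: audit an IoT inventory against the checklist above.
# Device records, field names, thresholds and the credential list are constructed.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
IDLE_LIMIT_DAYS = 90  # assumed cut-off for a "surplus idle" device (measure 11)

INVENTORY = [
    {"name": "lobby-camera", "user": "admin", "password": "admin", "wan_access": True,
     "upnp": False, "remote_access": True, "firmware_current": False, "idle_days": 2},
    {"name": "door-lock", "user": "facilities", "password": "t7#Lq9!vRz2p", "wan_access": False,
     "upnp": False, "remote_access": False, "firmware_current": True, "idle_days": 0},
    {"name": "edge-router", "user": "netops", "password": "Vx4$wm81Kd!e", "wan_access": False,
     "upnp": True, "remote_access": False, "firmware_current": True, "idle_days": 0},
    {"name": "old-dvr", "user": "root", "password": "root", "wan_access": False,
     "upnp": False, "remote_access": False, "firmware_current": False, "idle_days": 120},
]

def has_default_creds(dev):
    return (dev["user"].lower(), dev["password"]) in DEFAULT_CREDS

def audit(dev):
    """Return (measure number, finding) pairs for each checklist item the device fails."""
    checks = [
        (1, "default credentials still set", has_default_creds(dev)),
        (2, "firmware out of date", not dev["firmware_current"]),
        (3, "WAN access enabled", dev["wan_access"]),
        (4, "UPnP enabled", dev["upnp"]),
        (9, "remote access enabled", dev["remote_access"]),
        (11, "idle device still connected", dev["idle_days"] > IDLE_LIMIT_DAYS),
    ]
    return [(num, text) for num, text, failed in checks if failed]

def reinfection_likely(dev):
    """A restart clears the bot, but a reachable device with default
    credentials is expected to be reinfected soon afterwards."""
    return has_default_creds(dev) and (dev["wan_access"] or dev["remote_access"])

def report(inventory):
    """List (name, findings, reinfection flag), reinfection-prone devices first."""
    rows = []
    for dev in inventory:
        findings = audit(dev)
        if findings:
            rows.append((dev["name"], findings, reinfection_likely(dev)))
    return sorted(rows, key=lambda r: (not r[2], -len(r[1])))

if __name__ == "__main__":
    for name, findings, reinfect in report(INVENTORY):
        print(name, [n for n, _ in findings], "restart alone will not hold" if reinfect else "")
```
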

 

Mirai won’t be the last malware to take advantage of our IoT security vulnerabilities

IoT provides a wide-open landscape that is not properly secured, meaning that capturing devices to be used for botnets is generally too easy. In addition, Windows machines that accelerate the spread mean that the infection can now reach a broader area, faster. With the expanding popularity of IoT devices in our businesses and homes, not to mention the abundance of Windows machines actively running, we can expect the acceleration of sizeable DDoS attacks. The frequency and force of these attacks will only increase.

It is recommended to take all the necessary precautions to mitigate such attacks; however, it is also a good idea for organisations to have a learned plan in place to recover from an IoT-driven DDoS attack. With the existing state of IoT security, we can expect tribulations in this area, and they are likely to get a whole lot worse before they begin to show any improvement.

 


The Author — Monique Magalhaes

Monique is an international security researcher who holds a BSc degree (cum laude). Previously, she focussed on research and development at leading enterprises in the Southern Hemisphere.