Mirai malware which attacks the Internet of things devices to perform Distributed Denial of Service attacks is now improving itself by switching to .Onion domains, after it made a few tweaks to its Domain Generation Algorithm(DGA).
According to the security researchers, Mirai started using the DGA recently for a very short period of time. This feature was added to Mirai Botnet #14 which has infected morethan 3 million devices by the end of November.
In late November, a Mirai variant managed to hijack 900,000 routers from German ISP Deutsche Telekom using port 7547. Soon after, the same malware attack was confirmed to have also hit around 100,000 UK TalkTalk and Post Office ISP users. The attacks were revealed to leverage the TR-064 vulnerability, which can be used to steal WiFi network keys in addition to recruiting the router into a botnet.
Researchers with the China-based Network Security Research Lab at Qihoo 360, who managed to crack the Mirai DGA, said last week that multiple Mirai samples were using the functionality and that they were leveraging three different top-level domains (TLDs) for that.
In a new post, the security researchers reveal that newly observed Mirai samples dropped the initial seed series and adopted a new one. Thus, new domains that matched the Mirai DGA algorithm but no longer featured the previous seed series were detected.
The new domains were said to belong to new Mirai variants because layer 2 (L2) domain had the same 12-character length, a-y only, and because all TLDs for these domains were fixed to .online, one of the TLDs observed in the previous samples. What’s more, the botnet operators exercised a strict time control over the creation of the domain, to ensure that the overlapping window was very short.
The researchers managed to brute-force the new DGA as well, and they even provided a list of the domains the Mirai samples will supposedly use before the end of the year. However, they also noted that at least one of the already generated domains wasn’t registered.
According to a report from BleepingComputer, however, there’s a clear explanation of why that happened: Mirai is moving to Tor (The Onion Router) domains because they are far more difficult to shut down. The information reportedly comes from the individual who manages Mirai Botnet #14, and who goes by the online handle of BestBuy.