After Linux, Mirai Botnet is Attacking Windows

Researchers at the antivirus firm Dr.Web have recently found a new variant of the Mirai bot, the well-known IoT malware. This new variant is able to target Windows systems and can use more ports than the original Linux version. Dr.Web researchers have named the new version Trojan.Mirai.1.

This Windows version of Mirai is now used by cybercriminals to infect Internet of Things (IoT) devices and to conduct DDoS attacks. The original version of this malware was found in August 2016 by the researcher MalwareMustDie. Back then, it was identified as malware designed specifically to target IoT devices and turn them into controllable bots. High-profile organizations such as DynDNS and the hosting provider OVH were among its key targets.

The purpose of developing a Windows-compatible version of the infamous malware, according to Dr.Web researchers, is to ensure that Mirai is “spread to even more devices.”

The Mirai malware is able to infect a diverse array of devices, but its main targets are IoT devices and internet routers. Once the malware infects a device, it selects random IP addresses and tries to log in through the SSH or Telnet port.

This new version is believed to have been developed for Microsoft Windows and is written in C++. According to the researchers, it was designed to “scan TCP ports from indicated range of IPs to execute various commands and distribute many other malware.”

When launched, the malware connects to its C&C (command and control) server and downloads the “configuration file (wpd.dat), and extracts the list of IP addresses.”

Afterward, it launches the scanner and also checks other ports. When Trojan.Mirai.1 succeeds in compromising a new device, it checks the operating system: if the device runs Linux, it issues a series of commands to turn it into a Mirai DDoS bot; if the device runs Microsoft Windows, it simply drops a copy of itself. Additionally, it creates a DBMS user with the login ID “Mssqla and password Bus3456#qwein.”
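The scanning behaviour described above (one infected host picking random IP addresses and probing SSH or Telnet) is visible to a defender in firewall or flow logs as a single source reaching many distinct destinations on ports 22 and 23 in a short time. The following script, an added example that is not code from the article or from Dr.Web, flags such sources. The log line format, the sample lines, the one-minute window and the threshold of five distinct destinations are all constructed assumptions.

```python
"""Flag sources that behave like a Mirai Telnet/SSH scanner in connection logs.

Added illustration, not code from the article or from Dr.Web. The log format,
the sample lines, the window size and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {22, 23}          # SSH and Telnet, the ports named in the article
WINDOW = timedelta(minutes=1)  # assumed sliding window
THRESHOLD = 5                  # assumed: distinct destinations per window to alert

# Constructed sample log lines: "<ISO time> <src_ip> -> <dst_ip>:<dst_port> <flag>"
SAMPLE_LOG = """\
2017-02-10T10:00:01 10.0.0.5 -> 203.0.113.7:23 SYN
2017-02-10T10:00:02 10.0.0.5 -> 198.51.100.9:23 SYN
2017-02-10T10:00:02 10.0.0.5 -> 192.0.2.44:22 SYN
2017-02-10T10:00:03 10.0.0.5 -> 203.0.113.91:23 SYN
2017-02-10T10:00:04 10.0.0.5 -> 198.51.100.130:22 SYN
2017-02-10T10:00:05 10.0.0.5 -> 192.0.2.200:23 SYN
2017-02-10T10:00:06 10.0.0.8 -> 192.0.2.10:443 SYN
2017-02-10T10:00:07 10.0.0.8 -> 192.0.2.10:443 SYN
2017-02-10T10:00:08 10.0.0.9 -> 192.0.2.10:22 SYN
2017-02-10T10:05:00 10.0.0.9 -> 192.0.2.11:22 SYN
"""


def parse_line(line):
    """Parse one constructed log line into (time, src, dst, port), or None if malformed."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != "->":
        return None
    ts = datetime.fromisoformat(parts[0])
    src = parts[1]
    dst, _, port = parts[3].rpartition(":")
    return ts, src, dst, int(port)


def find_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: distinct_targets} for every source that contacts at least
    `threshold` distinct destination IPs on SSH/Telnet within one `window`."""
    events = defaultdict(list)  # src -> [(ts, dst)] for scan ports only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port = rec
        if port in SCAN_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        # Sliding window over time-sorted hits; count distinct destinations inside it.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible Telnet/SSH scanner: {src} reached {n} distinct hosts")
```

On the constructed sample, only 10.0.0.5 is flagged: it reaches six distinct hosts on ports 22/23 within five seconds, while 10.0.0.8 only talks to one host on 443 and 10.0.0.9 makes two SSH connections five minutes apart. Counting distinct destinations rather than raw connection attempts keeps a legitimate admin host that repeatedly reconnects to one server below the threshold.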

source: hackread
