The Windows variant of the infamous Mirai Linux botnet is the offspring of a more experienced bot herder, possibly of Chinese origin, Kaspersky Lab security researchers warn.
Recently detailed by Doctor Web, its main functionality is to spread the Mirai botnet to embedded Linux-based devices. The malware also abuses Windows Management Instrumentation (WMI) to execute commands on remote hosts, and targets Microsoft SQL Server and MySQL servers to create admin accounts and abuse their privileges.
In a report published this week, Kaspersky Lab researchers explain that Mirai for Windows is nothing but a malware spreader and that it shouldn’t be considered a new botnet. However, the new threat features code differences when compared to the original Mirai, which emerged in the second half of last year, targeting insecure Internet of Things (IoT) devices.
The spreader, Kaspersky confirms, was designed to brute force a remote telnet connection to spread Mirai to previously unavailable resources. By targeting Windows, the Trojan has access to Internet facing vulnerable SQL servers running on the platform, which can be connected to IP cameras on private networks, as well as to DVRs, media center software, various Raspberry and Banana Pi devices, and other internal devices.
What the Russia-based security firm underlines, however, is that the Windows bot isn’t actually new, and that some of its components date back as far as 2014, while its functionality can be traced “back to public sources at least as early as 2013.” The threat can spread “Mirai bots to embedded Linux systems over a very limited delivery vector,” the security company also says.
However, the Mirai crossover between the Linux and Windows platforms is unfortunate, and the public availability of botnet’s source code is expected to bring “heavy problems to the internet infrastructure for years to come,” Kaspersky says. The company also believes that this Windows Trojan is only a minor start compared to the issues to come.
The Windows spreader was designed to search for and attack hosts based on a specific list, and to spread the Linux Mirai botnet over telnet. It can also drop a downloader onto the compromised systems, which in turn downloads Mirai.
Mirai for Windows, Kaspersky says, is the work of a more experienced developer. Various artefacts, the word choice in strings, and the fact that the malware was compiled on a Chinese system (the host servers are maintained in Taiwan), suggest that this author might be a Chinese speaker. The fact that this Trojan is using code-signing certificates stolen exclusively from Chinese companies appears to support this idea as well.
“The addition of a Chinese-speaking malware author with access to stolen code-signing certificates, with the ability to rip win32 offensive code from multiple offensive projects effective against MSSQL servers around the world, and the ability to port the code into an effective cross-platform spreading bot, introduces a step up from the juvenile, stagnating, but destructive Mirai botnet operations of 2016,” Kaspersky notes.
Furthermore, the security company says, this exposes more systems and networks to Mirai, while also demonstrating the slow maturing of Mirai. The bot code has been put together from other projects and previous sources, with most components, techniques, and functionality being several years old. The components are hosted embedded within jpeg comments, a technique used since 2013.
Other interesting characteristics of Mirai for Windows include the blind SQLi (sql injection) and brute forcing techniques, which are compiled from a “Cracker” library meant with the “tasking” of various attacks. Furthermore, the Windows bot’s source was supposedly developed in a modular manner in C++, with its functionality broken out across source libraries. The code signing certificates used by the threat appear to have been stolen from a solar and semiconductor grinding wafer products manufacturer in Northwest China.
Related: Windows Trojan Spreads Mirai to Linux Devices
Related: 100,000 UK Routers Likely Affected by Mirai Variant
Related: Mirai Switches to Tor Domains to Improve Resilience
