The first 665 Gbps DDoS attack of the Mirai botnet was against the KrebsOnSecurity website in September 2016. Just a few days later, the second attack that peaked at nearly 1 Tbps, hit the French hosting firm, OVH. Despite the fact that the Mirai developer released the source code soon after the botnet attacks, it did not remain free for long.
In January 2017, Brian Krebs identified Paras Jha as authoring Mirai, and in December 2017 the DoJ unsealed a plea-bargained guilty plea by Paras Jha for the development and use of Mirai. However, it was too late to stop the botnet because its code was already revealed and other criminals could develop new Mirai variants.
Security researchers at Netscout Arbor have observed the following Mirai variants so far: Satori, JenX, OMG and Wicked.
The Mirai botnet spreads by scanning for other internet-connected IoT devices (IP cameras and home routers) and ‘brute-forcing’ access via a list of default vendor passwords. As the consumers usually do not change the password that comes with the device, the process is remarkably successful.
Satori uses the same configuration table and the same string obfuscation technique as Mirai. However, the ASERT teams claims that, “We see the author expanding on Mirai source code to include different exploits such as the Huawei Home Gateway exploit.” The exploit was CVE-2017-17215.
The underlying code for JenX also comes from Mirai, including the same configuration table and the same string obfuscation technique. The difference here is that JenX hard codes the C2 IP address while Mirai stores it in the configuration table. Besides, JenX has removed the scanning and exploitation functions of Mirai, being handled by a separate system.
According to ASERT, “it appears JenX only focuses on DDoS attacks against players of the video game Grand Theft Auto San Andreas, which has been noted by other researchers.”
OMG is known as one of the most interesting of Mirai variants. While it includes all Mirai’s functionality, “the author expanded the Mirai code to include a proxy server.” This allows it to enable a SOCKS and HTTP proxy server on the infected IoT device.
Wicked is the latest Mirai variant, which is quite similar to Satori variant 3.
“Wicked trades in Mirai’s credential scanning function for its own RCE scanner. Wicked’s RCE scanner targets Netgear routers and CCTV-DVR devices.” When vulnerable devices are found, “a copy of the Owari bot is downloaded and executed.” the ASERT team explains.
However, further analysis showed that in practice Wicked tried to download the Owari botnet, but actually downloaded the Omni botnet.
“We can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet experts claim, while the Mirai variants keep increasing.
