NEWSBYTE: Researchers discover that IoT devices are being used to anonymise hackers
Security researchers have discovered a new variant of the Mirai malware that turns infected IoT devices into proxy servers to protect the identity of hackers.
According to a blog post by Fortinet’s FortiGuard Labs research team, which dubbed the variant OMG, the malware adds some new features to Mirai and retires others. However, the original modules, including the attack, killer, and scanner modules, have been retained, the researchers said.
“This means that it can also do what the original Mirai could, i.e. kill processes (related to telnet, ssh, http, by checking open ports and other processes related to other bots), telnet brute-force logins to spread [sic] and DOS attack,” says the research team’s blog update.
Researchers discovered that the main purpose of the new malware was to turn IoT devices into proxy servers. They said in the post that they believed the botnet operator could be selling access to these proxies for cash.
“This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetisation,” said Fortinet.
Firewall rules set up for the proxy
The researchers added that one notable new feature is a pair of strings used to add firewall rules that allow inbound traffic on two randomly chosen ports.
“This variant of Mirai uses 3proxy, an open source software, to serve as its proxy server. The setup begins by generating two random ports that will be used for the http_proxy_port and socks_proxy_port. Once the ports are generated, they are reported to the CnC,” said researchers.
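The footprint described above (a firewall rule opening two freshly chosen high ports, and a proxy process listening on them) is something a defender can hunt for on a Linux-based device. The script below is an added example written for this article; it is not code from the Fortinet post or from the OMG malware. It assumes the device uses iptables and the `ss` utility, and the sample `iptables -S INPUT` and `ss -lntp` output, the port numbers, the process names and the `EXPECTED_PORTS` baseline are all constructed for the example. It flags any high, non-baseline port that is both allowed through the firewall and bound on a non-loopback address, then separately reports any single process that sits behind two such ports, which matches the HTTP-plus-SOCKS pairing the researchers describe.

```python
import re

# Constructed sample output of `iptables -S INPUT` on a compromised device.
# The rules and port numbers are illustrative, not taken from the Fortinet report.
IPTABLES_SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 47321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51877 -j ACCEPT
"""

# Constructed sample output of `ss -lntp` on the same device.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("dropbear",pid=412,fd=3))
LISTEN  0       128     127.0.0.1:80        0.0.0.0:*          users:(("httpd",pid=300,fd=4))
LISTEN  0       128     0.0.0.0:47321       0.0.0.0:*          users:(("3proxy",pid=1873,fd=5))
LISTEN  0       128     0.0.0.0:51877       0.0.0.0:*          users:(("3proxy",pid=1873,fd=6))
"""

# Ports the device is expected to expose; an assumed baseline for this example.
EXPECTED_PORTS = {22, 80}

DPORT_RE = re.compile(r"--dport (\d+)\b")
PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


def parse_accept_ports(iptables_output):
    """Return the set of TCP destination ports with an explicit INPUT ACCEPT rule."""
    ports = set()
    for line in iptables_output.splitlines():
        if line.startswith("-A INPUT") and "-p tcp" in line and "-j ACCEPT" in line:
            m = DPORT_RE.search(line)
            if m:
                ports.add(int(m.group(1)))
    return ports


def parse_listeners(ss_output):
    """Map each listening TCP port to (bind address, process name, pid)."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, port = fields[3].rsplit(":", 1)  # rsplit also copes with [::]:port
        m = PROCESS_RE.search(fields[5])
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        listeners[int(port)] = (addr, proc, pid)
    return listeners


def find_suspect_proxies(iptables_output, ss_output, expected_ports=EXPECTED_PORTS):
    """Flag high, non-baseline ports that are both allowed through the firewall
    and bound on a non-loopback address. Returns findings sorted by port."""
    allowed = parse_accept_ports(iptables_output)
    listeners = parse_listeners(ss_output)
    findings = []
    for port in sorted(allowed & set(listeners)):
        addr, proc, pid = listeners[port]
        if port in expected_ports or port < 1024 or addr in ("127.0.0.1", "[::1]"):
            continue
        findings.append({"port": port, "addr": addr, "process": proc, "pid": pid})
    return findings


def pids_with_paired_ports(findings):
    """One process behind two or more freshly opened high ports matches the
    HTTP-plus-SOCKS proxy pattern; return the set of such PIDs."""
    count = {}
    for f in findings:
        count[f["pid"]] = count.get(f["pid"], 0) + 1
    return {pid for pid, n in count.items() if n >= 2}


if __name__ == "__main__":
    hits = find_suspect_proxies(IPTABLES_SAMPLE, SS_SAMPLE)
    for h in hits:
        print(f"port {h['port']} on {h['addr']}: allowed by iptables, "
              f"served by {h['process']} (pid {h['pid']})")
    print("PIDs with paired proxy-style ports:", pids_with_paired_ports(hits))
```

On a live device the two sample strings would be replaced with the output of `iptables -S INPUT` and `ss -lntp`. The port-pairing check is the more specific signal: a single stray ACCEPT rule has many benign explanations, but one unrecognised process bound on two newly opened high ports is exactly the shape the researchers describe.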
“Since the release of the source code of the Mirai botnet, FortiGuard Labs has seen a number of variations and adaptations written by multiple authors entering the IoT threat landscape,” they added. “These modified Mirai-based bots differ by adding new techniques, in addition to the original telnet brute force login, including the use of exploits and the targeting of more architectures.
“We have also observed that the motivation for many of the modifications to Mirai is to earn more money. Mirai was originally designed for DDoS attack, but later modifications were used to target vulnerable ETH mining rigs to mine cryptocurrency.”
Internet of Business says
It was long thought that the key security risk of the IoT would be electronics companies with little track record in enterprise-grade security rushing insecure smart lightbulbs or HVAC systems to market, or placing a spy in every home or office in the form of insufficiently secured robots.
However, it is now clear that the threat landscape is far more complex than that, particularly when it comes to harnessing the computing power and network reach of a fleet of smart devices: for DDoS and brute-force attacks, for anonymising proxies that hide the operators behind them, or for mining cryptocurrency.