The Mirai variant, dubbed OMG, adds and removes some configurations that can be found in the original botnet’s code.
The Mirai botnet is in the news again with a new variant. Dubbed OMG, it was discovered by researchers at FortiGuard Labs, who found that it can turn infected IoT devices into proxy servers. OMG strips some of the configuration from the original Mirai code but keeps its modules, including the attack and scanning modules; turning IoT devices into proxies, however, appears to be its primary function. Cybercriminals use such proxies to remain anonymous while carrying out their activities, and the proxies can be monetized by selling access to other criminals. The researchers believe that is what OMG was created for.
OMG’s authors added a firewall rule to allow traffic on the generated ports. This was necessary for the proxy to function as intended. After doing this, the researchers said, it sets up a 3proxy with predefined configurations embedded in its code.
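Because the two ports OMG opens are generated at runtime, a defender cannot match on fixed port numbers; what stands out instead is the combination of a newly added INPUT ACCEPT rule on a port the device never served before and a 3proxy process that should not be on the device at all. The following Python check is an added example written for this page, not FortiGuard's analysis or any code from OMG. It parses constructed sample output modelled on `iptables -S INPUT` and `ps -eo pid,comm,args` (the rule text, port numbers, PIDs and the `/tmp/.x/` path are all invented for the demonstration), and the "expected service ports" allow-list is an assumption you would replace with the ports your own device legitimately serves.

```python
"""Heuristic check for an OMG-style proxy setup on a Linux IoT device.

Added example; the sample inputs below are constructed, not captured
from a real infection, and the allow-list is an assumption.
"""
import re

# Constructed sample, modelled on `iptables -S INPUT` output.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50023 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 61932 -j ACCEPT
"""

# Constructed sample, modelled on `ps -eo pid,comm,args` output.
SAMPLE_PS = """\
  PID COMMAND ARGS
    1 init    /sbin/init
  412 dropbear /usr/sbin/dropbear -p 22
 2231 3proxy  /tmp/.x/3proxy /tmp/.x/3proxy.cfg
"""

# Assumption: the ports this particular device is expected to serve.
KNOWN_SERVICE_PORTS = {22, 23, 53, 80, 443, 8080}

# Matches an explicit ACCEPT of a TCP destination port in the INPUT chain.
_ACCEPT_RULE = re.compile(r"^-A INPUT .*-p tcp .*--dport (\d+) .*-j ACCEPT$")


def accept_rules_on_unexpected_ports(iptables_output, known_ports=KNOWN_SERVICE_PORTS):
    """Return TCP ports explicitly ACCEPTed in INPUT that are not in known_ports."""
    ports = []
    for line in iptables_output.splitlines():
        m = _ACCEPT_RULE.match(line.strip())
        if m:
            port = int(m.group(1))
            if port not in known_ports:
                ports.append(port)
    return ports


def proxy_processes(ps_output):
    """Return (pid, args) for every process whose command name is 3proxy."""
    procs = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)           # pid, comm, args (args may contain spaces)
        if len(parts) == 3 and parts[1] == "3proxy":
            procs.append((int(parts[0]), parts[2]))
    return procs


def assess(iptables_output, ps_output):
    """Flag the device when an unexpected ACCEPT rule and a 3proxy process coexist.

    Either indicator alone can be benign (an admin may open a port, a
    device may legitimately run a proxy); the pairing is what mirrors the
    behaviour described for OMG.
    """
    ports = accept_rules_on_unexpected_ports(iptables_output)
    procs = proxy_processes(ps_output)
    return {
        "unexpected_ports": ports,
        "proxy_processes": procs,
        "suspicious": bool(ports) and bool(procs),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_IPTABLES, SAMPLE_PS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a live device you would feed the script the real output of `iptables -S INPUT` and `ps -eo pid,comm,args`; note that the BusyBox `ps` found on many IoT devices does not support `-o`, so the column layout assumed by `proxy_processes` may need adjusting there. Treat a hit as a lead for further investigation rather than proof of infection.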
“This means that it can also do what the original Mirai could, (such as) kill processes related to telnet, ssh, and http by checking open ports and other processes related to other bots, telnet brute-force login to spread and DOS attack,” FortiGuard researchers said in an analysis.
FortiGuard said this is the first time a Mirai variant has been found that both carries out DDoS attacks and sets up proxy servers on the IoT devices it infects, but that they feel it is unlikely to stand alone for long.
“Since the release of the source code of the Mirai botnet, FortiGuard Labs has seen a number of variations and adaptations written by multiple authors entering the IoT threat landscape,” researchers said. “These modified Mirai-based bots differ by adding new techniques, in addition to the original telnet brute force login, including the use of exploits and the targeting of more architectures. We have also observed that the motivation for many of the modifications to Mirai is to earn more money. Mirai was originally designed for DDoS attack, but later modifications were used to target vulnerable Ethereum mining rigs to mine cryptocurrency.”