The latest version of the Mirai IoT botnet includes an exploit for a vulnerability in Comtrend and Netlink GPON Wi-Fi routers
Mirai botnet is back! After wreaking havoc in 2016, the Mirai botnet made intermittent appearances, but now Trend Micro researchers have discovered a new version of the botnet which includes an exploit for Comtrend Wi-Fi routers.
What is the Mirai Internet of Things (IoT) botnet?
Mirai IoT botnet is an Internet of Things malware that turns your everyday Internet-connected things into zombies or bots. Mirai is Japanese for "future" and is named after the Japanese anime series Mirai Nikki. The malware turns Internet-connected devices running on Linux operating systems into remotely controlled bots or zombies. These can then be used by the operator to launch large scale Distributed Denial of Service (DDoS) attacks. It primarily targets online consumer devices such as IP cameras and home routers.
It was first discovered in 2016 by a white hat researcher group, MalwareMustDie. It has been used in DDoS attacks like the 20 September 2016 attack on computer security journalist Brian Krebs’ web site, an attack on French web host OVH, and the October 2016 Dyn DDoS attack which partially took down the Internet in the United States.
Mirai malware works by infecting IoT devices that run on the ARC processor. If the IoT devices still use the default username and password combination, Mirai malware is able to infect them and turn them into zombies. Though Mirai malware primarily infects Wi-Fi routers and security cameras, there have been instances of it infecting baby monitors, vehicles, network routers, agricultural devices, medical devices, environmental monitoring devices, home appliances, DVRs, CCTV cameras, headsets, and even smoke detectors.
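The infection path described above (rapid login attempts with a list of factory usernames, followed by a successful login) leaves a recognisable trace in a device's own login log. The following is an added example, not code from the article or from Trend Micro's report: it parses constructed syslog-style login lines in a hypothetical format (not the real log format of any Comtrend or Netlink router) and flags sources that tried several usernames in a short window, noting whether a login was accepted afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical syslog-like format (assumption: not any
# real router's format). Documentation addresses only; 203.0.113.7 plays the scanner.
SAMPLE_LOG = """\
Jul 10 12:00:01 router login[812]: FAILED LOGIN for 'admin' from 203.0.113.7 via telnet
Jul 10 12:00:02 router login[812]: FAILED LOGIN for 'root' from 203.0.113.7 via telnet
Jul 10 12:00:02 router login[812]: FAILED LOGIN for 'support' from 203.0.113.7 via telnet
Jul 10 12:00:03 router login[812]: FAILED LOGIN for 'user' from 203.0.113.7 via telnet
Jul 10 12:00:04 router login[812]: FAILED LOGIN for 'admin' from 203.0.113.7 via telnet
Jul 10 12:00:05 router login[812]: ACCEPTED LOGIN for 'admin' from 203.0.113.7 via telnet
Jul 10 12:03:00 router login[813]: FAILED LOGIN for 'alice' from 192.0.2.10 via ssh
Jul 10 12:03:20 router login[813]: ACCEPTED LOGIN for 'alice' from 192.0.2.10 via ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"(?P<result>FAILED|ACCEPTED) LOGIN for '(?P<user>[^']*)' from (?P<src>\S+) via (?P<svc>\w+)$"
)

def parse(log_text, year=2020):
    """Turn log lines into (timestamp, result, user, source, service) tuples; skip non-matching lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"], m["svc"]))
    return events

def find_bruteforce(events, window=timedelta(seconds=60), min_failures=4, min_users=3):
    """Return {source: details} for sources that sprayed many usernames within one window.

    success_after is True when the same source was later accepted, i.e. a default
    credential was probably still in place and the device should be treated as compromised.
    """
    per_src = defaultdict(list)
    for ev in sorted(events):
        per_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in per_src.items():
        fails = [(ts, user) for ts, result, user, _, _ in evs if result == "FAILED"]
        for i, (start, _) in enumerate(fails):
            burst = [u for ts, u in fails[i:] if ts - start <= window]
            if len(burst) >= min_failures and len(set(burst)) >= min_users:
                success = any(r == "ACCEPTED" and ts >= start for ts, r, *_ in evs)
                alerts[src] = {"failures": len(burst), "users": sorted(set(burst)),
                               "success_after": success}
                break  # one alert per source is enough
    return alerts
```

A flagged source with success_after set is the case the article warns about: the device accepted a factory username and password and should have its credentials changed and be checked for infection.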
Mirai malware code was written by Paras Jha and Josiah White, who co-founded Protraf Solutions, a company offering mitigation services for DDoS attacks. They designed the malware to bring down websites and then offer those very same companies DDoS protection.
In 2016, an anonymous handle leaked the source code of the Mirai botnet online on Hack Forums. Since then it has been adapted to include new exploits. In one instance, an anime lover altered the Mirai botnet into newer versions called Masuta, Okiru, Satori, Mukashi, etc., just to download anime movies.
Latest Mirai IoT botnet version
Researchers at Trend Micro found that the latest version of Mirai IoT botnet malware includes an exploit for the CVE-2020-10173 vulnerability impacting Comtrend Wi-Fi routers. In addition to Comtrend, this Mirai variant also includes an exploit for the latest Netlink GPON routers.
The Mirai botnet was found to target CVE-2020-10173, an authenticated command injection vulnerability in Comtrend VR-3033 Wi-Fi routers.
The vulnerabilities used by this Mirai variant combine old and new flaws, which helps it cast a wide net over different types of connected devices. The nine vulnerabilities used in this campaign affect specific versions of IP cameras, smart TVs, and routers, among others. As mentioned earlier, the most notable of these is CVE-2020-10173, a multiple authenticated command injection vulnerability found in Comtrend VR-3033 routers. Remote attackers can use this vulnerability to compromise the network managed by the router.
Trend Micro researchers say that despite the availability of a proof of concept (PoC) for CVE-2020-10173, this is the first time they have found it exploited by malware. The Mirai variant analyzed by Trend Micro also includes five older vulnerabilities:
- AVTECH IP Camera / NVR / DVR Devices – Multiple Vulnerabilities
- D-Link Devices – UPnP SOAP Command Execution
- MVPower DVR TV-7104HE 1.8.4 115215B9 – Shell Command Execution
- Symantec Web Gateway 126.96.36.199 Remote Code Execution
- ThinkPHP 5.0.23/5.1.31 – Remote Code Execution
The Trend Micro researchers say that this shows the Mirai malware continues to be a favorite among botnet operators. If you own any networked device, change its default username and password immediately.