IBM has recently discovered that the Mirai Internet of Things (IoT) botnet has been actively installing Bitcoin mining code on some victims’ computers. This botnet has been used in some of the largest known distributed denial-of-service (DDoS) attacks such as the takedown of Dyn DNS, which experts say was the largest of its kind in history.
Mirai IoT Botnet
Discovered in August last year by the white-hat security research group Malwaremustdie, Mirai turns networked devices running out-of-date versions of Linux into remotely controlled “bots” or “zombies” for use in DDoS attacks.
“The Mirai botnet was developed for two primary purposes,” explained Dave Mcmillen, Senior Threat Researcher at IBM Managed Security Services. The first is to identify and compromise IoT devices to grow the botnet, and the second is to perform DDoS attacks against predefined targets, he detailed. X-Force is IBM’s threat intelligence and security research unit, which provides actionable threat intelligence and insights for business and IT leaders.
In January, a Windows botnet spreading a Mirai bot variant was discovered. “But this Windows bot is not new,” wrote Kaspersky Lab’s global research team. “The Windows bot’s spreading method for Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute forces a remote telnet connection.” Nonetheless, Kaspersky Lab’s data shows that 500 unique systems had already been attacked as of this February. Kurt Baumgartner, Kaspersky Lab principal security researcher, said:
The appearance of a Mirai crossover between the Linux platform and the Windows platform is a real concern […] A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning.
Deploying Bitcoin Mining Code
Last week, IBM X-Force uncovered “a new variant of the ELF Linux/Mirai malware that has a new twist: a built-in Bitcoin mining component,” Mcmillen wrote. The Mirai with Bitcoin mining attack began on March 20 and spiked on March 25, but the activity “subsided eight days after it began.”
“We did not find any evidence to indicate why this attack was short-lived; however, seeing campaigns with a short lifecycle such as this is common,” Mcmillen told the publication eWeek.
In addition, “the Bitcoin client was not embedded into the Mirai malware itself. Rather, the Bitcoin miner was part of an archive of files that contained a Mirai dropper, a Dofloo backdoor, a Linux shell, and a Bitcoin miner slave,” the publication explained. While much about the attackers is currently unknown, Mcmillen confirmed to the publication that “the majority of the attack activity came from the Asia-Pacific region, and the language interface does suggest that the attack could have originated from a Chinese-language source.”
Mcmillen also revealed: “We do not have any insight into whether or not bitcoins were actually mined during these attacks.” Citing how more work needs to be done to determine the new variant’s capability, he wrote:
It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.
“Addressing the IoT botnet phenomenon is going to require all stakeholders to take steps to secure these devices,” Mcmillen noted. “If the weaponization of IoT devices into DDoS botnets is the latest malicious trend, then turning them into Bitcoin miners may be just around the corner,” he concluded.