Posted on August 2, 2019 at 10:21 AM
Another major botnet was recently revealed by security researchers from Trend Micro, who found it hiding within the Tor network. According to reports, the new threat is a variant of the infamous Mirai botnet, which uses the Tor network for command server seizure and takedown.
The origin of Mirai
Mirai is a well-known botnet which was used for launching DDoS (Distributed Denial-of-Service) attacks by utilizing vulnerable IoT (Internet-of-Things) devices. Its targets mostly included prominent websites, which it would bombard with requests for information until the server hosting the website could not take any more of them. The server would then crash, taking the website down with it.
As mentioned, this type of botnet focuses on infecting IoT devices and adding them to its network. Basically, the devices are enslaved and forced to act as part of the network, giving it brute strength necessary for conducting DDoS attacks. The network contains all kinds of IoT devices, including surveillance cameras, routers, smart home appliances, and even vehicles. Typically, it adds these devices by using default login credentials of brute-force attacks to gain access to them.
One of the best-known usages of Mirai botnet was against a website owned by a security expert, Brian Krebs. After that, the Mirai source code ended up being published and released into the wild. Ever since then, hackers have been using it to create their own variants, often with additional features and new capabilities. Some of these new versions include Masuta, PureMasuta, Okiru, and Satori. One variant that was detected back in March targeted wireless presentation systems and smart signage TVs.
A new variant emerges
Now, Trend Micro researchers detected a new strain of Mirai which contains mostly the same functions and others, including remote access and control, obtained via default credentials and open ports. Also, the botnet has the ability to conduct DDoS attacks and UDP floods. Researchers also noted that the new Mirai focuses on two TCP ports — 34567 and 9527. This indicates that the botnet might be after DVRs and IP cameras, as far as preferred devices go.
The interesting thing regarding this version of Mirai, however, is the fact that its malware has its C&C server hidden through .onion addresses of the Tor network. Typically, the servers are in the ‘clear’ web, which allows them to send takedown requests quickly. The fact that this variant uses the Tor network makes sending requests significantly more challenging.
Researchers believe that this might be the beginning of a new trend among the developers of IoT-targeting malware. After all, the Tor network is significantly more secure, and hiding the server within it could make locating it and taking it down very difficult. It is also something that companies, regular users, and even security researchers will have to start defending against quite soon.
Usually, Mirai botnets have a total of one to four C&C servers. However, this particular botnet was found to have 30 hard-coded IP addresses, and it used Socks5 proxies for communicating with the Tor-hidden servers. If any of the connections happens to fail, the malware can simply go to the next server.
Of course, this is not exactly a unique case. Hackers have made attempts to anonymize their malware in the past, as well. There were even cases of hackers doing this via the Tor network, which generally makes the threat significantly more difficult to combat. However, according to Trend Micro researchers, this case is noteworthy, as it might be a possible precedent for new IoT-targeting malware families that could evolve from it.
These kinds of breakthroughs usually lead to the rapid development of new types of threats, and Tor’s available environment, ability to make servers anonymous and similar features could lead to entirely new problems. One such issue is the fact that the servers can remain active, even if they are discovered. Meanwhile, the network traffic looks legitimate, and it remains encrypted. It would be difficult, if not impossible to identify it and blacklist it.