Mirai developers target embedded systems processors

News by Rene Millman

Botnet expands horizons to infect systems with new processor architecture

Security researchers have discovered new variants of the Mirai malware targeting different processor architectures.

According to a blog post by researchers at Palo Alto Networks, these new variants have been compiled for Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These types of processors are usually found in embedded systems.

While this is not the first time that Mirai has been found on a new platform, it does show that the developers behind the malware are continuing to target more IoT devices.

"If the latest innovations lead to an increase in the number of infected devices, that means that Mirai attackers would have access to additional firepower for use in denial of service attacks," said researchers.

As well as new architectures being targeted, Mirai has had several new features added.

It now sports a modified version of the standard byte-wise XOR (as implemented in the toggle_obf function) used in the original Mirai source code. This uses 11 8-byte keys, all of which are cumulatively byte-wise XOR-ed to get the final resulting key.
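What the scheme described above means for anyone decoding strings from a sample, as an added example that is not from the article or the researchers' blog post: XOR is associative, so applying many key bytes in turn is the same as XOR with one folded byte, and 256 guesses recover it. The keys and the encoded string are constructed, and the reading that every key byte is applied to every data byte is an assumption.

```python
from functools import reduce
from operator import xor

# Constructed keys: 11 keys of 8 bytes each, NOT taken from any real sample.
KEYS = [bytes((17 * i + 3 * j + 1) & 0xFF for j in range(8)) for i in range(11)]


def fold_keys(keys):
    """Cumulatively XOR every byte of every key into one effective key byte."""
    return reduce(xor, (b for key in keys for b in key), 0)


def xor_single(data, key_byte):
    """Plain byte-wise XOR with a single key byte."""
    return bytes(b ^ key_byte for b in data)


def xor_stepwise(data, keys):
    """Apply each key byte in turn to every data byte (assumed variant behaviour)."""
    out = bytearray(data)
    for key in keys:
        for key_byte in key:
            for i in range(len(out)):
                out[i] ^= key_byte
    return bytes(out)


def recover_key(blob, known_plaintext):
    """Try all 256 single-byte keys; keep those that reveal the known plaintext."""
    return [k for k in range(256) if known_plaintext in xor_single(blob, k)]


def demo():
    plain = b"example.invalid:23"  # constructed config string, not from a sample
    blob = xor_stepwise(plain, KEYS)
    return blob, fold_keys(KEYS), recover_key(blob, b"example")


if __name__ == "__main__":
    blob, folded, found = demo()
    print("encoded:", blob.hex())
    print("folded key byte:", hex(folded))
    print("keys found by brute force:", [hex(k) for k in found])
    print("decoded:", xor_single(blob, folded))
```

The 88 key bytes add no strength over the original single-byte XOR, so string-extraction tooling that brute-forces one-byte XOR keys still works on data encoded this way.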

There is also a new DDoS attack option enabling hackers to specify the parameters of a DDoS attack.

Researchers said there was evidence to support the theory that the new versions of Mirai and previous versions have been used by the same developer.

"Given that the Mirai source code is open source, something as elementary as compiling the same source code for a larger range of processors provides attackers with the advantage of a larger attack surface. Practically, this means that the family can now infect and propagate via a larger number of embedded devices, affording attackers greater DDoS firepower," said researchers.

Last month, researchers discovered variants of Mirai targeting new classes of IoT devices such as smart signage TVs and wireless presentation systems. A sample of this variant contained a total of 27 exploits, of which 11 are new to Mirai. Researchers said that this development signalled a "potential shift to using Mirai to target enterprises".

"These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks," researchers said.
