A new vulnerability can make Mirai infections permanent
Many of you will surely remember when, at the end of last year, the Mirai botnet wreaked havoc across the entire world. Botnet news (and Mirai's in particular) had seemed to quiet down, and suddenly it is topical again.
As reported by Bleeping Computer, Mirai is back on the front page because of a recently discovered vulnerability in IoT equipment that could make infections by this botnet permanent, instead of disappearing when the user reboots the device.
Malware that attacks IoT devices usually disappears on reboot, because a reboot clears the device's RAM and leaves it completely clean. Since most IoT malware persists only until the next reboot, it is "easy" to get rid of. This news changes that.
The security researchers from the firm Pen Test Partners who discovered it were reportedly studying the security features of 30 brands of DVR devices (digital video recorders). It is precisely this vulnerability that would allow Mirai to survive across restarts.
Understandably, the researchers have not published any details about this vulnerability: they have reason to believe that malicious actors could take advantage of their findings to carry out criminal activities.
The scope of Mirai could increase thanks to this vulnerability
The Pen Test Partners investigation has also revealed other findings that could make Mirai relevant again, and even more dangerous than it was before:
- New DVR credentials can be added to the Mirai code and used in brute-force attacks.
- Certain DVRs expose Telnet on an alternative port instead of the standard port 23, and that port could be used as well.
- On some DVR brands a remote shell can be obtained by authenticating on port 9527 with the credentials “admin / [blank password]” and “admin / 123456”.
- The botnet could take advantage of the daily-changing passwords of one particular brand, since that brand publishes them online in its documentation.
- A buffer overflow bug present in a million Internet-connected DVRs could also be exploited. The researchers say it can be exploited directly over port 80, where the DVR's embedded web server listens; that web server is what allows the devices to be controlled remotely.
- A cross-directory bug allows attackers to recover password hashes from remote DVRs.
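As an added example (not from the article or from Pen Test Partners), here is a small Python audit that runs over constructed DVR access-log lines and flags the weak points in the list above from the defender's side: logins using the two default credential pairs, interactive sessions on ports 23 and 9527, and repeated failed logins that suggest brute forcing. The log line format, device names and addresses are all assumed for this example; the vendor-specific alternate Telnet ports are not named in the article, so `SHELL_PORTS` only holds the two ports it does name.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Credential pairs quoted in the article; the blank password is the empty string.
WEAK_CREDENTIALS = {("admin", ""), ("admin", "123456")}
# Interactive ports named in the article: 23 (Telnet) and 9527 (shell). The
# vendor-specific alternate Telnet ports are not named there; add yours here.
SHELL_PORTS = {23, 9527}
BRUTE_FORCE_THRESHOLD = 3  # failed logins from one source against one DVR

# Assumed line format (constructed, not any vendor's): <ts> dvr= src= dport= user= pass= result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) dvr=(?P<dvr>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

@dataclass(frozen=True)
class Finding:
    dvr: str
    src: str
    reason: str

def audit(lines):
    """Flag default-credential logins, interactive-port logins and brute forcing."""
    findings, failures = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed or unrelated lines rather than guessing
        dvr, src, dport = m["dvr"], m["src"], int(m["dport"])
        if m["result"] == "fail":
            failures[(src, dvr)] += 1
            if failures[(src, dvr)] == BRUTE_FORCE_THRESHOLD:  # report once per pair
                findings.append(Finding(dvr, src, "repeated failed logins (brute force)"))
            continue
        if (m["user"], m["pw"]) in WEAK_CREDENTIALS:
            findings.append(Finding(dvr, src, "login with known default credentials"))
        if dport in SHELL_PORTS:
            findings.append(Finding(dvr, src, f"interactive session on port {dport}"))
    return findings

# Constructed sample log: RFC 5737 documentation addresses, invented device names.
SAMPLE_LOG = """\
2017-08-01T10:00:01Z dvr=cam-lobby src=203.0.113.7 dport=9527 user=admin pass= result=ok
2017-08-01T10:00:05Z dvr=cam-lobby src=198.51.100.2 dport=23 user=admin pass=123456 result=ok
2017-08-01T10:02:00Z dvr=cam-yard src=203.0.113.7 dport=23 user=root pass=a result=fail
2017-08-01T10:02:01Z dvr=cam-yard src=203.0.113.7 dport=23 user=root pass=b result=fail
2017-08-01T10:02:02Z dvr=cam-yard src=203.0.113.7 dport=23 user=root pass=c result=fail
""".splitlines()
```

Running `audit(SAMPLE_LOG)` yields five findings: both default-credential logins, the interactive sessions on 9527 and 23, and one brute-force report for the three failures against cam-yard.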
All these flaws, if exploited, could bring Mirai back to life. According to media reports, this malware family has been losing ground to other threats such as Persirai, BrickerBot and Hajime.