Newly observed variants of the Mirai botnet pack domain generation algorithm (DGA) features that haven’t been associated with previous Mirai samples, security researchers warn.
Mirai emerged several months ago as just another Internet of Things (IoT) botnet, but managed to make a name for itself fast, after it was used in large distributed denial of service (DDoS) attacks against the web sites of security blogger Brian Krebs and hosting provider OVH in late September. However, it was only after the malware’s source code was made public in early October that interest in Mirai spiked.
By the end of October, researchers found that Mirai infected devices in 164 countries around the world, preying on their weak security credentials. Also in October, Mirai was said to have been used in a massive DDoS attack against DNS provider Dyn, which resulted in many popular websites becoming inaccessible for some of their users.
As expected, the public availability of Mirai’s source code resulted in numerous new malware variants being created, including a Mirai-based worm that used the TR-064 protocol to send commands to infected devices. According to researchers with Network Security Research Lab at 360, at least 53 unique Mirai samples exist, captured by the lab’s honeypots from 6 hosting servers.
What’s more, the researchers reveal that the newly spotted Mirai samples spread through TCP ports 7547 and 5555. The researchers also discovered that the malware author who uses the email address dlinchkravitz[at]gmail[dot]com has already registered some of the generated domains.
According to the security researchers, the analyzed malware samples use 3 top-level domains (TLDs), namely .online, .tech, and .support, with each second-level (L2) domain having a fixed length of 12 bytes, each character randomly chosen from ‘a’ to ‘z’. The security researchers also note that the generated domain is determined only by the month, the day, and a hardcoded seed string.
However, it appears that these new Mirai variants use the DGA domains only when the hardcoded command and control (C&C) domains fail to resolve. What’s more, the malware generates only a single domain per day, which results in a maximum DGA domain number of 365 per year. The researchers already managed to predict these domains.
The analyzed samples revealed that 3 C&C controllers are hardcoded in the malware and that a random number is generated to select one of the first two controllers. Should the selected domain fail to resolve, the malware then decides, based on the current date, whether to use the DGA or to attempt to resolve the third C&C domain.
Between Nov. 1 and Dec. 3, the malware would choose to resolve the third C&C domain, but it would execute the DGA branch otherwise. Basically, the author didn’t want the DGA domains to be used before Dec. 4, which makes perfect sense, given that the first of them was actually registered on that date.
“The domain is generated based on a seed number and current date. The seed is converted from a hardcoded hex-format string by calling strtol(). It seems a wrong string of ‘\x90\x91\x80\x90\x90\x91\x80\x90’ was configured, which leads to the strtol() always returning 0. The local date is obtained by calling C library functions of time() and localtime(). Only month and day are used here,” the security researchers explain.
After identifying the malware samples that use the DGA feature, the security researchers noticed that they all share the same DGA in terms of seed string and algorithm.
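As an added example (not code from the article or from the 360 researchers), the Python below models the date check described above and flags DNS query names that match the reported DGA shape (12 lowercase letters plus one of the three TLDs). The generation algorithm itself is not on this page and is not reproduced; the log line format and the sample lines are constructed for the example.

```python
import re
from datetime import date

# Shape of the DGA output as described by the researchers: a 12-character
# second-level label drawn from 'a'..'z' under one of three TLDs. This only
# recognises that shape; the generator itself is not reproduced here.
MIRAI_DGA_TLDS = ("online", "tech", "support")
MIRAI_DGA_RE = re.compile(r"^[a-z]{12}\.(" + "|".join(MIRAI_DGA_TLDS) + r")$")


def looks_like_mirai_dga(qname: str) -> bool:
    """True if a DNS query name matches the reported DGA structure."""
    name = qname.strip().rstrip(".").lower()  # DNS names are case-insensitive
    return MIRAI_DGA_RE.match(name) is not None


def uses_dga_branch(d: date) -> bool:
    """Model of the date check described in the article: between Nov. 1 and
    Dec. 3 the sample resolves the third hardcoded C&C domain; on any other
    date it takes the DGA branch (reached only after the hardcoded C&C
    selected from the first two controllers fails to resolve)."""
    if d.month == 11 or (d.month == 12 and d.day <= 3):
        return False
    return True


# Constructed sample DNS query log (not from the article). The assumed
# format is "timestamp client qname", one query per line.
SAMPLE_LOG = """\
2016-12-05T10:01:22Z 10.0.0.17 www.example.com
2016-12-05T10:01:23Z 10.0.0.17 abcdefghijkl.online
2016-12-05T10:01:24Z 10.0.0.42 mnopqrstuvwx.tech
2016-12-05T10:01:25Z 10.0.0.42 short.support
2016-12-05T10:01:26Z 10.0.0.17 abcdefghijk1.support
"""


def flag_dga_queries(log_text: str) -> list:
    """Return (client, qname) pairs whose qname matches the DGA structure.
    Because the malware generates one domain per day, many clients querying
    the same matching name on the same day is the signal worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        if looks_like_mirai_dga(qname):
            hits.append((client, qname))
    return hits
```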