Mirai botnet

Security researchers have spotted a new variant of the Mirai malware that focuses on infecting IoT and networking equipment with the main purpose of turning these devices into a network of proxy servers used to relay malicious traffic.

IoT botnets used as proxy servers aren't a novel concept, and many such botnets were spotted throughout last year, the most famous being Linux.ProxyM.

Proxy feature is on par with the DDoS function

Fortinet claims this is the first Mirai variant that includes a proxy feature alongside the DDoS function. But according to sources in the infosec community who spoke to Bleeping Computer on condition of anonymity, so as not to criticize Fortinet in public, this may not be 100% true.

Our sources said that malware authors have often tinkered with variations of the Mirai botnet meant to work as proxy servers ever since its release.

Most of those versions never saw massive distribution, nor did they make the proxy feature their primary focus, treating it as secondary to the DDoS function.

The Mirai variant that Fortinet discovered and detailed in research published last week is the first Mirai variant that is distributed with consistency and puts the proxy feature on the same level of importance as the DDoS option.

New Mirai variant named Mirai OMG

Fortinet has named this variant Mirai OMG — based on the OOMGA string found in some parts of the malware's source code where the term "Mirai" used to be — and this variant now joins a growing Mirai family that also includes variants such as Satori (Okiru), Masuta, and Akuma.

But while Fortinet has not analyzed the traffic flowing through the Mirai OMG network, in theory, it should not be any different from the regular type of traffic that malicious proxy networks have been relaying for years. This includes:

- relaying traffic meant for malware C&C servers to hide their true location
- acting as launching points for dictionary and brute-force attacks to bypass security solutions that limit the number of failed attempts per IP
- launching SQL injection, CSRF, LFI, and XSS attacks to bypass geofencing rules and exploit other web applications
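The second bullet is the one defenders most often get wrong: a lockout that counts failures per source IP sees nothing when a proxy botnet spreads one attempt per relay. As an added illustration (example code, not from the article or from Fortinet's research), the snippet below runs a classic per-IP check and a per-account, multi-source check over constructed sshd-style log lines; the IP ranges and account names are made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log lines (sshd-style), not taken from the article.
# "admin" is hit once from each of ten different source IPs, the pattern a
# proxy botnet produces; "backup" is hit six times from a single IP, the
# pattern a per-IP lockout is designed to catch.
SAMPLE_LOG = [
    f"Failed password for admin from 198.51.100.{i} port 5{i:04d} ssh2"
    for i in range(1, 11)
] + [
    f"Failed password for backup from 203.0.113.7 port 4{i:04d} ssh2"
    for i in range(1, 7)
]

FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(lines):
    """Return (account, source_ip) pairs, one per failed-login line."""
    pairs = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def per_ip_lockout(failures, threshold=5):
    """Classic control: flag any source IP with at least `threshold` failures."""
    hits = Counter(ip for _, ip in failures)
    return {ip for ip, n in hits.items() if n >= threshold}

def per_account_spread(failures, min_failures=8, min_sources=5):
    """Proxy-aware control: flag an account hammered from many distinct IPs,
    even when every single IP stays under the per-IP threshold."""
    sources = defaultdict(set)
    counts = Counter()
    for account, ip in failures:
        sources[account].add(ip)
        counts[account] += 1
    return {
        acct for acct, ips in sources.items()
        if len(ips) >= min_sources and counts[acct] >= min_failures
    }

if __name__ == "__main__":
    f = parse_failures(SAMPLE_LOG)
    print("per-IP lockout flags:", per_ip_lockout(f))          # {'203.0.113.7'}
    print("per-account spread flags:", per_account_spread(f))  # {'admin'}
```

The per-IP check flags only the single noisy source, while the distributed attack against "admin" is visible only when failures are aggregated by target account across sources.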

Since Mirai OMG still relies on the classic Mirai spreading technique of brute-forcing devices using weak passwords, changing any IoT equipment's default password should safeguard most users from having their device taken over for a crime spree.
