Mirai botnet

Security researchers have spotted a new variant of the Mirai malware that focuses on infecting IoT and networking equipment with the main purpose of turning these devices into a network of proxy servers used to relay malicious traffic.

IoT botnets used as proxy servers aren't a novel concept, and many such botnets were spotted throughout last year, the most famous being Linux.ProxyM.

Proxy feature is on par with the DDoS function

Fortinet claims this is the first Mirai variant that includes a proxy feature in addition to the DDoS function. But according to sources in the infosec community who spoke to Bleeping Computer on condition of anonymity, so as not to criticize Fortinet in public, this may not be entirely accurate.

Our sources said that malware authors have often tinkered with variations of the Mirai botnet meant to work as proxy servers ever since its release.

Most of those versions never saw massive distribution, nor did they focus primarily on the proxy feature, which was treated as secondary to the DDoS function.

The Mirai variant that Fortinet discovered and detailed in research published last week is the first Mirai variant that is distributed with consistency and puts the proxy feature on the same level of importance as the DDoS option.

New Mirai variant named Mirai OMG

Fortinet has named this variant Mirai OMG (based on the OOMGA string found in some parts of the malware's source code where the term "Mirai" used to be), and it now joins a growing Mirai family that also includes variants such as Satori (Okiru), Masuta, and Akuma.

But while Fortinet has not analyzed the traffic flowing through the Mirai OMG network, in theory, it should not be any different from the regular type of traffic that malicious proxy networks have been relaying for years. This includes:

- relaying traffic meant for malware C&C servers to hide their true location
- acting as launching points for dictionary and brute-force attacks to bypass security solutions that limit the number of failed attempts per IP
- launching SQL injection, CSRF, LFI, and XSS attacks to bypass geofencing rules and exploit other web applications
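The second item above is the reason a per-IP lockout alone misses proxy-relayed password guessing: each relay node stays under the limit while the target account is hammered from many addresses. The following detection script is an added example, not code from the article or from Fortinet's research; it assumes OpenSSH "Failed password" log lines (constructed sample, documentation IP ranges) and contrasts a per-IP counter with a per-account counter that also tracks distinct source addresses.

```python
import re
from collections import defaultdict

# Constructed sample of sshd authentication failures, as a proxy-distributed
# guessing attempt would appear: each source IP tries only once or twice
# (under a typical 5-per-IP lockout), but one account is hit from many
# addresses. Addresses come from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb 20 10:00:01 gw sshd[101]: Failed password for admin from 192.0.2.10 port 4001 ssh2
Feb 20 10:00:03 gw sshd[102]: Failed password for admin from 192.0.2.11 port 4002 ssh2
Feb 20 10:00:04 gw sshd[103]: Failed password for admin from 192.0.2.12 port 4003 ssh2
Feb 20 10:00:06 gw sshd[104]: Failed password for admin from 198.51.100.7 port 4004 ssh2
Feb 20 10:00:07 gw sshd[105]: Failed password for admin from 203.0.113.5 port 4005 ssh2
Feb 20 10:00:09 gw sshd[106]: Failed password for admin from 203.0.113.6 port 4006 ssh2
Feb 20 10:00:10 gw sshd[107]: Failed password for alice from 192.0.2.10 port 4007 ssh2
Feb 20 10:00:12 gw sshd[108]: Failed password for admin from 192.0.2.13 port 4008 ssh2
Feb 20 10:00:30 gw sshd[109]: Accepted password for alice from 198.51.100.20 port 4009 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log_text):
    """Yield (user, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def per_ip_alerts(log_text, threshold=5):
    """Classic limiter: flag a source IP only once it alone reaches the threshold."""
    counts = defaultdict(int)
    for _, ip in parse_failures(log_text):
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def per_account_alerts(log_text, threshold=5, min_distinct_ips=3):
    """Distributed view: flag an account that accumulates many failures from
    many distinct IPs, the signature of a proxy-relayed guessing campaign."""
    attempts = defaultdict(list)
    for user, ip in parse_failures(log_text):
        attempts[user].append(ip)
    return {user: sorted(set(ips)) for user, ips in attempts.items()
            if len(ips) >= threshold and len(set(ips)) >= min_distinct_ips}

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(SAMPLE_LOG))            # []
    print("per-account alerts:", per_account_alerts(SAMPLE_LOG))  # {'admin': [...]}
```

On the sample, the per-IP view raises nothing because no address exceeds two failures, while the per-account view flags "admin" with seven distinct sources. The same aggregation applies unchanged to telnet or web-login failure logs once the regex is adapted.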

Since Mirai OMG still relies on the classic Mirai spreading technique of brute-forcing devices using weak passwords, changing any IoT equipment's default password should safeguard most users from having their device taken over for a crime spree.
