Security researchers have spotted a new variant of the Mirai malware that focuses on infecting IoT and networking equipment with the main purpose of turning these devices into a network of proxy servers used to relay malicious traffic.
IoT botnets used as proxy servers aren't a novel concept, and many such botnets were spotted throughout last year, the most famous being Linux.ProxyM.
Fortinet claims this is the first Mirai variant that includes a proxy feature in addition to the DDoS function. But according to sources in the infosec community who spoke to Bleeping Computer on condition of anonymity, so as not to criticize Fortinet in public, this may not be 100% true.
Our sources said that malware authors have often tinkered with variations of the Mirai botnet meant to work as proxy servers ever since its release.
Most of those versions never saw massive distribution, nor did they focus on the proxy feature primarily, putting it aside for the DDoS function.
The Mirai variant that Fortinet discovered and detailed in research published last week is the first Mirai variant that is distributed with consistency and puts the proxy feature on the same level of importance as the DDoS option.
Fortinet has named this variant Mirai OMG (based on the OOMGA string found in some parts of the malware's source code where the term "Mirai" used to be), and this variant now joins a growing Mirai family that also includes variants such as Satori (Okiru), Masuta, and Akuma.
But while Fortinet has not analyzed the traffic flowing through the Mirai OMG network, in theory, it should not be any different from the regular type of traffic that malicious proxy networks have been relaying for years. This includes:
Since Mirai OMG still relies on the classic Mirai spreading technique of brute-forcing devices using weak passwords, changing any IoT equipment's default password should safeguard most users from having their device taken over for a crime spree.
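The spreading technique described above, credential brute-forcing over the device's remote login service, leaves a characteristic trace in the device's own logs: a burst of failed logins from one source, often cycling through several usernames, sometimes followed by a success. The script below is an added example written for this article, not code from Fortinet or from the malware analysis; it parses constructed dropbear-style login log lines (the sample lines, the log format, and the TEST-NET addresses are all assumptions made here) and flags sources that exceed a failure threshold inside a time window, marking separately the case where a success follows the burst, which is the one that warrants treating the device as compromised rather than merely probed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not taken from the article): syslog-style lines as a
# dropbear-like login daemon on an IoT device might emit them. The first source
# hammers several usernames and eventually gets in; the second is one typo.
SAMPLE_LOG = """\
Feb 22 10:00:01 camera dropbear[812]: Bad password attempt for 'root' from 203.0.113.5:40001
Feb 22 10:00:02 camera dropbear[813]: Bad password attempt for 'admin' from 203.0.113.5:40002
Feb 22 10:00:03 camera dropbear[814]: Bad password attempt for 'root' from 203.0.113.5:40003
Feb 22 10:00:04 camera dropbear[815]: Bad password attempt for 'user' from 203.0.113.5:40004
Feb 22 10:00:05 camera dropbear[816]: Bad password attempt for 'root' from 203.0.113.5:40005
Feb 22 10:00:06 camera dropbear[817]: Password auth succeeded for 'root' from 203.0.113.5:40006
Feb 22 10:30:00 camera dropbear[900]: Bad password attempt for 'admin' from 198.51.100.9:51000
Feb 22 10:30:01 camera dropbear[901]: Password auth succeeded for 'admin' from 198.51.100.9:51001
"""

# Assumed log line shape: "<Mon DD HH:MM:SS> <host> <prog[pid]>: <event> for '<user>' from <ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"(?P<event>Bad password attempt|Password auth succeeded) for "
    r"'(?P<user>[^']+)' from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)


def parse_ts(ts, year=2018):
    """Syslog timestamps carry no year; the caller supplies one (assumed 2018 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse(log_text):
    """Return login events as dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": parse_ts(m["ts"]),
            "failed": m["event"].startswith("Bad"),
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside any window_seconds span.

    Returns {src: {"usernames_tried": [...], "success_after_burst": bool}}.
    A success that follows a burst from the same source is the signal that the
    brute-force worked and the device should be treated as compromised.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        recent = []          # failure timestamps still inside the sliding window
        users = set()
        burst = False
        success_after = False
        for e in evs:
            if e["failed"]:
                recent.append(e["time"])
                users.add(e["user"])
                # drop failures that have aged out of the window
                recent = [t for t in recent
                          if (e["time"] - t).total_seconds() <= window_seconds]
                if len(recent) >= threshold:
                    burst = True
            elif burst:
                success_after = True
        if burst:
            alerts[src] = {
                "usernames_tried": sorted(users),
                "success_after_burst": success_after,
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        verdict = "COMPROMISED" if info["success_after_burst"] else "probed"
        print(f"{src}: {verdict}, usernames tried: {', '.join(info['usernames_tried'])}")
```

On the sample, 203.0.113.5 is reported as compromised (five failures in five seconds, then a success) while 198.51.100.9 is ignored, since a single failed attempt followed by a success looks like a legitimate user. The threshold and window are deliberately parameters: a device with a tiny log buffer may need a lower threshold, and a source that spreads attempts over hours will only show up if the window is widened.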