The Mirai bot that runs on the Linux operating system developed a new way to use Windows to further its malicious aims, security researchers found. According to, researchers from Russian cybersecurity firm Dr.
Web found a Windows Trojan designed to help spread the Mirai malware. This is an unusual development since Mirai had previously propagated only from Linux systems.
A New Way to Spread Mirai Malware Even though the actual Mirai bot will not run on a Windows machine, the Trojan can perform some of the work the bot might otherwise have to do on its own to find its victims. The Windows Trojan amplifies the overall Mirai infection with additional processing power. The Trojan infects Linux-running machines it discovers with the Mirai bot.
If it encounters a Windows system, it inserts the Trojan code instead. Both systems can be infected, just with different payloads. If the Trojan finds a database to infect, such as MS SQL or MySQL, it will try to create a new user that possesses admin privileges. Such a user could exfiltrate the information in that database, putting valuable information directly in the hands of the cybercriminal. A Brute-Force Attack on the Internet The classic starts its quest for worldwide domination by selecting a random IP address.
It then attempts to log into that IP address via the Telnet or SSH port using a list of default admin credentials. In many ways, Mirai’s propagation method alone is a brute-force attack on the internet. The malware authors experience no downside to their incessant pinging of IP addresses — it only enables them to identify more potential victims. This is where the Windows Trojan comes in: It can check IP addresses for the bot and return any positive results to the malware’s command-and-control (C&C) servers for final instructions. Additionally, Windows version of Mirai uses different ports than the Linux version to self-propagate. It can use ports 22 (Telnet), 23 (SSH), 135 (DCE/RPC), 445 (Active Directory), 1433 (MSSQL), 3306 (MySQL) and 3389 (RDP) in its effort to reproduce, Bleeping Computer noted.
Web researchers only found the Trojan in the last month, which means security professionals must be on high alert.
Mac OS malware increased by 247% in the fourth quarter of 2016, according to a new report by McAfee Labs. The dramatic increase in Apple Mac OS malware samples went from 50,000 in Q3 2016 to about 320,000 in Q4. McAfee Labs VP Vincent Weafer says the increase can be partially attributed to hackers setting their sights beyond Windows targets. More people are using multi-platform environments in their homes and businesses, he explains, and attackers are taking advantage. 'The more that happens, the more hackers will ensure their attacks work on various systems,' he says. 'It's a natural extension of how they look at the market and their victims.'
Cybercriminals are expanding their campaigns onto other platforms, going from Windows to Mac OS, iOS, and Android. While PCs remain the target of choice for large attack campaigns, the report shows that they are using the same types of attacks on a smaller scale for different platforms.
(Image: McAfee Labs) 'No platform is immune to attackers,' Weafer says. 'Attackers are taking the time to make their threats multi-platform.'
The biggest driver behind the 247% growth in Mac OS malware was OSX/Bundlore, Weafer says. Bundlore is an installer that combines legitimate apps with offers for third-party apps users may not want.
These third-party apps are usually installed by default but may present an 'opt-out' option following installation. Much of the Mac OS malware variants follow patterns similar to malware on PCs. Attackers are going after credentials, banking information, and access into organizations. They're using misleading applications, remote access programs, info stealers, and ransomware, which saw a large expansion onto Mac platforms last year as well, he says. Weafer notes the dramatic growth is related to the relatively small number of Mac devices. There are hundreds of thousands of new instances of Mac OS malware, but there are tens of millions on the PC side. 'In general, you see more spikes when you have lower numbers,' he notes.
The Q4 spike in Mac OS malware peaked at about 320,000, which equates to about 1.3% of the Windows volume. The from Q4 will likely go down, Weafer continues. This dramatic spike is short-term but malware is increasing overall, year-over-year, with more attacks on Macs, PCs, Android, and iOS. Malware will continue to increase as the IoT grows and more devices, including cameras and drones, enter the mix. 'We're living in a multi-platform, cloud environment and we need to think about the security of all these systems,' he emphasizes.
The Mac OS malware spike doesn't mean Mac-heavy businesses should be rethinking their strategies, Weafer continues. Basic security principles are still key and standard precautions should be in place: implementing security software, paying attention to app updates, knowing where data is located, and protecting it with strong and unique passwords. McAfee's report also includes insight on Mirai, the botnet that exploited poorly secured IoT devices in October 2016 to launch the largest-ever DDoS attack. In the six months since then, Mirai has infected about 2.5 million IoT devices, McAfee discovered. About five IP addresses are added to Mirai botnets every minute. Researchers also discussed drivers behind the rise in intelligence-sharing.
In general, businesses have been working individually as attackers use open collaboration sharing. Now they are trying to talk and share intelligence as they solve problems. Related Content:. Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial.