NewsFebruary 23, 2017 @ 10:30 AM

Researchers Find Clues in Windows Mirai Botnet Spreader Code

The recently observed Mirai botnet spreader that uses Windows systems as its launching pad has caused some consternation in security circles. This week, Russian-based Kaspersky Lab issued a report on the phenomenon that looked at the specifics of the malware for some insight as to its origin and function.

Mirai Botnet Code Contains Crucial Clues

Security researchers stressed that what they have seen since January is just spreader malware that uses a different platform, not a new botnet. It attempts to brute-force a remote Telnet connection to spread Mirai to resources that would have otherwise been unavailable. The actual botnet still needs an embedded Linux system to operate.

SecurityWeek reported that some spreader components date back as far as 2014, and the functionality of invasive SQL attacks can be traced back to public sources as early as 2013. Meanwhile, the Kaspersky report noted that one of the directly related web command-and-control (C&C) hosts has been serving bot components since at least August 2014.

However, interesting clues emerged when the researchers analyzed the spreader’s code. Kaspersky experts called the code “richer and more robust than the Mirai codebase, with a large set of spreading techniques, including brute-forcing over Telnet, SSH, WMI, SQL injection and IPC techniques.”

Digging to China

Researchers also looked at multiple artifacts in the code, such as the word choices of string artifacts, and found that the code was compiled on a Chinese system. Additionally, the host servers were maintained in Taiwan and the operators abused code-signing certificates stolen from Chinese companies. These discoveries led the researchers to conclude that the attackers speak Chinese.

The report noted that the bot variant code and its components “have been pulled together from other projects and previous sources.” For example, components are embedded within JPEG file comments, a technique that has been used since 2013. This can provide the bot with very large file objects.

Kaspersky concluded that this spreader shows the development process going on around Mirai. It is changing from a pure destructive effort to a display of sophisticated propagation and intrusion capabilities. Security professionals will need to keep a keen eye on this malware in the future as it evolves further.

Share this Article:
Larry Loeb

Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He wrote for IBM's DeveloperWorks site for seven years and has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange.