While much ransomware and malware targeted desktops in the past, a new trojan has emerged to hit Linux-based IoT devices in an uncomplicated way. Codenamed Mirai, the trojan performs DDoS attacks to silently infect connected devices.
MalwareMustDie researchers have spotted the Mirai trojan. It previously entered the malware market under names such as Gafgyt, Lizkebab, BASHLITE and Torlus.
The research team has found that the Mirai infection can be executed without any parameter. However, some instances show that even the downloaded malware file is deleted after execution.
“In some cases of the Linux/Mirai infection is showing traces that the malware was executed without parameter, and there are cases where the downloaded malware file(s) is deleted after execution. In this case, mostly you won’t get the samples unless you dump the malware process to the ELF binary,” one of the researchers wrote in a blog post.
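For responders facing the deleted-after-execution case in the quote, the following added example (not code from the MalwareMustDie post) lists running processes whose executable has been unlinked and saves a copy of each one. It assumes a Linux host where the kernel appends " (deleted)" to the `/proc/<pid>/exe` link target and keeps the file readable through that link; the function names and the `./recovered` output directory are hypothetical.

```python
"""Added example: find running processes whose executable was deleted from disk
and save a copy of each binary through /proc/<pid>/exe (Linux only)."""
import hashlib
import os

DELETED_SUFFIX = " (deleted)"  # appended by the kernel to the exe link target


def find_deleted_exe_processes(proc_root="/proc"):
    """Return [(pid, original_path)] for processes running from an unlinked file."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as /proc/meminfo
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient privilege
        if target.endswith(DELETED_SUFFIX):
            hits.append((int(entry), target[: -len(DELETED_SUFFIX)]))
    return sorted(hits)


def recover_binary(pid, out_dir, proc_root="/proc"):
    """Copy the executable of `pid` into out_dir; return (saved_path, sha256)."""
    os.makedirs(out_dir, exist_ok=True)
    src = os.path.join(proc_root, str(pid), "exe")
    dst = os.path.join(out_dir, f"pid{pid}.recovered")
    digest = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(65536), b""):
            digest.update(chunk)
            fout.write(chunk)
    os.chmod(dst, 0o400)  # keep the recovered sample read-only, never executable
    return dst, digest.hexdigest()


if __name__ == "__main__":
    # Run as root to see every process; ./recovered is a hypothetical output path.
    for pid, path in find_deleted_exe_processes():
        try:
            saved, sha256 = recover_binary(pid, "./recovered")
        except OSError as exc:
            print(f"pid {pid}: {path} (deleted), not recovered: {exc}")
            continue
        print(f"pid {pid}: {path} (deleted) -> {saved} sha256={sha256}")
```

A process whose binary was replaced by a package upgrade also shows a deleted executable, so treat each hit as a lead to verify rather than as proof of infection.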
The DDoS trojan aims to hit IoT devices on platforms like ARM, MIPS, PPC, SH4, SPARC and x86. It also targets hardware with the Busybox GNU library.
MalwareMustDie researchers spotted the “/dvrHelper” string in the Mirai code. This suggests that the malware is targeting DVRs and IP cameras. But the trojan could also let attackers access unattended Linux servers using the same structure. Additionally, Linux devices based on the x86-32 architecture are not considered a priority for the DDoS trojan, as most of the samples target ARM chips.
Users are advised to secure their devices to protect them from Mirai. Moreover, server administrators and sysadmins can deploy mitigations on their end to filter brute-force traffic from the newest malware.