
Mirai botnet started mining bitcoins on DVRs and camcorders



Researchers at IBM X-Force have discovered a variant of the ELF Linux/Mirai trojan that carries a new module for mining Bitcoin. As before, the trojan has worm functionality: it searches for and infects vulnerable Internet-connected devices running Linux, such as digital video recorders (DVRs), set-top boxes, surveillance and IP cameras, and routers.

Bitcoin mining is a new, but quite expected, feature for a botnet that was previously used only for DDoS attacks. To turn a DDoS attack into a profit, the operators need either a paying customer or a suitable victim who agrees to pay to make the attack stop (the service is positioned as "consulting" in the field of information security and DDoS protection, and a contract can even be signed). Looking for customers and victims is a permanent job that takes a lot of time. Mining Bitcoin, on the other hand, gives a constant passive income and requires no effort.
It is unlikely that the attackers earn much from mining. Even hundreds of thousands of set-top boxes and surveillance cameras cannot compute any significant number of hashes, so the botnet owners will earn a few satoshi. But a few satoshi is better than nothing while the botnet would otherwise sit idle.

On such devices the hashrate is simply ridiculous; nobody has even bothered to measure it. It is known that Cortex-A8 processors achieve a hashrate of 0.12–0.2 MH/s and Cortex-A9 processors 0.57 MH/s, and most set-top boxes have weaker processors than that.

Recall that the Mirai worm and botnet made a lot of noise in September and October 2016. Because the worm automatically tried standard login/password combinations, it managed to spread to hundreds of thousands of devices (security cameras, routers, digital set-top boxes and DVRs), from which it launched several DDoS attacks. The power of these attacks far exceeded what ordinary PC botnets can produce, because ordinary computers are much harder to infect in such numbers.

In September last year, one of the first victims of the Mirai botnet was journalist Brian Krebs, who specializes in information security and the deanonymization of hackers. Traffic towards his hosting provider peaked at 665 Gbit/s, one of the most powerful DDoS attacks in the history of the Internet. Krebs had to take the site offline, because Akamai dropped it from its DDoS protection so as not to put other clients at risk.

In September and October 2016, the botnet was used to attack the French hosting provider OVH and for a powerful DDoS attack on Dyn, which provides network infrastructure and DNS services for key American organizations. In that case the stream of junk requests from tens of millions of IP addresses reached about 1 Tbit/s. Users around the world had trouble accessing Twitter, Amazon, Tumblr, Reddit, Spotify, Netflix and other services. In effect, the Mirai botnet temporarily "took down" a small segment of the American Internet.

In November, a new version of Mirai attacked several models of Zyxel and Speedport routers belonging to customers of the German Internet service provider Deutsche Telekom. As Kaspersky Lab's investigation showed, the modified worm in this case used a new distribution method: the specialized TR-064 protocol, which providers use to remotely manage customer devices. If the management interface (on port 7547) is reachable from the outside, an attacker can either download and execute arbitrary code on the device directly, or achieve the same result by first using TR-064 to expose the device's regular web interface.


Web console of the Mirai dropper. Screenshot: IBM X-Force

In September and October 2016, a real war unfolded between hackers for control of the Mirai botnet after a vulnerability was discovered in the worm's code. Although Brian Krebs eventually managed to de-anonymize the authors of the original version of Mirai, it is very likely that control of the botnet now belongs to other hackers, whether one group or several.

The new version of Mirai with a built-in miner probably belongs to one of the groups fighting for control of the botnet. Activity from this version of the malware was observed for several days at the end of March.



Reportedly, the worm spreads using the same methods as before: it scans the address space for devices that expose Telnet (port 23) and guesses their passwords. Linux devices running any version of BusyBox and DVRHelper are at risk if they are left with default passwords.
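As an added illustration (not code from the article or from IBM X-Force), the two spreading behaviours described here, outbound Telnet scanning from an already-infected device and inbound probes of exposed Telnet and TR-064 management ports, can be spotted in flow logs with a simple heuristic. The log sample, the internal prefix `192.0.2.` and the threshold of five distinct Telnet targets are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed flow-log sample: "timestamp src dst dst_port". Not real traffic.
FLOW_LOG = """\
2017-04-10T10:00:01 192.0.2.10 198.51.100.1 23
2017-04-10T10:00:01 192.0.2.10 198.51.100.2 23
2017-04-10T10:00:02 192.0.2.10 198.51.100.3 23
2017-04-10T10:00:02 192.0.2.10 198.51.100.4 23
2017-04-10T10:00:03 192.0.2.10 198.51.100.5 23
2017-04-10T10:00:05 192.0.2.20 198.51.100.7 443
2017-04-10T10:00:06 192.0.2.20 198.51.100.8 23
2017-04-10T10:01:00 203.0.113.5 192.0.2.30 7547
2017-04-10T10:01:01 203.0.113.6 192.0.2.31 23
2017-04-10T10:01:02 203.0.113.7 192.0.2.31 80
"""

# Ports the article associates with Mirai spreading: Telnet and the TR-064 interface.
MIRAI_PORTS = {23: "telnet", 7547: "TR-064"}
INTERNAL_PREFIX = "192.0.2."  # assumed address range of our own devices


def parse_flows(text):
    """Parse the constructed log format into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, src, dst, int(dport)))
    return flows


def find_scanners(flows, port=23, min_targets=5):
    """Sources that contacted >= min_targets distinct hosts on `port`: worm-like scanning."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def exposed_mgmt_hits(flows, internal_prefix=INTERNAL_PREFIX):
    """External sources reaching internal devices on Telnet or TR-064 (ports that should be closed)."""
    return [(ts, src, dst, MIRAI_PORTS[dport]) for ts, src, dst, dport in flows
            if dport in MIRAI_PORTS and dst.startswith(internal_prefix)
            and not src.startswith(internal_prefix)]


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for src, dsts in find_scanners(flows).items():
        print(f"ALERT possible infected scanner {src}: {len(dsts)} Telnet targets")
    for ts, src, dst, svc in exposed_mgmt_hits(flows):
        print(f"ALERT {ts} inbound {svc} probe {src} -> {dst}")
```

On the sample, the first alert singles out the device hitting five Telnet targets in three seconds, and the second pair shows that two internal devices answer on ports that a provider-managed box should never expose to the Internet.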

Source: https://habr.com/ru/post/403153/
