OMG: Mirai Botnet Finds New Life, Again

The Mirai botnet refuses to die. This time, it has spawned a new bot called OMG, which Fortinet researchers have seen in the wild, and it's turning IoT devices into proxy servers.

Larry Loeb, Blogger, Informationweek

February 28, 2018

3 Min Read

The Mirai botnet -- used for so many Distributed Denial of Services (DDoS) attacks -- has a new variant that security company Fortinet has seen in the wild.

What company researchers are calling the OMG bot concentrates on establishing proxy servers that can be used to disseminate malicious traffic, and it uses Internet of Things (IoT) devices to get the job done.

Mirai variations have been designed for other tasks, such as cryptomining, in the past. While there have been attempts to include a proxy server before, this seems the first Mirai variant that is both widely distributed and emphasizes the proxy function as a main goal of the malware.

(Source: Pixabay)

(Source: Pixabay)

The goal of OMG may be to commercialize the proxy server for others to use as a distribution mechanism, according to Fortinet.

This kind of proxy server has many uses for malware. The proxy can relay instructions from another malware's Command and Control (C&C) server which will mask the true location of it. (See How Secure Are Your IoT Devices?)

Not only that, brute-force and dictionary attacks on something may be mitigated by only allowing certain number of attempts at a time to be made by a specific IP address. The proxy allows such an attack to continue by changing the IP address the victim sees.

Fortinet's analysis of the code found that OMG keeps Mirai's original module, which include an attack, killer and scanner module. This implies that it can function in the same way the original Mirai does. It can kill processes -- this can include telnet, ssh and http by checking open ports, and other processes related to other bots -- as well as telnet via brute-force login so it may spread, and launch a DDoS attack.

Once it initializes, the bot module tries to connect to the C&C server. Fortinet found that the C&C for Mirai OMG was at 188.138.125.235 with a port of 50023. However, they were not able to see the C&C in action, so their investigation is based only on static analysis of the code.

The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

The C&C server will respond to a module announcing that it has joined the net with either a 0 (be a proxy server), a 1 (attack something) or teardown the connection and hide.

The proxy server uses 3proxy, which is open source software. The server begins its life by generating two random ports that are used for the http_proxy_port and socks_proxy_port. Once the ports have been generated, they are reported to the C&C which then uses them.

The same techniques that prevent Mirai will help prevent this variant. It expects weak, default passwords to be present on the device. It's up to the user to change them to stronger, more robust ones.

Related posts:

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights