Security experts have identified a new variant of the Mirai botnet used in live attacks which features a built-in domain generation algorithm (DGA).
The Mirai Botnet Evolves Once Again
The Mirai botnet has evolved once again as security experts uncovered a newly identified strain that now features a built-in domain generation algorithm. The new worm has been identified in several large attack campaigns as its samples have been collected from specialist honeypot servers.
The new Mirai virus spreads using TCP ports 7547 and 5555. The samples are attributed to an author who has used the email address dlinchkravitz[at]gmail[dot]com to register some of the generated domains.
The new virus capabilities allow the malware to use 3 top-level domains (TLDs): .online, .tech and .support, with a second-level domain of a fixed length of 12 bytes. The characters are chosen randomly from the letters a to z. The domain generation algorithm is determined by the day and month and is seeded by a hardcoded seed string in the code.
The new DGA is used as a fallback mode if the worm cannot contact the hardcoded C&C remote servers. The current malware iteration cannot create more than a single domain per day, which limits its maximum DGA output to 365 domains per year. The experts have analyzed the samples and concluded that the 3 C&C servers are hardcoded in the code itself and that a random number is used to select which of them is the primary controller.
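The description above gives a defender enough to write a cheap triage filter for DNS logs: a query name made of exactly 12 lowercase letters under one of the three named TLDs is worth a closer look, and a host that keeps producing such names day after day matches the one-domain-per-day fallback behaviour. The following Python is an added example, not code from the original article or from the malware analysis; it does not reproduce the actual seeded algorithm, only the shape of its output, so the sample log lines are constructed and the check is a heuristic that will also flag legitimate 12-letter domains on those TLDs.

```python
import re
from collections import Counter

# Shape reported for the fallback domains: 12 letters a-z plus one of three TLDs.
DGA_TLDS = ("online", "tech", "support")
DGA_PATTERN = re.compile(r"^[a-z]{12}\.(" + "|".join(DGA_TLDS) + r")$")


def looks_like_mirai_dga(domain: str) -> bool:
    """True if the query name matches the 12-letter / 3-TLD shape (heuristic only)."""
    return DGA_PATTERN.match(domain.strip().rstrip(".").lower()) is not None


def scan_dns_log(lines):
    """Parse constructed '<timestamp> <client> <qname>' lines; return (day, client, qname) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts[0], parts[1], parts[2]
        if looks_like_mirai_dga(qname):
            hits.append((ts[:10], client, qname.rstrip(".").lower()))
    return hits


def hits_per_client(hits):
    """Count hits per client; repeated matches on successive days suggest a host cycling DGA names."""
    return Counter(client for _, client, _ in hits)


# Constructed sample DNS query log (not real traffic, not real indicators).
SAMPLE_LOG = [
    "2019-03-01T10:00:01Z 10.0.0.5 www.example.com",
    "2019-03-01T10:00:02Z 10.0.0.5 abcdefghijkl.online",
    "2019-03-01T10:00:03Z 10.0.0.7 xkqwmzpltvbn.tech",
    "2019-03-01T10:00:04Z 10.0.0.5 short.online",            # too short, ignored
    "2019-03-02T09:30:00Z 10.0.0.5 qwertyuiopas.support.",   # trailing dot is tolerated
    "2019-03-02T09:30:01Z 10.0.0.9 abc123defghi.tech",       # digits, ignored
    "garbage line",
]

if __name__ == "__main__":
    for day, client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"{day} {client} queried DGA-shaped name {qname}")
    print(hits_per_client(scan_dns_log(SAMPLE_LOG)))
```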
TCP port 5555 is used by the SoftEther VPN service, the Freeciv gaming protocol and several backdoors for remote command execution. Port 7547 is associated with the TR-069 protocol, which is used for remote management of end-user devices. It is very popular among networking equipment such as modems, routers, gateways, VoIP phones and others.
As the Mirai botnet has been used in some of the largest botnet attacks on the Internet, we expect to see other derivative samples in the near future. The worm has proved to be one of the most successful attack tools of the last few years, and it is not surprising to see new iterations. The DGA is merely an example of what we can expect in future versions of Mirai.
For more information about the recent attacks you can read our article on the topic.