Security researchers alarm about newly-found versions of the Mirai botnet pack domain generation algorithm (DGA) features, which are not associated with previous Mirai samples.
Mirai is an Internet of Things (IoT) botnet that appeared a couple of months ago. However, it gained popularity quite fast as, last September, it was used in large distributed denial of service (DDoS) attacks against the websites of security blogger Brian Krebs and hosting provider OVH. And yet, the interest in Mirai increased only after its source code was published online in October.
Researchers said that, by the end of October, Mirai has managed to infect devices in 164 different countries around the globe, taking advantage of their weak security. Moreover, at this time, Mirai was believed to have been used in a huge DDoS attack against DNS provider Dyn. As a result from this, many popular websites became inaccessible to some of their visitors.
Unsurprisingly, Mirai`s source code being available online contributed to many new malware pieces` creation. One of them is a Mirai-based worm which sends commands to infected devices utilizing a TR-064 protocol.
Also, security experts from Network Security Research Lab at 360 said that there are at least 53 Mirai`s samples currently existing. Moreover, the researchers say that they have spotted even newer samples that spread via TCP ports 7547 and 5555. What`s more, the experts found out that the malware creator, who uses the firstname.lastname@example.org email address, has already registered some of the generates domains.
The experts explain that the analyzed malware samples use 3 top-level domains (TLDs) – .online, .tech, and .support, with each layer 2 (L2) domain having a fixed length of 12-bytes and with each character randomly chosen from ‘a’ to ’z’.
The researchers also state that the generated domain is determined only by day, month and hardcoded seed string. However, as it turns out, the new Mirai variants use the DGA domain only when the hardcoded C&C domain fails to resolve. Moreover, the malware generates only one domain per day meaning that the maximum DGA domain number for a year is 365.
The samples analysis showed that 3 C&C controllers are hardcoded in the malware and that one server from both the first and second controllers is randomly selected. If the selected domains fail to resolve, the malware uses the DGA or tries resolving the third C&C domain.
Between November 1st and December 3rd, the malware would choose to resolve the third domain instead of executing the DGA branch. This is because the malware developer didn’t want the DGA domains to be executed before December 4th as the first of them was registered on that date.
“The domain is generated based on a seed number and current date. The seed is converted from a hardcoded hex-format string by calling strtol(). It seems a wrong string of “\x90\x91\x80\x90\x90\x91\x80\x90” was configured, which leads to the strtol() always returning 0. The local date is got by calling C library functions of time() and localtime(). Only month and day are used here.” – the security researchers explain.
When the researchers analyzed the malware samples which uses the DGA feature, they found that all of them share the same DGA in terms of algorithm and speed.