The Mirai malware that hijacked hundreds of thousands of IoT gadgets, routers and other devices is now capable of infecting Windows systems.
The software nasty, discovered in August 2016, broke into heaps of insecure Linux-powered gizmos worldwide before running distributed denial of service attacks, most notably against DNS provider Dyn. Many household names relied on Dyn's servers to prop up their websites and online services; these big brands effectively became unreachable to consumers for hours at a time during the now infamous attack last October.
Many of the commandeered devices were personal digital video recorders, webcams, and the like. The malware spread by scanning the internet for machines with open ports and then using default or hardcoded passwords to log in and take over.
This week, researchers at Russian security software maker Dr Web documented a Windows version of the Mirai bot that scans the 'net for vulnerable IoT devices after infecting a Microsoft-powered host. That means vulnerable gear on a corporate network, hopefully shielded from the open internet by a firewall, can be attacked by adjacent Windows clients and servers if they get infected.
The Windows build, Trojan.Mirai.1, written in C++, uses lists of IP addresses and passwords to scan networks and attempt to log into devices. If it gets into a Linux machine, via Telnet for example, it downloads and runs Linux.Mirai on the compromised node, which continues the malware's spread. If Trojan.Mirai.1 finds a Windows box on a network, it attempts to use WMI and IPC to launch a new process on the computer to infect it and continue the spread.
The cyber-nasty, first spotted on Microsoft-powered systems at the end of January, also uses the MS SQL Server event service, if available, to execute commands as an administrator and install malicious software.
How the trojan gets its foothold on a corporate network is up to the malware's masterminds: an booby-trapped email attachment, for instance, could be a starting point of a network infection. If your Windows PCs and servers are infected by unauthorized software, worrying about your IoT gadgets may be the last thing on your mind, of course. Having said that, only one or two Windows machines have to be successfully attacked for the malware to move on to an organization's vulnerable Linux gizmos.
Richard Meeus, a technology veep at California-based DDoS mitigators Nsfocus IB, said the latest flavor of Mirai poses a greater risk to enterprises.
"The use of Windows to distribute Mirai means that it has now established a bridgehead into private networks," Meeus said. "Previously, IoT devices that were not connected directly to the internet were not thought to be as heavily at risk as those that were. With Windows ever-present in many homes and businesses, Mirai now has a new vehicle to infect even more devices." ®