This article is more than 1 year old

Sign of the times: Mirai botnet strain fine-tunes itself to infect digital signage, projectors

Notorious code puts on suit and tie, goes after business kit

A strain of the botnet malware Mirai has emerged focused on a wider set of embedded internet-connected devices.

Researchers at Palo Alto Networks' Unit 42 this week stated that a variant of the notorious Internet-of-Things infector is now looking to hijack TVs and projectors designed to display information and adverts, as well as the usual broadband routers, network-attached storage boxes, and IP-enabled cameras and digital video recorders.

The malware, best known for its hefty distributed denial-of-service (DDoS) punch and rapid expansion in 2016 and 2017, previously spread mostly around poorly protected consumer IoT devices. Its source code was leaked in 2016, allowing any miscreant to launch their own incarnation of the software nasty.

This latest flavor of Mirai attempts to compromise WePresent projectors, D-Link video cameras, LG digital signage TVs, and routers from Netgear, D-Link, and Zyxel, by exploiting vulnerabilities in firmware, and rope them into its remote-controlled botnets. At that point, the commandeered equipment can be instructed from afar to find and infect other devices, launch DDoS attacks, and other mischief.

"In particular, Unit 42 found this new variant targeting WePresent WiPG-1000 Wireless Presentation systems, and in LG Supersign TVs," the researchers said. "Both these devices are intended for use by businesses. This development indicates to us a potential shift to using Mirai to target enterprises."

In total, Unit 42 said, the new strain of the malware packed an arsenal of 27 exploits, including 11 that are new to Mirai, and eight that had previously not been used in the wild. All the targeted security flaws are known and patches exist for them. See the above link for the full list: the exploits mainly target security holes in the web-based user interface of the target device to execute arbitrary commands that download and run the botnet client.

According to the Unit 42 bug-hunters, the targeting of enterprise devices may be about more than just getting a new set of bots. Because businesses often have better network connections than residences enjoy, infecting an enterprise device will give the malware operator greater bandwidth to work with, meaning more data can be blasted at the botnet operator's chosen targets.

The downside of this approach is that businesses are, usually, a lot quicker to spot malware attacks and lock down their systems. But by going for seldom-patched hardware the attackers may think they can stay under the radar.

penguin entree army - black olives, carrot pieces and mozzarella balls pierced by toothpicks

Malware scum want to build a Linux botnet using Mirai


"IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both," Unit 42's Ruchna Nigam said.

"In addition, targeting enterprise vulnerabilities allows them access to links with potentially larger bandwidth than consumer device links, affording them greater firepower for DDoS attacks."

Unit 42 recommends that companies make sure all of their device firmware is up to date, particularly on network-attached gadgets like their routers, signage, and surveillance cameras. As none of the exploited flaws appear to be zero-days, and patches are available, an update will block off the targeted bugs. ®

More about


Send us news

Other stories you might like