Mirai is a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks.
The new variant is shifting the use of the malicious payload beyond the internet of things (IoT), according to NETSCOUT ASERT’s researchers who discovered it by using the company’s honeypot network to monitor the tens of thousands of daily exploit attempts for the Hadoop YARN vulnerability. YARN is a large-scale, distributed operating system for big data applications.
Matt Bing, NETSCOUT ASERT security research analyst, said: “Mirai botmasters have found they can target Linux servers just as easily as IoT devices. They attack the servers themselves rather than rely on the bots to propagate, since servers tend not to move around the network or get powered down.
Servers make an attractive target for DDoS bots for their network speed and hardware resources, compared to relatively underpowered IoT devices, according to Bing.
He said: “What we’ve seen is Linux servers being conscripted to the same botnets as IoT devices. In the future, we can expect more DDoS botnets with both infected IoT devices and Linux servers, like an army of foot soldiers being supported by tanks.”
The new variant of Mirai is tailored to run on Linux servers and behaves in a similar way to the original version, but this is the first time ASERT has witnessed Mirai being used to exploit non-IoT systems in the wild.
Bing said: “Rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves. A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware.”
A command injection flaw enables the execution of arbitrary shell commands, a vulnerability used in October 2018 month to install the DemonBot DDoS bot, according to the researchers.