In preparation for our talk entitled \u201cIoT: Battle of Bots\u201d at the\u00a0RootedCon<\/a>\u00a0Security conference that will be held in Madrid, Spain this March 2018, the FortiGuard Labs team encountered yet another new Mirai variant.<\/p>\n Since the release of the source code of the Mirai botnet, FortiGuard Labs has seen a number of variations and adaptations written by multiple authors entering the IoT threat landscape. These modified Mirai-based bots differ by adding new techniques, in addition to the original telnet brute force login, including the use of\u00a0exploits<\/a>\u00a0and the targeting of more\u00a0architectures<\/a>. We have also observed that the motivation for many of the modifications to Mirai is to earn more money. Mirai was originally designed for DDoS attack, but later modifications were used to target vulnerable\u00a0ETH mining rigs<\/a>\u00a0to mine cryptocurrency. In this article we will discuss about how a Mirai-based bot called OMG turns an IoT device into a proxy server.<\/p>\n In October 2016, an\u00a0article<\/a>\u00a0was published by Brian Krebs about how cybercriminals earn money by converting IoT devices into proxy servers.\u00a0 Cybercriminals use proxies to add anonymity when doing various dirty work such as cyber theft, hacking into a system, etc. One way to earn money with proxy servers is to sell the access to these servers to other cybercriminals. This is what we think the motivation is behind this latest Mirai-based bot.<\/p>\n In this article, we will also take a look at its similarities compared to the original Mirai.<\/p>\n<\/div>\n We begin by taking a look at the configuration table of OMG. The table, originally encrypted, was decrypted using 0xdeadbeef as the cipher key seed, using the same procedure adopted for the original Mirai. The first thing we noticed are the strings\u00a0\/bin\/busybox OOMGA<\/i>\u00a0and\u00a0OOMGA: applet<\/i>\u00a0not found<\/i>. The name Mirai was given to the Mirai bot because of the strings\u00a0\/bin\/busybox MIRAI<\/i>\u00a0and\u00a0MIRAI: applet<\/i>\u00a0not found,\u00a0<\/i>which are commands to determine if it has successfully brute-forced its way into the targeted IoT device. These strings are similar with other variations such as Satori\/Okiru, Masuta, etc.<\/p>\n For this reason, we decided to name this variant OMG.<\/p>\n This variant also adds and removes some configurations that can be found in the original Mirai code. Two notable additions are the two strings that are used to add a firewall rule to allow traffic on two random ports, which we will discuss in the latter part of the article.<\/p>\n<\/div>\n It looks like OMG keeps Mirai\u2019s original modules, including the attack, killer, and scanner modules. This means that it can also do what the original Mirai could, i.e. kill processes (related to telnet, ssh, http by checking open ports, and other processes related to other bots), telnet brute-force login to spread, and DOS attack.<\/p>\n<\/div>\n After initializing the modules, OMG proceeds to connect to the command and control (CnC) server. The configuration table below contains the CnC server string,\u00a0ccnew.mm.my,\u00a0<\/i>which resolves to 188.138.125.235.<\/p>\n<\/div>\n The CnC port, also included in the configuration table, is 50023.<\/p>\n<\/div>\n Unfortunately, the CnC server was not responding when we did our analysis, so much of our findings are based on static analysis.<\/p>\n When connected, OMG sends a defined data message (0x00000000) to the CnC to identify itself as a new bot.<\/p>\n<\/div>\n Based on the code, the bot receives a 5-byte long data string from the server, with the first byte being the command on how the IoT device will be used. Expected values are:\u00a00<\/b>\u00a0to be used as a proxy server,\u00a01<\/b>\u00a0for attack, and\u00a0>1<\/b>\u00a0to terminate the connection.<\/p>\n<\/div>\n This variant of Mirai uses 3proxy, an open source software, to serve as its proxy server. The set up begins by generating two random ports that will be used for the\u00a0http_proxy_port<\/i>\u00a0and\u00a0socks_proxy_port<\/i>. Once the ports are generated, they are reported to the CnC.<\/p>\n<\/div>\n For the proxy to work properly, a firewall rule must be added to allow traffic on the generated ports. As mentioned earlier, two strings containing the command for adding and removing a firewall rule to enable this were added to the configuration table .<\/p>\n<\/div>\n After enabling the firewall rule to allow traffic to pass through the randomly generated HTTP and SOCKS ports, it sets up 3proxy with predefined configuration embedded in its code.<\/p>\n<\/div>\n As the server was not alive during analysis, we are assuming that the author sells access to the IoT proxy server, providing them access credentials.<\/p>\n<\/div>\n This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization.<\/p>\n As always, FortiGuard Labs will continue monitoring Mirai and its derivatives and share interesting insights from our research.<\/p>\n Thank you for additional insights from our colleague Artem Semenchenko<\/i><\/p>\n -= FortiGuard Lion Team =-<\/p>\n IOC<\/p>\n All samples detected as Linux\/Mirai.A!tr<\/p>\n <\/a><\/a>9110c043a7a6526d527b675b4c50319c3c5f5c60f98ce8426c66a0a103867e4e<\/p>\n a5efdfdf601542770e29022f3646d4393f4de8529b1576fe4e31b4f332f5cd78<\/p>\n <\/a>d3ed96829df1c240d1a58ea6d6690121a7e684303b115ca8b9ecf92009a8b26a<\/p>\n <\/a><\/a>eabda003179c8499d47509cd30e1d3517e7ef6028ceb347a2f4be47083029bc6<\/p>\n 9b2fe793ed900e95a72731b31305ed92f88c2ec95f4b04598d58bd9606f8a01d<\/p>\n <\/a><\/a><\/a><\/a><\/a><\/a>2804f6cb611dc54775145b1bb0a51a19404c0b3618b12e41b7ea8deaeb9e357f<\/p>\n CC<\/p>\n <\/a>54.234.123.22<\/p>\n ccnew.mm.my<\/p>\n rpnew.mm.my<\/p>\n<\/div>\nMirai vs OMG<\/h3>\n<\/div>\n
![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_100117124.img.png\")
Fig 1. Configuration table of OMG<\/span><\/div>\n![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_580877082.img.png\")
Fig 2. Mirai\u2019s main modules<\/span><\/div>\n![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_1852561122.img.png\")
Fig 3. CnC domain resolution<\/span><\/div>\n![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_1636789518.img.png\")
Fig 4. CnC port 50023<\/span><\/div>\n![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_1041220377.img.png\")
Fig 5. Data sent identifies it as new bot<\/span><\/div>\n![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_1226102507.img.png\")
Fig 6. Expected option from CnC server<\/span><\/div>\nOMG using 3proxy<\/h3>\n<\/div>\n
![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_176244147.img.png\")
Fig 7. Proxy setup<\/span><\/div>\nTABLE_IPTABLES1 -<\/span>><\/span> used to INSERT a firewall rule.<\/span>\niptables -<\/span>I INPUT -<\/span>p tcp --<\/span>dport %<\/span>d -<\/span>j ACCEPT;<\/span>\niptables -<\/span>I OUTPUT -<\/span>p tcp --<\/span>sport %<\/span>d -<\/span>j ACCEPT;<\/span>\niptables -<\/span>I PREROUTING -<\/span>t nat -<\/span>p tcp --<\/span>dport %<\/span>d -<\/span>j ACCEPT;<\/span>\niptables -<\/span>I POSTROUTING -<\/span>t nat -<\/span>p tcp --<\/span>sport %<\/span>d -<\/span>j ACCEPT\n \nTABLE_IPTABLES2 -<\/span>><\/span> used to DELETE a firewall rule.<\/span>\niptables -<\/span>D INPUT -<\/span>p tcp --<\/span>dport %<\/span>d -<\/span>j ACCEPT;<\/span>\niptables -<\/span>D OUTPUT -<\/span>p tcp --<\/span>sport %<\/span>d -<\/span>j ACCEPT;<\/span>\niptables -<\/span>D PREROUTING -<\/span>t nat -<\/span>p tcp --<\/span>dport %<\/span>d -<\/span>j ACCEPT;<\/span>\niptables -<\/span>D POSTROUTING -<\/span>t nat -<\/span>p tcp --<\/span>sport %<\/span>d -<\/span>j ACCEPT\n\n<\/code><\/pre>\n![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_787876606.img.png\")
Fig 8. Firewall enable\/disable function<\/span><\/div>\n![\"\"](\"https:\/\/www.fortinet.com\/content\/fortinet-blog\/us\/en\/threat-research\/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers\/_jcr_content\/root\/responsivegrid\/image_751955053.img.png\")
Fig 9. Proxy configuration<\/span><\/div>\nConclusion<\/h3>\n<\/div>\n