SECURITY RESEARCHERS have uncovered a Windows Trojan designed to help hackers infect Linux devices with Mirai malware.
Russian security software company Dr Web claims to have uncovered the Windows Mirai Trojan, which it has labelled Trojan.Mirai.1. It is targeted at Windows PCs, and when established it scans the user's network for evidence of compromisable Linux-based connected devices.
"When launched, the Trojan connects to its command and control server, downloads the configuration file, and extracts the list of IP addresses.
"Then, Trojan.Mirai.1 launches a scanner that addresses the network nodes listed in the configuration file and attempts to log in using the login and password combination indicated in the same file. Trojan.Mirai.1's scanner can check several TCP ports simultaneously," claimed the company in an advisory published this week.
"If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands. The only exception is a connection via RDP protocol: in this case, none of the instructions are executed.
"Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai."
The malware can also identify a wide variety of host software, including MySQL and Microsoft SQL Server databases.
"If the attacked remote computer has Microsoft SQL Server... Trojan.Mirai.1 creates within it the user Mssqla with the password Bus3456#qwein and sysadmin [systems administrator] privileges," continues the advisory.
"Acting under the name of this user and with the help of the SQL Server event service, the Trojan executes various malicious tasks. Thus the Trojan, for example, launches executable files with administrator privileges, deletes files, or plants icons in the system folder for automatic launch (or creates the corresponding logs in the Windows registry).
"After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals."
The Mirai malware was originally developed during 2015 and 2016 and used in a variety of targeted attacks, allegedly related to a Minecraft server protection racket.
However, after the source code was leaked, it was used to harness together a bot-net of connected devices, which was used to launch large-scale distributed denial of service (DDoS) attacks.
Mirai takes advantage of old, unpatched and insecure versions of Linux running on connected devices, particular digital video recorders used to record CCTV images, which are often connected to the internet so that their owners can keep an eye on the security of their homes and businesses.
The designers of the CCTV systems and DVRs typically make the devices easy to set-up for internet viewing - but also punch large holes in owners' security in the process.
The Windows Trojan is designed to get the Mirai malware onto even more devices. It's not definitely known who might be responsible for it, although security journalist Brian Krebs has already pointed the finger at an alleged culprit following an in-depth investigation over several months.
Windows 10, 64-bit OS devices susceptible to rootkit attack
Malware suite likened to Stuxnet worm
Not the biggest fish out there
Redmond says figure is closer to the five million mark