SECURITY EXPERTS have discovered what they believe are the first non-IoT versions of the Mirai malware in the wild.
Mirai, which is Japanese for "the future", is malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks.
The researchers behind the discovery are from Netscout, an application and network performance management firm. They said that they observed at least one dozen Mirai variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.
This has led them to believe botmasters are now shifting their focus from IoT devices and are now targeting commodity Linux servers.
"Like many IoT devices, unpatched Linux servers linger on the network and are being abused at scale by attackers sending exploits to every vulnerable server they can find," Netscout researcher Matthew Bing said in a blog post.
"[We have] been monitoring exploit attempts for the Hadoop YARN vulnerability in our honeypot network and found a familiar, but surprising payload - Mirai."
These versions of Mirai behave much like the original but are tailored to run on Linux servers and not underpowered IoT devices, Bing said.
"While [we have] previously published observations of Windows Mirai, this is the first time we've seen non-IoT Mirai in the wild."
He added that Mirai botmasters that target Linux servers no longer need to tailor their malware for strange architectures, they assume their targets are using x86, and rather than rely on the bots to propagate, the attackers have shifted their tactics to issuing exploits themselves.
"A relatively small number of attackers are using custom tools to exploit the Hadoop YARN vulnerability and deliver Linux malware," he added. "Even if the victim Hadoop YARN server is not running the telnet service, the Mirai bot will attempt to brute-force factory default credentials via telnet."
Linux servers in data centres have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots. Which makes sense, as a handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.
Bing concluded that Mirai is no longer solely targeting IoT devices, and while the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it's actually much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices.
"The limited number of sources we've seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers," he explained.
"Their goal is clear - to install the malware on as many devices as possible. Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords."
He noted that the difference now is that among the small, diminutive devices in the botnet lurk fully-powered Linux servers." µ
Fetch the popcorn
Setting a new design stand-ard for AIOs
We're just as confused as you are