Security researchers have unearthed code in a Mirai botnet enabling it to mine for bitcoins using IoT devices.
Researchers at IBM's X-Force found late last month the functionality in a variant of the ELF Linux/Mirai malware. The bitcoin attack began on 20 March, peaking on 25 March, but three days later the activity subsided.
What the researchers found in a sample of the code was the same Mirai functionality ported over from the Windows version but with a focus on attacking Linux machines running BusyBox. This software provides several stripped-down Unix tools in a single executable file, designed for digital video recorder (DVR) servers.
The researchers said that BusyBox uses Telnet, which is targeted with a dictionary-attack brute-force tool contained in the Mirai malware. "The DVR servers are targeted because many of them use default Telnet credentials," said the researchers in a blog post.
While bots can perform flooding attacks using various protocols, the new variant has another add-on: a bitcoin miner slave. However, the researchers wondered how effective a bitcoin miner would be, given that many IoT devices lack the computation power needed to mine cryptocurrency.
"Given Mirai's power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium," said the researchers.
While researchers haven't figured out this capability, they suggested another possibility. "It's possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode," said Dave McMillen, senior threat researcher at IBM.
But he questioned how such a strategy would make any money.
"Almost four years ago, Krebs on Security discussed bitcoin mining bots; in that case, the compromised hosts were PCs. Mining bitcoins, however, is a CPU-intensive activity," he said.
"How many compromised devices would it take to make the mining of bitcoin a viable revenue source for attackers? Wouldn't attackers have better luck compromising a bitcoin exchange company, as has been the case numerous times in the past? It's possible they're looking to find a way to make bitcoin mining via compromised IoT devices a lucrative venture."
Marco Hogewoning, the RIPE NCC's external relations officer, told SC Media UK that for a larger enterprise that manages its own network, Deep Packet Inspection (DPI) could show bitcoin transactions in the destination or content of packets (though encryption might prevent this). "Looking for unusual traffic patterns would be the best way to get a sense of whether something like this was happening," he said.
Andrew Tierney, security consultant at Pen Test Partners, told SC that unless the miner binary was extremely naive and used all CPU resource all of the time, it would likely go undetected. "IoT equipment doesn't have the monitoring in place to allow things like this to be detected. There is no anti-virus, anti-malware, or firewall alerting, making it pretty much a sitting duck," he said.
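Because the devices themselves cannot raise an alert, the two comments above point at the network as the place to look: compare each IoT device's outbound traffic against what it is expected to do and flag departures from that baseline. The script below is an added illustration of that idea and is not code from the article, from IBM X-Force, RIPE NCC or Pen Test Partners. Everything in it is constructed: the device names, the baseline destination list, the flow records and the thresholds are assumptions chosen for the example, and the heuristic (long-lived sessions and large outbound volume to destinations outside the baseline) is a generic anomaly check rather than a signature for any particular miner.

```python
"""Flag IoT devices whose outbound traffic departs from an expected baseline.

Added example; all data below is constructed. A real deployment would build
the baseline from the site's own flow history (NetFlow/IPFIX or firewall logs).
"""
from collections import defaultdict

# Assumed baseline: the (host, port) destinations each DVR is expected to reach
# (e.g. the vendor's update server and an NTP server). Constructed values.
BASELINE = {
    "dvr-01": {("192.0.2.10", 443), ("192.0.2.20", 123)},
    "dvr-02": {("192.0.2.10", 443), ("192.0.2.20", 123)},
}

# Constructed flow records:
# (device, dst_host, dst_port, duration_s, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    ("dvr-01", "192.0.2.10", 443, 12, 4_000, 30_000),
    ("dvr-01", "192.0.2.20", 123, 1, 90, 90),
    ("dvr-02", "192.0.2.10", 443, 15, 5_000, 25_000),
    # A day-long session with steady two-way traffic to a host the DVR has
    # no business talking to (constructed, not a known indicator).
    ("dvr-02", "198.51.100.7", 3333, 86_000, 2_400_000, 2_100_000),
    ("dvr-02", "198.51.100.7", 3333, 3_600, 100_000, 90_000),
]

# Thresholds are assumptions for the example; tune them to the environment.
LONG_SESSION_S = 4 * 3600        # sessions longer than this are unusual for a DVR
MIN_UNKNOWN_BYTES = 1_000_000    # outbound bytes to non-baseline hosts worth a look


def analyse_flows(flows, baseline, long_session_s=LONG_SESSION_S,
                  min_unknown_bytes=MIN_UNKNOWN_BYTES):
    """Return {device: [reason, ...]} for devices with anomalous outbound traffic.

    A flow to a destination in the device's baseline is ignored. For the rest,
    two checks apply: any single session longer than long_session_s, and the
    total bytes sent to non-baseline destinations exceeding min_unknown_bytes.
    """
    findings = defaultdict(list)
    unknown_bytes = defaultdict(int)

    for device, host, port, duration, bytes_out, _bytes_in in flows:
        if (host, port) in baseline.get(device, set()):
            continue  # expected traffic for this device
        unknown_bytes[device] += bytes_out
        if duration >= long_session_s:
            findings[device].append(
                f"{duration}s session to unexpected destination {host}:{port}")

    for device, total in unknown_bytes.items():
        if total >= min_unknown_bytes:
            findings[device].append(
                f"{total} bytes sent to destinations outside the baseline")

    return dict(findings)


if __name__ == "__main__":
    for device, reasons in analyse_flows(SAMPLE_FLOWS, BASELINE).items():
        print(device)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data only dvr-02 is reported, once for the long session and once for the outbound volume. The check deliberately says nothing about what the traffic contains, which is the point of Hogewoning's caveat about encryption: a baseline comparison works on flow metadata alone, so it still applies where DPI cannot see inside the packets.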
He said that organisations could mitigate such an incident happening to IoT devices in their networks by following five rules.
"Don't expose IoT devices to the Internet, segment IoT from the rest of the network, change default passwords, update firmware, and get IoT equipment penetration tested to minimise exposure.
"The onus is still very much on the end user to take the steps necessary to secure these devices and prevent such incidents," he said.