Trojan.Mirai.1 leverages Windows to force IoT devices into Mirai botnet bondage

Olivia Morelli - -

Mirai is the most infamous Linux virus, which was first spotted in 2016[1]. It is a major threat to Internet of Things[2] (IoT) technology because it can compromise devices, turn them into bots that are later used to perform DDoS attacks, and deletes itself from the infected device immediately. The Mirai botnet was utilized to take down giant Internet sites such as Amazon, Spotify, Soundcloud, Twitter and even more sites[3]. It is believed that there are around 380,000-500,000 compromised devices on a global scale. Mirai definitely earns the title of the largest IoT-based malware, and the number of infected devices is likely to grow, because experts from Russian security company Dr Web have discovered[4] a Windows Mirai Trojan (Trojan.Mirai.1), which aims to infect computers running Windows operating systems, scan users’ networks and find vulnerable Linux-based IoT devices.

Mirai Trojan contributes to Mirai malware distribution

According to Trojan.Mirai.1 discoverers, once launched, the Trojan reaches for its command and control server to download a configuration file, then extracts a list of IP addresses. The virus then scans network nodes included in the configuration file and then tries to log into them using logins and passwords included in the same file. Mirai Trojan is capable of checking multiple TCP ports at the same time. If it manages to connect to a node, it executes certain commands (except connections via RDP protocols). During the connection to a vulnerable Linux device via Telnet protocol, malware drops a binary file on it, which downloads and executes the Linux.Mirai malware.

On top of that, Trojan.Mirai might run tasks that are based on inter-process communication[5]. Just like typical Trojans, this one can silently initiate activities without drawing user’s attention. It is capable of launching executable files and creating new files; it can also use an existing Microsoft SQL server to create Mssqla user with a password Bus3456#qwein and assign administrator’s privileges to it. With the help of the newly created user, the trojan easily initiates various malicious activities. Users should keep in mind that rebooting the infected device might not necessarily clean the malware from it; it can be reinfected within minutes. Therefore, experts advice to change device’s default password, too.


Like us on Facebook
Spreading the knowledge: It is very hard to fight against computer parasites on the Internet alone. If you have a website, we would be more than happy if you would like to cooperate and help us spread the information about latest threats. Remember, knowledge is the most powerful weapon. Help your visitors protect their computers!