A new variation of the Mirai botnet attacks vulnerable D-Link, TP-Link, Zyxel, Tenda, Netgear devices


The malware exploits over twenty known vulnerabilities in various network devices.

The Mirai botnet, which exploits vulnerabilities in network devices to conduct large-scale DDoS attacks, has a new variant. Experts from Palo Alto Networks discovered two campaigns aimed at infecting various devices from D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear and MediaTek.

The Mirai botnet is malicious software that turns ordinary network devices into remotely controlled “zombies”. This network, called a botnet, is often used to carry out DDoS (Distributed Denial of Service) attacks, in which the target site or server is overwhelmed with a large number of requests and becomes unavailable.

The Mirai botnet was first discovered in August 2016 by the MalwareMustDie research group and has since been used in some of the most powerful and destructive DDoS attacks, including attacks on the website of cybersecurity journalist Brian Krebs, French hosting provider OVH, and domain name registration company Dyn.

In a new report, Unit 42 experts warn that the botnet's developers continue to add code to exploit vulnerabilities in various connected products such as routers, DVRs (Digital Video Recorders), NVRs (Network Video Recorders), WiFi adapters, thermal monitors, access control systems, and solar panels.

Below is the full list of vulnerabilities and products targeted by malware in the latest version:

(Image: table of exploited vulnerabilities; not reproduced here.)

The attack begins with the botnet exploiting one of the vulnerabilities listed above to execute a shell script fetched from an external server. This script downloads the botnet client that matches the architecture of the infected device. The botnet supports 13 different architectures: armv4l, arm5l, arm6l, arm7l, mips, mipsel, sh4, x86_64, i686, i586, arc, m68k and sparc.

After the botnet client is executed, the loader script deletes the client file to erase traces of infection and reduce the chance of detection. Compared to the standard Mirai variants, this one directly accesses the encrypted strings in the “.rodata” section via an index instead of setting up a string table to get the botnet client configuration. This approach bypasses the initialization of the encrypted string table, giving the malware speed and stealth, and making it less susceptible to detection by security tools.
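A loader that unlinks the client binary right after starting it leaves one durable trace on a Linux host: a running process whose `/proc/<pid>/exe` link points at a file marked "(deleted)". The following script is an added example, not code from the article or from Unit 42's report; it flags such processes, processes executing from temporary directories, and file names carrying one of the 13 architecture labels listed above (the assumption that the loader keeps the label in the file name is mine, not the article's).

```python
import os
from typing import Iterable, List, Tuple

# Architecture labels from the article (used only to annotate findings).
MIRAI_ARCHES = {"armv4l", "arm5l", "arm6l", "arm7l", "mips", "mipsel", "sh4",
                "x86_64", "i686", "i586", "arc", "m68k", "sparc"}

DELETED_SUFFIX = " (deleted)"
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify(pid: int, exe_target: str) -> dict:
    """Describe one process from the target of its /proc/<pid>/exe symlink.
    The kernel appends ' (deleted)' when the binary was unlinked while the
    process kept running, which is exactly what a self-deleting loader leaves."""
    deleted = exe_target.endswith(DELETED_SUFFIX)
    path = exe_target[:-len(DELETED_SUFFIX)] if deleted else exe_target
    name = os.path.basename(path).lower()
    reasons = []
    if deleted:
        reasons.append("binary unlinked while running")
    if path.startswith(TMP_DIRS):
        reasons.append("executing from a temporary directory")
    # Assumption: the downloaded client keeps its architecture label in its name.
    arch = max((a for a in MIRAI_ARCHES if a in name), key=len, default=None)
    if arch:
        reasons.append(f"file name carries architecture label '{arch}'")
    return {"pid": pid, "exe": path, "deleted": deleted, "arch": arch, "reasons": reasons}


def scan(entries: Iterable[Tuple[int, str]]) -> List[dict]:
    """Keep only the processes that have at least one suspicious property."""
    return [f for f in (classify(p, t) for p, t in entries) if f["reasons"]]


def live_entries() -> List[Tuple[int, str]]:
    """Read /proc on a Linux host; entries we cannot read (privilege, exited) are skipped."""
    out = []
    for d in os.listdir("/proc"):
        if d.isdigit():
            try:
                out.append((int(d), os.readlink(f"/proc/{d}/exe")))
            except OSError:
                continue
    return out


if __name__ == "__main__":
    for finding in scan(live_entries()):
        print(finding["pid"], finding["exe"], "; ".join(finding["reasons"]))
```

Run it as root so every process's `exe` link is readable; a legitimate package upgrade also leaves processes running from deleted files, so treat a hit as a lead to check rather than proof of infection.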

Experts also note that this version of Mirai lacks the ability to guess logins and passwords for Telnet/SSH access, so its distribution depends entirely on manual exploitation of vulnerabilities.

To reduce the risk of infection, it is recommended to install the latest firmware updates available from the device manufacturer, replace factory-default passwords with unique, strong ones, and disable remote access to the admin panel from the Internet if it is not needed.

Signs of a botnet infection can include excessive device heat, setting/configuration changes, frequent shutdowns, and general slowdown in performance.


Source: www.securitylab.ru
