Mirai Botnet New Variant Takes Aim at x86 Linux Servers

A new variant of the Mirai botnet now takes aim at the x86 Linux servers in enterprise networks.

It was just a couple of years ago that the chaotic Mira botnet used hacked computer routers and other IoT devices to block access to many major websites. Now comes this new variant, which calls itself “VPNFilter” and targets x86 Linux servers.

Arbor Networks, the company that has studied this Mirai botnet variant, discusses it in a detailed blog post published recently. The researchers associated with ASERT (Arbor’s Security Engineering & Response Team) have been probing this botnet variant in detail. The blog post, which is authored by Matthew Bing, explains how this new Mirai variant works; the blog post says, “Across our honeypot network, we saw this exploit being delivered by two source addresses on Nov 16 – 185.244.25.241 and 104.248.170.199. The command-and-control site for this bot is the same IP address that hosts the binary…This particular variant differs from an IoT Mirai in an important way – it only delivers the x86 version of the bot.”

The Arbor Networks team has noticed a rise in exploit attempts targeting Linux servers running Hadoop YARN, which is a resource manager that’s used in Hadoop-based big data platforms in enterprises.

The Arbor Networks blog post notes, “IoT Mirai variants will poke around a potential victim in order to deliver an executable that’s suitable for its CPU architecture – x86, x64, ARM, MIPS, ARC, etc. This version assumes the Hadoop YARN service is running on a commodity x86 Linux server.”

The researchers point out that this is the first time that a Mirai variant is targeting plain old servers and not IoT devices. Targeting Linux servers in enterprise data centers has its own advantage; these servers have much more bandwidth than the IoT devices and hence work great when it comes to using them for deploying DDoS (Distributed Denial of Service) attacks, and that too using fewer machines.

The attack method is also different. This Mirai variant doesn’t depend on compromised servers to spread to other vulnerable devices. Instead, it seems that a

small bunch of hackers manually scan the internet, looking for vulnerable instances of Hadoop YARN to be exploited for delivering Linux malware.

“While the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it’s much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices. The limited number of sources we’ve seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers. Their goal is clear – to install the malware on as many devices as possible,” says the Arbor Networks blog post.

The blog post further explains, “Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords. What’s different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers.”

It was in March this year that the proof-of-concept code for a YARN vulnerability was published. Following this, there has been an increase in YARN attacks, exploiting the command injection flaw, which allows a hacker to execute arbitrary shell commands.