Malware behind biggest DDoS ever just got more dangerous

Mirai now has a Windows spin

The march of the infamous Mirai botnet continues, with Kaspersky having found the first Windows-based spreader for the malware.

You probably remember Mirai from last year – it was the source of a huge number of infections which powered some massive DDoS attacks. Well, now the code (which was made openly available online in 2016) has been crafted to make a Windows botnet, likely by a Chinese speaking malware author according to the security firm (going by language clues in the coding, and similar signposts).

Kaspersky notes that the components and techniques used in the new spreader may be a few years old, but on an overall level it’s “richer and more robust” than the original Mirai code, and its developer appears to have more sophisticated skills than those behind last year’s DDoS campaigns.

That said, the security company notes that the ability to spread Mirai is limited here, because the malware has to brute-force a remote telnet connection in order to propagate bots from a Windows machine to vulnerable Linux IoT gadgets.

Even so, Kaspersky has witnessed attacks on around 500 systems thus far this year (which it blocked), and says emerging markets which are heavily invested in the IoT are certainly at risk (China and India, plus many other nations to boot).

  • Nothing screams 'air-tight security' like a brand-new Chromebook

Experienced attackers

Kurt Baumgartner, Principal Security Researcher at Kaspersky, commented: “The appearance of a Mirai crossover between the Linux platform and the Windows platform is a real concern, as is the arrival on the scene of more experienced developers.

“More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code. A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning.”

Kaspersky says it’s busy working with hosting providers and network operators in the process of taking out a ‘significant’ number of Mirai’s command and control servers.