Mirai Updates from Partners


As you have likely already read multiple articles on Mirai, I will not state the obvious and rehash what others have said just to make a new post. However, I like giving readers multiple sources of information about what we are doing in the HDN Global network and the work we are doing globally with our partners such as Soc Prime and others too numerous to list.

Some updates that are certainly worth you reading are:

Soc Prime Update on HDN’s Mirai info and general info on botnet spreads

In addition, there is more information on the type of malware that targets Linux ELF-based IoT devices, including those running Busybox, and that leverages hardcoded credentials (#facepalm).

Malwaremustdie Report on Linux ELF Malware

Here is a list of some of those variants from the Malwaremustdie blog:

  1. Tsunami/Kaiten [1]
  2. *) DNSAmp [1]
  3. *) LightAidra (Mod Zendran) [1]
  4. Elknot [1]
  5. Darkleech [1] [2] [3]
  6. *) Mayhem [1] [2]
  7. *) pscan & sshscan [1]
  8. *) IptabLex and IptabLes [1] [2]
  9. *) AES.DDoS [1] [2]
  10. *) GayFgt/Bashdoor & Tiny backdoor1 [1] [2] [3] [4] [5]
  11. *) XOR.DDoS [1] [2] [3]
  12. *) ChinaZ [1] [2] [3] [4]
  13. *) DES.Downloader [1]
  14. *) Linux/BillGates.Lite [1] [2] [3] [4] [5]
  15. Mr. Black [1] [2] [3]
  16. *) BangSYN (unixfreaxjp/MMD) [1]
  17. *) Golang ARMbot (unixfreaxjp/MMD) [1] [2] [3]
  18. *) Yangji (unixfreaxjp/MMD) [1]
  19. *) KDefend [1]
  20. *) SSHV [1]
  21. *) DDOS.TF [1]
  22. Torte [1]
  23. *) Tiny backdoor2 [1]
  24. *) KillFile (unixfreaxjp/MMD) [1]
  25. *) Dtool (unixfreaxjp/MMD) [1]
  26. BossaBot (found by Malekal) [1] [2] [3] [4] [5] [6]
  27. *) Mubot [1] [2]
  28. Skiddies VARIOUS DDOS’ers [1]
  29. STDBot [1] [2] [3] [4]
  30. PnScan [1]
  31. *) Mirai [1]
  32. *) Luabot [1]
  33. *) NyaDrop (Tiny backdoor3) & s_malware [1]
  34. *) IRCTelnet (New Aidra) [1]
  35. *) UDPfker [1]
  36. Linux Website Ransomware – Reversing (in Japanese) [1]
  37. EnergyMech 2.8 overkill mod [1] (/2016/11/mmd-0061-2016-emech-for-ddos.html)

Lastly, if you want to know how many devices actually use Busybox, here is a great place to start: Busybox Linux Products

Everything from dd-wrt to firewalls uses Busybox, albeit hopefully they don't have port 57982 open to scanners, hardcoded logins and passwords, and port 7547 open while being DSL routers..... Yeah, there are quite a few of those out there.
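Added example, not code from the original post: a small Python log check that counts distinct source addresses hitting the ports named above (7547 and 57982) plus telnet, run over constructed iptables-style syslog lines, so a defender can spot scan-like activity against their own DSL routers or Busybox devices. The log format, sample addresses and the three-source threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the iptables LOG target (not real
# traffic, not from the original post). Addresses are documentation ranges.
SAMPLE_LOG = """\
Nov 28 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43210 DPT=7547 SYN
Nov 28 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.6 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43211 DPT=7547 SYN
Nov 28 10:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43212 DPT=7547 SYN
Nov 28 10:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43213 DPT=23 SYN
Nov 28 10:01:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43214 DPT=443 SYN
Nov 28 10:01:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=43215 DPT=57982 SYN
"""

# Ports named in the post (7547, 57982) plus telnet (23), the usual login path
# on Busybox devices with hardcoded credentials.
WATCH_PORTS = {7547, 57982, 23}

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def summarize(log_text):
    """Map each watched destination port to the sorted set of distinct sources that hit it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _dst, dport = parsed
        if dport in WATCH_PORTS:
            hits[dport].add(src)
    return {port: sorted(srcs) for port, srcs in hits.items()}


def alert(summary, min_sources=3):
    """Return watched ports hit by at least min_sources distinct sources (scan-like activity)."""
    return sorted(port for port, srcs in summary.items() if len(srcs) >= min_sources)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for port, srcs in sorted(summary.items()):
        print(f"port {port}: {len(srcs)} distinct source(s): {', '.join(srcs)}")
    print("scan-like activity on ports:", alert(summary))
```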

We are currently tracking potential victims, targets and botnet members in the millions, but have only found about 1 million that are actually likely to be victims so far. To put this into the correct perspective: about 140,000 botnet members can easily attack multiple networks with more than 1.2 Tbps, and they are just as fast to infect new clients due to the modular build of the botnets. Since many IPs are dynamic, we are seeing a lot of telcos that have their infrastructure used for these widespread attacks, and we encourage all telcos and modem vendors, as well as DVR and webcam products, to finally lock down their hardware and software.

We are currently tracking multiple at-risk assets with our solution, which we offer as a service to companies, MSSPs and critical infrastructure, as well as certain cyber crime government bodies, for the sake of defending against current and future attacks. We are also tracking multiple telcos and various at-risk telco assets to find more connections. For more details on our service, please contact us via the contact form or our email: [email protected]

Please note, we scan any and all attempts to attack this server and any other using multiple methods and reserve the right to hack back. All emails that send spam will also be scanned and reported. Yes, that means you dumbasses from Paris (108.162.229.246) and Frankfurt (162.158.90.143) using Cloudflare as well....

Your 1D10t (Confirmed / Certified Security Noob)

Copyright HDN 2016 (Soc Prime, Busybox and Malwaremustdie: their copyrights 2016)