If there’s one thing that seems to have no end in sight is malware authors putting their own spin on the old Mirai malware and creating new botnets to haunt the IoT and enterprise landscapes.
Not a month goes by without a new major botnet appearing out of nowhere and launching massive attacks against people’s smart devices — either using default credentials to take over the device or by using exploits for old security flaws that device owners did not patch.
The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, last week.
The malware itself doesn’t bring anything new to the actual Mirai source code, which is no surprise since the Mirai code has remained unchanged for years now.
Echobot follows the trend — nothing new, but merely a malware author who added modules on top of the original Mirai source code.
When it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.
What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities, said Larry Cashdollar, Akamai threat researcher. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware, he said.
And Cashdollar is right. Echobot’s exploit selection is, indeed, a smorgasbord of several vulnerabilities. It targets everything under the sun, from security cameras to DVRs, and from signage TVs to WeMo devices.
The botnet also incorporates old and new exploits alike. Age was not a factor in the selection of the exploit.
This weird way of evolving a botnet using unrelated exploits is not unique to Echobot’s only, but a process through which all IoT botnets go through.
From the outside, malware authors seem to pick their exploits at random, but there’s a process to their madness.
As some IoT botnet authors have told ZDNet in the past, they do start by choosing exploits at random, but they only keep the ones that bring in a large number of infected devices (bots) and discard the ones that are not working.
Exploits get recycled through a botnet in a matter of days, if they’re not working. So, in hindsight, Echobot’s current arsenal of exploits can be viewed as a list of today’s most bot-yielding vulnerabilities, and a list that device owners and security vendors would want to throw a look over, as it provides an insight for today’s most attacked devices.