SAT News: Mirai Update Targets Windows Systems


Mirai, the malware behind the largest DDoS attacks ever recorded, has been updated in order to increase distribution. Researchers have discovered an update in the form of a Windows Trojan designed to assist hackers in spreading Mirai to even more devices.

This update, named “Trojan.Mirai.1,” targets Windows computers and searches the user’s network for compromisable Linux-based connected devices. Once a device has been infected by this update, it contacts a C&C server and downloads a list of IP addresses. Upon the installation of that list, the infected machine tries to log in to those devices via a series of ports:

  • 22 - SSH
  • 23 - Telnet
  • 135 - DCE/RPC
  • 445 - Active Directory
  • 1433 - MSSQL
  • 3306 - MySQL
  • 3389 - RDP

If the infected machine spreads to a new device, it will do one of two things:

  • If the new device runs Linux, it will execute a series of commands that will ultimately lead to a new Mirai DDoS bot.
  • If the new device is running Windows, it will copy itself there and continue to target new devices.

If a database is infected by Mirai, it will create a new user with admin privileges that will more than likely be used to steal data from infected devices.
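For defenders, the spreading behaviour described above shows up in connection logs as one internal host reaching several different machines on several of the listed ports in a short time. The sketch below is an added example, not code from the original article or from Nuspire; the log format, thresholds, function names and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TARGET_PORTS = {22, 23, 135, 445, 1433, 3306, 3389}  # ports listed in the article

# Constructed sample flow records (not real data): "timestamp src dst dst_port"
SAMPLE_FLOWS = """\
2017-02-10T09:00:01 10.0.0.15 10.0.0.20 22
2017-02-10T09:00:02 10.0.0.15 10.0.0.20 23
2017-02-10T09:00:03 10.0.0.15 10.0.0.21 23
2017-02-10T09:00:04 10.0.0.15 10.0.0.22 445
2017-02-10T09:00:05 10.0.0.15 10.0.0.23 3389
2017-02-10T09:00:06 10.0.0.30 10.0.0.40 3306
2017-02-10T09:01:00 10.0.0.32 10.0.0.50 3389
2017-02-10T09:02:00 10.0.0.32 10.0.0.51 22
2017-02-10T09:00:00 10.0.0.33 10.0.0.60 22
2017-02-10T10:00:00 10.0.0.33 10.0.0.61 23
2017-02-10T11:00:00 10.0.0.33 10.0.0.62 445
truncated-record 10.0.0.99
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:
            continue

def find_fanout_sources(flows, window_minutes=5, min_hosts=3, min_ports=3):
    """Return {src: (hosts, ports)} for sources fanning out on listed ports."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in TARGET_PORTS:
            by_src[src].append((ts, dst, port))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # slide a time window over the events
            while events[end][0] - events[start][0] > timedelta(minutes=window_minutes):
                start += 1
            hosts = {d for _, d, _ in events[start:end + 1]}
            ports = {p for _, _, p in events[start:end + 1]}
            if len(hosts) >= min_hosts and len(ports) >= min_ports:
                alerts[src] = (sorted(hosts), sorted(ports))
                break
    return alerts
```

With the default five-minute window only 10.0.0.15 is flagged; the database client, the administrator touching two hosts, and the slow source spread over two hours stay below the thresholds, which shows why the window and thresholds need tuning against normal traffic.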

Mirai targets IoT devices such as DVRs, routers, WebIP cameras, and other Linux-based devices. Once the device is accessed, the attacker then downloads and installs the malware.

“A majority of these devices have open SSH or Telnet ports, which are then accessed via hard-coded passwords that the manufacturer uses across all devices,” said Shawn Pope, a Security Analyst at Nuspire.
