If you’ve been keeping up with tech news you will have heard of the Mirai botnet. Last year, attackers used it to take down a huge chunk of the internet, including Netflix, Amazon, and Twitter. It’s currently the most widespread Linux trojan.
We covered Microsoft’s response to the attack last year. Security expert Paul Nicholas called for a shift in organizations’ view of cybersecurity. However, reports from antivirus firm Dr. Web reveal that Windows devices now play a significant role.
First, it’s important to understand how Mirai functioned. The botnet infected a host of IoT devices with malware. Devices include printers, cameras, baby monitors and more. Attackers used the botnet to perform a Distributed Denial of Service (DDoS) attack of 1.2 terabits per second. This flooded networks with thousands of false requests, causing them to crumble under the pressure.
Role of Windows
Since then, the botnet has only grown. A big factor in that is the use of Windows computers. Rather than assist in DDoS attacks, they are being utilized to discover more targets.
Mirai logs into surrounding IoT devices by trying default username and password combinations. Windows machines appear to be able to do this much more quickly. The malware can scan several network ports at once, sending out files to vulnerable devices.
In the process, Mirai’s new form can delete and modify files, modify the registry, and edit SQL databases.
“If the attacked remote computer has Microsoft SQL Server, a management system for relational databases, working on it, Trojan.Mirai.1 creates within it the user Mssqla with the password Bus3456#qwein and sysadmin privileges,” said Dr. Web researchers.
“Acting under the name of this user and with the help of the SQL server event service, the Trojan executes various malicious tasks… Trojan.Mirai.1 has been added to the Dr.Web virus databases, and, therefore, it poses no threat to our users.”
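A defender's check for the SQL Server account described in the quote above, as an added example that is not from Dr. Web or the original article: this T-SQL audits membership of the sysadmin server role and flags the login name the report gives, Mssqla. It relies on the standard catalog views sys.server_principals and sys.server_role_members; the 30-day "recently created" window and the finding labels are assumptions chosen for illustration.

```sql
-- Added example: audit sysadmin membership on a SQL Server instance.
-- 'Mssqla' is the login name quoted from the Dr. Web report above.
-- The 30-day window is an assumption; adjust it to your change-control cycle.
-- Run as a principal that can see all logins (e.g. sysadmin or ALTER ANY LOGIN),
-- otherwise the catalog views hide other principals.
DECLARE @reported_login sysname = N'Mssqla';
DECLARE @recent_days    int     = 30;

-- 1) Every member of the sysadmin role, with the reported login sorted first.
SELECT
    m.name        AS login_name,
    m.type_desc   AS login_type,
    m.is_disabled,
    m.create_date,
    m.modify_date,
    CASE
        WHEN m.name = @reported_login COLLATE Latin1_General_CI_AS
            THEN 'MATCHES LOGIN NAME FROM REPORT'
        WHEN m.type = 'S'   -- 'S' = SQL-authenticated login
             AND m.create_date >= DATEADD(DAY, -@recent_days, GETDATE())
            THEN 'RECENT SQL-AUTH SYSADMIN: REVIEW'
        ELSE 'compare against approved admin list'
    END           AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY
    CASE WHEN m.name = @reported_login COLLATE Latin1_General_CI_AS THEN 0 ELSE 1 END,
    m.create_date DESC;

-- 2) The reported login may exist without (or after losing) sysadmin rights,
--    so also look for it by name alone, case-insensitively.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE name = @reported_login COLLATE Latin1_General_CI_AS;
```

An empty second result set only shows that no login with that exact name exists now; any unexpected SQL-authenticated sysadmin in the first result set still needs to be reconciled against the approved administrator list.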