Mirai Malware for Windows

Mirai, the infamous malware that has compromised millions of Internet of Things (IoT) devices and, as a result, triggered a major Distributed Denial of Service (DDoS) attack against the popular DNS hosting provider Dyn, causing a massive outage last October that brought the services of several well-known websites to a halt, is now being seen hitting devices that run on the Windows platform. Mirai is the only malware that has hit the internet so hard that almost every country experienced an outage.

Originally this malware could only infect devices running Linux. Mirai can infect connected devices such as DVRs, CCTV cameras, routers and any other Linux-based device reachable from the internet. It accesses the devices using default usernames and passwords. The malware then turns the affected devices into bots that carry out whatever commands their controller issues via a command-and-control (C&C) server, such as facilitating DDoS attacks or pulling logs from specified devices.

Security researchers at Dr. Web, a Russian antivirus company, have recently discovered a Windows Trojan that spreads the Mirai malware through infected devices in order to launch attacks on a much larger scale.

Dubbed Trojan.Mirai.1, the Trojan connects to its command and control (C&C) server, from which it downloads a configuration file, and then authenticates to the target device using the username and password listed in that same config file.

On successful authentication with the target system, the malware executes a sequence of commands indicated in the configuration file. In the case of a Linux device accessed via the Telnet protocol, it downloads a binary file onto the compromised system, which in turn downloads and launches the Mirai malware.

Researchers also stated that Trojan.Mirai.1 can execute commands on remote computers that rely on inter-process communication (IPC) technology. The Trojan can also compromise Microsoft SQL Server, a database server, if it is found on the attacked computer, by creating the user Mssqla with the password Bus3456#qwein and giving itself sysadmin privileges. With system-level privileges the Trojan can carry out several malicious tasks, such as executing files with administrative privileges, deleting files and so on.
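As an added defensive check (not part of the article or Dr. Web's report), the following T-SQL lists every login holding the sysadmin role that is not on an allow-list and flags the Mssqla login name the article reports, then shows whether xp_cmdshell is enabled, since a sysadmin login that can run files is the impact the article describes; the allow-list contents are an assumption to adjust for your own estate.

```sql
-- Hunt for unexpected sysadmin logins on a SQL Server instance.
-- sys.server_principals / sys.server_role_members / sys.configurations
-- are standard catalog views; the @expected allow-list is an assumption.
DECLARE @expected TABLE (name sysname);
INSERT INTO @expected (name)
VALUES (N'sa'), (N'NT SERVICE\MSSQLSERVER');   -- replace with your known admins

SELECT  sp.name,
        sp.type_desc,
        sp.create_date,
        sp.modify_date,
        CASE WHEN sp.name = N'Mssqla'
             THEN N'login name reported for Trojan.Mirai.1'
             ELSE N'sysadmin member not on allow-list'
        END AS finding
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN    sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
  AND   sp.name NOT IN (SELECT name FROM @expected)
ORDER BY sp.create_date DESC;

-- A sysadmin login can launch OS commands if xp_cmdshell is enabled;
-- the article does not name the mechanism, so this is a general check.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = N'xp_cmdshell';
```

Any row returned by the first query with a recent create_date deserves the same triage as a newly created local administrator account; a value_in_use of 1 in the second query means OS command execution is available to every sysadmin login.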