'Muck spreading' Mirai malware identified as the work of a skilled attacker based in China or Taiwan

Windows malware designed to propagate Mirai is the work of a "skilled" attacker, warns Kaspersky

The impact of the Mirai malware, which infects poorly secured Linux-based connected devices, is likely to get worse, security software specialist Kaspersky has warned.

It comes as the company analyses new Windows-based malware found in the wild, which is designed to use infected Windows PCs to hunt down potentially vulnerable devices in order to propagate Mirai.

The author of this new strain of Windows malware, Kaspersky suggests, is "more advanced" than the coders behind Mirai itself, indicating that whoever is behind it has plans to use the botnet created by Mirai for other things.

"The Windows-based spreader is richer and more robust than the original Mirai codebase, but most of the components, techniques, and functionality of the new spreader are several years old," suggested Kaspersky.

It added: "Its capacity for spreading the Mirai malware is limited: it can only deliver the Mirai bots from an infected Windows host to a vulnerable Linux IoT device if it is able to successfully brute-force a remote telnet connection."

However, it is "clearly the work of a more experienced developer, although probably one who is new to the Mirai game.

"Artefacts such as language clues in the software, the fact that the code was compiled on a Chinese system, with host servers maintained in Taiwan, and the abuse of stolen code-signing certificates from Chinese companies, suggest that the developer is likely to be Chinese-speaking."

With more experienced hackers turning their hands to Mirai and to malware for propagating it, Kaspersky suggests that we could soon see much bigger attacks, not just the distributed denial-of-service (DDoS) attacks carried out via Mirai last year.

At the moment, the Windows Mirai 'muck spreader' has only seen limited distribution, with around 500 unique systems attacked in 2017 by the malware.

But based on the geolocation of IP addresses targeted in the second stage of the attack, according to Kaspersky, the countries most vulnerable are emerging markets that have invested heavily in connected technology.

These include India, Vietnam, Saudi Arabia, China, Iran, Brazil, Morocco, Turkey, Malawi, United Arab Emirates, Pakistan, Tunisia, Russia, Moldova, Venezuela, the Philippines, Colombia, Romania, Peru, Egypt and Bangladesh.

"The release of the source code for the Zeus banking Trojan in 2011 brought years of problems for the online community - and the release of the Mirai IoT bot source code in 2016 will do the same for the Internet," said Kaspersky principal security researcher Kurt Baumgartner.

He continued: "More experienced attackers, bringing increasingly sophisticated skills and techniques, are starting to leverage freely available Mirai code.

"A Windows botnet spreading IoT Mirai bots turns a corner and enables the spread of Mirai to newly available devices and networks that were previously unavailable to Mirai operators. This is only the beginning."

Security blogger Brian Krebs, in a long posting on his own website, suggested that a US student was responsible for the original Mirai malware. After the code was published, the network of compromised devices was used in a number of DDoS attacks, and one Chinese manufacturer admitted responsibility for using insecure software in its digital video recorders produced for CCTV systems.