Mirai IoT botnet could be used to mine bitcoins
New variant of ELF Linux/Mirai malware has a built-in bitcoin mining component
The Mirai botnet, developed to compromise insecure Internet of Things (IoT) devices and perform distributed denial-of-service (DDoS) attacks against predetermined targets, could be re-purposed to mine bitcoins instead.
IBM X-Force said it had recently uncovered a new variant of the ELF Linux/Mirai malware that has a built-in bitcoin mining component.
According to IBM security threat researcher Dave McMillen, criminals have an incentive to keep bitcoins in their pocket to facilitate their activities, as bitcoin is the currency of choice for purchasing illegal commodities such as malware.
However, he is sceptical about using IoT devices to mine for bitcoins.
"Mining bitcoins is a CPU-intensive activity. How many compromised devices would it take to make the mining of bitcoin a viable revenue source for attackers? Wouldn't attackers have better luck compromising a bitcoin exchange company, as has been the case numerous times in the past?" he questioned.
He added that it was possible that the attackers were looking to find a way to make bitcoin mining via compromised IoT devices a lucrative venture.
The new Mirai add-on
The new Mirai variant is similar to another recently found version that leverages a Windows Trojan, but it instead focuses on attacking Linux machines running BusyBox software. According to McMillen, the software provides several stripped-down Unix tools in a single executable file and is used on digital video recording (DVR) servers. BusyBox uses the Telnet protocol, which is a 'gateway' into IoT devices for attackers.
The add-on to this variant is dubbed a 'bitcoin miner slave'. As many IoT devices are low-powered, McMillen and his team questioned the effectiveness of this add-on as it would lack the power to create many, if any, bitcoins.
However, he suggested that Mirai's power to infect thousands of machines at a time could mean the bitcoin miners might work in tandem as one large miner consortium.
"We haven't yet determined that capability, but we found it to be an interesting yet concerning possibility. It's possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode," he said.
The Mirai botnet has been blamed for several high-profile cyber assaults, including a DDoS attack against internet infrastructure firm Dyn, which caused problems accessing sites including Amazon, Twitter and Netflix.