Mirai could live on even after IoT device reboots

New vulnerability could enable Mirai and other IoT malware to survive between device reboots

Mirai, the Internet of Things (IoT) botnet, could be more resilient than first feared, as a new vulnerability may give it the ability to survive device reboots.

The malware causes havoc by remotely controlling devices like home security system digital video recorders (DVRs), and using them as part of a botnet in large-scale network attacks.

It is perhaps best known for the role it played in the distributed denial of service (DDoS) attack on internet infrastructure firm Dyn, which caused problems accessing high-profile sites such as Amazon, Netflix and Twitter.

Malware in IoT devices generally survives until the user reboots the equipment, clearing the memory and erasing any trace of malware from the device.

However, researchers from Pen Test Partners have discovered a new vulnerability that could enable the Mirai IoT worm and other IoT malware to survive between device reboots, creating what would be a far more resilient or even permanent IoT botnet.

In a blog post, the company said it found a route to remotely fix Mirai-vulnerable devices, but that this same method could be used to make Mirai persistent beyond a power-off reboot. It claimed that other popular forms of malware, such as Hajime and BrickerBot, used a different, less effective method.

However, the company added that it will not publish any information relating to this for fear that criminals would look to use the method to create an even more disruptive, persistent Mirai botnet.

The researchers did share some details of other vulnerabilities that Mirai could exploit to become more of a threat than it was previously.

These included new DVR default credentials that could be added to Mirai's built-in worm component, a DVR brand that used daily-changing passwords that had been published online in documentation, and a directory traversal bug that allows attackers to recover password hashes from remote DVRs.

If attackers exploited any of these, it could give Mirai a new lease of life and make it a more serious threat than before.