Even in Test Mode, New Mirai Variant Infecting IoT Devices

Researchers: 'Katana' Features Many Enhancements
As with the original Mirai malware, routers, gateways and switches are among the new Katana variant's preferred targets, according to Avira Protection Labs.

A greatly enhanced variant of the powerful Mirai botnet is already infecting IoT devices even though it’s operating in a test environment, according to researchers at cybersecurity firm Avira Protection Labs.

Researchers discovered samples of the variant, dubbed "Katana," that have Layer 7 distributed denial-of-service capability, separate encryption keys for each source, fast self-replication and secure connection to its command-and-control servers, Tettnang, Germany-based Avira reports.

"Katana contains several features of Mirai," says Alexander Vukcevic, director of Avira Protection Labs. "These include running a single instance, a random process name, editing the watchdog to prevent the device from restarting and [distributed denial-of-service] commands."

Katana is infecting hundreds of IoT devices each day, Avira researchers say. The top three devices targeted by the botnet include D-Link's DSL-7740C router, the DOCSIS 3.1 wireless gateway and Dell's PowerConnect 6224 switch.

Avira was also able to determine which command-and-control servers help operate Katana, noting that 100cnc[.]r4000[.]net and 1280x1024cnc[.] are most often contacted by its operators, although these servers are not related to the original Mirai botnet.

The Mirai botnet gained notoriety in 2016 when the malware was used to disrupt domain name server provider Dyn and attack closed-circuit TV cameras primarily in Vietnam, Brazil, the United States, China and Mexico (see: Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).

Since that time, the Mirai source code has leaked online, giving other threat actors the ability to tweak the code for their own purposes (see: New Mirai Variant Exploits NAS Device Vulnerability).

Katana's Methods

Avira researchers discovered the new Katana botnet when the company's honeypots captured a wave of unknown malware binaries. They found the botnet, like Mirai, uses remote code execution and command injection to exploit security vulnerabilities in older Linksys and GPON routers as well as attack IoT devices, according to the report.

"It includes classic Mirai functions, such as running a single instance, random process name and manipulating the watchdog to prevent the device from restarting. Similar to Mirai, it offers various [distributed denial-of-service] commands such as 'attack_app_http' or 'attack_get_opt_int,'" the researchers note.

Avira's analysis found that when the botnet runs as a single instance, it binds different ports, such as 53168, 57913, 59690, 62471 and 63749.
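The port binding described above gives defenders something concrete to check on a Linux-based device. As an added example (not from Avira's report or this article), the Python function below parses `/proc/net/tcp`-format text and flags sockets in LISTEN state on the listed ports; the sample table is constructed, and little-endian address encoding is assumed.

```python
import socket

# Ports Avira reported the single-instance check binding (from the article).
KATANA_PORTS = {53168, 57913, 59690, 62471, 63749}
TCP_LISTEN = "0A"  # kernel state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0100007F:CFB0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4410 1 0000000000000000 100 0 0 10 0
   2: 0F00000A:E239 0501A8C0:01BB 01 00000000:00000000 00:00000000 00000000     0        0 4522 1 0000000000000000 20 4 30 10 -1
   3: 00000000:F905 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4601 1 0000000000000000 100 0 0 10 0
"""


def find_suspect_listeners(proc_net_tcp_text, ports=KATANA_PORTS):
    """Return (ip, port, inode) for each LISTEN socket bound to a listed port.

    Only LISTEN rows count: 53168, 57913 and 59690 fall inside the default
    Linux ephemeral range (32768-60999), so an ordinary outbound connection
    can use one of them as its local port without anything being bound.
    IPv6 sockets live in /proc/net/tcp6 and are not covered here.
    """
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or blank row
        local, state, inode = fields[1], fields[3], fields[9]
        if state != TCP_LISTEN:
            continue
        addr_hex, port_hex = local.split(":")
        port = int(port_hex, 16)
        if port in ports:
            # Assumption: little-endian host, so the address bytes are reversed.
            ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
            hits.append((ip, port, int(inode)))
    return hits


if __name__ == "__main__":
    for ip, port, inode in find_suspect_listeners(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {ip}:{port} inode={inode}")
```

On a live device, pass the contents of `/proc/net/tcp` instead of the sample. A hit is a lead rather than proof, since any service can listen on these ports; the inode identifies the owning process through the `socket:[inode]` links under `/proc/<pid>/fd`.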

Avira's researchers found a page on GitHub saying "Katana HTTP Botnet coming soon."

More to Come

"The problem with new Mirai variants like Katana is that they are offered on the DarkNet or via regular sites like YouTube, allowing inexperienced cybercriminals to create their own botnets," the Avira researchers say.

Allison Nixon, chief research officer at the cyber risk assessment firm Unit 221B, told Information Security Media Group earlier this year that the next mass attack leveraging IoT botnets could be even worse than Mirai (see video: IoT Botnets: Why the Next Mirai Could Be Worse).

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.
