Newly Discovered Vulnerability in IoT Devices Could Make Mirai Infections Permanent

Many of you will surely remember the havoc the Mirai botnet caused around the world at the end of last year. News about botnets, and about Mirai in particular, had been somewhat quieter since then, but now they are suddenly back in the headlines.

As reported by Bleeping Computer, Mirai returns to the front page because of a newly discovered vulnerability affecting IoT devices, which can make infections by this botnet permanent rather than disappearing when the user restarts the device.

Malware that attacks IoT devices usually goes away with a reboot, because this procedure clears the device's RAM and leaves it totally clean. Since most IoT malware currently resides only in RAM, it is “easy” to get rid of. However, this news changes everything.

The security researchers at Pen Test Partners who discovered the vulnerability were apparently studying the security features of 30 brands of DVR (digital video recorder) devices. It is precisely this vulnerability that would allow Mirai to survive between restarts.

The security researchers have declined to publish any details about this vulnerability. They believe there is reason to think that malicious actors could take advantage of their findings to engage in criminal activity.

Mirai’s reach could increase due to this vulnerability

The research by Pen Test Partners has revealed other details that would allow Mirai to remain relevant and become even more dangerous than it was before:

  • New DVR credentials can be added to the Mirai code, which could be used in brute-force attacks.
  • Mirai could use an alternate Telnet port that certain DVRs use instead of port 23 (the standard).
  • A remote shell can be run on some DVR brands by authenticating on port 9527 with the credentials “admin / [blank password]” and “admin / 123456”.
  • The botnet could take advantage of one particular brand's daily-changing passwords, since that brand publishes them online in its documentation.
  • It could also exploit a buffer overflow bug that is present in a million DVRs that connect to the Internet. The researchers say that this bug can be exploited directly through port 80, where the DVR’s built-in web server listens. This web server allows remote control of these devices.
  • A directory traversal bug allows attackers to recover password hashes from remote DVRs.

All these flaws could bring Mirai back to life if attackers took advantage of them. According to the media, this family of malware has been losing ground to other threats such as Persirai, BrickerBot or Hajime.
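For defenders, the ports named in the list above (23, 9527 and 80) are a concrete exposure check. The following is an added example, not code from Pen Test Partners or Bleeping Computer: it reads firewall log lines and reports which DVRs received connections from outside the internal network on those ports. The DVR subnet, the internal ranges and the log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the article: standard Telnet, the DVR remote shell, the built-in web server.
WATCHED_PORTS = {23: "telnet", 9527: "dvr-remote-shell", 80: "dvr-web-server"}
# Assumptions (hypothetical values): where the DVRs live and what counts as internal.
DVR_SUBNET = ipaddress.ip_network("192.168.50.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in Linux netfilter LOG style (not real traffic).
SAMPLE_LOG = """\
Jun 20 10:01:02 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.50.10 LEN=60 PROTO=TCP SPT=40112 DPT=9527 SYN
Jun 20 10:01:09 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.23 DST=192.168.50.10 LEN=60 PROTO=TCP SPT=51820 DPT=23 SYN
Jun 20 10:02:30 gw kernel: IN=eth2 OUT=eth1 SRC=192.168.1.5 DST=192.168.50.10 LEN=60 PROTO=TCP SPT=33444 DPT=80 SYN
Jun 20 10:03:11 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.50.11 LEN=60 PROTO=TCP SPT=40200 DPT=80 SYN
Jun 20 10:04:45 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.50.10 LEN=60 PROTO=TCP SPT=41001 DPT=9527 SYN
Jun 20 10:05:00 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.50.10 LEN=60 PROTO=TCP SPT=40300 DPT=443 SYN
Jun 20 10:05:20 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.50.10 LEN=40 PROTO=UDP SPT=5353 DPT=23
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def exposed_dvr_services(log_text):
    """Map (dvr_ip, port) to the sorted external sources seen reaching it over TCP."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP line, or fields missing
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field
        port = int(m["dpt"])
        if dst in DVR_SUBNET and port in WATCHED_PORTS and not is_internal(src):
            hits[(str(dst), port)].add(str(src))
    return {key: sorted(srcs) for key, srcs in hits.items()}

if __name__ == "__main__":
    for (dvr, port), sources in sorted(exposed_dvr_services(SAMPLE_LOG).items()):
        print(f"{dvr}:{port} ({WATCHED_PORTS[port]}) reached from {', '.join(sources)}")
```

Any DVR that appears in the output is reachable from outside on a service the article lists, and is a candidate for removing the port forward or placing the device behind a VPN.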