February 6, 2017
Linux.Mirai is currently the most widespread Trojan for Linux. The first version of this malware was added to the Dr.Web virus databases under the name Linux.DDoS.87 back in May 2016. Since then, it has become very popular among virus makers as its source codes have been made public. Moreover, in February 2017 Doctor Web security researchers examined the Trojan for Windows that contributed to the distribution of Linux.Mirai.
The new malicious program was dubbed Trojan.Mirai.1. When launched, the Trojan connects to its command and control server, downloads the configuration file, and extracts the list of IP addresses. Then Trojan.Mirai.1 launches a scanner that addresses the network nodes listed in the configuration file and attempts to log in using the login and password combination indicated in the same file. Trojan.Mirai.1’s scanner can check several TCP ports simultaneously.
If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands. The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.
In addition, Trojan.Mirai.1 can execute on remote machines commands that rely on inter-process communication (IPC) technology. The Trojan can launch new processes and create different files, e.g., Windows package files containing a certain set of instructions. If the attacked remote computer has Microsoft SQL Server, a management system for relational databases, working on it, Trojan.Mirai.1 creates within it the user Mssqla with the password Bus3456#qwein and sysadmin privileges. Acting under the name of this user and with the help of the SQL server event service, the Trojan executes various malicious tasks. Thus, the Trojan, for example, launches executable files with administrator privileges, deletes files, or plants icons in the system folder for automatic launch (or creates the corresponding logs in the Windows registry). After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals.
Trojan.Mirai.1 has been added to the Dr.Web virus databases, and, therefore, it poses no threat to our users.