February 6, 2017
The new malicious program was dubbed Trojan.Mirai.1. When launched, the Trojan connects to its command and control server, downloads the configuration file, and extracts the list of IP addresses. Then Trojan.Mirai.1 launches a scanner that addresses the network nodes listed in the configuration file and attempts to log in using the login and password combination indicated in the same file. Trojan.Mirai.1’s scanner can check several TCP ports simultaneously.
If the Trojan successfully connects to the attacked node via any of the available protocols, it executes the indicated sequence of commands. The only exception is a connection via RDP protocol: in this case, none of the instructions are executed. Besides that, while connecting to the Linux device via Telnet protocol, it downloads a binary file on the compromised device, and this file subsequently downloads and launches Linux.Mirai.
In addition, Trojan.Mirai.1 can execute on remote machines commands that rely on inter-process communication (IPC) technology. The Trojan can launch new processes and create different files, e.g., Windows package files containing a certain set of instructions. If the attacked remote computer has Microsoft SQL Server, a management system for relational databases, working on it, Trojan.Mirai.1 creates within it the user Mssqla with the password Bus3456#qwein and sysadmin privileges. Acting under the name of this user and with the help of the SQL server event service, the Trojan executes various malicious tasks. Thus, the Trojan, for example, launches executable files with administrator privileges, deletes files, or plants icons in the system folder for automatic launch (or creates the corresponding logs in the Windows registry). After connecting to a remote MySQL server, the Trojan creates the user MySQL with the login phpminds and the password phpgod, for the purpose of achieving the same goals.
Trojan.Mirai.1 has been added to the Dr.Web virus databases, and, therefore, it poses no threat to our users.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.