If there is one thing that keeps turning up in security, it's malware writers who add their own exploits to the old Mirai malware and create a new botnet to haunt IoT and business devices.
It has not been a month since a big botnet emerged from nowhere and started massive attacks on smart devices, either by using default credentials to take control of the device or by using exploits for old security flaws that the owners of the devices did not fix.
New version of Mirai called Echobot
The latest variation in this long series of Mirai scourges is called Echobot. It appeared in mid-May; the malware was first described by Palo Alto Networks in a report released in early June, and then in a report by security researchers from Akamai last week.
The malware itself does not bring anything new to the actual Mirai source code, which is not surprising as the Mirai code has remained unchanged over the years.
The Echobot malware follows the trend, but its writer added modules on top of the original Mirai source code.
When researchers from Palo Alto Networks first described it in early June, Echobot used exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.
Targeting IoT devices and business applications
"What I found to be the most interesting and not so odd is the inclusion of cross-application vulnerabilities," said Larry Cashdollar, an Akamai threat researcher.
"For example, instead of sticking to devices with built-in operating systems such as routers, cameras and DVRs, IoT botnets now use Oracle WebLogic and VMware SD-WAN vulnerabilities to infect targets and spread malware," he continued.
This strange way of developing a botnet that uses unrelated exploits is not unique to Echobot, but a process that all IoT botnets go through.
From the outside, malware writers seem to select their exploits at random, but there is a method to their madness.
As some IoT malware writers have reported in the past, they start by choosing random exploits, but keep only those that bring in a large number of infected bots and discard those that do not work.
Exploits are cycled through a botnet within a few days if they do not work. Therefore, the current Echobot exploit arsenal can be seen as a list of the vulnerabilities that yield the most bots, and also as a list that device owners and security vendors would do well to look at, since it gives a picture of the devices that are attacked the most.