New danger: Mirai offspring WICKED botnet has potential to cause havoc

The infamous Mirai botnet has spawned many variants since its source code was made public a couple of years back. As researchers have discovered, each variant causes havoc in its own way, with capabilities that set it apart from its parent. This is the case with the WICKED botnet, which was found and studied in depth by the team at Fortiguard Labs.

In a research blog post, the Fortiguard team goes into great detail about how WICKED functions and the specific dangers it poses. The hallmark that separates WICKED from Mirai is how it gets onto a device: where the parent botnet brute-forces default credentials, WICKED port-scans for specific devices using raw-socket SYN connections and then fires a matching exploit. The exploits only work on unpatched devices. A scan on port 8080 is followed by an exploit for Netgear DGN1000 and DGN2200 v1 routers; a scan on port 81 is followed by a CCTV-DVR remote code execution exploit; and a scan on port 8443 is followed by the Netgear R7000 and R6400 command injection, CVE-2016-6277.
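The scan-then-exploit behaviour described above leaves a recognisable trace in connection logs: one external source sending SYNs to ports 81, 8080 and 8443 on many internal hosts without ever completing a handshake. The following is an added example, not code from the article or from Fortiguard Labs, of detection logic that flags such sources. It reads a simplified, constructed tab-separated connection log (column order given in the code) that borrows Zeek's conn_state vocabulary; the port list, the half-open states and the threshold of three distinct targets are assumptions chosen for the example.

```python
"""Flag sources that look like they are running WICKED-style SYN scans.

Added example, not code from the original article or from Fortiguard Labs.
It reads a simplified connection log (constructed sample embedded below)
and reports sources that sent SYNs to the ports the article names
(81, 8080, 8443) against several distinct destinations without ever
completing a connection.  Port list and thresholds are assumptions.
"""
from collections import defaultdict

# Ports the article says WICKED probes before delivering its exploits.
WICKED_PORTS = {81, 8080, 8443}

# Zeek conn_state values meaning a SYN was seen but no connection completed:
# S0 = SYN only, no reply; REJ = SYN answered with RST.  A raw-socket SYN
# scanner never finishes the handshake, so its probes land in these states.
HALF_OPEN_STATES = {"S0", "REJ"}

# Constructed sample log, tab-separated, columns:
# ts, src_ip, src_port, dst_ip, dst_port, proto, conn_state.
# Addresses are from documentation and private ranges, not real hosts.
SAMPLE_CONN_LOG = """\
1526000001.10\t203.0.113.7\t40001\t192.168.1.10\t8080\ttcp\tS0
1526000001.12\t203.0.113.7\t40002\t192.168.1.11\t8080\ttcp\tS0
1526000001.15\t203.0.113.7\t40003\t192.168.1.12\t81\ttcp\tREJ
1526000001.20\t203.0.113.7\t40004\t192.168.1.13\t8443\ttcp\tS0
1526000002.00\t198.51.100.4\t51000\t192.168.1.10\t443\ttcp\tSF
1526000002.50\t198.51.100.4\t51001\t192.168.1.10\t8080\ttcp\tSF
1526000003.00\t192.0.2.9\t60000\t192.168.1.12\t81\ttcp\tS0
"""


def parse_conn_line(line):
    """Split one tab-separated log line into a dict; None for junk or non-TCP."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7 or fields[5] != "tcp":
        return None
    try:
        return {
            "src": fields[1],
            "dst": fields[3],
            "dport": int(fields[4]),
            "state": fields[6],
        }
    except ValueError:
        return None


def find_scanners(log_text, ports=WICKED_PORTS, min_targets=3):
    """Return {src_ip: sorted [(dst_ip, dst_port), ...]} for sources that sent
    half-open SYNs to the watched ports against at least min_targets distinct
    destinations.  The threshold separates a scan from one stray connection
    attempt; completed connections (e.g. state SF) are never counted."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        if rec["dport"] in ports and rec["state"] in HALF_OPEN_STATES:
            probes[rec["src"]].add((rec["dst"], rec["dport"]))
    return {
        src: sorted(hits)
        for src, hits in probes.items()
        if len({dst for dst, _ in hits}) >= min_targets
    }


if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_CONN_LOG).items():
        print(f"{src} sent half-open SYNs to {len(hits)} WICKED target ports: {hits}")
```

On the sample, only 203.0.113.7 is reported: 198.51.100.4 completed its connections (state SF), and 192.0.2.9 touched a single host, which is below the threshold. The same logic applies to any connection log that records a per-flow state, and lowering min_targets trades fewer missed scanners for more noise from legitimate one-off connection failures.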

Following the exploits, payloads are downloaded that turn the devices into zombies. What researchers found particularly intriguing is that the payloads WICKED downloads are those of other Mirai variants, namely Sora, Owari and Omni. This has led researchers to believe that one author is behind all of the IoT botnets in question, with WICKED just being the latest one. If a single operator can draw on the code and infrastructure of several Mirai variants and pool their resources into WICKED, researchers are rightly concerned about how powerful the botnet could become.

A key detail to note is that the IoT devices mentioned are exposed mainly because they have not been patched. Failing to apply firmware updates as soon as vendors release them is asking for problems. Because WICKED relies on exploits rather than guessed passwords, changing default credentials, the usual defence against Mirai, does not stop it; only updated firmware does. Owners of the devices mentioned should check their equipment for odd behaviour (such as a flood of outbound packets that might be part of a larger IoT botnet's DDoS attack), make certain all patches are up to date, and make sure the ports WICKED probes (81, 8080 and 8443) are not reachable from the internet.
