In September 2016, the Mirai source code was leaked on Hack Forums. Ever since that fateful event, there has been an explosion of malware targeting IoT devices, each bearing the name of a protagonist with supernatural powers found in Japanese anime. FortiGuard Labs has been tracking these IoT botnets in order to provide the best possible protection for our customers.

For example, Mirai was named after Mirai Kuriyama, the protagonist of the Kyoukai no Kanata anime series. And the name of the malware known as Owari comes from the “Seraph of the End: Vampire Reign” manga. Recently, on 17th May, our network telescopes caught a new variant called Shinoa, which is the name of the female protagonist in that same “Vampire Reign” series (the name is taken from the original name of the samples in the folder).

The host itself is very new:

After using some clever VirusTotal (VT) tricks, we managed get a hold of the source code of the new Shinoa malware. This source code piqued our interest because it offers a rare glimpse into the evolution and thinking of these malware authors. So we decided to dig deeper into the source code, and in doing so we hope to answer the question, “What's the deal with the names of all those malware variants?”

Overview of Shinoa

The source code comes in a Rar5 archive, and the hash is 499b4c2bc3396a215682d42ba0f2bdf96492e7f45a15129422f9ecd6134bd3b8

Since we were already familiar with the codebase of Mirai, our gut feeling told us that it likely had something to do with Mirai. After digging deeper, we found that there had been some rearrangements of the source code: some header files had been moved into “shinoa\bot\headers”, so we undid that.

Afterward, we got a clean side-by-side “diffing” that allowed us to perform a source code analysis.

As you can see, all data points are highly similar, which confirmed our earlier intuition that this is indeed a variant of Mirai. We also managed to obtain and block the host (185.244.25.197) for our customers‘ protection.

New Attack Methods

We next turned our attention to its attack methods, as there seemed to be a lot of changes there.

As can be seen, several attack methods have been removed from the original Mirai source code (namely "DNS resolver flood”, "TCP stomp flood", and "HTTP flood") but at the same time two new attack methods have been added: "XMAS flood" and "LYNX flood.”

We next dug deeper into the implementation of the new attack methods in attack_meth.c

Interestingly, we noticed that the original attack methods in Mirai have been merged into one big file (attack_meth.c) in Shinoa, but the code itself is unchanged.

We next focused our attention on the implementation of “XMAS flood" and "LYNX flood." The attack_tcp_xmas() is a classical implementation where every single option is set so as to maximally consume computing power and saturate bandwidth.

"LYNX flood", on the other hand, is seemingly new. As the old saying goes: “the code is the design,” so we decided to dig deeper. We found that attack_tcp_lynx() is quite similar to attack_tcp_xmas(). While the code is complex, in a nutshell the two flags (ATK_OPT_RST and ATK_OPT_FIN) in the header are now set to FALSE.

From the name of the database table above (“miori”) and the fact that it bears striking resemblance to MIORI (which also introduces Xmas flooding) we can conclude that Shinoa and MIORI are related.

What's the Deal with Those Mirai Variants?

As we have reverse engineered numerous Mirai variants, one thought has often crossed our mind: “script kiddies are at it again!” And the leaked source code of Shinoa confirms just that.

Take, for example, the build script below. We can see that the main logic is basically the same as Mirai. The author of Shinoa has simply removed the code that builds debug binaries.

In many other cases, the code is largely unchanged, only reorganized a bit, like moving common headers to headers\’

The team here at FortiGuard Labs has an internal prototype called Kill All IoT  Botnets (KAIB) that tracks and downloads new Mirai Variants.

As can be seen, there have been numerous variants popping up over time.  Given the” high quality” of the source code, it is rather easy for script kiddies to create new variants, as evidenced by the growing number of derivatives ever since the release of Mirai’s code in September of 2016. Fortunately, Fortinet customers are always protected from all new variants by FortiGuard Antivirus signatures.

Final Thoughts

Since the release of Mirai’s code online, many have tried to modify it, and as a result many variants have emerged – from simple modifications (such as just adding additional credentials) to sophisticated ones, such as adding the capability to turn infected IoT devices into malware proxies and cryptominers. With this trend we expect more to come in the future.

As always, FortiGuard Labs will continue to monitor the IoT threat landscape and keep everybody updated with insightful research.

Many thanks to our colleagues David Maciejak for the additional analyses/insights

-= FortiGuard Lion Team =-

Solution

Fortinet users are protected from Mirai variants with the following solutions:

·       Files are detected by FortiGuard Antivirus

·       Malicious download URLs and C2s are blocked by our "FortiGuard Web Filtering Service’’

IOCs

Source Code: 499b4c2bc3396a215682d42ba0f2bdf96492e7f45a15129422f9ecd6134bd3b8

FortiGuard Web Filtering Service‘s Coverage of CC and hosting servers for Shinoa:

91.229.20.98 - Malicious

185.244.25.197 - Malicious