IoT.Linux.MIRAI.VWIUO
ELF:Mirai-GG [Trj] (AVAST); ELF/Mirai.GG!tr (FORTINET)
Unix
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Backdoor Routine
This Backdoor connects to the following URL(s) to send and receive commands from a remote malicious user:
- snortcnc.{BLOCKED}s.org
- snortscan.{BLOCKED}s.org
Denial of Service (DoS) Attack
This Backdoor is capable of performing various network denial-of-service (DoS) attacks:
Other Details
This Backdoor does the following:
- It uses the following credentials to try to login to other devices:
- taZz@23495859
- root
- tsgoingon
- solokey
- admin
- default
- user
- guest
- telnetadmin
- 1111
- 1234
- 12345
- 123456
- 54321
- 88888888
- 20080826
- 666666
- 888888
- 1001chin
- xc3511
- vizxv
- 5up
- jvbzd
- hg2x0
- Zte521
- grouter
- telnet
- oelinux123
- tl789
- GM8182
- hunt5759
- telecomadmin
- twe8ehome
- h3c
- nmgx_wapia
- private
- abc123
- ROOT500
- ahetzip8
- anko
- ascend
- blender
- cat1029
- changeme
- iDirect
- nflection
- ipcam_rt5350
- swsbzkgn
- juantech
- pass
- password
- svgodie
- t0talc0ntr0l4!
- zhongxing
- zlxx.
- zsun1188
- xmhdipc
- klv123
- hi3518
- 7ujMko0vizxv
- 7ujMko0admin
- dreambox
- system
- iwkb
- realtek
- 00000000
- 12341234
- huigu309
- win1dows
- antslq
- It displays the following string once executed in the command line:
- unstableishere
- It may spread to other devices by taking advantage of the following vulnerabilities:
- AVTECH IP Camera / NVR / DVR Devices - Multiple Vulnerabilities
- Comtrend VR-3033 - Command Injection
- CVE-2014-8361 |Realtek SDK - Miniigd UPnP SOAP Command Execution
- CVE-2015-2051 | D-Link Devices - HNAP SOAPAction-Header Command Execution
- CVE-2017-8221 | Wireless IP Camera (P2P) WIFICAM - Remote Code Execution
- CVE-2017-17215 | Huawei Router HG532 - Arbitrary Command Execution
- CVE-2017-18368 | Zyxel P660HN-T v1 - Remote Command Execution
- CVE-2018-10561 | GPON Routers - Authentication Bypass / Command Injection
- CVE-2018-17173 | LG SuperSign EZ CMS 2.5 - Remote Code Execution
- D-Link Devices - UPnP SOAP Command Execution
- D-Link DSL-2750B - OS Command Injection
- Eir D1000 Wireless Router - WAN Side Remote Command Injection
- Linksys E-series - Remote Code Execution
- MVPower DVR TV-7104HE 1.8.4 115215B9 - Shell Command Execution
- Netlink GPON Router 1.0.11 - Remote Code Execution
- Symantec Web Gateway 5.0.2.8 - Remote Code Execution
- ThinkPHP 5.0.23/5.1.31 - Remote Code Execution
SOLUTION
Scan your computer with your Trend Micro product to delete files detected as IoT.Linux.MIRAI.VWIUO. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.