CIRA cybersecurity

Weekly web security warning – Mirai worm crawls to the top


As malware continues to wreak havoc across Canada, a new champion wriggled to the top of our DNS block list—the Mirai worm. Mirai claimed the top two blocked sites of the week, unseating Bitcoin miners, which had dominated the list for the past three weeks. If you are an IT administrator, this list can give you some insight into what to block, and it also shows the general trends affecting Canadian organizations.

| Domain Name | Category | Threat Type |
| --- | --- | --- |
| ns6.wowrack.com | BLOCK | Mirai |
| ns5.wowrack.com | BLOCK | Mirai |
| zws12.com | BLOCK | Malware Call Home |
| vcfs6ip5h6.bid | BLOCK | Bitcoin Miner |
| juice.losmibracala.org | BLOCK | Palevo |
| c0i8h8ac7e.bid | BLOCK | Bitcoin Miner |
| redwassheptal.com | BLOCK | Malware Call Home |
| fge9vbrzwt.bid | BLOCK | Bitcoin Miner |
| avualrhg9p.bid | BLOCK | Bitcoin Miner |
| aqqgli3vle.bid | BLOCK | Bitcoin Miner |

The Mirai worm infects IoT devices and vulnerable routers. Unfortunately, these aren’t the kind of devices that people pay daily attention to, and as a result one of the largest DDoS attacks in history was executed this way.

After a month of doing our weekly web security warning, we have our first official fan, who was interested in learning how to recognize when your system is infected. Since we’re all about giving the people what they want, here’s a quick overview of how to spot something nasty on your network.

The good news is that the Mirai worm is simple to investigate and easy to remove. The easiest solution is to sign up for a 30-day free trial of D-Zone DNS Firewall, which will instantly detect and block Mirai’s attempts to reach its command and control servers. A second option is to log into your router and look for blocked ports, which are often a sign of Mirai’s attempts to stay hidden from scanning tools. A simple reboot of your device will temporarily fix the problem and remove the infection, because Mirai runs only in memory and does not survive a restart. However, you must change your password immediately to prevent the infection servers, which continuously scan for exposed devices, from finding an opportunity to re-infect.
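The DNS-layer blocking described above works by matching every lookup a device makes against a list of known bad domains and raising an alert when one matches. The following is an added example, not CIRA's or D-Zone's code: it loads the block list from this week's table and scans a resolver query log for hits, treating a subdomain of a listed domain as a match so that a call-home to a host under one of these names is still caught. The log format (timestamp, client IP, query name, record type) and the log lines themselves are constructed for this example.

```python
"""Scan DNS query logs against a threat-domain block list.

Added example (not CIRA's code). Shows how a DNS-layer filter would flag
lookups of the Mirai, miner, Palevo and call-home domains from the weekly
table. The log format and sample lines are constructed, not real traffic.
"""
from typing import Dict, List, Optional, Tuple

# Block list taken from the weekly table: domain -> threat type.
BLOCK_LIST: Dict[str, str] = {
    "ns6.wowrack.com": "Mirai",
    "ns5.wowrack.com": "Mirai",
    "zws12.com": "Malware Call Home",
    "vcfs6ip5h6.bid": "Bitcoin Miner",
    "juice.losmibracala.org": "Palevo",
    "c0i8h8ac7e.bid": "Bitcoin Miner",
    "redwassheptal.com": "Malware Call Home",
    "fge9vbrzwt.bid": "Bitcoin Miner",
    "avualrhg9p.bid": "Bitcoin Miner",
    "aqqgli3vle.bid": "Bitcoin Miner",
}


def normalize(qname: str) -> str:
    """Lower-case the name and strip whitespace and the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def lookup(qname: str) -> Optional[Tuple[str, str]]:
    """Return (matched_domain, threat_type) if qname or a parent domain is listed.

    Walks from the full name upward (a.b.example -> b.example -> example) so a
    query for a subdomain of a listed domain is caught; a name that merely
    contains a listed string (e.g. notwowrack.com) is not matched.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCK_LIST:
            return candidate, BLOCK_LIST[candidate]
    return None


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse a constructed log line '<timestamp> <client-ip> <qname> <qtype>'.

    Returns None for malformed lines so one bad record does not stop the scan.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, client, qname, _qtype = parts
    return timestamp, client, qname


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert record per log line that names a block-listed domain."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, client, qname = parsed
        hit = lookup(qname)
        if hit is None:
            continue
        matched, threat = hit
        alerts.append({
            "time": timestamp,
            "client": client,
            "query": normalize(qname),
            "matched": matched,
            "threat": threat,
        })
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per threat type, the view an administrator wants first."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        counts[alert["threat"]] = counts.get(alert["threat"], 0) + 1
    return counts


# Constructed sample resolver log: one benign lookup, three hits (one of them
# upper-case with a root dot, one a subdomain), one near-miss, one bad line.
SAMPLE_LOG = [
    "2018-01-15T09:00:01Z 192.0.2.10 www.example.com. A",
    "2018-01-15T09:00:02Z 192.0.2.23 NS6.WOWRACK.COM. A",
    "2018-01-15T09:00:03Z 192.0.2.23 update.zws12.com A",
    "2018-01-15T09:00:04Z 192.0.2.41 c0i8h8ac7e.bid AAAA",
    "2018-01-15T09:00:05Z 192.0.2.57 notwowrack.com A",
    "malformed line",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(f"{alert['time']} {alert['client']} -> {alert['query']} "
              f"[{alert['threat']} via {alert['matched']}]")
    print(summarize(found))
```

In a real deployment the block list would be refreshed from the feed rather than hard-coded, and the client IP in each alert is what lets you find the infected device on your network; two hits from the same client for different threat types, as in the sample, is the pattern worth investigating first.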

Bitcoin miners are typically not hard to spot. In the case of drive-by mining, the code runs in your browser while you are visiting a web site; it is a method for site owners to monetize your web traffic. You will see a slow-down in performance as CPU cycles are consumed by mining. You can avoid this by not enabling JavaScript or Flash. There are also extensions and plugins that will request your permission before running scripts.

Neither of these tactics is a perfect solution, as both significantly degrade the web browsing experience. It’s up to you to decide what balance of usability vs. security you are willing to cope with. The most extreme option is to not visit sites that may be deploying these tactics, but that still won’t protect you from sites that have been compromised without their owners’ knowledge. If you discover a Bitcoin miner already on your system, treat it the same as a virus or a PUA (potentially unwanted application). A good protective perimeter defence, along with anti-virus software, can help protect your system.

Finally, Palevo is a particularly nasty piece of malware that can get onto your systems through vectors like file sharing and removable drives. Its most nefarious trick is that it can steal passwords, take over a system and turn it into a zombie that installs further malware at will. To protect your devices, make sure you have a good firewall installed, never enable any auto-run functions, and if a system is infected, remove it from the network to prevent it from spreading to other devices.

In conclusion, if you are an IT administrator you are likely already managing risk appropriate to your organization. If you are a homeowner, add a couple of layers of defence and take the time to educate/remind/badger your family about safe internet practices. I also recommend you treat your home network (computers, mobile devices, peripherals, and IoT devices) like you do your car: every time you change the oil, spend an hour running scans on your network, checking for unpatched firmware, and reviewing your security software.
