27 February 2018

OMG botnet turns infected devices into proxy servers

Fortinet researchers have discovered a new modification of the Mirai malware, which is capable of setting up proxy servers on vulnerable IoT devices. The new variant was dubbed OMG because of the strings in its code containing the “OOMGA” substring. It supports most of the functionality implemented in the original Mirai malware, but it also has some features of its own.

Unlike Mirai, the configuration of OMG includes two strings that add firewall rules allowing traffic on two random ports. At the same time, the new variant has kept the original Mirai modules designed to scan the internet for IoT devices available over telnet that are vulnerable to brute force attacks and to conduct DDoS attacks.

However, what sets OMG apart is its proxy function. OMG uses 3proxy open-source software as its proxy server. During installation, the malware generates two random HTTP and SOCKS ports, reports them to the command-and-control (C&C) server and adds a firewall rule to allow traffic on these ports. After enabling the firewall rules the malware installs 3proxy with a predefined configuration embedded in its code.

According to the researchers, cybercriminals use proxy servers to provide anonymity when hacking into devices and performing other malicious operations. In addition, proxy servers can be used to make money by selling access to them to other cybercriminals.

Source: Fortinet