The malicious program first appeared in May 2016, detected by Doctor Web after being added to its virus database under the name Linux.DDoS.87 and Linux.DDoS.89. The Trojan can work with with the SPARC, ARM, MIPS, SH-4, M68K architectures and Intel x86 computers. It has similar features as Linux.BackDoor.Fgt, a backdoor that was found infecting Linux operating system back in 2014. Linux.DDoS.87 targets Linux operating systems by killing old and existing trojans. In order to avoid removing itself, the trojan creates a file named .shinigami in its folder and checks for its presence.
The trojan connects back to a command-and-control (C&C) server to get more instructions and also sends the MAC addresses and the architecture of the infected system. If it is commanded to run a DDoS, it can launch attacks like UDP flood; UDP flood over GRE; DNS flood; TCP flood (several types); HTTP flood. Linux.Mirai can turn off Linux Watchdog timer (WDT), a hardware circuit that can reset the computer system in case of a software fault.
Linux.Mirai has recently been used to carry out Internet-Of-Things (IoT) botnet DDoS attacks, which include some of the largest DDoS attacks in history.
Dr Web’s Investigations
Source Code Leak
According to the user:
When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb[sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.