Cybercrooks are using the infamous Mirai IoT botnet as a framework to quickly add in new exploits and functionalities, it has emerged.

The tactic is dramatically decreasing the development time for new botnets, according to research from Netscout's Arbor Security Engineering and Response Team (ASERT). The work looks at four Mirai variants – Satori, JenX, OMG and Wicked – to illustrate how their authors have built upon Mirai and added their own flair:

Satori leveraged remote code injection exploits to enhance the Mirai code

JenX removed several features from the core code and instead relies on external tools for scanning and exploitation

OMG adds a novel feature in the form of an HTTP and SOCKS proxy. These enable the infected IoT device to act as a pivot to connected private networks

Wicked can target Netgear routers and CCTV-DVR devices that happen to be vulnerable to remote code execution flaws. Within the exploit, Wicked includes instructions to download and execute a copy of the Owari bot. The scanning and exploitation of devices can often be automated, resulting in any susceptible devices becoming part of the zombie network

Botnet authors are already using the Mirai source code as their building blocks. "As the explosion of IoT devices does not look to be slowing down, it is likely we'll continue to see increases in IoT botnets," ASERT warns. "We are likely to see remnants of Mirai live on in these new botnets as well."

Miscreants will continue to leverage IoT-based malware, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in internet-facing devices.

ASERT concludes that the malicious behaviour underlines the need for organisations to apply proper patching, updates, and DDoS mitigation strategies to defend their networks and systems.

Compromised IoT devices were co-opted into the Mirai botnet and infamously used in a DDoS attack that left many of the world's most famous sites unreachable back in October 2016. The Mirai source code has leaked and is easily available so the type of attack is still a problem despite the arrest and admission of guilt by a key suspect in the malware's creation.

Security researcher Troy Mursch told El Reg that Mirai-related activity has been quiet of late.

"There has been a recent surge in devices in Mexico due to a GPON router exploit," he said. "Otherwise not much activity relative to the past."

Mursch published a year-to-date summary of Mirai-related botnet activity by country earlier this week. ®