
A greatly enhanced variant of the powerful Mirai botnet is already infecting IoT devices even though it’s operating in a test environment.
Researchers discovered samples of the variant, dubbed “Katana,” that have Layer 7 distributed denial-of-service capability, separate encryption keys for each source, fast self-replication and secure connection to its command-and-control servers.
Katana is infecting hundreds of IoT devices each day, Avira researchers say. The top three devices targeted by the botnet include D-Link’s DSL-7740C router, the DOCSIS 3.1 wireless gateway and Dell’s PowerConnect 6224 switch.
Attack Methods
Researchers discovered the new Katana botnet when Avira’s honeypots captured a wave of unknown malware binaries. They found that the botnet, like Mirai, uses remote code execution and command injection to exploit security vulnerabilities in older Linksys and GPON routers, as well as to attack IoT devices, according to the report.
It includes classic Mirai functions, such as running as a single instance, using a random process name and manipulating the watchdog to prevent the device from restarting. It binds different ports, such as 53168, 57913, 59690, 62471 and 63749.
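The port list above can serve as a triage hint on a Linux-based device. The following is an added example, not code from Avira's report: it parses text in /proc/net/tcp format and flags listening sockets on those ports. The sample table is constructed, the function name is hypothetical, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Ports named in the article ("such as", so not an exhaustive list).
KATANA_PORTS = {53168, 57913, 59690, 62471, 63749}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 00000000:CFB0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1307 1 0000000000000000 100 0 0 10 0
   2: 0100007F:E239 0100007F:1F90 01 00000000:00000000 00:00000000 00000000     0        0 1422 1 0000000000000000 20 4 30 10 -1
   3: 00000000:F905 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1588 1 0000000000000000 100 0 0 10 0
"""


def find_listeners(proc_net_tcp_text, ports=KATANA_PORTS):
    """Return (address, port, inode) for each LISTEN socket bound to a listed port."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or malformed row
        local, state, inode = fields[1], fields[3], fields[9]
        addr_hex, port_hex = local.split(":")
        port = int(port_hex, 16)
        # Only listeners count: an established connection may use one of
        # these numbers as an ordinary ephemeral client port (row 2 above).
        if state == TCP_LISTEN and port in ports:
            # Assumption: little-endian host, so the IPv4 bytes are reversed.
            addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
            hits.append((addr, port, int(inode)))
    return hits


if __name__ == "__main__":
    # On a live device, pass open("/proc/net/tcp").read() instead of the sample.
    for addr, port, inode in find_listeners(SAMPLE_PROC_NET_TCP):
        print(f"listener on {addr}:{port} (socket inode {inode})")
```

A match is a reason to inspect the owning process, not proof of infection; the socket inode can be matched against the links under /proc/<pid>/fd to find that process.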
Avira’s researchers found a page on GitHub saying “Katana HTTP Botnet coming soon.”