The tale of the infamous Mirai IoT botnet and its prolific attacks

The evolution of the Mirai botnet was very swift and dramatic compared to any other malware in the threat landscape. Mirai is popular for taking control over many popular websites since its first discovery in mid-2016.

What differentiates Mirai from other malware is that it infects unsecure internet of things (IoT) devices. These devices can be DVR’s, IP Cameras, Wi-Fi routers and many other home automation devices connected to the Wifi network.

Mirai is also notably one of the most sustained, significant botnet malware variants to have emerged in cyberspace. It has managed to compromise a record-breaking number of devices in various attacks. The botnet also managed to stay under the radar until it became large enough to affect a massive number of devices.

Typically, Mirai searches the internet for IoT devices that are easy to compromise and uses brute force attacks with the help of default passwords. It also continues to hunt for more vulnerable devices via the Telnet network protocol, creating a huge self-replicating network.

Discovery of Mirai Botnet

Mirai was first spotted by researchers at MalwareMustDie in August 2016, who reported Mirai as a new trojan that played on the ELF file execution format found in Unix. The main functionality was reported to be sending out telnet attacks to other systems.

At the time of detection, researchers warned that the botnet had a low detection rate as the samples were hard to fetch from the infected IoT devices, routers, DVR’s, or WebIP cameras.

Major attacks

Immediately after the discovery in August, security journalist Brian Krebs, who runs the KrebsOnSecurity site, stated that his website was hit by a whopping 620GB per second speed DDoS attack. Researchers who investigated the attack also noted that it was launched by a very large number of hacked IoT devices.

It was later determined that the attack against Krebs’ site was launched using Mirai, which had capabilities that were never seen before in the wild. In the same month, the French cloud and web hosting company OVH reported a huge DDoS attack on multiple sites of its customers. Octave Klaba noted that the attacks came from 145,607 separate devices, sending more than 1.5 TB per second data.

More attacks flow in after “Mirai source code was made public”

On October 2016, a user named Anna-senpai claimed responsibility for the KerbsOnSecurity attack and publicly dumped the source code of the botnet on Hackforums.

After the release of Mirai’s source code, cybercriminals improved on it and introduced their own versions of the code by implementing new functionalities and adding new exploits. On examining the count of IoT devices affected by Mirai after October 2016, it rose from 213,000 to at least 493,000.

Later in 2016, Dyn, a core internet service provider for Twitter, Spotify, Reddit, and other popular websites was taken offline due to a powerful DDoS attack by the Mirai botnet. The attack caused the sites to slow down or stop working completely and nearly shut the entire internet in the US.

In November 2016, Mirai DDoS attacks compromised many of Liberia’s government websites for a week. Security researchers wrote that “The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”

In the aftermath of the attack, an updated type of Mirai variant emerged. It exploited security loopholes in routers by OEM manufacturers Zyxel and Speedport. The malware also compromised web access for almost a million Deutsche Telekom customers for at least two days.

Two hackers going by the pseudonym BestBuy and Popopret started advertising a 400,000-strong variant of Mirai for rent in November 2016. The two hackers were linked to the attack that caused the Deutsche Telekom outage.

After this, more attacks started surfacing as various new Mirai botnet variants began cropping up. Some of the notable attacks include the attack on the British ISP TalkTalk and the attack exploiting Dlink routers.

A recent report in June 2018, confirmed the intense activities of threat actors relating to Mirai botnet. At least four Mirai variants, tracked as Satori, JenX, OMG, and Wicked, were identified as new variants of the notorious Mirai botnet.

The arrest of Mirai's authors

As pointed by Kerbs’ research, two people called Paras Jha (21) and Josiah White (20) pleaded guilty for their role in developing and deploying Mirai. However, the arrest of the botnet’s developers has done little to stem the flow of attacks leveraging Mirai.

Mirai continues to evolve

Cybercriminals will likely continue to create their own versions of the Mirai botnet, using its leaked source code. The exploitation of IoT devices by the botnet also does not appear to be slowing down.

Organizations should apply proper patches, updates, DDoS detection and mitigation procedures to protect themselves against Mirai attacks.