
Mirai Botnet (Worm) – Malware

May 31, 2023

Mirai Botnet

  • Type of Malware: Worm
  • Additional Names: Okiru, Satori, Masuta, PureMasuta
  • Date of Initial Activity: 2016
  • Location - Country of Origin: United States (New Jersey)
  • Associated Groups: Paras Jha, an undergraduate at Rutgers
  • Motivation: Financial Gain
  • Attack Vectors: Software Vulnerabilities
  • Targeted Systems: Linux

Overview

Mirai is a notorious and highly disruptive strain of malware that primarily targets Internet of Things (IoT) devices. It was first discovered in 2016 and propagates mainly by exploiting poorly secured devices, such as IP cameras, routers, and home security systems, many of which are connected to the internet without proper security configurations. The malware scans the internet for vulnerable devices, infects them, and joins them into large botnets: networks of compromised machines that can be used for malicious activities, including distributed denial-of-service (DDoS) attacks.

The most significant characteristic of Mirai is its ability to harness the power of these infected devices to launch large-scale attacks that overwhelm and disrupt targeted websites or services. These DDoS attacks, which can generate massive traffic volumes, often result in websites becoming inaccessible for extended periods. Mirai has been responsible for some of the most devastating and high-profile cyberattacks in recent history, including the attack on Dyn in 2016, which disrupted major websites like Twitter, Reddit, and Netflix. This event highlighted the vulnerabilities in IoT devices and underscored the critical need for better security practices across the Internet of Things.

Targets

Information

Individuals

How they operate

The core functionality of Mirai revolves around exploiting weak credentials. It performs a brute-force attack against common IoT devices, attempting to log in using a predefined list of usernames and passwords. The list contains common default credentials, such as “admin” and “password,” which many users fail to change. Upon successfully logging into a device, the malware installs itself, turning the device into a “bot” under the attacker’s control. Once a device is compromised, it begins communicating with a command-and-control (C2) server, awaiting instructions to carry out malicious activities. The C2 infrastructure behind Mirai is typically decentralized, often spread across multiple locations to evade detection and shutdown.
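A defender-side view of the login pattern described above, as an added example that is not part of the original article: it scans authentication logs for a burst of failed logins from one source against one device and records whether a successful login followed. The log lines, thresholds and the function name `detect_bruteforce` are constructed for illustration, and the OpenSSH sshd log format is an assumption about how the devices report logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH sshd syslog format (not real traffic).
SAMPLE_LOG = """\
Jan 10 03:14:01 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 40122 ssh2
Jan 10 03:14:02 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 40124 ssh2
Jan 10 03:14:03 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.7 port 40126 ssh2
Jan 10 03:14:05 cam01 sshd[812]: Failed password for invalid user guest from 203.0.113.7 port 40128 ssh2
Jan 10 03:14:09 cam01 sshd[812]: Accepted password for admin from 203.0.113.7 port 40130 ssh2
Jan 10 09:30:00 cam01 sshd[901]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jan 10 09:30:20 cam01 sshd[901]: Accepted password for alice from 198.51.100.20 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def detect_bruteforce(log_text, window=timedelta(seconds=60), min_failures=4, year=2023):
    """Return one alert per (source, host) that reached min_failures failed
    logins inside `window`, noting the account of any later successful login."""
    failures = defaultdict(list)   # (src, host) -> [(time, user), ...]
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["host"])
        if m["result"] == "Failed":
            failures[key].append((ts, m["user"]))
            # Keep only the failures that fall inside the sliding window.
            recent = [(t, u) for t, u in failures[key] if ts - t <= window]
            failures[key] = recent
            if len(recent) >= min_failures:
                alerts[key] = {"src": key[0], "host": key[1],
                               "users_tried": sorted({u for _, u in recent}),
                               "compromised_as": None}
        elif key in alerts and alerts[key]["compromised_as"] is None:
            # A success after an alert is the high-priority case.
            alerts[key]["compromised_as"] = m["user"]
    return list(alerts.values())
```

An alert whose `compromised_as` field is set means the source guessed a working credential, so that device should be isolated and its password changed; a single mistyped password, like the `alice` line in the sample, stays below the threshold.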

Mirai’s primary purpose is to create a powerful botnet capable of launching large-scale DDoS attacks. Once a sufficient number of devices are infected, the botnet can generate massive volumes of traffic, overwhelming targeted servers or websites with requests, effectively rendering them inaccessible. This DDoS functionality is achieved through several methods, including SYN floods, UDP floods, and HTTP floods. These attack vectors exploit weaknesses in the targeted system’s ability to handle large traffic volumes, leading to service outages. The most notable example of Mirai’s effectiveness was the 2016 DDoS attack on Dyn, a major DNS provider, which caused widespread disruption to popular websites like Twitter, Reddit, and Netflix.

Technically, Mirai operates through a relatively simple but highly effective mechanism. When the malware infects a device, it uses a custom-built exploit designed to target devices running on Linux-based operating systems, often with minimal security protections. The malware then injects its payload into the infected device, which connects to the botnet and waits for commands. Mirai’s source code is highly modular, allowing it to be easily adapted and modified for different types of attacks or to target different vulnerabilities. This modularity has led to the emergence of various Mirai variants over time, with each version incorporating new attack strategies and capabilities.

One of the key features that make Mirai so effective is its ability to spread rapidly across networks of connected devices. By targeting devices that are frequently exposed to the internet, such as security cameras and routers, Mirai can quickly gain a foothold in a network. Additionally, the malware’s use of default credentials is a significant factor in its success; most users fail to change these settings, leaving their devices vulnerable to exploitation. Even more concerning is the growing number of IoT devices that remain unpatched or poorly secured, which provides fertile ground for Mirai’s spread.

Mirai has also been used as a vehicle for other types of malware, further enhancing its threat potential. Once a device is infected, it can be repurposed to deliver additional payloads, including ransomware, cryptojacking scripts, or other malicious software. By leveraging the large-scale botnet created by Mirai, attackers can increase the reach and effectiveness of their campaigns. For example, some variants of Mirai have been observed to exploit vulnerabilities in high-profile devices like Huawei routers or in enterprise-level software such as Hadoop, showcasing the malware’s ability to adapt and evolve.

Impact / Significant Attacks

A significant Mirai attack was the one on Dyn, a cloud-based internet performance management company. The attack overwhelmed sites it served, such as Amazon, Netflix, PayPal, The New York Times, and Verizon. Around 8% of the web domains relying on Dyn’s managed DNS service dropped the service in the immediate aftermath of the attack. Approximately 14,500 web domains that used Dyn’s managed Domain Name System services prior to the Mirai attack stopped using them immediately following the attack.
