What is the Mirai botnet, and how does it spread?
With more digital devices connected to the internet every year, attacks like those perpetrated by the Mirai botnet malware continue to be a serious threat. This malicious software was used in devastating DDoS attacks starting in 2014, and although its code has now been released, copycats and mutations are still wreaking havoc. The best way to protect yourself from these attacks is to understand how they exploit system weaknesses and prevent them from happening.
What is the Mirai botnet?
The Mirai botnet is malware that enslaves networked devices running Linux. The malware turns them into bots that later perform coordinated, large-scale distributed denial of service or DDoS attacks. They flood targeted IPs with requests so that legitimate users’ requests can’t be fulfilled. This causes interruptions or complete shutdowns of service for all of the IP’s users. Mirai primarily targets Internet of Things (IoT) devices, also known as smart devices, such as doorbell cameras, printers, wireless modems, routers, and many other consumer devices.
Mirai was discovered by the white hat hacker group MalwareMustDie in August 2016 after it was used to stage several attacks. While these were initially focused on Minecraft servers, they included notable attacks against web hosts and service providers, causing widespread damage. Mirai quickly became notorious because of the surprising scale of its attacks. By recruiting and enslaving hundreds of thousands of devices into its botnets, it was used to launch attacks that flooded targets with over 1 Tbit/s of data. That was enough to disrupt some of the biggest systems in the world and cause connection issues for millions of Internet users.
How does the Mirai botnet attack work?
This malware has two significant parts to understand. It’s used to collect a network of bots from around the world, and then these bots overwhelm servers with data, rendering them inoperable.
Mirai is a self-replicating worm that infects vulnerable IoT devices that have exploitable firmware and then spreads itself to other devices. The malware uses a list of default login credentials to brute-force devices that are still using factory defaults. Mirai identifies other malware and deletes it to claim the device as its own. It also deletes logs to hide its own presence on the device. Mirai was originally designed to work only on IoT devices that were running the Linux operating system. However, variants have now crossed over to Android devices as well.
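The default-credential scanning described above leaves a recognizable trace in a device's login log: one source failing against many factory-default usernames within seconds, sometimes followed by a successful login. The following Python detector is an added example, not code from the original article or from Mirai itself; it runs over constructed telnet-style log lines, and the log format, the addresses and the short default-username list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telnet-style auth log lines (not real logs): one source hammers
# factory-default usernames and then gets in; a normal user mistypes once.
SAMPLE_LOG = """\
2016-09-20T10:00:01 login[1201]: FAILED LOGIN from 198.51.100.7 user=root
2016-09-20T10:00:01 login[1202]: FAILED LOGIN from 198.51.100.7 user=admin
2016-09-20T10:00:02 login[1203]: FAILED LOGIN from 198.51.100.7 user=support
2016-09-20T10:00:02 login[1204]: FAILED LOGIN from 198.51.100.7 user=user
2016-09-20T10:00:03 login[1205]: FAILED LOGIN from 198.51.100.7 user=guest
2016-09-20T10:00:05 login[1207]: LOGIN from 198.51.100.7 user=admin
2016-09-20T10:03:00 login[1300]: FAILED LOGIN from 203.0.113.9 user=alice
2016-09-20T10:03:20 login[1301]: LOGIN from 203.0.113.9 user=alice
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login\[\d+\]: (?P<result>FAILED LOGIN|LOGIN) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) user=(?P<user>\S+)$"
)
# Constructed, deliberately short set of factory-default usernames.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service"}

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def find_bruteforce(log, window=timedelta(seconds=30), min_users=4):
    """Return {src: info} for sources whose failed logins cover at least
    min_users distinct default usernames inside one window; info also records
    whether a successful login from that source followed the burst."""
    by_src = defaultdict(list)
    for ev in parse(log):
        by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        fails = [e for e in evs
                 if e["result"] == "FAILED LOGIN" and e["user"] in DEFAULT_USERS]
        for i, first in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                later_ok = any(e["result"] == "LOGIN" and e["ts"] >= first["ts"]
                               for e in evs)
                hits[src] = {"distinct_users": len(users), "login_succeeded": later_ok}
                break
    return hits
```

A hit with `login_succeeded` set is the case worth acting on first, since the page notes that an enslaved device goes on to scan for others.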
The original Mirai was very effective at exploiting vulnerabilities, mostly in routers and cameras. At the time of its creation, Mirai was able to enslave 67,000 devices on its first day, and this enabled the creator to launch attacks with up to 350,000 bots at a time. Since the number of IoT devices was increasing rapidly in population centers, most of these bots were located in South America and Asia.
Using a command and control (C2) server, the botnet is then used to perform distributed denial of service (DDoS) attacks. These attacks are performed by using various methods to flood a server or a network resource with data packets. Processing so much data takes up all of the target’s resources, leaving it overwhelmed and unable to respond to requests from legitimate users. In other words, no one can connect to the server to use it normally.
Attack techniques employed by Mirai
Mirai uses several different techniques to attack its targets, both in its original form and in its many variants. These include:
- UDP flood. It sends an overwhelming number of UDP packets to a targeted server.
- Open resolver query flood. It floods resolvers with DNS queries.
- Valve Source Engine query flood. It overwhelms a server with Valve Source Engine (game server) queries carried over UDP.
- SYN flood. It sends an overwhelming number of initial connection requests to a server, monopolizing its resources.
- ACK flood. It overloads a server with TCP acknowledgment packets.
- GRE flood. It randomizes information (source IP, UDP destination port, etc.) by encapsulating IP packets within GRE packets.
- HTTP flood. It’s an attack that overwhelms the target with HTTP requests.
In all of these cases, Mirai botnets hit their targets hard. Mirai's remotely controlled bots were recorded as sending over 1 Tbit/s of data to the OVH data center in 2016. There was even speculation that a botnet of over 350,000 infected devices could produce rates of up to 1.5 Tbit/s, making it an overwhelming weapon to defend against.
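On the receiving end, the SYN flood from the list above shows up as a burst of handshake openers from many sources that never complete. The Python check below is an added example, not code from the original article; it runs over constructed packet-header records and flags a destination once the per-second SYN count and the number of distinct sources both cross thresholds. The record format, the addresses and the threshold values are assumptions.

```python
from collections import defaultdict

def flood_sample():
    """Constructed packet records (second, src_ip, dst_ip, tcp_flags), where
    "S" is a bare SYN and "A" is the client's final handshake ACK."""
    pkts = [(1, f"198.51.100.{i % 200 + 1}", "192.0.2.10", "S") for i in range(300)]
    # One legitimate client finishes its handshake with the flooded host.
    pkts += [(1, "203.0.113.5", "192.0.2.10", "S"), (1, "203.0.113.5", "192.0.2.10", "A")]
    # Ordinary traffic to a second host stays well under any threshold.
    pkts += [(1, "203.0.113.6", "192.0.2.11", "S"), (1, "203.0.113.6", "192.0.2.11", "A")]
    return pkts

def syn_flood_report(pkts, syn_per_sec=100, min_sources=50):
    """Return {dst: info} for destinations that receive more than syn_per_sec
    SYNs from at least min_sources distinct sources within one second; info
    counts how many of those sources never completed the handshake."""
    syn_srcs = defaultdict(lambda: defaultdict(set))   # dst -> sec -> {src}
    syn_count = defaultdict(lambda: defaultdict(int))  # dst -> sec -> SYNs
    acked = defaultdict(set)                           # dst -> {src}
    for sec, src, dst, flags in pkts:
        if flags == "S":
            syn_srcs[dst][sec].add(src)
            syn_count[dst][sec] += 1
        elif flags == "A":
            acked[dst].add(src)
    report = {}
    for dst, per_sec in syn_count.items():
        for sec, n in per_sec.items():
            srcs = syn_srcs[dst][sec]
            if n > syn_per_sec and len(srcs) >= min_sources:
                report[dst] = {"second": sec, "syns": n, "sources": len(srcs),
                               "half_open_sources": len(srcs - acked[dst])}
    return report
```

The distinct-source condition is what separates a distributed flood like Mirai's from a single misbehaving client, and the half-open count shows how much of the traffic is never going to complete.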
What is the history of Mirai Botnet?
Mirai came into the spotlight because of the scale of its DDoS attacks in 2016. However, this malware and its predecessors were used for previous attacks in the two or three years leading up to this landmark year. To better understand how Mirai works, it’s useful to look at its history and how and why it was created. This will put the sophistication of its design into context.
Who created Mirai and why?
After major attacks in 2016 that disabled major sites like Netflix and Airbnb, people speculated online about who had created this botnet. The scale of the attacks was unprecedented, sometimes ten times larger than anything previously seen. Some people even suggested that Mirai was created by terrorists or hostile governments aiming to destabilize the US and its allies.
However, in October 2016, a user named Anna-senpai claimed responsibility for designing the malware and released its source code. In January 2017, security journalist Brian Krebs posted a blog recording the complicated history of Mirai and suggesting the true identity of its designer. He named Paras Jha, a 21-year-old computer science student from New Jersey, as Anna-senpai. Jha was investigated by the FBI and New Jersey police, though he initially denied his involvement. However, Krebs was eventually proven right. In the same year, Jha, along with Josiah White and Dalton Norman, pled guilty to infecting devices with malicious software and launching cyberattacks.
The young trio ran a DDoS mitigation service company called ProTraf Solutions, which focused on providing security for Minecraft servers. Paras Jha seems to have started the development of the Mirai botnet worm while he was a student at Rutgers University in New Jersey, and it was used in multiple attacks on that institution. However, coordinated attacks were used against Minecraft servers in a type of protection racket. ProTraf promised client servers security while simultaneously launching DDoS attacks against competing servers. The purpose of these attacks was to disable the servers and interrupt service so that users would migrate to other servers protected by ProTraf.
In 2018, Jha, White, and Norman were sentenced to probation and community service for their part in creating the Mirai malware and using it in attacks on Rutgers and various Minecraft servers. They also officially claimed to have ended their involvement with the use of Mirai after Jha released its source code in 2016. All subsequent attacks may have been executed by other threat actors.
Why was it called Mirai?
Mirai is a Japanese word meaning “future.” In a chat with Minecraft server and Mirai attack victim ProxyPipe, Jha, using the alias Anna-senpai, admitted to being an anime fan. In this chat, he said he had recently rewatched the anime film Mirai Nikki (Future Diary) and that the film was the origin of the malware’s name.
Notable Mirai incidents
- Rutgers University (2014-2016): Various attacks on Rutgers University’s web services and intranet over two years disrupted academic activity and access to grades, admissions, and course plans online for thousands of staff and students.
- OVH (September 2016): An unprecedented DDoS attack of 1 Tbit/s was perpetrated on French web host OVH, the largest data center in Europe, which was providing protection against DDoS attacks on Minecraft servers.
- Krebs on Security (September 2016): DDoS attacks that reached 620 Gbit/s were made on the website of security researcher and journalist Brian Krebs after he blogged about security threats. Krebs would later research and correctly identify Jha as the creator of Mirai.
- ProxyPipe (September 2016): Mirai performed multiple attacks on ProxyPipe, a company providing DDoS protection for Minecraft servers. ProxyPipe made complaints and eventually had the botnet shut down on its C2 server, ending the attacks.
- Source code (October 2016): Paras Jha, under the alias Anna-senpai, publicly released Mirai’s source code into the wild.
- Dyn (October 2016): Three consecutive major attacks on DNS provider Dyn caused major disruptions in Europe and the US. Anonymous and New World Hackers claimed responsibility, but a minor, described as a script kiddie, later pled guilty to using Mirai in the attack.
- Deutsche Telekom routers (November 2016): This was not an attack but an attempted recruitment. Over 900,000 routers were crashed when a Mirai variant attempted to enslave them as bots, causing widespread loss of internet connectivity.
- Lonestar Telecom (November 2016): Lonestar Telecom in Liberia was attacked over 600 times, debilitating this ISP and taking most of the country offline for long periods of time.
How it evolved through the years
Since the release of Mirai’s source code, researchers have found many mutations. These mutations follow the same general architecture as Mirai but use different means to exploit various vulnerable IoT devices. From 2016 to 2019, variations named Satori, Okiru, Masuta, PureMasuta, OMG, Wicked, Miori, Hakai, Yowai, SpeakUp, and dozens of others were discovered and implicated in attacks. All use IoT devices as bots, but the malware has since migrated from Linux alone to the Android operating system as well. Many are used in DDoS-for-hire schemes or as threats to collect ransom from targets.
Is Mirai still dangerous?
Not long after its source code was released into the wild in October 2016, Mirai ceased to be a direct threat. While this malware is no longer active, variants and mutations that build on its source code continue to pop up and be used in attacks by various threat actors around the world.
How to prevent Mirai botnet attacks
There are over 17 billion IoT devices online in the world, and that number is estimated to reach 29 billion by 2030, so there are many more vulnerable devices available to be exploited. Whether you’re defending against Mirai mutations or other botnet attacks, there are several things you can do to firm up security:
- Keep IoT devices updated with the latest security patches to address vulnerabilities that botnets might exploit.
- Keep your operating systems up to date with the latest security patches.
- Use anti-malware tools.
- Use a VPN to mask your IP so botnets can’t target it directly.