The Mirai botnet is named after the Mirai Trojan, the malware used to build it. Mirai was discovered by MalwareMustDie!, a white-hat security research group, in August 2016. After obtaining samples of the Mirai Trojan, they determined that it had evolved from an earlier Trojan known variously as Gafgyt, Lizkebab, Bashlite, Bash0day, Bashdoor, and Torlus. They reported that it was distributed as ELF (Executable and Linkable Format) binaries, the standard executable format for Linux and UNIX-like systems, including the embedded Linux firmware of many IoT devices such as routers, DVRs, and IP cameras. In the samples they studied, the research group noted that Mirai scans for devices exposing Telnet (and, in some samples, SSH) and logs in by working through a built-in dictionary of default and hardcoded credentials, a targeted brute force rather than a generic one. According to a report by the intelligence firm Flashpoint, the most common default username/password combination on these vulnerable devices is root and xc3511. (See Fig. 1 for additional username/password combinations.) Once a device is compromised, the bot payload is downloaded and executed. The bot then deletes its own executable from disk after the main process launches, so that a later inspection of the filesystem finds nothing. Mirai also obfuscates the configuration strings embedded in its binary, including the C2 hostname, with a simple XOR; this hinders casual string inspection of the sample but is not encryption of the C2 traffic itself. A detailed analysis of the Mirai Trojan can be found on the MalwareMustDie! Blog.
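The credential-dictionary behaviour above is what a defender can most easily detect: a single source trying several pairs from Mirai's list within seconds looks nothing like an administrator mistyping a password. The following is an added example, not code from the original post or from the Mirai source: it runs a sliding-window detector over Telnet honeypot log lines. The log format and the sample lines are constructed for illustration (adapt LINE_RE to whatever your honeypot or device syslog emits); the credential pairs are a subset of the list hardcoded in Mirai's published scanner source, with root/xc3511 being the pair Flashpoint singled out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the username/password pairs hardcoded in Mirai's published
# scanner source. root/xc3511 is the pair Flashpoint singled out.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("root", "klv123"), ("service", "service"), ("supervisor", "supervisor"),
    ("guest", "guest"), ("ubnt", "ubnt"), ("root", "Zte521"), ("root", "hi3518"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("root", "system"),
    ("root", "realtek"), ("admin", "1234"), ("admin", "meinsm"), ("tech", "tech"),
}

# Constructed log format for a Telnet honeypot (hypothetical). Adjust LINE_RE
# to whatever your honeypot or device syslog really emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<res>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "pw": m["pw"],
        "ok": m["res"] == "ok",
    }

def find_mirai_scanners(lines, window_s=60, min_hits=3):
    """Return {src: {...}} for sources that tried at least `min_hits` pairs from
    the Mirai list within any `window_s`-second window, or that logged in
    successfully with one of them (a single success is enough to flag)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and (ev["user"], ev["pw"]) in MIRAI_DEFAULT_CREDS:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        success = any(e["ok"] for e in evs)
        # Sliding window over list-matching attempts only; unrelated failed
        # logins from the same source do not count toward the threshold.
        best, start = 0, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits or success:
            flagged[src] = {
                "hits": len(evs),
                "burst": best,
                "success": success,
                "pairs": sorted({(e["user"], e["pw"]) for e in evs}),
            }
    return flagged

# Constructed sample log: one Mirai-style burst that ends in a successful
# login, one legitimate user, and one slow source that never bursts.
SAMPLE_LOG = """\
2016-09-20T10:00:01Z telnet src=203.0.113.5 user=root pass=xc3511 result=fail
2016-09-20T10:00:02Z telnet src=203.0.113.5 user=root pass=vizxv result=fail
2016-09-20T10:00:03Z telnet src=203.0.113.5 user=admin pass=admin result=fail
2016-09-20T10:00:04Z telnet src=203.0.113.5 user=root pass=888888 result=ok
2016-09-20T10:00:05Z telnet src=198.51.100.7 user=alice pass=CorrectHorse result=fail
2016-09-20T10:00:06Z telnet src=198.51.100.7 user=alice pass=correcthorse result=ok
2016-09-20T10:05:00Z telnet src=192.0.2.9 user=root pass=root result=fail
2016-09-20T10:30:00Z telnet src=192.0.2.9 user=admin pass=password result=fail
2016-09-20T10:55:00Z telnet src=192.0.2.9 user=root pass=12345 result=fail
""".splitlines()

if __name__ == "__main__":
    for src, info in find_mirai_scanners(SAMPLE_LOG).items():
        print(src, info)
```

With the defaults only 203.0.113.5 is flagged: four listed pairs in three seconds, ending in a successful root/888888 login. The slow source 192.0.2.9 tries three listed pairs but fifty minutes apart, so it only trips the detector if the window is widened to an hour. The one caveat worth stating: a legitimate administrator who still logs in with a factory credential will also match, and that is a finding in its own right, since it means the device would fall to Mirai as well.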
DDoS Attacks Attributed to the Mirai Botnet:
The Mirai Botnet began garnering a lot of attention on October 1, 2016, when security journalist Brian Krebs published a blog post titled Source Code for IoT Botnet “Mirai” Released. According to his post, the alleged botnet creator, “Anna-senpai,” had leaked the Mirai Botnet source code on a popular hacking forum. Just a week and a half earlier, on September 20, Krebs’ own website had been the target of the largest DDoS attack that cloud security provider Akamai had seen up to that point. At 620 Gbps, Akamai struggled to mitigate the attack and ultimately decided to stop shielding KrebsOnSecurity.com, giving Krebs approximately two hours to migrate his site off their network. To protect his hosting provider from the ongoing attack, Krebs asked that the site’s DNS records be pointed at 127.0.0.1, effectively taking it offline, until a better solution could be found. A few days later, on September 25, the site returned with the help of Project Shield, a Google initiative designed to protect journalists from online censorship. After investigation, the DDoS attack on Krebs’ website was attributed to the Mirai Botnet. More information about the attack and the recovery can be found in his blog post titled The Democratization of Censorship.
On September 20, the same day as the Krebs DDoS attack, OVH, a French web hosting provider, was targeted with network traffic that amounted to nearly 1 Tbps. Over the next 48 hours, OVH was the victim of more than 25 DDoS attacks on its servers. OVH founder Octave Klaba posted a picture to his personal Twitter account of the company’s network traffic log detailing the simultaneous attacks, each of them well over 100 Gbps. Klaba followed up with another post suggesting that the botnet, comprising nearly 150,000 cameras and DVRs, was capable of delivering a multi-vector 1.5 Tbps DDoS attack. OVH was able to absorb the attacks, and it was later determined that they were conducted using the Mirai botnet.
On October 21, 2016, Dynamic Network Services, Inc., also known as Dyn, was the target of three large-scale DDoS attacks, which disrupted many major websites and online services across the U.S. Dyn’s authoritative DNS infrastructure, responsible for resolving its customers’ domain names to IP addresses, struggled under the attacks, which reportedly reached 1 Tbps. Many large and popular companies felt the effects as users were unable to reach their websites for extended periods of time. Affected websites included Twitter, Spotify, Amazon, PayPal, GitHub, Netflix, and CNBC, among others. Dyn reported that the attacks were “well planned and executed, coming from tens of millions of IP addresses at the same time.” Flashpoint confirmed that the attacks against Dyn were the work of a Mirai botnet. However, Flashpoint also noted that these attacks came from different sources than those that attacked KrebsOnSecurity.com and OVH, suggesting that a different attacker had downloaded the leaked Mirai source code and built their own Mirai botnet to launch this particular attack. The investigation is ongoing and, as of now, no attribution has been made.
UPDATE 12/16/2016: A new variant, dubbed Botnet #14 or Annie, was discovered by researchers from Qihoo 360 Technology Co., Ltd. It was designed with a built-in, but limited, domain generation algorithm (DGA) that generates one domain per day for communication with its C2 servers. This feature makes the botnet much harder to dismantle: taking it down requires predicting and registering domain names the algorithm has not yet generated, as well as coordination between law enforcement, domain registrars, and security companies. However, Qihoo’s researchers were able to reverse Botnet #14’s DGA and determine which domains it would generate. The Swiss Governmental Computer Emergency Response Team (GovCERT) posted a list of these domains here. This led the botnet creator to remove the DGA feature, claiming to have replaced it with Tor to preserve the controller’s anonymity and make it much more difficult for law enforcement to track and shut down domains. As yet, no Mirai variant has been spotted using Tor for C2 communication in the wild.
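What makes a DGA both a hiding technique and a liability is shown by the defender's workflow once the algorithm has been reversed: with the seed and the date rule in hand, every future domain can be computed ahead of time, then either registered as a sinkhole or watched for in DNS query logs. The following is an added example, not the original post’s code and not Annie’s actual algorithm: the generator below is a hypothetical, deliberately simple one-domain-per-day DGA (fixed seed, date-derived SHA-256, twelve-letter label, three made-up TLD choices), and the DNS log format and lines are constructed for illustration. The matching logic, not the toy generator, is the part that carries over to a real case.

```python
import hashlib
import re
import string
from datetime import date, timedelta

ALPHABET = string.ascii_lowercase
TLDS = ("online", "tech", "support")  # hypothetical choices for this toy


def toy_dga(day, seed=b"toy-seed", length=12):
    """Hypothetical one-domain-per-day generator (NOT Annie's real algorithm).
    Everything that makes it predictable is visible here: a fixed seed and
    the calendar date are the only inputs."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
    return f"{label}.{TLDS[digest[length] % len(TLDS)]}"


def predict_domains(start, days, **kw):
    """Defender side: once the algorithm is recovered, precompute the next
    `days` domains (domain -> date) so they can be pre-registered, sinkholed,
    or watched for in DNS logs before the bots ever resolve them."""
    return {
        toy_dga(start + timedelta(days=i), **kw): start + timedelta(days=i)
        for i in range(days)
    }


# Constructed DNS query-log format (hypothetical).
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+)")


def match_dns_log(lines, predicted):
    """Return (src, qname, day) for every query that hits a predicted domain.
    Names are normalised (trailing dot, case) before lookup."""
    hits = []
    for line in lines:
        m = DNS_LINE_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if qname in predicted:
            hits.append((m["src"], qname, predicted[qname]))
    return hits


START = date(2016, 12, 10)

# Constructed sample log. Lines 2 and 3 query domains the toy DGA produces
# for the first two days (one with a trailing dot, one upper-cased); line 4
# queries a domain from far outside the prediction window, and line 1 is benign.
SAMPLE_DNS_LOG = [
    "2016-12-10T08:00:00Z src=10.0.0.23 qname=www.example.com qtype=A",
    "2016-12-10T08:00:01Z src=10.0.0.23 qname=" + toy_dga(START) + ". qtype=A",
    "2016-12-11T08:00:02Z src=10.0.0.41 qname="
    + toy_dga(START + timedelta(days=1)).upper() + " qtype=A",
    "2016-12-10T08:00:03Z src=10.0.0.9 qname="
    + toy_dga(START + timedelta(days=400)) + " qtype=A",
]

if __name__ == "__main__":
    blocklist = predict_domains(START, 365)
    for src, qname, day in match_dns_log(SAMPLE_DNS_LOG, blocklist):
        print(f"{src} resolved DGA domain {qname} (scheduled for {day})")
```

The fourth log line is the edge case to notice: a domain the algorithm will produce, but 400 days out, is missed by a 365-day prediction window. The list has to be regenerated as the window slides, which is also why the registrar and law-enforcement coordination mentioned above has to be ongoing rather than a one-off takedown.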
UPDATE 2/21/2017: Kaspersky Lab published a report about a January 2017 discovery of a Windows-based spreader that delivers a Mirai variant to Linux devices. Internet-facing Windows SQL servers that sit on the same networks as embedded Linux devices such as IP cameras, DVRs, and media center appliances are particularly exposed to this threat, since a compromised server gives the spreader a foothold from which to reach them. Analysis of the spreader’s code led Kaspersky’s researchers to believe it was developed by a Chinese-speaking author.
UPDATE 2/23/2017: UK police have arrested a suspect in connection with the attack that knocked customers of the German telecommunications company Deutsche Telekom offline in November 2016. The attack was attributed to Mirai Botnet #14, which targeted a flaw in the remote-management interface of the company’s standard customer router; the exploitation attempts crashed the routers rather than enrolling them in the botnet.
UPDATE 3/30/2017: A new Mirai botnet variant was observed targeting a US college beginning on February 28, 2017, in an attack lasting 54 hours. The traffic generated by this variant averaged over 30,000 RPS and peaked at approximately 37,000 RPS, the highest request rate seen from any Mirai botnet to date. The attack generated more than 2.8 billion requests. Devices used in the attack included CCTV cameras, DVRs, and routers, and cybersecurity firm Imperva found that 56 percent of the 9,793 IPs used in the attack belonged to DVRs from a single manufacturer. Seventy percent of the traffic originated from ten countries, with the US accounting for almost 20 percent of the botnet IP addresses used.
UPDATE 4/11/2017: Between March 20 and March 27, one variant of the Mirai malware was observed delivering a Bitcoin-mining module to infected 64-bit BusyBox-based IoT devices. Researchers believe distribution of this variant ceased because the infected devices lack the processing power to mine Bitcoin profitably. IBM researchers claim to have traced this version back to a web console used by a Chinese-speaking actor.
UPDATE 7/22/2017: A 29-year-old hacker pleaded guilty to hijacking over 900,000 routers on the Deutsche Telekom network using Mirai malware.
UPDATE 12/01/2017: New Mirai attack attempts were detected in South America and North African countries.
UPDATE 12/13/2017: New Jersey native Paras Jha pleads guilty to co-authoring the Mirai botnet.
UPDATE 1/16/2018: A new variant of Mirai, dubbed Okiru, was discovered targeting devices containing ARC processors.
UPDATE 2/23/2018: A new variant of Mirai, dubbed OMG, has emerged with added configuration to turn vulnerable IoT devices into proxy servers. The Mirai code was extended with firewall rules that allow traffic through the HTTP and SOCKS ports the bot generates; once those ports are open, OMG sets up 3proxy, open-source proxy software available from a Russian website.
UPDATE 5/17/2018: A new variant of Mirai, dubbed Wicked, has emerged with at least three additional exploits, including ones affecting Netgear routers and CCTV-DVRs. Wicked scans ports 8080, 8443, 80, and 81 and attempts to locate vulnerable, unpatched IoT devices listening on them. Researchers at Fortinet suspect the same author created the Wicked, Sora, Owari, and Omni botnets.
UPDATE 12/20/2018: Mirai variant, dubbed Miori, is being spread through a remote code execution vulnerability in the ThinkPHP framework, affecting versions 5.0.23 to 5.1.31.
UPDATE 5/23/2019: New Mirai variant uses 13 different exploits together in a single campaign targeting routers and other devices.
UPDATE 6/6/2019: A new Mirai variant adds eight new exploits against a wide range of embedded devices. These newly targeted devices range from wireless presentation systems to set-top-boxes, SD-WANs, and IoT devices such as smart home controllers.
UPDATE 7/11/2019: Miori, a Mirai variant first observed in December 2018, spread through a Remote Code Execution (RCE) vulnerability in ThinkPHP, enslaving Linux machines to participate in distributed denial of service (DDoS) attacks. Miori has resurfaced using a text-based protocol to communicate with its command-and-control (C&C) server rather than the customary binary protocol. This variant displays a message addressed directly to researchers, pictured below, when they attempt to connect to the C&C server. Miori targets IoT devices that expose SSH or Telnet services. Trend Micro provides technical details and IOCs here. VirusBulletin provides details on the older variant of Miori here.
UPDATE 07/24/2019: An application-layer (layer-7) distributed denial of service (DDoS) attack was detected that lasted 13 days and peaked at 292,000 RPS (requests per second). The attack was aimed at an undisclosed Imperva customer, an online entertainment-service provider that uses Imperva’s content delivery network (CDN), with the intent of taking down the company’s service. It was driven by an Internet of Things (IoT) botnet, assessed to be Mirai by Imperva researchers, that coordinated 402,000 different IPs, largely home routers. The entertainment company suffered no downtime, as the attack was mitigated by Imperva’s application security suite. This was one of the most significant layer-7 RPS attacks observed by researchers to date. Imperva provides further reporting here.
UPDATE 08/01/2019: Researchers at Trend Micro recently observed a new Mirai sample hiding its C&C server behind Tor to remain anonymous and evade law enforcement’s efforts to shut it down. Though this tactic is not new, it is not commonly used among IoT malware families, leading researchers to believe it could set a precedent for future attacks.