Mirai (Japanese for "the future") is malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.[1] The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on the web site of computer security journalist Brian Krebs,[2] an attack on French web host OVH[3] and the October 2016 Dyn cyberattack.[4][5][6]

The source code for Mirai has been published on hacker forums as open source.[7] Since its publication, its techniques have been adapted in other malware projects.[8]

Malware

Devices infected by Mirai continuously scan the internet for the IP addresses of other Internet of things (IoT) devices, probing for exposed Telnet services. Mirai includes a table of IP address ranges that it will not scan or infect, including private networks and address space allocated to the United States Postal Service and the Department of Defense.[9]

Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory-default usernames and passwords, logs into them and installs itself.[3][10][11] Infected devices continue to function normally, apart from occasional sluggishness[10] and increased bandwidth use. Mirai is not written to persistent storage, so a device remains infected only until it is rebooted, which may involve simply turning the device off and, after a short wait, turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes.[10] Upon infection Mirai identifies "competing" malware, removes it from memory and blocks remote administration ports.[12]
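The infection path above (a Telnet login sweep through a factory-default credential table, followed by a successful login) leaves a recognisable trace in a device's or honeypot's login log. The following detector is an added example, not code from the Mirai source or from any vendor: the telnetd log format, the field names, the thresholds and the log lines are all constructed for this illustration, and the credential set is a small handful of pairs of the kind found in Mirai's published table, not the full list.

```python
"""Flag Mirai-style Telnet default-credential sweeps in device login logs.

Added example, not Mirai's own code or any vendor's: the log format, field
names, thresholds and sample lines below are assumptions made for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# A handful of username/password pairs of the kind in Mirai's published
# factory-default table (the real table has more than 60 entries).
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("support", "support"), ("root", "123456"), ("admin", "password"),
}

# Assumed telnetd log format (constructed for this example):
#   <ts> telnetd[pid]: login user=<u> pass=<p> from=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login user=(?P<user>\S*) pass=(?P<pw>\S*) "
    r"from=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    creds: set = field(default_factory=set)
    default_hits: int = 0
    successes: list = field(default_factory=list)


def parse_line(line: str) -> dict | None:
    """Return the fields of one telnetd record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, min_attempts: int = 5, min_default_ratio: float = 0.6) -> dict:
    """Per source IP: flag sweeps where most attempts use known default creds.

    A source is reported when it made at least `min_attempts` logins and at
    least `min_default_ratio` of them used a pair from DEFAULT_CREDS.
    `compromised` is True when one of its attempts succeeded.
    """
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line
        s = stats[rec["src"]]
        s.attempts += 1
        cred = (rec["user"], rec["pw"])
        s.creds.add(cred)
        if cred in DEFAULT_CREDS:
            s.default_hits += 1
        if rec["result"] == "ok":
            s.successes.append(cred)

    findings = {}
    for src, s in stats.items():
        if s.attempts < min_attempts:
            continue
        ratio = s.default_hits / s.attempts
        if ratio >= min_default_ratio:
            findings[src] = {
                "attempts": s.attempts,
                "distinct_creds": len(s.creds),
                "default_ratio": round(ratio, 2),
                "compromised": bool(s.successes),
                "cred_used": s.successes[0] if s.successes else None,
            }
    return findings


# Constructed sample log: one Mirai-style sweep that ends in a successful
# login, one legitimate admin who mistypes once, one non-default brute force.
SAMPLE_LOG = """\
2016-09-20T10:00:01Z telnetd[412]: login user=root pass=vizxv from=203.0.113.9 result=fail
2016-09-20T10:00:02Z telnetd[412]: login user=admin pass=admin from=203.0.113.9 result=fail
2016-09-20T10:00:02Z telnetd[412]: login user=root pass=888888 from=203.0.113.9 result=fail
2016-09-20T10:00:03Z telnetd[412]: login user=support pass=support from=203.0.113.9 result=fail
2016-09-20T10:00:03Z telnetd[412]: login user=root pass=default from=203.0.113.9 result=fail
2016-09-20T10:00:04Z telnetd[412]: login user=root pass=xc3511 from=203.0.113.9 result=ok
2016-09-20T10:05:00Z telnetd[412]: login user=admin pass=Wr0ngOne from=192.0.2.10 result=fail
2016-09-20T10:05:09Z telnetd[412]: login user=admin pass=Correct-Horse-9 from=192.0.2.10 result=ok
2016-09-20T11:00:00Z telnetd[412]: login user=alice pass=try1 from=198.51.100.4 result=fail
2016-09-20T11:00:01Z telnetd[412]: login user=alice pass=try2 from=198.51.100.4 result=fail
2016-09-20T11:00:02Z telnetd[412]: login user=alice pass=try3 from=198.51.100.4 result=fail
2016-09-20T11:00:03Z telnetd[412]: login user=alice pass=try4 from=198.51.100.4 result=fail
2016-09-20T11:00:04Z telnetd[412]: login user=alice pass=try5 from=198.51.100.4 result=fail
this line is not a telnetd record and is skipped
""".splitlines()


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        print(src, f)
```

Only the sweeping source is reported; the non-default brute force from 198.51.100.4 meets the attempt threshold but not the default-credential ratio, and the legitimate admin never reaches the threshold. Because the malware lives only in memory, a `compromised` finding should be followed by changing the credentials and closing Telnet before the reboot, otherwise the reinfection described above follows within minutes.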

Hundreds of thousands of IoT devices are deployed with default settings, making them vulnerable to infection. Once infected, a device polls a command and control server, which tells it the target of an attack.[10] The large number of IoT devices is used to bypass anti-DoS defences that monitor the IP addresses of incoming requests and filter or block a source that shows an abnormal traffic pattern, for example too many requests from a single IP address. Other reasons include marshalling more bandwidth than the perpetrator could assemble alone, and avoiding being traced.
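The evasion described above can be made concrete by running the same request volume through a per-source rate limiter once from a single host and once spread over many bots. This is an added example, not code from Mirai or from any anti-DDoS product: the sliding-window limiter, its limits, and the two traffic traces are constructed for illustration.

```python
"""Per-source rate limiting versus a distributed flood of the same size.

Added example, not Mirai's code or any anti-DDoS product's. The limiters,
their thresholds and the synthetic traffic traces are assumptions.
"""
from collections import defaultdict, deque


class PerSourceLimiter:
    """At most `limit` requests per source IP in any `window`-second span."""

    def __init__(self, limit: int = 20, window: float = 1.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # src -> timestamps inside the window

    def allow(self, src: str, t: float) -> bool:
        q = self._hits[src]
        while q and t - q[0] >= self.window:
            q.popleft()  # expire timestamps that left the window
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True


class AggregateLimiter:
    """Same window, but counts every request regardless of its source."""

    def __init__(self, limit: int = 500, window: float = 1.0):
        self.limit = limit
        self.window = window
        self._hits = deque()

    def allow(self, src: str, t: float) -> bool:
        while self._hits and t - self._hits[0] >= self.window:
            self._hits.popleft()
        if len(self._hits) >= self.limit:
            return False
        self._hits.append(t)
        return True


def single_source_flood(n: int, duration: float) -> list:
    """n requests spread evenly over `duration` seconds from one host (constructed)."""
    return [(i * duration / n, "203.0.113.9") for i in range(n)]


def distributed_flood(n: int, duration: float, bots: int) -> list:
    """Same n requests over the same time, rotated across `bots` source IPs."""
    return [(i * duration / n, f"198.51.100.{i % bots}") for i in range(n)]


def accepted_count(limiter, trace) -> int:
    """Number of requests in `trace` that the limiter lets through."""
    return sum(1 for t, src in trace if limiter.allow(src, t))


def compare(n: int = 2000, duration: float = 1.0, bots: int = 200) -> dict:
    """Run both floods through a per-source and an aggregate limiter."""
    single = single_source_flood(n, duration)
    spread = distributed_flood(n, duration, bots)
    return {
        "per_source": {
            "single_host": accepted_count(PerSourceLimiter(), single),
            "distributed": accepted_count(PerSourceLimiter(), spread),
        },
        "aggregate": {
            "single_host": accepted_count(AggregateLimiter(), single),
            "distributed": accepted_count(AggregateLimiter(), spread),
        },
    }


if __name__ == "__main__":
    print(compare())
```

With 2,000 requests in one second, the per-source limiter admits only 20 from the single host but every one of the 2,000 from 200 bots sending 10 each, because no bot individually looks abnormal. The aggregate limiter caps both floods at 500, which is why volumetric defences have to look at total load and traffic shape rather than at any one client.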

Use in DDoS attacks

Mirai was used, alongside BASHLITE,[13] in the DDoS attack on 20 September 2016 on the Krebs on Security site, which reached 620 Gbps.[14] Ars Technica also reported a 1 Tbps attack on French web host OVH.[3]

On 21 October 2016 multiple major DDoS attacks against the DNS infrastructure of DNS provider Dyn were carried out using Mirai malware installed on a large number of IoT devices, making several high-profile websites such as GitHub, Twitter, Reddit, Netflix and Airbnb inaccessible.[15] The attribution of the Dyn attack to the Mirai botnet was originally reported by Level 3 Communications.[13][16]

Staff at Deep Learning Security observed the steady growth of Mirai botnets before and after the 21 October attack.[17]

Mirai was also used in an attack on Liberia's Internet infrastructure in November 2016.[18][19][20] According to computer security expert Kevin Beaumont, the attack appears to have originated from the same actor that attacked Dyn.[18]

Other notable incidents

At the end of November 2016 about 900,000 routers supplied by Deutsche Telekom and produced by Arcadyan crashed as a result of failed TR-064 exploitation attempts by a variant of Mirai, causing Internet connectivity problems for the users of these devices.[21] TalkTalk, whose routers were also affected, later patched them, but a new variant of Mirai was subsequently discovered on TalkTalk routers.[22]