Overview
Mirai was first identified in August 2016. Its authors, Paras Jha, Josiah White and Dalton Norman, were later identified and pleaded guilty in a US federal court in 2017. The malware gained notoriety for compromising Linux-based Internet of Things devices such as home routers, IP cameras and digital video recorders by simply logging in with factory-default or otherwise weak credentials. Its authors initially ran it as a DDoS-for-hire business, but the source code was posted publicly on a hacking forum in late September 2016, after which it was picked up and modified by many other actors. That leak is why Mirai is now less a single botnet than a family: the code base has been forked repeatedly, and later variants have added new attack methods and supplemented or replaced credential guessing with exploits for known device vulnerabilities. In some reported cases variants have used vulnerabilities that were not yet patched at the time of exploitation, extending the family's reach well beyond the device classes the original targeted.
Capabilities
Mirai infects Linux-based IoT devices and is built from a few cooperating components: a bot binary cross-compiled for several embedded architectures (ARM, MIPS, x86, SPARC, PowerPC and others), a scanner compiled into the bot, a separate loader that delivers the binary to newly found devices, and a command-and-control (C2) server. Once running, the bot scans for other vulnerable devices using a built-in list of common default credentials and reports working logins to a report server. The original code does not establish persistence: the bot runs in memory, deletes its own executable from disk, and does not survive a reboot, although rebooted devices were typically reinfected within minutes because scanning pressure on exposed Telnet services was so high. Some later variants added reboot persistence through init scripts or cron jobs. The bot resolves a hard-coded C2 domain and receives attack orders over a minimal plaintext TCP protocol; the attack types in the leaked source are UDP, VSE (Valve Source Engine), DNS, SYN, ACK, STOMP, GRE IP, GRE Ethernet and HTTP floods. Its anti-analysis measures are modest: configuration strings (C2 domain, port numbers, process names, scanner credentials) are stored in an obfuscated string table and XOR-decoded only while in use, the process overwrites its own name with random characters, and C2 traffic is not encrypted. To keep the device to itself, the bot kills processes bound to the Telnet, SSH and HTTP ports and searches for and kills known competing bots. Attack methods are compiled in rather than loaded at runtime, but the source is organised so that an operator can add an attack vector or a credential list and recompile, which is how most of the family's variants have been produced.
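As an added example (not code from the leaked Mirai source or from any Mirai variant), the following Python re-implements the string-table obfuscation the leaked bot applies to its configuration strings and scanner credentials, which shows why it counts as obfuscation rather than encryption. It assumes the scheme as it appears in the leaked source: a hard-coded 32-bit key 0xDEADBEEF whose four bytes are XORed in turn into every byte of an entry. The encoded sample bytes were generated here with that function from the plaintexts shown in the comments (the placeholder C2 hostname, the default report-server port and the first scanner credential pair of the leaked configuration); they are constructed for the example, not copied from a sample.

```python
# Added example: Mirai-style string-table deobfuscation.  This is not code
# from the leaked Mirai source; it re-implements the XOR scheme that source
# applies to its configuration strings and scanner credentials.

TABLE_KEY = 0xDEADBEEF  # key hard-coded in the leaked source


def effective_key(key: int = TABLE_KEY) -> int:
    """The bot XORs every byte with k1, then k2, then k3, then k4, where
    k1..k4 are the four bytes of the key.  Four successive XORs collapse
    to a single XOR with k1^k2^k3^k4, so the 32-bit key is really one
    byte (0x22 for 0xDEADBEEF): one known plaintext byte breaks it."""
    return ((key >> 0) ^ (key >> 8) ^ (key >> 16) ^ (key >> 24)) & 0xFF


def toggle_obf(data: bytes, key: int = TABLE_KEY) -> bytes:
    """Obfuscate or deobfuscate; the operation is its own inverse, which is
    why the bot can 'unlock' an entry before use and 'lock' it again after."""
    k = effective_key(key)
    return bytes(b ^ k for b in data)


def decode_c_string(data: bytes, key: int = TABLE_KEY) -> str:
    """Recover a string entry.  Table entries carry their NUL terminator in
    obfuscated form (0x00 ^ 0x22 = 0x22), so stop at the first NUL; scanner
    credential entries are stored without one, so the split is harmless."""
    plain = toggle_obf(data, key)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def decode_port(data: bytes, key: int = TABLE_KEY) -> int:
    """Port entries are two obfuscated bytes in network (big-endian) order."""
    plain = toggle_obf(data, key)
    return int.from_bytes(plain[:2], "big")


# Constructed samples, produced here with toggle_obf() from the plaintexts in
# the comments: the placeholder C2 hostname, the default report-server port
# and the first credential pair of the leaked configuration.
SAMPLE_CNC_DOMAIN = bytes.fromhex("414c410c414a434c45474f470c414d4f22")  # "cnc.changeme.com\0"
SAMPLE_REPORT_PORT = bytes.fromhex("99c7")                                # 48101
SAMPLE_AUTH_ENTRY = (bytes.fromhex("504d4d56"), bytes.fromhex("5a4111171313"), 10)  # root / xc3511, weight 10


def decode_auth_entry(entry):
    """Scanner credentials are (user, password, weight); the weight biases
    how often the scanner tries that pair against a new host."""
    user, password, weight = entry
    return decode_c_string(user), decode_c_string(password), weight


if __name__ == "__main__":
    print("effective key: 0x%02x" % effective_key())
    print("C2 domain:", decode_c_string(SAMPLE_CNC_DOMAIN))
    print("report port:", decode_port(SAMPLE_REPORT_PORT))
    print("first credential:", decode_auth_entry(SAMPLE_AUTH_ENTRY))
```

Because the whole scheme reduces to a single-byte XOR, an analyst with a memory dump or a static binary can recover every table entry by XORing the obfuscated bytes with 0x22; variants that changed the key are no harder, since the key byte falls out of any one known string such as the trailing NUL of a table entry.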
Distribution Methods
Mirai spreads by brute-forcing Telnet. The scanner built into every bot sweeps the Internet for devices that answer on TCP port 23 (and, for one probe in ten in the leaked source, port 2323), skipping private ranges and a hard-coded list of address blocks belonging to organisations such as the US Department of Defense and the US Postal Service. Against each responding host it tries a short built-in list of roughly sixty username and password pairs, weighted towards vendor defaults such as root/xc3511 and admin/admin; the original did not brute-force SSH, although later variants added port 22 and larger credential lists. A working login is not used by the scanner itself: the bot reports the IP address, port and credentials to a report server, and a separate loader logs in, identifies the CPU architecture, and pushes the matching bot binary onto the device with wget or TFTP, falling back to echoing the bytes through the Telnet session when neither tool is present. Later variants added exploitation of specific vulnerabilities in device firmware and management interfaces, such as remote code execution flaws, so that they can compromise devices whose default credentials have been changed but whose firmware has not been patched. The whole process is automated and scales with the number of exposed devices, which is why the original botnet could grow to hundreds of thousands of bots within weeks.
Notable Campaigns
Mirai gained widespread attention in September and October 2016 through a series of very large distributed denial-of-service attacks. On 20 September 2016 the Krebs on Security website was hit with an attack that peaked at roughly 620 Gbps, then among the largest ever recorded, and within days the French hosting provider OVH reported attacks approaching 1 Tbps; the Krebs attack was later attributed to the botnet run by Mirai's original authors. On 21 October 2016 a Mirai botnet attacked the DNS provider Dyn, making Twitter, Netflix, Reddit, GitHub and many other sites unreachable for much of the day for users in North America and Europe; Dyn estimated that about 100,000 infected devices took part, and the attack has not been attributed to the original authors. In late November 2016 a variant that added an exploit for the TR-064 management interface on TCP port 7547 knocked roughly 900,000 Deutsche Telekom customer routers offline, largely by crashing them with its probes rather than by infecting them. These incidents showed that a botnet of low-powered consumer devices could take down major Internet services, and the pattern has continued with later variants, which have been used against telecommunications providers, game servers and many other targets, usually by different actors running their own forks of the code.
Detection & Mitigation
Defending against Mirai works at the device, network and operational levels. The cheapest win is to deny the initial access vector: change factory-default credentials, disable Telnet (and SSH where it is not needed) or at least keep management services off the Internet, and block inbound TCP 23 and 2323 at the perimeter. On a device that may be infected, the original bot leaves characteristic traces: a process with a random, meaningless name whose executable has been deleted from disk (visible on Linux as a "(deleted)" target in /proc/<pid>/exe), a socket bound to 127.0.0.1:48101, which the bot uses to ensure only one copy runs, and outbound Telnet scanning from a device that has no reason to open such connections. Because the original does not persist, a reboot removes it, but the device will be reinfected unless the credentials or exposure are fixed first; variants that added cron or init-script persistence do leave those artefacts, so unexpected cron entries and init scripts are worth checking. On the network, Mirai's scanner is easy to fingerprint: it sends SYN packets to ports 23 and 2323 with the TCP sequence number set to the destination IP address, at a high rate of distinct destinations per source. A burst of Telnet or SSH login attempts from one device, connections to a report server on TCP 48101, and sessions to known C2 infrastructure are further indicators (the leaked default C2 port is 23, so C2 traffic can hide among Telnet noise). Operationally, keep device firmware up to date, since later variants rely on exploits rather than passwords; put IoT devices on their own network segment with no path to critical systems and with egress filtering, so that a compromised camera cannot scan the rest of the estate; run an intrusion detection system on that segment; and consume threat intelligence feeds for new variants and their indicators of compromise.
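The scanning behaviour described under Distribution Methods and the network indicators listed above can be checked from flow or packet records. The Python below is an added example, not part of this page's source material or any vendor tool. It assumes a simple whitespace-separated record format (timestamp, source, destination, destination port, TCP flags, sequence number in hex) constructed for the example; adapt parse_line() to whatever your sensor emits. It flags three things: SYNs to 23 or 2323 whose sequence number equals the destination address, which is how the leaked scanner builds its probes; sources that touch at least SCAN_THRESHOLD distinct hosts on 22, 23 or 2323; and connections to TCP 48101, the default report-server port in the leaked source. The threshold is an arbitrary starting value, and the sample records use documentation address ranges.

```python
# Added example: detecting Mirai-style scanning from packet records.  Not from
# the page's source material; the record format and threshold are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address

SCAN_PORTS = {23, 2323}          # Telnet ports probed by the leaked scanner
SWEEP_PORTS = {22, 23, 2323}     # include SSH for the variants that added it
REPORT_PORT = 48101              # default report-server port in the leaked source
SCAN_THRESHOLD = 5               # distinct targets per source before we call it a sweep (assumed)


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    flags: str   # TCP flag letters, "S" for a bare SYN
    seq: int


def parse_line(line: str) -> Packet:
    """Assumed record format: '<ts> <src> <dst> <dport> <flags> <seq_hex>'."""
    ts, src, dst, dport, flags, seq = line.split()
    return Packet(float(ts), src, dst, int(dport), flags, int(seq, 16))


def has_mirai_seq_fingerprint(pkt: Packet) -> bool:
    """The leaked scanner copies the destination IP into the TCP sequence
    number (scanner.c: tcph->seq = iph->daddr).  Both fields are big-endian
    on the wire, so a decoded sequence number equals the address as an
    integer; a normal TCP stack picks a random initial sequence number."""
    return (pkt.flags == "S"
            and pkt.dport in SCAN_PORTS
            and pkt.seq == int(IPv4Address(pkt.dst)))


def analyse(lines):
    """Return fingerprint hits, per-source sweep sizes and report-server contacts."""
    fingerprint_hits = []
    report_contacts = []
    targets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt.flags != "S":
            continue                    # only connection attempts matter here
        if has_mirai_seq_fingerprint(pkt):
            fingerprint_hits.append((pkt.src, pkt.dst, pkt.dport))
        if pkt.dport in SWEEP_PORTS:
            targets[pkt.src].add(pkt.dst)
        if pkt.dport == REPORT_PORT:
            report_contacts.append((pkt.src, pkt.dst))
    sweeps = {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= SCAN_THRESHOLD}
    return {"fingerprint_hits": fingerprint_hits, "sweeps": sweeps, "report_contacts": report_contacts}


# Constructed sample records.  10.1.1.50 behaves like a Mirai bot: it sweeps
# 192.0.2.0/24 on Telnet with the sequence-number fingerprint and then reports
# to a host on 48101.  10.1.1.77 makes two ordinary logins, and 10.1.1.90
# opens an HTTPS connection whose sequence number happens to equal the
# destination address but is on port 443, so it must not be flagged.
SAMPLE_RECORDS = """\
1.00 10.1.1.50 192.0.2.10 23 S c000020a
1.01 10.1.1.50 192.0.2.11 23 S c000020b
1.02 10.1.1.50 192.0.2.12 2323 S c000020c
1.03 10.1.1.50 192.0.2.13 23 S c000020d
1.04 10.1.1.50 192.0.2.14 23 S c000020e
1.05 10.1.1.50 192.0.2.15 23 S c000020f
2.00 10.1.1.77 192.0.2.10 22 S 1a2b3c4d
2.50 10.1.1.77 192.0.2.20 23 S 7777aaaa
3.00 10.1.1.50 198.51.100.9 48101 S 00000001
4.00 10.1.1.90 192.0.2.80 443 S c0000250
""".splitlines()


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RECORDS).items():
        print(key, value)
```

The sequence-number check is the most specific of the three and needs only one packet, so it is worth running on a network telescope or at the perimeter even when flow records are all that is retained; the sweep count is noisier but catches variants that changed the probe construction, and a hit on 48101 from a device that just swept Telnet is close to conclusive.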