Practical Defense Guide: Mirai Botnet Malware
Attack Vectors to Block
Mirai primarily propagates through automated exploitation of network services rather than user interaction. Block these vectors at multiple layers:
Internet-Facing Service Exploitation
- Mirai continuously scans for TCP ports 23 (Telnet), 2323 (alternative Telnet), and 7547 (TR-069 CWMP) on random IP addresses.
- Upon finding an open port, it attempts brute-force login using a hardcoded list of over 60 common username/password combinations (like root:admin, admin:password).
- Blocking Strategy: Deploy network firewalls to deny inbound connections to these ports from untrusted networks. For necessary services, implement strict access control lists (ACLs) limiting source IP ranges and enable multi-factor authentication where possible.
Compromised Device Propagation
- Infected devices scan and attack additional devices, creating exponential growth.
- Blocking Strategy: Implement egress filtering on network firewalls to prevent internal devices from making outbound connections to Telnet and other uncommon service ports. Use intrusion prevention systems (IPS) with rules detecting the specific scanning patterns and brute-force attempts characteristic of Mirai.
Secondary Payload Delivery
- After initial compromise, Mirai downloads architecture-specific binaries from attacker-controlled servers via HTTP.
- Blocking Strategy: Deploy web proxy filtering to block connections to known malicious domains and IPs. Use DNS filtering services to prevent resolution of known C2 domains.
IoT Device Default Credential Exploitation
- Mirai exploits devices still using factory-default credentials.
- Blocking Strategy: Implement network segmentation to isolate IoT devices from critical infrastructure. Enforce credential changes during device deployment through automated provisioning systems.
Email Security Configuration
While Mirai doesn’t typically spread via email, attackers may use phishing to gain initial access to networks containing vulnerable devices:
Attachment Filtering Policies
- Block executable attachments (.exe, .scr, .bat, .cmd) and compressed archives containing executables.
- Implement deep content inspection for archive files to detect nested malicious executables.
- Quarantine PowerShell script files (.ps1) and Windows Script Files (.wsf) for administrative review.
URL Defense Configuration
- Enable time-of-click URL analysis for all embedded links.
- Implement domain reputation filtering with strict policies for newly registered domains (less than 30 days old).
- Block URLs containing IP addresses instead of domain names, which Mirai C2 servers frequently use.
Sender Authentication Enforcement
- Configure strict DMARC, DKIM, and SPF policies to reject unauthorized emails.
- Implement impersonation protection rules flagging emails that appear to come from internal technical support or IoT device vendors.
Content Filtering Rules
- Create custom dictionaries to flag emails containing terms like “device firmware update,” “security patch for router,” or “configuration change required.”
- Block emails with subject lines containing excessive exclamation points or urgency indicators commonly used in social engineering.
Endpoint Protection Tuning
Behavioral Detection Rules
Configure your endpoint detection and response (EDR) solution with these custom rules:
- Alert on processes making outbound connections on ports 23, 2323, or 7547
- Flag processes that spawn multiple instances attempting network connections to different IP addresses
- Detect processes that download and execute binaries from IP addresses rather than domain names
- Alert on processes that attempt to disable security services or modify firewall rules
Application Control Policies
- Implement whitelisting for authorized applications on servers and workstations
- Block execution from temporary directories (%LOCALAPPDATA%\Temp on Windows, /tmp and /var/tmp on Linux)
- Restrict execution of binaries with no digital signature or from untrusted publishers
- Prevent execution of binaries with names mimicking system processes (like “lsass.exe” with one character different)
Script Execution Restrictions
- Configure constrained language mode for PowerShell to prevent malicious script execution
- Block execution of scripts downloaded from the internet via Mark-of-the-Web enforcement
- Implement application control policies to allow only signed scripts in production environments
- Disable Windows Script Host on non-development systems
Memory Protection Settings
- Enable exploit protection with strict control flow guard (CFG) and data execution prevention (DEP)
- Configure arbitrary code guard (ACG) to prevent malicious code injection
- Implement certificate pinning to prevent SSL interception attacks that could deliver Mirai payloads
Network-Level Defenses
DNS Filtering Configuration
- Deploy DNS filtering to block resolution of known malicious domains from our Current IOCs list
- Implement DNS sinkholing for domains associated with Mirai activity
- Configure DNS logging to detect devices attempting to resolve suspicious domains (random subdomains, newly registered domains)
- Use DNS security extensions (DNSSEC) to prevent poisoning attacks
Proxy Server Rules
- Block HTTP/HTTPS connections to IP addresses instead of domain names
- Implement strict filtering for connections to non-standard ports (anything other than 80, 443, and approved business ports)
- Configure SSL inspection for outbound traffic to detect encrypted C2 communications
- Block user-agent strings associated with Mirai variants (often empty or generic strings like “Mozilla”)
Firewall Policy Configuration
Ingress Rules:
- Deny all inbound connections to ports 23, 2323, and 7547 from external networks
- Implement geo-blocking for regions with no business presence
- Rate-limit connection attempts to prevent brute-force attacks
Egress Rules:
- Restrict outbound connections to only required ports and protocols
- Block outbound connections from internal devices to Telnet ports (23, 2323)
- Implement egress filtering to prevent internal devices from scanning external networks
- Create alerts for internal devices making connections to known malicious IPs from our IOCs list
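The ingress, egress and proxy rules above can be expressed as a single policy-evaluation function and unit-tested before they are pushed to a firewall or proxy. The following is an added example written for this guide, not configuration from any product; the port sets come from the rules above, while KNOWN_BAD_IPS is a constructed placeholder standing in for your own IOC list and the trusted/approved sets are parameters you supply.

```python
import ipaddress
from urllib.parse import urlsplit

# Port sets taken from the guide's rules; approved business ports are passed in per call.
MIRAI_INBOUND_PORTS = {23, 2323, 7547}      # Telnet, alternative Telnet, TR-069 CWMP
TELNET_PORTS = {23, 2323}
STANDARD_WEB_PORTS = {80, 443}
GENERIC_UAS = {"", "mozilla"}               # empty/generic user-agents called out in the guide
# Constructed placeholder; the real list comes from your own IOC feed, not from this example.
KNOWN_BAD_IPS = {"203.0.113.77"}

def as_ip(host):
    """Return an ip_address for a literal-IP host (brackets tolerated), else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None

def evaluate_ingress(src_ip, dst_port, trusted_nets=()):
    """Ingress rule: Mirai-scanned ports are reachable only from explicitly trusted networks."""
    src = ipaddress.ip_address(src_ip)
    if dst_port in MIRAI_INBOUND_PORTS and not any(src in ipaddress.ip_network(n) for n in trusted_nets):
        return "deny", f"port {dst_port} from untrusted source {src_ip}"
    return "allow", "ok"

def evaluate_egress(dst_host, dst_port, user_agent=None, approved_ports=frozenset()):
    """Egress/proxy rules from the guide, most severe first; returns (action, reason)."""
    ip = as_ip(dst_host)
    if ip is not None and str(ip) in KNOWN_BAD_IPS:
        return "block", "destination in IOC list"
    if dst_port in TELNET_PORTS:
        return "block", "outbound Telnet from internal host"
    if dst_port not in STANDARD_WEB_PORTS | set(approved_ports):
        return "block", f"non-standard port {dst_port}"
    if ip is not None:
        return "block", "literal IP instead of domain name"
    if user_agent is not None and user_agent.strip().lower() in GENERIC_UAS:
        return "alert", "empty or generic user-agent"
    return "allow", "ok"

def evaluate_url(url, user_agent=None, approved_ports=frozenset()):
    """Convenience wrapper for proxy logs: derive host and port from the URL."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return evaluate_egress(p.hostname or "", port, user_agent, approved_ports)
```

Internal services that legitimately run on literal IPs or extra ports belong in the approved sets rather than in exceptions scattered through the rule order.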
Network Segmentation
- Isolate IoT devices on separate VLANs with strict inter-VLAN routing rules
- Implement microsegmentation for critical servers to prevent lateral movement
- Deploy network access control (NAC) to ensure only authorized devices connect to the network
Network Monitoring
- Configure your SIEM platform to alert on:
  - Multiple failed login attempts followed by successful login on network devices
  - Devices making simultaneous connections to multiple external IP addresses
  - Unusual outbound traffic patterns from normally quiet devices
  - DNS queries for known malicious domains
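Two of these SIEM rules (brute force followed by a successful login, and one device fanning out to many addresses) overlap with the EDR rule above about connections on ports 23, 2323 and 7547. As an added example, not part of the original guide or any SIEM product, the detector below runs both rules over a constructed, simplified "timestamp kind key=value" log format; the field names, thresholds and windows are assumptions to adapt to your own log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MIRAI_PORTS = {23, 2323, 7547}          # Telnet, alternative Telnet, TR-069 (from the guide)
KV = re.compile(r"(\w+)=(\S+)")
# Constructed sample: a device is brute-forced then logged into, and then fans out on
# port 23 to six addresses; plus one benign login and one benign HTTPS connection.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:0{i}Z auth src=10.20.0.15 dst=10.20.0.7 user=root result=fail" for i in range(5)]
    + ["2024-05-01T10:00:09Z auth src=10.20.0.15 dst=10.20.0.7 user=admin result=success",
       "2024-05-01T10:05:00Z auth src=10.20.0.30 dst=10.20.0.8 user=ops result=success",
       "2024-05-01T10:02:00Z conn src=10.20.0.9 dst=198.51.100.5 dport=443"]
    + [f"2024-05-01T10:01:{i:02d}Z conn src=10.20.0.7 dst=203.0.113.{i} dport=23" for i in range(1, 7)]
)

def parse_line(line):
    """'<iso-ts> <kind> k=v k=v ...' -> dict, with ev['ts'] as a timezone-aware datetime."""
    ts, kind, rest = line.split(" ", 2)
    ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "kind": kind}
    ev.update(KV.findall(rest))
    return ev

def bruteforce_then_success(events, fails=5, window=timedelta(minutes=10)):
    """Alert when a login succeeds after >= `fails` failures from the same src to the same device."""
    alerts, history = [], defaultdict(list)          # (src, dst) -> timestamps of recent failures
    for ev in (e for e in events if e["kind"] == "auth"):
        key = (ev["src"], ev["dst"])
        recent = [t for t in history[key] if ev["ts"] - t <= window]
        if ev["result"] == "fail":
            recent.append(ev["ts"])
        else:
            if len(recent) >= fails:
                alerts.append({"rule": "bruteforce_success", "src": ev["src"], "dst": ev["dst"], "failures": len(recent)})
            recent = []                              # a successful login resets the counter
        history[key] = recent
    return alerts

def telnet_fanout(events, min_targets=5, window=timedelta(seconds=60)):
    """Alert (once per src) when one host reaches >= min_targets distinct hosts on Mirai ports."""
    alerts, seen, flagged = [], defaultdict(list), set()   # src -> [(ts, dst)] inside the window
    for ev in (e for e in events if e["kind"] == "conn" and int(e["dport"]) in MIRAI_PORTS):
        src = ev["src"]
        seen[src] = [(t, d) for t, d in seen[src] if ev["ts"] - t <= window] + [(ev["ts"], ev["dst"])]
        targets = {d for _, d in seen[src]}
        if len(targets) >= min_targets and src not in flagged:
            flagged.add(src)
            alerts.append({"rule": "telnet_fanout", "src": src, "targets": len(targets)})
    return alerts

def detect(lines):
    """Run both rules over raw log lines (sorted by time) and return the alerts."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    return bruteforce_then_success(events) + telnet_fanout(events)
```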
User Awareness Training Points
Recognizing Social Engineering Attempts
- Train users to suspect unsolicited communications about “device updates” or “security patches”
- Teach verification procedures for technical requests (call-back verification, ticket number confirmation)
- Highlight that legitimate IT staff will never ask for password sharing or credential input on unofficial pages
IoT Device Security Responsibilities
- Educate users about the risks of consumer IoT devices on corporate networks
- Train technical staff to always change default credentials on network devices
- Create clear policies for connecting personal devices to corporate networks
Reporting Procedures
- Establish simple reporting mechanisms for suspicious emails or system behaviors
- Train users to report devices behaving strangely (unusual network activity, rebooting unexpectedly)
- Create escalation paths for potential security incidents involving network infrastructure
Password Hygiene Specifics
- Emphasize that default credentials are the primary Mirai infection vector
- Train staff to use complex, unique passwords for all network devices
- Implement mandatory credential rotation policies for administrative accounts
Physical Security Considerations
- Educate staff about the risks of unauthorized devices connected to network ports
- Train reception and facilities staff to challenge visitors connecting devices to network infrastructure
- Create clear policies for disposal of old network equipment to prevent credential recovery
Response Protocols
- Ensure users know immediate steps if they suspect compromise (disconnect from network, contact IT security)
- Train help desk staff to recognize potential Mirai infection indicators during troubleshooting calls
- Create clear communication channels for security incidents affecting network availability
For detailed information on how Mirai spreads, see our Distribution Methods page. Regular updates to defensive configurations based on current threat intelligence are essential, as Mirai continues to evolve with new exploits and obfuscation techniques.